Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
1 & WMM7
Legal notice
Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All
other trademarks are the property of their respective owners
CONTENTS
1 INTRODUCTION .............................................................................................................................. 17
1.1 OBJECT AND SCOPE OF THIS DOCUMENT ........................................................................... 17
1.2 AUDIENCE FOR THIS DOCUMENT .......................................................................................... 17
1.3 TEG NAMING CONVENTIONS .................................................................................................. 17
2 RELATED DOCUMENTS ................................................................................................................ 19
2.1 APPLICABLE DOCUMENTS ...................................................................................................... 19
2.2 REFERENCE DOCUMENTS ...................................................................................................... 21
3 LTE IP NETWORK TRANSPORT ................................................................................................... 25
3.1 LTE NETWORK ARCHITECTURE ............................................................................................. 25
3.2 LTE/EPS STANDARD REFERENCE POINTS ........................................................................... 25
3.3 LTE PROTOCOL STACKS ......................................................................................................... 26
3.3.1 eUTRAN protocol stack .......................................................................................................... 26
3.3.2 ePC protocol stack ................................................................................................................. 26
3.3.2.1 GTPv2-C Control Plane ..........................................................................26
3.3.2.2 DIAMETER Control Plane ........................................................................27
3.3.2.3 User Plane .........................................................................................27
3.4 LTE PROTOCOLS ...................................................................................................................... 28
3.4.1 SCTP ...................................................................................................................................... 28
3.4.1.1 RTO calculation ..................................................................................31
3.4.1.2 SCTP packet format .............................................................................33
3.4.1.3 Retransmission timer ............................................................................38
3.4.1.4 Fault Management ...............................................................................38
3.4.1.5 Peer Multi-Homing ...............................................................................42
3.5 DIAMETER .................................................................................................................................. 43
3.5.1 Diameter packet format .......................................................................................................... 44
3.5.2 Diameter message flows ........................................................................................................ 47
4 LTE E2E PERFORMANCE & QOS FUNCTIONS ........................................................................... 48
4.1 OVERVIEW OF LTE E2E QOS................................................................................................... 48
4.2 BEARER QOS PARAMETERS ................................................................................................... 49
4.3 E2E FLOW BINDING .................................................................................................................. 50
4.4 E2E QOS FUNCTIONS AND MAPPING TO LTE NETWORK ELEMENTS............................... 52
4.5 TRANSPORT QOS ..................................................................................................................... 53
4.5.1 Traffic Management functions ................................................................................................ 54
4.5.2 Network QoS models ............................................................................................................. 55
4.5.3 Layer 3 QoS: DiFFSERV ....................................................................................................... 56
4.5.3.1 Diffserv marking ..................................................................................57
4.5.3.2 PER HOP BEHAVIOR (PHB) .......................................................................60
4.5.4 Layer 2 QoS : 802.1q ............................................................................................................. 61
5 LTE TRANSPORT REQUIREMENT ................................................................................................ 63
5.1 LAYER2/LAYER3 REQUIREMENT ............................................................................................ 63
5.2 SECURITY REQUIREMENT ....................................................................................................... 63
5.2.1 Generic IPsec Theory ............................................................................................................ 63
5.2.1.1 Security Definitions ..............................................................................64
5.2.1.2 IPsec Components ................................................................................64
5.2.1.3 IPsec Walk Through ..............................................................................68
5.2.1.4 IPsec IKE (Stage 0) ...............................................................................71
6.1.6.1 IEEE 802.1q interoperability between release 2005 and release 2011 ................. 147
6.1.7 Ethernet frame size .............................................................................................................. 149
6.1.8 LAG ...................................................................................................................................... 149
6.2 IPV4 ........................................................................................................................................... 149
6.2.1 MTU ...................................................................................................................................... 149
6.2.1.1 MTU for C-Plane, OAM & PTP ................................................................. 150
6.2.1.2 MTU for U-Plane ................................................................................ 151
6.2.2 OAM addressing................................................................................................................... 154
6.2.2.1 eNB OAM addressing - without PnP .......................................................... 154
6.2.2.2 eNodeB events time-stamping ............................................................... 155
6.2.3 Telecom addressing ............................................................................................................. 155
6.2.4 Subnetting ............................................................................................................................ 157
6.2.5 eNB private IPv4 addressing................................................................................................ 158
6.2.6 Routing ................................................................................................................................. 158
6.2.6.1 Routing principle at eNodeB .................................................................. 158
6.2.6.2 OAM Routing .................................................................................... 159
6.2.6.3 Telecom Routing ............................................................................... 159
6.2.6.4 Routing table initialisation ................................................................... 161
6.2.7 IP QoS .................................................................................................................................. 162
6.3 DHCPV4 .................................................................................................................................... 166
6.3.1 eNB configuration by DHCPv4 server .................................................................................. 168
6.3.1.1 Vendor Specific Information option format ................................................ 170
6.4 IPV6 ........................................................................................................................................... 172
6.4.1 MTU ...................................................................................................................................... 173
6.4.1.1 MTU for C-Plane, OAM & PTP ................................................................. 173
6.4.1.2 MTU for U-Plane ................................................................................ 173
6.4.2 Addressing ........................................................................................................................... 173
6.4.2.1 eNodeB events time-stamping ............................................................... 173
6.4.2.2 eNodeB Link-local address .................................................................... 174
6.4.2.3 eNodeB Global Unicast address .............................................................. 175
6.4.2.4 eNodeB IPv6 interface(s) static configuration ............................................. 176
6.4.2.5 eNodeB IPv6 interface(s) automatic configuration ........................................ 177
6.4.3 OAM interface configuration at initial eNodeB startup ......................................................... 179
6.4.4 OAM interface configuration at non initial eNodeB startup .................................................. 180
6.4.5 Subnetting ............................................................................................................................ 180
6.4.6 Routing ................................................................................................................................. 180
6.4.6.1 Routing table initialisation ................................................................... 181
6.4.7 IP QoS .................................................................................................................................. 183
6.5 DUAL IPV4/IPV6 STACK .......................................................................................................... 183
6.6 IPV4 TO IPV6 MIGRATION ...................................................................................................... 183
6.7 ICMPV6 FOR NEIGHBORING DISCOVERY ........................................................................... 184
6.7.1 Source and destination IP addresses .................................................................................. 184
6.7.2 Router Solicitation ................................................................................................................ 185
6.7.3 Router Advertisement .......................................................................................................... 185
6.7.4 Neighbor Solicitation / Neighbor Advertisement .................................................................. 187
6.8 DHCPV6 .................................................................................................................................... 188
6.8.1 DHCPv6 stateless ................................................................................................................ 188
6.8.2 DHCPv6 stateful ................................................................................................................... 188
6.8.3 Source and destination IP addresses .................................................................................. 189
6.8.4 DHCPv6 message format .................................................................................................... 189
LIST OF FIGURES
Figure 1: Overview of LTE network architecture ........................................................................................... 25
Figure 2: eUTRAN Protocol Stack .................................................................................................................... 26
Figure 3: SCTP association establishment....................................................................................................... 29
Figure 4: SCTP heartbeating ........................................................................................................................... 30
Figure 5: Delayed SCTP acknowledgement ..................................................................................................... 31
Figure 6: SCTP message structure ................................................................................................................... 33
Figure 7: SCTP INIT format .............................................................................................................................. 35
Figure 8: SCTP heartbeating and peer multi-homed ...................................................................................... 39
Figure 9: Association establishment failure .................................................................................................... 40
Figure 10: SCTP association failure ................................................................................................................. 41
Figure 11: SCTP association failure and peer multi-homed ............................................................................ 42
Figure 12: SCTP path failure and peer multi-homed ...................................................................................... 43
Figure 13: Diameter packet structure ............................................................................................................. 44
Figure 14: Diameter Attribute-Value Pair ....................................................................................................... 46
Figure 15: Diameter message flows................................................................................................................. 47
Figure 16: EPS bearer service layered architecture ....................................................................................... 48
Figure 17: E2E traffic flows and their QoS requirements ............................................................................... 52
Figure 18: Main QOS functions and mapping on LTE NE ................................................................................. 53
Figure 19: QOS functions per level .................................................................................................................. 53
Figure 20: QOS Function .................................................................................................................................. 54
Figure 21: Diffserv domain concept ................................................................................................................ 57
Figure 22: IPv4 header format ........................................................................................................................ 58
Figure 23: IPv6 header format ........................................................................................................................ 58
Figure 24: DiffServ Code Point field details .................................................................................................... 59
Figure 25: Transport and Tunnel Mode Formats ............................................................................................. 65
Figure 26: Transport and Tunnel Mode Formats ............................................................................................. 66
Figure 27: Protection Depending on Transport and Tunnel Mode .................................................................. 66
Figure 28: AH Header ...................................................................................................................................... 67
Figure 29: ESP Header ..................................................................................................................................... 68
Figure 30: IPsec Transport Configuration ........................................................................................................ 69
Figure 31: Host IP Packet Transmission to Security Gateway......................................................................... 70
Figure 32: IKEv2 Phase 1 Negotiation .............................................................................................................. 72
Figure 33: IKE Key calculation with Pre-Shared Key Authentication .............................................................. 73
Figure 34: IKE Key calculation with Digital Signature Authentication ........................................................... 74
Figure 35: IKEv2 Phase 2 Negotiation .............................................................................................................. 75
Figure 36: SPD / SADB Transmission Validation .............................................................................................. 76
Figure 37: SADB / SPD Receiving Validation.................................................................................................... 78
Figure 38: Fortinet Reference Architecture ................................................................................................... 82
Figure 39: Fortinet Virtual Domain Configuration .......................................................................................... 83
Figure 40: CMS Archtitecture .......................................................................................................................... 87
Figure 41: CMS Architecture Model 1 .............................................................................................................. 88
Figure 42: CMS Architecture Model 2 .............................................................................................................. 89
Figure 43: CMS Architecture Model 3 .............................................................................................................. 90
Figure 44: CMS eUTRAN Architecture.............................................................................................................. 92
Figure 45:CMS Root and CA SUB Initialization ................................................................................................ 94
Figure 46: CA SUB and eNB Initialization ........................................................................................................ 95
Figure 47: CMPv2 Protocol Stack ..................................................................................................................... 96
Figure 48: Model 1 Validation Diagram ......................................................................................................... 100
Figure 49: End to End OAM support ............................................................................................................... 101
Figure 50: Synchronous ethernet concept..................................................................................................... 104
Figure 51: Unicast negociation ...................................................................................................................... 106
Figure 52: Request unicast transmission message structure ........................................................................ 107
Figure 53: PTP periodical Unicast negociation and time stamp exchange ................................................... 108
Figure 111: Initial Request Unicast Transmission – ALU implementation ..................................................... 337
Figure 112: 1588 VLAN & IP – Model object for configuration ...................................................................... 341
Figure 113: 1588 – Model object for configuration ....................................................................................... 342
Figure 114: eMBMS architecture ................................................................................................................... 344
Figure 115: M3 Session Start ......................................................................................................................... 346
Figure 116: M3 Session Stop .......................................................................................................................... 347
Figure 117: M3 Session Reset ........................................................................................................................ 347
Figure 118: M3 SCTP – peer addressing - Model object for configuration .................................................... 349
Figure 119: IGMPv3 and MLDv2 – Query and Report ..................................................................................... 352
Figure 120: NON IPsec Plug and Play Flow .................................................................................................... 362
Figure 121: MCO FAM transport components ................................................................................................ 370
Figure 122: Traffic paths for the LTE MCO plus Daisy Chain traffic ............................................................. 373
Figure 123: UL Traffic L2 QoS management for the LTE MCO plus Daisy Chain traffic ............................... 374
Figure 124: NAT - procedure for updating the mapping table ..................................................................... 393
Figure 125: ATCA Connector Zones ............................................................................................................... 395
Figure 126: Cabling Configuration for oRTM and Faceplate ......................................................................... 397
Figure 127: Cabling Configuration for Hub Interconnection......................................................................... 398
Figure 128: MME Hub Connectivity ................................................................................................................ 399
Figure 129: MME Network Connectivity ........................................................................................................ 407
Figure 130: Port Connectivity for oRTM ........................................................................................................ 409
Figure 131: MME VLAN Configuration ............................................................................................................ 410
Figure 132: MME Logical Interfaces ............................................................................................................... 422
Figure 133: SCTP restart on MIF switchover .................................................................................................. 434
Figure 134: S1 SCTP Profile provisionning ..................................................................................................... 438
Figure 135: S1 Interface Profile provisionning .............................................................................................. 439
Figure 136: S6a SCTP Profile ......................................................................................................................... 444
Figure 137: S6a over SCTP - Interface Profile ............................................................................................... 444
Figure 138: S6a Diameter Profile .................................................................................................................. 445
Figure 139: S6a over SCTP - Diameter Connection provisioning ................................................................... 446
Figure 140: S6a over SCTP - Remote End Point Configuration...................................................................... 446
Figure 141: S6a over TCP - Diameter Connection ......................................................................................... 448
Figure 142: S6a over TCP - Remote End Point Configuration ....................................................................... 448
Figure 143: SGs SCTP Profile ......................................................................................................................... 453
Figure 144: SGs Interface Profile .................................................................................................................. 453
Figure 145: SGs –MSC Server provisioning ..................................................................................................... 454
Figure 146: SGs - Remote End Point Configuration ....................................................................................... 454
Figure 147: SLg protocol stack ...................................................................................................................... 455
Figure 148: Mobile Terminated - Location Request (MT-LR) ........................................................................ 456
Figure 149: Network Induced - Location Request (NI-LR) ............................................................................. 457
Figure 150: SLg SCTP Profile.......................................................................................................................... 461
Figure 151: SLg Interface Profile ................................................................................................................... 461
Figure 152: SLg Diameter Profile ................................................................................................................... 462
Figure 153: SLg Diameter Connection ........................................................................................................... 463
Figure 154: SLg Remote End Point Configuration ......................................................................................... 464
Figure 155: SLg primary GMLC vs. alternate GMLC ....................................................................................... 465
Figure 156: SLs protocol stack ....................................................................................................................... 466
Figure 157: LPP signaling between E-SMLC and UE ....................................................................................... 466
Figure 158: UE assisted and UE based positioning procedure....................................................................... 467
Figure 159: LPPa signaling between E-SMLC and eNodeB ............................................................................. 467
Figure 160: Network based positioning procedure ....................................................................................... 468
Figure 161: SLs SCTP Profile .......................................................................................................................... 471
Figure 162: SLs Interface Profile ................................................................................................................... 471
Figure 163: SLs Remote End Point Configuration .......................................................................................... 472
Figure 164: SLs E-SMLC Configuration ........................................................................................................... 472
Figure 165: M3 protocol stack ....................................................................................................................... 474
Figure 166: M3 MBMS Session Management procedures ................................................................................ 474
Figure 167: M3 SCTP Profile .......................................................................................................................... 477
LIST OF TABLES
Table 1: Meaning of <Nature> ......................................................................................................................... 18
Table 2: Standardized QoS characteristics ..................................................................................................... 50
Table 3: General Security Gateway IPsec Attributes ..................................................................................... 80
Table 4: Fault management mechanism at the Ethernet level .................................................................... 101
Table 5: ESMC PDU format ............................................................................................................................ 105
Table 6: Details of the Data and Padding field............................................................................................. 105
Table 7: syncE Quality Levels........................................................................................................................ 105
Table 8: IEEE 1588v2 message types ............................................................................................................. 109
Table 9: Summary of Defined subnets and associated Vlan(s) ..................................................................... 118
Table 10: User Plane Delay Budgets ............................................................................................................. 119
Table 11: User Plane End to End Delays ....................................................................................................... 119
Table 12: Supported configurations with untagged Ethernet frames .......................................................... 134
Table 13: Supported configurations with 1 VLAN ......................................................................................... 135
Table 14: Supported configurations with 2 VLANs ........................................................................................ 135
Table 15: Supported configurations with 3 VLANs ........................................................................................ 136
Table 16: Supported configurations with 4 VLANs ........................................................................................ 137
Table 17: MOCN - Supported configurations for the master operator ......................................................... 141
Table 18: MOCN - Supported configurations for a non master operator ...................................................... 141
Table 19: GWCN - Supported configurations for the master operator ......................................................... 143
Table 20: GWCN - Supported configurations for non master operator#1 .................................................... 144
Table 21: GWCN - Supported configurations for non master operator#2 .................................................... 144
Table 22: eNodeB support for OAM IPv6 interface automatic configuration ............................................... 179
Table 23: OAM IPv6 interface configuration at initial startup ..................................................................... 180
Table 24: OAM IPv6 interface configuration at non initial startup .............................................................. 180
Table 25: ICMPv6 message supported for neighbor discovery ...................................................................... 184
Table 26: Source and Destination IPv6 addresses for Network Discovery messages.................................... 184
Table 27: Router Solicitation message format ............................................................................................. 185
Table 28: Router Solicitation message format ............................................................................................. 185
Table 29: M and O Flags in RA messages ....................................................................................................... 185
Table 30: Prefix information option format ................................................................................................. 187
Table 31: Source and destination IP addresses of DHCPv6 messages .......................................................... 189
Table 32: DHCPv6 message format ............................................................................................................... 189
Table 33: Supported DHCPv6 messages ........................................................................................................ 190
Table 34: DHCPv6 option format................................................................................................................... 190
Table 35: Supported DHCPv6 options............................................................................................................ 191
Table 36: DHCPv6 Client Identifier format ................................................................................................... 191
Table 37: DUID-EN format ............................................................................................................................. 192
Table 38: IA_NA format ................................................................................................................................. 192
Table 39: IA Address format .......................................................................................................................... 193
Table 40: Status Code format ....................................................................................................................... 193
Table 41: DHCPv6 Status Codes .................................................................................................................... 194
Table 42: Vendor Class .................................................................................................................................. 194
Table 43: Vendor-Class-Data format ............................................................................................................. 194
Table 44: Vendor Specific Information format ............................................................................................. 195
Table 45: DHCPv6 proprietary option for IPv6 router address ..................................................................... 195
Table 46: DHCPv6 proprietary option for EMS IPv6 address/Port number ................................................... 196
Table 47: DHCPv6 proprietary option for Security Gateway IP address ...................................................... 196
Table 48: DHCPv6 proprietary option for EMS FQDN .................................................................................... 196
Table 49: DHCPv6 proprietary option for SEG FQDN .................................................................................... 196
Table 50: DHCPv6 proprietary option for EMS IPv4 address/Port number ................................................... 196
Table 51: SCTP parameters setting at eNodeB ............................................................................................. 199
Table 52: IPsec Configurations for Single Operator (1) ................................................................................ 223
Table 53: IPsec Configurations for Single Operator (2) ................................................................................ 224
Table 54: IPsec Configurations for Single Operator (3) ................................................................................ 225
Table 55: IPsec Configurations for Multiple Operators (1) ........................................................................... 227
Table 56: IPsec Overhead example based on Encryption ............................................................................. 231
Table 57: DSCP to scheduling priority mapping derived by eNodeB ............................................................ 265
Table 58: S1 bit rate calculation – example for IMS VoIP & non-GBR in IPv4 with IPsec ............................. 293
Table 59: IMS VoIP & non-GBR without overbooking .................................................................................... 300
Table 60: IMS VoIP & non-GBR with overbooking ......................................................................................... 302
Table 61: IGMPv3 & MLDv2 source & destination IP addresses .................................................................... 354
Table 62: DHCP information set for PNP scenario ........................................................................................ 358
Table 63: MCO Ethernet port mode of operation ......................................................................................... 371
Table 64: Example IP Addresses for MME Application Interfaces ................................................................. 420
Table 65: Example IP Addresses for MME OA&M Interfaces.......................................................................... 420
Table 66: Example IP Addresses for MME Ethernet Interfaces ..................................................................... 421
1 INTRODUCTION
This document introduces the transport engineering guidelines for the eUTRAN (eNodeB) and
partially the ePC (MME), summarizing their scope and requirements for LR14.1 and WMM7.
In this document;
• chapters 3, 4 and 5 cover LTE general aspects such as 3GPP or RFCs specifications,
• chapter 6 covers the description of the macro eNB ALU design
• chapter 7 covers the description of the Metro cell ALU design
• chapter 8 covers the description of the MME ALU design
An End to End solution is named LEvv, E for E2E and is built from the products own releases.
These information are required for architecture and design of an end to end LTE network and
needed to deliver a detailed transport parameters plan.
Restriction:
The detailed transport design and configuration for a LTE network which will include IP nodes
layouts and configuration, IP Planning for core elements, IP dimensioning for WAN links, QoS
planning is out of the scope of this document.
Recommendations to get the best of the product and/or network within supported space
Where:
<Nature> Meaning
HC Hard Coded Either Hardware or Software is responsible for this.
M Mandatory Must be followed for the system to operate properly into a supported
environment.
S Standard Required by Standard
D Design Mainly for restriction related with Design
T Test Mainly for restriction related with Tests
R Recommended Design: To follow good Network Design basis and principles.
Availability: To ensure Network robustness.
Performances: To provide with an optimized usage of resources.
Security: To secure network against potential attacks.
Operations: To offer better operational effectiveness for site or network
extension, upgrade, reconfiguration…
2 RELATED DOCUMENTS
LM4.0
m10402-05 MME Support of SCTP Multi-Homing
m11014-01 MME support for multiple DSCP values on all network interfaces
m11005-01 MME support for Warning Message Delivery
m0402-06 MME support for SCTP Multi-Homing on S1-MME, S6a, and SGs MME
m80152-01 MME GigE Connectivity enhancements MME
m10401-01 MME support of VLANs MME
m80140-03 MME Support for Bidirectional Forward Detection IPv4 only
m80140-06 MME Support for Bidirectional Forward Detection for Dual Stack (IPv4 and IPv6)
m10404-01 Support of Provisioning of Separate SCTP Interfaces for SGs Interface
m10300-14 IPSEC support for X1_1, X2 CALEA interfaces
m10405-02 MME support for source based routing on MPH interfaces – Phase 2
m30107-02 Custom QoS Parameter Mapping from EPS to Release 99
m80152-06 Enhancement to MME Interface Configuration Changes
m10402-10 MME support for Multi-Homing for CMAS
LM5.0
m10300-04 IPsec support for X1_1, X2 CALEA Interfaces – Carry Forward
m80140-07 Bidrectional Forward Detection Enhancement
m0152-07 Enhancement to MME Interface Configuration Changes
LM6.0
m30107-03 MME support for QoS mapping
m11005-03 MME support for Access Control list for SBc link
m11005-03 MME Configuration Management Support for Diameter Routing Agent
m10910-01b MME support for Multiple S1 MME Local IP Address
m10418-01 MME Support for VLAN Growth/De-Growth
WMM7
m11501-02 MME support for Extended GTP Echo Timer
m10423-01 MME support of Source Based Routing
m14000-01 MME support of Home eNB and Local IP Address (LIPA)
m11303-01 WMM Support for Enhanced DRA Support
m11301-01 MME Support for Enhanced DPR/DPA
[R3] TS29.060 GPRS Tunneling Protocol (GTP) across the Gn & Gp interface
[R28] IETF RFC 0879 TCP maximum Segment size (MSS) and related topics
[R31] IETF RFC 2030 Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI
[R33] IETF RFC 2401 Security Architecture for the Internet Protocol (IPsec overview)
[R34] IETF RFC 2403 The Use of HMAC-MD5-96 within ESP and AH
[R35] IETF RFC 2404 The Use of HMAC-SHA-1-96 within ESP and AH
[R36] IETF RFC 2405 The ESP DES-CBC Cipher Algorithm With Explicit IV
[R37] IETF RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP
[R38] IETF RFC 2408 Internet Security Association and Key Management Protocol
[R45] IETF RFC 2474 Definition of the Differentiated Services Field in the IPv4/v6 Headers
[R55] IETF RFC 3247 Supplemental Information for the New Definition of the EF PHB
[R56] IETF RFC 3260 New terminology and clarifications for DiffServ
[R57] IETF RFC 3309 Stream Control Transmission Protocol (SCTP) Checksum Change
[R59] IETF RFC 3442 The Classless Static Route option for DHCPv4
[R62] IETF RFC 4301 Security Architecture for the Internet Protocol
[R75] IETF RFC 5061 Stream Control Transmission Protocol – Dynamic Address Reconfiguration
[R76] ITU-T G.8261 Timing and Synchronization Aspects in Packet Networks
IEEE Standard for Precision Clock Synchronization Protocol for Networked
[R77] IEEE 1588 v2
measurement & Control Systems
[R78] IETF RFC 5217 Memorandum for Multi-Domain Public Key Infrastructure Interoperability
[R82] IETF RFC 2315 PKCS #7: Cryptographic Message Syntax Version 1.5
[R83] IETF RFC 2986 PKCS #10: Certification Request Syntax Specification Version 1.7
[R84] IETF RFC 5217 Memorandum for Multi-Domain Public Key Infrastructure Interoperability
[R85] IETF RFC 5273 Certificate Management over CMS (CMC): Transport Protocols
[R88] IETF RFC 4604 Using IGMPv3 and MLDv2 for Source specific Multicast
The transport network layer provides services for user plane transport and signalling transport.
GERAN
SGSN HSS
UTRAN
S3 S6a
S1-MME
MME
PCRF
S4 Rx+
S11 S7
S10
“LTE-Uu”
Serving S5 PDN SGi
UE EUTRAN Operator’s IP Services
SAE SAE (e.g. IMS, PSS etc.)
S1-U Gateway Gateway
• S1-U: Reference point between E-UTRAN and Serving GW for the per bearer user plane tunnelling
and inter eNodeB path switching during handover.
• S3: It enables user and bearer information exchange for inter-3GPP access network mobility in
idle and/or active state. It is based on Gn reference point as defined between SGSNs.
• S4: It provides related control and mobility support between GPRS Core and the 3GPP Anchor
function of Serving GW and is based on Gn reference point as defined between SGSN and GGSN. In
addition, if Direct Tunnel is not established, it provides the user plane tunnelling.
• S5: It provides user plane tunneling and tunnel management between Serving GW and PDN GW. It
is used for Serving GW relocation due to UE mobility and in case the Serving GW needs to connect to
a non-collocated PDN GW for the required PDN connectivity.
• S6a: This interface is defined between MME and HSS for authentication and authorization.
• S7 (a.k.a Gx): It provides transfer of (QoS) policy and charging rules from PCRF to Policy and
Charging Enforcement Point (PCEF) ) in the PDN GW. S7 & Gx refere to the same interface.
• S8: It is the roaming interface in case of roaming with home routed traffic. It provides the user
plane with related control between Gateways in the VPLMN and HPLMN.
• S10: This interface is reference point between MMEs for MME relocation and MME to MME
information transfer.
• S11: This interface is reference point between MME and Serving GW.
• SGi: Reference point between the PDN-GW and the packet data network. The packet data
network can be a private or public data (IP) network or an intra-operator packet data network, e.g.
for provision of IMS services.
Transport
Network
Layer
GTP-U
SCTP UDP
IP IP
Data Link Layer Data Link Layer
Physical Layer Physical Layer
• SGSN-MME S3
• SGSN-SGW S4
• SGW-PGW S5-S8
• MME-MME S10
• MME-SGW S11
• MME-MBMS GW Sm
GTPv2-C
UDP
IP
Data Link Layer
Physical Layer
• MME-HSS S6A
• MME-EIR S13
• PGW-PCRF S7 (Gx)
• MME-GMLC SLg
Diameter
SCTP
IP
Data Link Layer
Physical Layer
• SGW-PGW S5-S8
User Plane
GTP-U
UDP
IP
Data Link Layer
Physical Layer
An SCTP association can be uniquely identified by the transport addresses used by the endpoints in
the association. A transport address is unique to an SCTP endpoint and is defined by the
combination of an IP address and an SCTP port number (case of single-homed SCTP endpoint) or by
the combination of multiple IP addresses and an SCTP port number (case of multi-homed SCTP
endpoint).
Two SCTP endpoints must not have more than one SCTP association between them at any given
time.
• created through a 4-way handshake procedure (INIT / INITack and Cookie Echo / Cookie ack)
Local Peer
SCTP endpoint SCTP endpoint
INIT start T1-init timer
t+δt
COOKIE ECHO start T1-cookie timer
(State Cookie sent back)
COOKIE ACK
If (δt ≤ Valid.Cookie.Life) stop T1-cookie timer
SCTP supports :
• multiple streams, where a packet error in one stream does not delay data in other streams. This
protocol thus addresses the ‘head-of-line’ blocking issues apparent with TCP
Local Peer
SCTP endpoint SCTP endpoint
HEARTBEAT
HEARTBEAT ACK
Heartbeat timer
HEARTBEAT
• retransmission mechanism
• acknowledgement mechanism
Local Peer
SCTP endpoint SCTP endpoint
The purpose of the SACK timer is to reduce the bandwidth consumed by SACK acknowledgments.
The SACK timer defines the time an SCTP endpoint waits before transmitting an acknowledgement
after a DATA chunk has been received from a peer SCTP endpoint. If a second DATA chunk is
received before the timer times out, then the SACK is transmitted immediately. If a second DATA
chunk is not received then the SACK is transmitted at SACK timer expiry.
If the SACK timer is set to 0 then SACK are not delayed.
An SCTP endpoint uses a retransmission timer T3-rtx to ensure data delivery in the absence of any
feedback from its peer. The duration of this timer is referred to as RTO (Retransmission TimeOut).
The RTO is calculated by the SCTP endpoint. When an endpoint’s peer is multi-homed, the endpoint
calculates a separate RTO for each different SCTP path between the two endpoints.
RTO calculation algorithm is specified in IETF RFC 4960. The SCTP protocol parameters used for
calculating the RTO are described hereafter.
3.4.1.1.1 RTO.Min
The RTO.Min parameter defines the minimum time limit for the retransmission timer. It is used to
trigger the retransmission of a Data chunk for which no acknowledgement has been received.
If the calculated RTO is lower than the RTO.Min parameter, the SCTP end-point rounds-up the RTO
value to RTO.Min.
The RTO at one endpoint must not expire before the SACK was sent by the peer endpoint. Else the
peer endpoint retransmits a packet that has been successfully received but not yet acknowledged.,
between two SCTP endpoints, the RTO.Min at an endpoint must be higher than the SACK timer value
at its peer.
To prevent unnecessary retransmissions the RTO.Min at an endpoint must be higher than the round-
trip delay to the peer endpoint + the SACK timer duration at the peer endpoint.
If the RTO.Min timer is set much larger then unnecessary latency is introduced in the SCTP data
transfer, as SCTP retransmissions are triggered later than necessary.
3.4.1.1.2 RTO.Max
The RTO.Max parameter defines the maximum time limit for the retransmission timer. It is used to
trigger the retransmission of Data chunk for which no acknowledgement has been received.
The RTO is doubled each time the SACK acknowledgment is not received in the RTO. If the
calculated RTO is greater than the RTO.Max parameter, the SCTP end-point rounds-down the RTO
value to RTO.Max.
The RTO.Max value must be set higher than RTO.Min.
3.4.1.1.3 RTO.Init
RTO.Alpha and RTO.Beta are constants that are part of the algorithm for updating the RTO value.
RTO_Alpha_divisor_exponent
RTO.Alpha may be expressed in the format of 1/RTO_Alpha_divisor or 1/2 .
Same applies for RTO.Beta.
E.g. with RFC default values;
RTO.Alpha = 1/8 may be expressed with RTO_Alpha_divisor = 8 or RTO_Alpha_divisor_exponent = 3.
RTO.Beta = 1/4 may be expressed with RTO_Alpha_divisor = 4 or RTO_Alpha_divisor_exponent = 2.
RTO.Min and RTO.Max setting impacts the SCTP path failure detection duration.
With the RFC 4960 default recommended setting, the maximum duration before SCTP reports that a
SCTP path is down is:
RTO.Min= 1s / RTO.Max=60s / Path.Max.Retrans=5 => 1+2+4+8+16+32=63s
The first packet transmission failure has RTO = RTO.Min = 1s, the first retransmission has RTO = 2s,
the fifth retransmission has RTO = 32s
This aggregate time is a considerable time to detect a failure of a path and invoke a switchover to
an alternate path in a multi-homed environment. Potentially, the association could be torn-down
before a switchover is invoked.
Note: From here to the end of this chapter, the text is extracted from the SCTP specification [IETF
RFC 4960].
0-7 8 - 15 16 - 23 24 - 31 bits
Destination Port Number: This is the SCTP port number to which this packet is destined. The
receiving host will use this port number to de-multiplex the SCTP packet to the correct receiving
endpoint/application.
Verification Tag: The receiver of this packet uses the Verification Tag to validate the sender of this
SCTP packet. On transmit, the value of this Verification Tag MUST be set to the value of the Initiate
Tag received from the peer endpoint during the association initialization
Checksum: This field contains the checksum of this SCTP packet. SCTP uses the CRC32c algorithm
for calculating the checksum.
Chunk Type: This field identifies the type of information contained in the Chunk Value field. It takes
a value from 0 to 254. The value of 255 is reserved for future use as an extension field.
Chunk Flags: The usage of these bits depends on the Chunk type as given by the Chunk Type field.
Unless otherwise specified, they are set to 0 on transmit and are ignored on receipt.
Chunk Length: This value represents the size of the chunk in bytes, including the Chunk Type, Chunk
Flags, Chunk Length and Chunk Value fields.
Chunk Value: The Chunk Value field contains the actual information to be transferred in the chunk.
The usage and format of this field is dependent on the Chunk Type.
Chunk values of SCTP control chunks consist of a chunk-type-specific header of required fields,
followed by zero or more parameters.
The optional and variable-length parameters contained in a chunk are defined in a Type-Length-
Value format:
0-7 8 - 15 16 - 23 24 - 31 bits
Parameter Type Parameter Length
Parameter Value
0-7 8 - 15 16 - 23 24 - 31 bits
Initiate Tag
Number of Number of
Outbound Streams Inbound Streams
Initial TSN
Optional/Variable-Length Parameters
Initiate Tag: The receiver of the INIT (the responding end) records the value of the Initiate Tag
parameter. This value MUST be placed into the Verification Tag field of every SCTP packet that the
receiver of the INIT transmits within this association.
Advertised Receiver Window Credit: This value represents the dedicated buffer space, in number of
bytes, the sender of the INIT has reserved in association with this window.
Number of Outbound Streams (OS): Defines the number of outbound streams the sender of this INIT
chunk wishes to create in this association.
Number of Inbound Streams (MIS): Defines the maximum number of streams the sender of this INIT
chunk allows the peer end to create in this association.
Note: There is no negotiation of the actual number of streams but instead the two endpoints will
use the min(requested, offered).
Initial TSN: Defines the initial TSN that the sender will use. The valid range is from 0 to 4294967295.
0-7 8 - 15 16 - 23 24 - 31 bits
Type = 5 Length = 8
IPv4 address
IPv6 Address: Contains an IPv6 [IETF RFC 2460] address of the sending endpoint.
0-7 8 - 15 16 - 23 24 - 31 bits
Type = 6 Length = 20
IPv6 address
Combined with the Source Port Number in the SCTP common header, the value passed in an IPv4 or
IPv6 Address parameter indicates a transport address the sender of the INIT will support for the
association being initiated. That is, during the life time of this association, this IP address can
appear in the source address field of an IP datagram sent from the sender of the INIT, and can be
used as a destination address of an IP datagram sent from the receiver of the INIT.
More than one IP Address parameter can be included in an INIT chunk when the INIT sender is multi-
homed. Moreover, a multihomed endpoint may have access to different types of network; thus,
more than one address type can be present in one INIT chunk, i.e., IPv4 and IPv6 addresses are
allowed in the same INIT chunk.
If the INIT contains at least one IP Address parameter, then the source address of the IP datagram
containing the INIT chunk and any additional address(es) provided within the INIT can be used as
destinations by the endpoint receiving the INIT. If the INIT does not contain any IP Address
parameters, the endpoint receiving the INIT MUST use the source address associated with the
received IP datagram as its sole destination address for the association.
Supported Address Types: The sender of INIT uses this parameter to list all the address types it can
support.
0-7 8 - 15 16 - 23 24 - 31 bits
Type = 12 Length
...
Address Type: This is filled with the type value of the corresponding address TLV (e.g., IPv4 = 5,
IPv6 = 6, Host name = 11).
The INIT ACK chunk is used to acknowledge the initiation of an SCTP association.
The parameter part of INIT ACK is formatted similarly to the INIT chunk. It uses two extra variable
parameters: the State Cookie and the Unrecognized Parameter.
The Selective Acknowledgement chunk is sent to the peer endpoint to acknowledge received DATA
chunks and to inform the peer endpoint of gaps in the received subsequences of DATA chunks as
represented by their TSNs.
An endpoint should send this chunk to its peer endpoint to probe the reachability of a particular
destination transport address defined in the present association.
The parameter field contains the Heartbeat Information, which is a variable-length opaque data
structure understood only by the sender.
An endpoint should send this chunk to its peer endpoint as a response to a HEARTBEAT chunk. A
HEARTBEAT ACK is always sent to the source IP address of the IP datagram containing the
HEARTBEAT chunk to which this ack is responding.
The parameter field contains the Heartbeat Information parameter of the Heartbeat Request to
which this Heartbeat Acknowledgement is responding.
0-7 8 - 15 16 - 23 24 - 31 bits
TSN
U bit: The (U)nordered bit, if set to ’1’, indicates that this is an unordered DATA chunk, and there is
no Stream Sequence Number assigned to this DATA chunk.
B bit: The (B)eginning fragment bit, if set, indicates the first fragment of a user message.
E bit: The (E)nding fragment bit, if set, indicates the last fragment of a user message.
Length: This field indicates the length of the DATA chunk in bytes from the beginning of the type
field to the end of the User Data field excluding any padding.
TSN: This value represents the Transmission sequence number for this DATA chunk. When a user
message is fragmented into multiple chunks, the TSNs are used by the receiver to reassemble the
message. The valid range of TSN is from 0 to 4294967295.
Stream Identifier S: Identifies the stream to which the following user data belongs.
Stream Sequence Number n: This value represents the Stream Sequence Number of the following
user data within the stream S. Valid range is 0 to 65535.
When a user message is fragmented by SCTP for transport, the same Stream Sequence Number MUST
be carried in each of the fragments of the message.
Payload Protocol Identifier: This value represents an application (or upper layer) specified protocol
identifier. This value is passed to SCTP by its upper layer and sent to its peer. This identifier is not
used by SCTP but can be used by certain network entities, as well as by the peer application, to
identify the type of information being carried in this DATA chunk.
An SCTP endpoint uses a retransmission timer T3-rtx to ensure data delivery in the absence of any
feedback from its peer. The duration of this timer is referred to as RTO (retransmission timeout).
When an endpoint’s peer is multi-homed, the endpoint will calculate a separate RTO for each
different destination transport address of its peer endpoint.
3.4.1.4.1 Heartbeating
By default, an SCTP endpoint SHOULD monitor the reachability of the idle destination transport
address(es) of its peer by sending a HEARTBEAT chunk periodically to the destination transport
address(es).
A destination transport address is considered "idle" if no new chunk that can be used for updating
path RTT (usually including first transmission DATA, INIT, COOKIE ECHO, HEARTBEAT, etc.) and no
HEARTBEAT has been sent to it within the current heartbeat period of that address. This applies to
both active and inactive destination addresses.
On an idle destination address that is allowed to heartbeat, it is recommended that a HEARTBEAT
chunk is sent once per RTO of that destination address plus the protocol parameter ’HB.interval’,
with jittering of +/- 50% of the RTO value, and exponential backoff of the RTO if the previous
HEARTBEAT is unanswered.
Local Peer
SCTP endpoint SCTP endpoint
Association establishment
INIT / INIT ACK
Primary path = IP@1
Alternate path = IP@2 COOKIE / COOKIE ACK
HEARTBEAT
If the T1-init timer expires, the endpoint MUST retransmit INIT and restart the T1-init timer without
changing state. This MUST be repeated up to ’Max.Init.Retransmits’ times. After that, the endpoint
MUST abort the initialization process and report the error to the SCTP user.
If the T1-cookie timer expires, the endpoint MUST retransmit COOKIE ECHO and restart the T1-
cookie timer without changing state. This MUST be repeated up to ’Max.Init.Retransmits’ times.
After that, the endpoint MUST abort the initialization process and report the error to the SCTP user.
Local Peer
SCTP endpoint SCTP endpoint
INIT #1
Start T1-init timer
INIT #2
Start T1-init timer
...
INIT #Max.Init.Retransmits
Start T1-init timer
An endpoint shall keep a counter on the total number of consecutive retransmissions to its peer
(this includes retransmissions to all the destination transport addresses of the peer if it is multi-
homed), including unacknowledged HEARTBEAT chunks. If the value of this counter exceeds the
limit indicated in the protocol parameter 'Association.Max.Retrans', the endpoint shall consider the
peer endpoint unreachable and shall stop transmitting any more data to it (and thus the association
enters the CLOSED state).
The counter shall be reset each time a DATA chunk sent to that peer endpoint is acknowledged (by
the reception of a SACK) or a HEARTBEAT ACK is received from the peer endpoint.
Local Peer
SCTP endpoint SCTP endpoint
SACK
RTO X Data and/or Data ack.
DATA
T3-rtx timer expires X Error counter is incremented
HEARTBEAT
When its peer endpoint is multi-homed, an endpoint should keep an error counter for each of the
destination transport addresses of the peer endpoint.
Each time the T3-rtx timer expires on any address, or when a HEARTBEAT sent to an idle address is
not acknowledged within an RTO, the error counter of that destination address will be incremented.
When the value in the error counter exceeds the protocol parameter 'Path.Max.Retrans' of that
destination address, the endpoint should mark the destination transport address as inactive, and a
notification SHOULD be sent to the upper layer.
When an outstanding TSN is acknowledged or a HEARTBEAT sent to that address is acknowledged
with a HEARTBEAT ACK, the endpoint shall clear the error counter of the destination transport
address to which the DATA chunk was last sent (or HEARTBEAT was sent).
When the primary path is marked inactive (due to excessive retransmissions, for instance), the
sender MAY automatically transmit new packets to an alternate destination address if one exists and
is active. If more than one alternate address is active when the primary path is marked inactive,
only ONE transport address SHOULD be chosen and used as the new destination transport address.
Peer
eNodeB SCTP endpoint
SACK
RTO X Data and/or Data ack.
DATA
T3-rtx timer X Error counter is incremented
expires for primary path
HEARTBEAT to IP@1
An SCTP endpoint is considered multi-homed if there are more than one transport address that can
be used as a destination address to reach that endpoint.
Moreover, the Upper Layer Protocol of an endpoint shall select one of the multiple destination
addresses of a multi-homed peer endpoint as the primary path.
By default, an endpoint SHOULD always transmit to the primary path, unless the SCTP user explicitly
specifies the destination transport address (and possibly source transport address) to use.
The association Path MTU is the smallest Path MTU of all destination addresses.
When retransmitting data that timed out, if the endpoint is multihomed, it should consider each
source-destination address pair in its retransmission selection policy.
DATA Chunk
or
Heartbeat Chunk
sent to peer
primary path
DATA ack’ed ?
or
Heartbeat Ack received ?
NO YES
NO YES
3.5 DIAMETER
Diameter is an Authentication, Authorization and Accounting (AAA) protocol.
A complete description of the Diameter application is the beyond the scope of this document.
However a brief description of Diameter is presented in the following.
The Diameter base protocol is defined by IETF RFC 3588, and defines the minimum requirements for
an AAA protocol. Diameter Applications can extend the base protocol, by adding new commands
and/or attributes.
The Diameter protocol consists of a header followed by one or more Attribute-Value Pairs (AVPs).
An AVP includes a header and is used to encapsulate protocol-specific data (e.g. routing
information) as well as AAA information. A Diameter Application reuses the basic mechanisms
defined by the diameter base protocol and it defines additional commands and AVPs to support
specific procedures.
0-7 8 - 15 16 - 23 24 - 31 bits
Version Message Length
R P E T Command Code
Application ID
Hop-by-Hop ID
End-to-End ID
AVPs
...
R bit: The Request bit, if set, indicates the message is a request. Else the message is an answer.
P bit: The Proxiable bit, if set, indicates the message MAY be proxied, relayed or redirected. Else
the message MUST be locally processed.
E bit: The Error bit, if set, indicates the message contains a protocol error, and the message will not
conform to the ABNF described for this command. This bit MUST NOT be set in request messages.
T bit: The potentially re-Transmitted message bit, is set after a link failover procedure, to aid the
removal of duplicate requests. It is set when resending requests not yet acknowledged, as an
indication of a possible duplicate due to a link failure.
0-7 8 - 15 16 - 23 24 - 31 bits
AVP Code
V M P AVP Length
Vendor ID (optional)
Data
...
V bit: The Vendor-Specific bit, indicates whether the optional ‘Vendor ID’ field is present in the AVP
header. When set the AVP Code belongs to the specific vendor code address space.
M bit: The Mandatory bit, indicates whether support of the AVP is required. If an AVP with the M bit
set is received by a Diameter client, server, proxy, or translation agent and either the AVP or its
value is unrecognized, the message MUST be rejected. Diameter Relay and redirect agents MUST
NOT reject messages with unrecognized AVPs.
P bit: The Protected bit, indicates the need for encryption for end-to-end security.
The values of AVPs Code are defined as follows:
Local Peer
endpoint endpoint
Diameter messages
DWR
Diameter heartbeat
DWA
DPR
Diameter disconnect
DPA
Transport connection
disconnect
Application
end-to-end QoS
LTE network QoS
end-to-end QoS
(SAE bearer QoS) Control
eUTRAN QoS: and
- SAE RB QoS
- S1U/X2U QoS Management
An EPS bearer/E-RAB is the level of granularity for bearer level QoS control in the EPC/E-UTRAN.
One EPS bearer/E-RAB is established when the UE connects to a PDN, and that remains established
throughout the lifetime of the PDN connection to provide the UE with always-on IP connectivity to
that PDN. That bearer is referred to as the default bearer. Any additional EPS bearer/E-RAB that is
established to the same PDN is referred to as a dedicated bearer. The initial bearer level QoS
parameter values of the default bearer are assigned by the network, based on subscription data.
The decision to establish or modify a dedicated bearer can only be taken by the EPC, and the bearer
level QoS parameter values are always assigned by the EPC.
An EPS bearer/E-RAB is referred to as a GBR bearer if dedicated network resources related to a
Guaranteed Bit Rate (GBR) value that is associated with the EPS bearer/E-RAB are permanently
allocated (e.g. by an admission control function in the eNodeB) at bearer
establishment/modification. Otherwise, an EPS bearer/E-RAB is referred to as a Non-GBR bearer. A
dedicated bearer can either be a GBR or a Non-GBR bearer while a default bearer shall be a Non-
GBR bearer.
Each EPS bearer can have one or more Service Data Flow (SDFs). These SDFs share the same QoS
treatment and performance characteristics for that bearer
Each EPS bearer/E-RAB (GBR and Non-GBR) is associated with the following bearer level QoS
parameters:
• QoS Class Identifier (QCI): value used to index node-specific parameters that control bearer level
packet forwarding treatment (e.g. scheduling, admission control, queuing, link layer protocol
configuration (ARQ and HARQ), etc.).
• Allocation and Retention Priority (ARP): the primary purpose of ARP is to decide whether a
bearer establishment / modification request can be accepted or needs to be rejected in case of
resource limitations. In addition, the ARP can be used by the eNodeB to decide which bearer(s) to
drop during exceptional resource limitations (e.g. at handover).
Each GBR bearer is additionally associated with the following bearer level QoS parameter:
• Guaranteed Bit Rate (GBR): the bit rate that can be expected to be provided by a GBR bearer.
Each APN access, by a UE, is associated with the following QoS parameter:
Each UE is associated with the following bearer aggregate level QoS parameter:
• per UE Aggregate Maximum Bit Rate (UE-AMBR): the upper limit of the sum of the rates of all the
Non-GBR bearers for a UE.
The GBR denotes bit rate of traffic per bearer while UE-AMBR/APN-AMBR denote bit rate of traffic
per group of bearers. Each of those QoS parameters has an uplink and a downlink component.
The standardized QCI label characteristics describe the packet forwarding treatment through the
network based on the following parameters:
• Priority (= ARP)
Standardized QCI Characteristics from 3GPP TS 23.203 “Policy and Charging Control Architecture”
are described in table below:
Packet
Packet
Resource Delay
QCI Priority Error Loss Example Services
Type Budget
Rate
(Note 1)
1 2 100 ms 10-2 Conversational Voice
2 4 150 ms 10-3 Conversational Video (Live Streaming)
3 GBR 3 50 ms 10-3 Real Time Gaming
Non-Conversational Video (Buffered
4 5 300 ms 10-6
Streaming)
5 1 100 ms 10-6 IMS Signalling
Video (Buffered Streaming), TCP-based
6 6 300 ms 10-6 (e.g., www, e-mail, chat, ftp, p2p file
sharing, progressive video, etc.)
Non-GBR Voice,Video (Live Streaming),
7 7 100 ms 10-3
Interactive Gaming
8 8 300 ms 10-6 Video (Buffered Streaming)
TCP-based (e.g., www, e-mail, chat,
9 9 ftp, p2p file sharing, progressive video,
etc.)
NOTE 1: A delay of 20 ms for the delay between a PCEF and a radio base station should be
subtracted from a given PDB to derive the packet delay budget that applies to the radio
interface. This delay is the average between the case where the PCEF is located "close" to the
radio base station (roughly 10 ms) and the case where the PCEF is located "far" from the radio
base station, e.g. in case of roaming with home routed traffic (the one-way packet delay
between Europe and the US west coast is roughly 50 ms). The average takes into account that
roaming is a less typical scenario. It is expected that subtracting this average delay of 20 ms from
a given PDB will lead to desired end-to-end performance in most typical cases. Also, note that the
PDB defines an upper bound. Actual packet delays - in particular for GBR traffic - should typically
be lower than the PDB specified for a QCI as long as the UE has sufficient radio channel quality.
The goal of standardizing QCI characteristics is to ensure the same minimum level of QoS :
• In case of roaming
• An UL TFT (Traffic Flow Template or packet filter) in the UE binds an SDF to an EPS bearer in the
uplink direction. Multiple SDFs can be multiplexed onto the same EPS bearer by including multiple
uplink packet filters in the UL TFT.
• A DL TFT in the PDN GW binds an SDF to an EPS bearer in the downlink direction. Multiple SDFs
can be multiplexed onto the same EPS bearer by including multiple downlink packet filters in the DL
TFT.
• An E-RAB transports the packets of an EPS bearer between the UE and the EPC. When an E-RAB
exists, there is a one-to-one mapping between this E-RAB and an EPS bearer.
• A data radio bearer transports the packets of an EPS bearer between a UE and an eNodeB. When
a data radio bearer exists, there is a one-to-one mapping between this data radio bearer and the
EPS bearer/E-RAB.
• An S1 bearer transports the packets of an E-RAB between an eNodeB and a Serving GW.
• An S5/S8 bearer transports the packets of an EPS bearer between a Serving GW and a PDN GW.
• A UE stores a mapping between an uplink packet filter and a data radio bearer to create the
binding between an SDF and a data radio bearer in the uplink.
• A PDN GW stores a mapping between a downlink packet filter and an S5/S8a bearer to create the
binding between an SDF and an S5/S8a bearer in the downlink.
• An eNodeB stores a one-to-one mapping between a data radio bearer and an S1 bearer to create
the binding between a data radio bearer and an S1 bearer in both the uplink and downlink.
• A Serving GW stores a one-to-one mapping between an S1 bearer and an S5/S8a bearer to create
the binding between an S1 bearer and an S5/S8a bearer in both the uplink and downlink.
Application
Application/Service layer level
UL Service
Data Flows
DL Service
Data Flows
Service 1
UL packet (e.g. Internet-access) DL packet
filtering filtering
Service 2
(e.g. P2P file sharing)
UL packet DL packet Service
filtering filtering data flow
level
Default EPS bearer (e.g. for BE traffic)
Radio bearer S1 bearer S5 bearer
Transport network QoS controls apply to every network node in the end-to-end data flow path,
including LTE nodes, transport routers, switches, and access concentrators/aggregators to ensure
consistent end-to-end QoS behaviour. Key element to define the behaviour when there is a grow
of traffic or an evolution of the network is to determine the traffic modelling, traffic engineering
and monitoring information which guarantee to ensure proper QoS control, and an efficient usage
of the bandwidth .
The QOS parameter defined at the transport layers (Layer 2 and Layer 3) are the following:
• DiffServ dimensioning/control
Ensure proper node resource allocation/reservation for DSCP flow PHB performance guarantee
Remarking/dropping per DiffServ specifications
• IP QoS to L2 mapping
Ensure IP QoS support/interworking with transport schemes
Ethernet, IPoA (legacy) and PoS transport support
• Traffic management
Conventional traffic engineering to ensure efficient bandwidth usage and QoS
Traffic policing to enforce GBR, MBR and AMBR compliance
Traffic shaping to compensate GBR, MBR and AMBR variation/jitter
• MPLS
Prevailing backbone transport scheme
eNodeB to interwork with edge router
Largely operator independent, especially when provided by the third party
Most QoS mechanisms include some type of classification but only a small number of mechanisms
also include marking capability.
Classification:
Classification is the term used for identifying a Behavior Aggregate to which a packet belongs. A
Behavior Aggregate is a collection of flows requiring the same Quality of service.
Marking:
Marking is the term used for coloring packets by applying a class-identifying Value to one of the
following markers: IP precedence, DSCP, QoS group (value is local to a router), MPLS experimental
bits (can be used only in MPLS-enabled networks), ATM CLP bit (value can be used only within ATM
networks), Frame Relay DE bit (value can be used only within Frame Relay networks), IEEE 802.1q.
Traffic shaping:
The purpose of traffic shaping is to control the rate at which packets are sent out of an interface,
while preventing packet loss.
The key benefit of traffic shaping is that packet buffering, rather than packet drop, is used to
achieve rate control. This is a crucial difference when dealing with drop-sensitive applications.
There is also a potential downside to shaping, however, because shaping is accomplished through
buffering, which introduces delay. Delay-sensitive traffic should not be shaped, unless the potential
impact is fully understood and acceptable in the environment.
Traffic policing:
The purpose of the policer is to control the amount of bandwidth consumed by an individual
microflow, or an aggregate of flows. Policing should not be confused with traffic shaping. Although
traffic shaping limits flows to a specified rate, it buffers nonconforming traffic to ensure the flows
remain within the confines of the configured contract. Policing, on the other hand, does not buffer
nonconforming traffic. As a result, policing does not introduce additional jitter or delay, which
could impact the timely delivery and performance of real-time voice or video applications.
Queuing:
Queues are created at the interface where congestion is expected. Depending on the specific
feature or mechanism being used to provide QOS and the platform on which the QOS is being
configured, there could be only one or several queues.
Packets (or frames, or cells …) are then assigned to these queues, based on classification
characteristics such as DiffServ codepoint (DSCP) value. The classification of packets by
characteristics is typically user-defined, and packets are placed into queues by these predetermined
characteristics. Some examples of packet characteristics that are typically used in classification are
the values in the packet for IP precedence, DSCP, and Layer 2 class of service (CoS). It is also
common to use defined policies to match packets based on more complex criteria, such as port
numbers.
Based on queue filling and “Dropping Precedence” frames can be dropped to avoid congestion.
Inside the queues, different occupancy thresholds may be defined for such purpose.
Scheduling:
Determines order in which queues (and then packets) are served. Determining the scheduling of
packets is specific to every congestion management mechanism, but it can generally be said that
there will be a way to provide for the transmission of more packets out of some queues than some
others. That is, the system is able to give some packets better treatment than others, with regard
to the amount of bandwidth that those packets receive.
Example: Queue #3 is strict priority, Queue #2 is WRR 70% and Queue #1 is WRR 30% : Queues #1 and
#2 are only served if queue #3 is empty
Three different models exist for implementing quality of service (QOS) on a network.
• The best effort model designed for no-guarantee delivery pf packets and still predominant model
in Internet best effort means no QOS applied to packet
• The integrated service (IntServ) model was introduced to supplement the best effort delivery by
setting aside some bandwidth for applications that requires bandwidth and delay guarantees.
IntServ expects application to signal their requirements to the network. The signalling uses RSVP
protocol to reserve the network resources.
• The differentiated Service (DiffServ) model was added to provide greater scalability in providing
QOS to IP packets. The main difference between the IntServ and DiffServ models is that in DiffServ,
the network recognize packets (No signalling is needed) and provides the appropriate services to the
packets.
To support different traffic types, each node need to behave in the same manner for each traffic
type. Therefore, a set of behaviors is specified and are called per-hop behaviors (PHBs) . An
operator that wants to support a certain PHB must assign a DSCP value for the PHB and then
upgrade and configure all his nodes to support the PHB.
Diffserv defines the concept of a Differentiated Services domain. One operator’s network can be a
Diffserv domain, or he can divide his network into several non-overlapping domains. A domain is a
connected sub-network, such as the one depicted in figure below. The traffic inside the domain is
considered as trusted by its operator, while traffic entering the domain is not. The operator makes
sure that no external customer or operator can misuse the resources of the domain. This is achieved
by policing and shaping at the edge nodes. The edge nodes are routers with a connection to another
node outside the domain and will perform policing, shaping and marking on traffic entering the
domain. The non-edge nodes, which are called interior nodes, only perform packet scheduling based
on the marking done by the edge nodes.
DiffServ DiffServ
Edge Port Interior
Port
Assume that the left host in above figure is the sender and the right host is the receiver of a flow.
For this flow, the left edge node will become the ingress node where the flow data traffic enters
the domain. At that node, it is necessary to perform marking, policing and shaping. The right node
will be the egress node for the same flow and there it might only be necessary to perform remarking
and maybe shaping. What node is ingress and what is egress depends always on which flow is under
consideration. An edge node can act as both ingress and egress at the same time for different flows
and therefore must all edge nodes be able to perform marking, policing and shaping.
With DiffServ, traffic is divided into classes based on business requirements; each of the classes can
then be assigned a different level of service. As the packets traverse a network, each of the
network devices identifies the packet class and services the packet according to that class. The
identification of this class is based on a 6-bit bit-pattern (called the Differentiated Services Code
Point [DSCP]) in the IPv4 ToS Octet or the IPv6 Traffic Class Octet & is used as shown below:
With the introduction of the DSCP markings, there were significantly more possible markings for
packets (63 are the possible markings for packets). Because there were so many more possible
markings, the IETF decided to standardize what some of the codepoints meant. In part, this is to
provide backward compatibility to IP precedence and, in part, this is to facilitate certain types of
behaviors that were seen as fundamental to the DiffServ architecture.
Four different types of DiffServ PHBs have been standardized so far. IETF RFC 2474 which defined
DSCP, itself has defined two types of PHBs : the default PHB and Class Selector (CS) PHBs Later in
1990, IETF RFC 2597 defined Assured Forwarding (AF) PHBs for forwarding data traffic. Also in 1999,
IETF RFC 2598 defined Expedited Forwarding (EF) PHB for forwarding real-time traffic.
• The default Per-Hop Behavior: defined in IETF RFC 2474. The default PHB should offer the
traditional best effort (BE) service Packets that are not explicitly mapped to other behavior
aggregates or forwarding classes belong to default PHB. No explicit delay, jitter or loss
characterization is associated with PHB. However, the traffic belonging to the BE PHB should not be
left to starve.
• Class Selector behavior (CS): defined in IETF RFC 2474 to provide backward compatibility with
legacy nodes using IP precedence, The recommended DSC value for CS PHBs are XXX000.No explicit
delay, jitter, or loss characterization is associated with PHB, the higher a CS is numerically , the
better the service precedence its gets.
• Assured Forwarding ( AF) PHBs: IETF RFC 2597 defines four Classes of Assured Forwarding PHBs.
These Classes are suitable for carrying data application traffic with minimum assured bandwidth
guarantee.
Priority hierarchy is defined between classes. The traffic in the higher class (AF1 being the highest
class) is given priority. Each of the four Classes of AF PHBs supports three levels of drop
probabilities. Under congestion, the higher the drop probability of a packet, the higher the chances
that the packet will be dropped. No delay, Jitter, or loss characterization is associated with the
PHBs.
The four classes of AF, with their three levels of drop probabilities and resulting 12 PHBs are
summarized in the following table:
Drop Probability
Classes Low (1):010 Medium (2):100 High (3):110
AF1: 001 AF11: 001 010 AF12: 001 100 AF13: 001 110
AF2: 010 AF21: 010 010 AF22: 010 100 AF23: 010 110
AF3: 011 AF31: 011 010 AF32: 011 100 AF33: 011 110
AF4: 100 AF41: 100 010 AF42: 100 100 AF43: 100 110
• Expedited Forwarding PHB (EF): IETF RFC 3246, supplemented by IETF RFC 3247 , replaced IETF
RFC 2598 in defining Expedited Forwarding characteristics. EF PHB is suitable for carrying
application traffic that requires low-loss, low-latency, and low jitter network service. EF PHB is
suitable for carrying time and loss sensitive application traffic at certain configured rate and the
node should service the packet belonging to EF PHB at a rate higher then their arrival rate and
irrespective of the offered load of non-EF traffic at the servicing point. Packet belonging to a flow
going for EF PHB class should not be reordered , such that traffic has strict servicing priority over
any other traffic, for this reason queues belonging to EF can be maintained at an empty or nearly
empty state and thereby queuing latency can be minimized which helps minimizing jitter, latency ,
and packet loss.
DSCP value 101110 is recommended for EF PHB
Basic
IEEE802.3
MAC frame IPG
2 Bytes 0x8100
Preamble
CFI
IEEE does not define how to handle Frames with certain 802.1q markings; however, it makes some
broad recommendations on providing the QOS using the field. A 802.1q compliant switch should be
able to segregate frames, based on their 802.1q marking, into different classes of service.
- IP header compression
Layer 2:
• Security of the traffic: Security of the user traffic by offering confidentiality, authentication and
integrity of the user data at the transport level. To address this problem, protocols as AAA
(Authentication, Authorization and Accounting), IPSec and MPLS are used to offer all the mature
mechanisms and process to guaranty this request.
This section of the document will describe the high level basics of Internet Protocol Security
(IPSec). We will describe all the supported options of IPsec even though some optional functionality
is not supported in the eNodeB.
IP communications between two entities are inherently insecure. IP traffic on the public network
can be captured, examined, and altered. Therefore security is the utmost concern when
transferring data over a public network.
The Internet Engineering Task Force (IETF) community had formed the IPsec (IP Security) forum to
develop a methodology to address IP security. IPsec is a protocol suite for securing Internet Protocol
(IP) communications by authenticating and encrypting each IP packet of a communication session
for either IPv4 or IPv6. IPsec also includes protocols for establishing mutual authentication between
agents at the beginning of the session and negotiation of cryptographic keys to be used during the
session.
Security Definitions:
Packet Integrity - is a guarantee that the message that is received is the exact one that was sent,
and that no tampering has occurred.
Data origin Authentication - is a guarantee that the message actually was sent by the apparent
originator of the message and not by another user masquerading as the supposed message
originator.
Replay protection (optional) - is the assurance that the same message is not delivered multiple
times and that messages are not delivered grossly out of order. This capability must be
implemented by the sender; the receiver may optionally enable its use.
Confidentiality - is a guarantee that, even if the message is read by an observer, the contents are
not understandable except to the authorized recipient.
Traffic analysis protection (Tunnel Mode only) - is an assurance that an eavesdropper cannot
determine who is communicating with whom or the frequency and volume of communications
between specific entities.
IPsec Definitions:
Security Association (SA) - Before two communicating entities can exchange secure communications,
they need to agree on the nature of the security to be applied to those communications: which
security headers (AH, ESP, or both) will be applied, the cryptographic algorithms to be used, the
secret keys, and so forth. A security association (SA) consists of all the information needed to
characterize and exchange protected communications.
Security Association DataBase (SADB or SAD) - An list of SAs and their associated information which
can indexed traffic selector rules.
Security Policy Database (SPD) - A security policy is a rule that is programmed into the IPSec
implementation that tells it how to process different datagrams received by the device. For
example, security policies are used to decide if a particular packet needs to be processed by IPSec
or not; those that do not bypass AH and ESP entirely. If security is required, the security policy
provides general guidelines for how it should be provided, and if necessary, links to more specific
detail.
It is important to discuss the various IPSec and cryptographic modes that will be described in the
IPsec Walk Through section of this document. The IPsec and cryptographic modes are value entries
in each SA with the SADB. Transport mode is mainly used for host-to-host configurations. However,
when a security gateway is used to provide protection for multiple hosts on a network, Tunnel Mode
is used. Cryptographic modes AH and ESP security protocols can operate in either transport or
tunnel mode.
In transport mode, only the payload (the data you transfer) of the IP packet is encrypted and/or
authenticated. The routing is intact, since the IP header is neither modified nor encrypted
In tunnel mode, the entire IP packet is encrypted and/or authenticated. It is then encapsulated into
a new IP packet with a new IP header. The original IP packet source and destination address will be
referred to as the Inner Tunnel Address. The new IP headers source and destination IP addresses will
be referred to as the Outer Tunnel Address.
Transport mode will reformat the orig
original
inal IP packet by inserting an IPsec header to form a new IPsec
packet for transmission. The Ipsec header is inserted between the IP header and the payload. The
original header remains unaltered. Tunnel mode will reformat the original IP packet by insertin
inserting a
new IP header and an Ipsec header in front of the original IP packet. The Ipsec header is either the
AH or ESP format.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Since both the AH and ESP method both contain a valid IP header, the encrypted packet can be
routed through an IP network transparently.
IPsec is a peer-to-peer
peer security scheme operating in the Internet layer of the Internet Protocol
Suite. It can be used in protecting data flows between a pair of hosts (host
(host-to-host),
host), between a pair
of security gateways (network-to-network),
network), or between a security gat
gateway
eway and a host (network-to-
(network
host). IPsec protects any application traffic across an IP network. Figure 25 depicts the different
network configurations and the point where traffic is secure.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Before we actually discuss the details of the IPsec implementation, we should describe a high level
view of the components of transmitting and receiving secure communications. When we start the
discussion of the IPsec components, it will allow the reader to determine which part of the
communications path we are describing. We will use the host
host-to-gateway
gateway configuration as the
example network, since this is the network configuration specified for LTE deployments.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Figure 26 is an example of the host transmitting a packet to the SEG. Before secure communications
can be established, the Security Association Database (SADB) must be populated with the Security
Association (SA) entries. A SADB contains SA’s for each secure communications tunnel. SA is simply a
contract between two entities to provide a minimum set of services. SAs are unidirectional (as in
phase2). We shall need two phase2 SAs to complete one communication path. One SA is required on
each of the IPsec termination points. Each SA contains the negotiated attributes associated with the
secure tunnel that is uniquely liked to the IPsec peer. The SA contains information on Security
Policy Index (SPI), its state (alive or expired), authentication algorithm, sequence number and SA
life time.
Stage 0 represents the initialization of the (SADB) prior to secure communications transmission.
Stage 1 represented by the green circle with the value of 1 indicates the actual transmission of the
original packet. The packet is examined to determine if there is a matching Security SA in the SADB.
Stage 2 represents the packets after the SADB lookup. The yellow box with label 2 represents the
original transmitted packet because the SADB had failed to locate a SA that matches the packet
criteria. The blue box with label 3 represents a reformatted secure IPsec packet since a valid SA had
been located that matches the transmitted packet. At the end of Stage 2, the packet is examined
and a routing table lookup is performed to determine the next hop, in this example the SEG.
Stage 7 the secure packet SA was found in the receiving SADB, decrypted and forwarded to the
upper layer stack.
Stage 8 is an example where the secure packet had failed a lookup at the SADB and the packet is
dropped. Each step of transmission of secure packets will be discussed in further detail.
IPsec consists of several protocols to administer the secure tunnel and perform the encryption of
user traffic. IPsec suite of protocols contains three main protocols, Internet Key Exchange (IKE),
Authentication Header (AH), and Encapsulating Security Payload (ESP). The administrative portion
of IPsec is either performed manually or dynamically. The dynamic method of tunnel negotiation is
performed by the IKE protocol. There are two flavors of IKE (IKEv1 and IKEv2) that may be
supported on a SEG. In case of the eNodeB, IKEv2 is the only supported IKE mechanism. For the
remainder of the IPsec discussion, we will only refer to IKEv2.
IKE is the protocol used to set up a SA in the IPsec protocol suite. IKE builds upon the Internet
Security Association and Key Management Protocol (ISAKMP) and uses a Diffie-Hellman Key exchange
to set up a shared session secret, from which crytographic keys are derived. Public key techniques,
certificates, alternatively, a pre-shared key, are used to mutually authenticate the communicating
parties. IKE is a two phase approach, Phase 1 establishes an ISAKMP SA, which is a secure channel
through which the IPsec SA negotiation can take place. Phase 2 establishes the actual IPsec SA or,
more precisely, a pair of one-way IPsec SAs: an inbound SA and an outbound SA. The ISAKMP SA
should not be confused with the IPsec SA. The ISAKMP SA is meant to secure (encrypt) the remaining
phase 1 and phase 2 negotiations.
IKEv2 Phase 1
ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security
Associations. SAs contain all the information required for execution of various network security
services, such as the IP layer services (such as header authentication and payload encapsulation),
transport or application layer services, or self-protection of negotiation traffic. ISAKMP defines
payloads for exchanging key generation and authentication data. These formats provide a consistent
framework for transferring key and authentication data which is independent of the key generation
technique, encryption algorithm and authentication mechanism.
IKEv2 phase 1 has a four message exchange as depicted in the following figure.
Message 1:
IK The initiator sends the IKE Header with
E HDR, SA1,KE,N
possible supported SAs (Crytographic
_ algorithms), KE – Diffe-Hellman Value, and
S HDR, SA1, KE, N, nonce value.
A [CERTREQ] Message 2:
_I The responder sends the IKE Header with
N the SA selected from one of the possible SAs
Responder
IT
Initiator
HDR,IDi,[CERT],[CE provided by the Initiator from message 1.
RTREQ], [IDr], Included as well is the responders KE –
AUTH, SA, TSi, TSr Diffe-Hellman Value, nonce and optionally
IK the Certificate Request.
E Dashed Line:
_ At this stage of the negotiation, the two
HDR,IDi,[CERT],
A participants have exchange Diffe-Hellman
AUTH, SA, TSi, TSr
u Values and they can derive shared secret
t keys. From this point on, all information
h after the IKE Header will be encrypted and
provides Integrity Protection.
Auth Authentication Message 3:
CERT Certificate The Initiator sends the IKE Header,
CERTREQ Certificate Request Identification, Certificate response if there
HDR IKE Header was a request in message 2, optional
IDi Identification - Initiator certificate request, optional ID of
IDr Identification – Responder responder, Authentication – could contain
KE Key Exchange the pre-shared keys or digital certificate
N Nonce verification. SA and traffic selectors for
SA Security Association traffic flow.
TS Traffic Selector Message 4:
The responder sends the IKE Header with an
ID, Certificate response if a certificate
request was present in message 3.
Authentication – could contain the pre-
shared keys or digital certificate
verification. SA and traffic selectors for
traffic flow. Peer Authentication has been
validated after this stage
After the second message, the IKE encryption key is calculated and used to encrypt the remaining
message transfers between the initiator and responder. The Key calculation is dependant on the
negotiated method of authentication. The following examples show the pre-shared key and digital
certificate method. In either case an IKE encryption key, IKE authentication key and IKE derivation
key are produced.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The IKE Encryption Key, Authentication and Derivation key are valid for all future communications,
unless otherwise renegotiated in the Phase 2 stage.
IKEv2 Phase 2
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Dashed Line:
All traffic remains encrypted as a result
of the phase 1 negotiation.
Message 5:
The Initiator sends the IKE Header, SA
C HDR, SA, N, [KE], offers, a new nonce value different
r [3GPP TS i, TS] from the phase 1 transmission, optional
e KE if you want to create a new
a calculated key, and optional Traffic
Responder
t
Initiator
selection offers.
e HDR, SA, N, [KE], Message 6:
_ [3GPP TS i, TSr] The responder sends the IKE Header
c with a selected SA from message 5, a
hi new nonce value different from the
ld phase 1 transmission, optional KE if you
_ want to create a new calculated key,
S and optional traffic selector chosen
A from the offers provided in message 5.
As part of the phase 2 negotiation, new Diffie-Hellman keys and nonce values different from phase 1
could be exchanged to allow additional security (Perfect Forwarding Secrecy, PFS). The Phase 1
ISAKMP encryption key calculation was performed on values that were passed between the peers in
a non encrypted channel. If an entity were to observe the initial (message 1 & 2) communications,
theoretically the entity could possibly derive the keys (encryption, authentication). Therefore a
second key calculation is allowed in the phase 2 negotiations with new key and nonce values
provided by the peers. The phase 2 key and nonce values (message 5 and 6) are encrypted with the
phase 1 ISAKMP encryption key. The new keys are calculated the same method as described for the
phase 1 ISAKMP keys in Figure 28 and Figure 29. The new keys are referred to as the IPsec Derived,
IPsec authentication, and IPsec Encryption key. All communications after the phase 2 negotiations
will be encrypted with the IPsec encyption key.
IKE negotiation is completed at the end of the Phase 2 negotiation. The Agreed upon SA for each
direction will be entered into the Initiator’s and responder’s local SA database. The agreed upon
traffic selectors will be entered into the Initiator’s and responder’s local security policy database.
• A pseudo-random
random function (PRF) to hash certain values during the key exchange.
The SPD rules stage is analogous to an IP firewall filter rules lookup. The SPD filter can examine:
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
• Protocol Type
Depending on the rules validation the transmitted packet can have several possibilities. The packet
can be dropped, transmitted without IPsec encryption or IPsec encryption is enforced. If the IPsec
encryption is required, an SADB lookup is performed to retrieve the corresponding SA. With the
information retrieved from the SPD and SA, the packet encryption can be achieved.
The yellow packet (2) represents a packet that is forwarded without encryption. The Blue packet (3)
represents a packet that matched a rule in the SAPD and a corresponding SA was found. The packet
will be encrypted based on the parameters for that specific SA.
Based on the cryptographic modes that were negotiated in the ISAKMP (stage 0) phase, each packet
will be encrypted with the modes described in the IPsec Components section of this document. The
packet will transmitted in either AH or ESP encryption method in either Tunnel or Transport mode.
This is a generic step where the route table lookup to send the packet to the proper interface. The
receiving IPsec termination will inspect the packet to determine if the packet is IPsec encrypted.
Stage 5 represents a NON IPsec protected packet and sent to the internal IP stack for proper
decoding. Stage 6 represents an IPsec protected packet, that requires a SADB/SPD validation. The
IPsec decryption will be performed if a valid SADB/SPD pair has been found and the decryption will
be performed based on entries of the match SA/SP parameters.
Stage 7 represents a packet that successfully validated an SADB entry and corresponding SP in the
SPD. The packet was decrypted and sent to the IP stack for further processing. Stage 8 represents a
packet that failed to find a SA entry in the SADB for a SP in the SPD. In either case the packet is
discarded.
The Security Gateway (SEG) is the central hub of communications between the eNodeB and other
LTE components (i.e. eNodeB, MME, SGW and HSGW). The Network diagram from the eNodeB
section
n of this document has been reproduced for the reader’s convenience.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The diagram depicts the logical functionality of the SEG within the network. The physical SEG
component can be the same router that would normally aggregate traffic from the eNodeB’s, given
the router supports IPsec functionality. Most larger core routers that aggregate traffic should
support IPsec tunnels. The SEG will usually contain a robust IPsec feature set to allow compatibility
with a wide variety of vendors IPsec implementation.
This section describes the general IPsec attributes that the SEG should contain. This is in no
reference to any particular router platform.
Description Specification
IPsec • IPsec (IETF RFC 2401-2409)
• Encapsulating Security Payload (ESP) (IETF RFC 2406)
• Authentication Header (AH) (IETF RFC 2402)
IKE • IKEv1 (IETF RFC 2409)
• IKEv2 (IETF RFC 4306)
Mode • Tunnel
• Transport
Encryption • DES (IETF RFC 2405)
• 3DES
• AES 128 bits and 256 bits
Authentication • Preshared Secret Keys
• X.509 Digital Certificates
• Diffie-Hellman group 1,2,5 and 14
• Radius (IETF RFC 2138)
Integrity Hashed Message Authentication Code with MD5 (HMAC-MD5) and
with Secure Hash Algorithm-1 (HMAC-SHA-1) (IETF RFC 2403 and
2404)
Key Management • Internet Key Exchange (IKE: IETF RFC 2407-2409)
• IKE-XAuth
• IKE-CFG-MODE
Resiliency and High • IPsec Failover
Availability • Dead Peer Detection (DPD)
• Dynamic routing across IPsec
IP Version • IPv4 Support
• IPv6 Support
The Red High lighted values are the minimal required attributes to interoperate with the eNodeB
IPsec implementation.
The 7750 SR IPsec functionality is implemented in the MS-ISA module. The MS-ISA module is a hot
swappable component that can be inserted into an Input/Ouput Module-2 (IOM-2) or higher. Multiple
MS-ISA modules used in a redundant scheme can provide failure protection within an ALU 7750
chassis. Multiple MS-ISA modules on separate 7750 chassis can provide redundant IPsec failover
across chassis.
Please refer to the ALU 7750 product documentation for further information.
https://support.alcatel-lucent.com/portal/productContent.do?productId=null&entryId=1-
0000000002238
The MS-ISA will require compatible Hardware and Software components. The 7750 Hardware and
Software requirements are listed below.
Description Specification
Input / Output Module Minimum IOM-2 Hardware or higher
Supported Chassis 7750 SR-7 or 7750 SR-12
Operating System Minimum of Release 8.0R5 (includes IKEv2)
MS-ISA
Encryption DES, 3DES, AES-128, AES-192and AES-256
Authentication HMAC-MD5, HMAC-SHA1
Key Distribution IKE shared secret with PFS support
Encapsulation Encapsulating Security Payload (ESP)
Mode Tunnel
Key Generation Diffe-Hellman
Authentication Method PreShared Keys
Resiliency and High • IPsec Failover (Hard Failover only)
Availability • Dead Peer Detection (DPD)
• Dynamic Routing
• BFD (Bidirection forwarding detection)
IP Version • IPv4 Supported
If you have a pre-existing IPsec-ISA module reference (3HE03080AA ISA – 7750 SR IPSec – ISA) this
will now be replaced with a consolidated hardware component (MS-ISA) ISA − 7X50 MULTISERVICE ISA
(3HE04922AA IPU3AL8EAA).
The Fortinet Security Gateway is a third party equipment to fill the gap that the ALU 7750 SR
security gateway can not provide. The ALU 7750 limitations are specified in section 6.10.1.8
Engineering Notes. Specifically the Fortinet will handle the customer configuration that requires
IPsec on IPv6. The Fortinet specifications are provided below.
Description Specification
Input / Output Module FortIOS 4.2+
Supported Chassis 310B or Higher
Operating System Minimum of Release 4.2 (includes IKEv2)
The network architecture to support the Fortinet deployment is specified by the following diagram.
The Fortinet Security Gateway is used in conjunction with Layer 3/Layer 2 router/switch. This
device will depend on the network design. All traffic from the eNodeB will be sent through the
L3/L2 device towards the Fortinet gateway for IPsec termination. The Fortinet will send all
decrypted traffic back to the L3/L2 device to be forwarded to the final destination. On the
downlink path, all traffic from the EPC network will be forwarded from the L3/L2 device to the
Fortinet. The Fortinet with the IPsec Tunnels with configured policies will examine each packet to
determine the proper treatment of the packet. Based on the IPsec policies, the Fortinet may or may
not encrypt traffic and send the packets to the L3/L2 device to be forwarded to the eNodeBs.
Figure 38
38: Fortinet Reference Architecture
The Fortinet must be configured for logical Virtual Domains (VDOM). This is required configuration
to support asymmetric traffic flow. The Fortinet is a stateful firewall and requir
requires
es that the traffic
flow must be linked to an interface. Therefore multiple VDOMs are configured to allow this
configuration. The diagram below shows the virtual functional representati
representation.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Each Virtual Domain is a logical router. For traffic to flow properly between the VDOMs, IP routes
must be configured to point traffic in either direction. Each VDOM will have logical interfaces (IP
configuration) for proper routing.
Item Definition
In cryptography, certificates are digital documents attesting the binding of
Certificate
a public key to an individual or other entity. They allow verification of the
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
claim that a specific public key does in fact belong to a specific individual.
In their simplest form, certificates contain a public key and a name. As
commonly used, a certificate also contains an expiration date, the name of
the certifying authority that issued the certificate, a serial number, and
perhaps other information. Most importantly, it contains the digital
signature of the certificate issuer. The most widely accepted format for
certificates is defined by the ITU-T X.509 international standard
http://en.wikipedia.org/wiki/Certificate
In cryptography, X.509 is an ITU-T standard for a public key infrastructure
(PKI). X.509 specifies, amongst other things, standard formats for public
X.509 key certificates, certificate revocation lists, attribute certificates, and a
certification path validation algorithm.
http://en.wikipedia.org/wiki/X509
A digital signature is a mathematical scheme for demonstrating the
authenticity of a digital message or document. A valid digital signature
gives a recipient reason to believe that a known sender created the
Digital signature
message, and that it was not altered in transit.
http://en.wikipedia.org/wiki/Digital_signature
In release 3.0 the eNodeB only supported pre-shared keys method of authentication in the IPsec IKE
handshake. The pre-shared key method required the operator to manually load a known key into the
eNodeB and a corresponding key into the SEG, thus allowing the eNodeB and the SEG to mutually
authenticate each other when performing the IKE negotiation. Starting in Release 5.0 the eNodeB
will now be capable to support Certificate authentication in the IPsec IKE transaction. Digital
certificates method of authentication will allow the ease of deployment of IPsec trusted entities.
There will be two digital certificates exchanged in the IPsec IKE exchange. The eNodeB will send the
eNodeB certificate to the Security Gateway and in turn the SEG will send the SEG digital certificate
to the eNodeB. The digital Certificates are X.509v3 formatted embedded in the IKE transaction. In
order for the eNodeB and the SEG to transmit the digital certificates, the eNodeB will automatically
acquire their certificates from the CMS server. The main discussion for this section of the document
will only be concerned with the eNodeB acquiring and validating digital certificates. The SEG and
other supporting entities can acquire certificates via automatic or manual methods.
The eNodeB acquires its digital certificates via the CMPv2 protocol from the Certificate Management
System (CMS). The End to End CMS system will consist of several components, one being the
eNodeB, the Security Gateway (SEG), and CMS server. In order to support this feature, a CMS server
must be accessible by the eNodeB to acquire the certificates. The SEG will have an option to
acquire certificates from the CMS server or other means. The ALU implementation of the certificate
authentication requires the eNodeB and SEG to both support Certificate based authentication or Pre
shared key method.
It is recommended that the eNodeB and the Security Gateway either both support Certificated
based authentication or Pre-shared Keys. The eNodeB shouldn’t support an authentication method
different from the SEG.
The following diagram is an example of network components required to support the CMS
architecture.
The distributions of the trusted certificates are based on the ownership and trust model between
the Trust Anchor (the Certificate Authority (CA)) and the end entity (eNodeB or SEG). The ALU CMS
model architecture will support thr
hree different operator scenarios.
The following CMS models were referred in RFC 5217.
• Hierarchical CMS without operator CA: Model 1 - Hierarchical CMS with a common Root CMS.
Model 1 represents a vendor that owns the CMS structure
structure and does not have a dedicated CA
server. The CMS system will also act as the CA (Certificate Authority). The CA is able to
issue, distribute and revoke digital certificates X.509.The CMS server is owned and operated
by the same entity that owns the eNodeB and SEG. The eNB and SEG trusted anchor is the
ROOT CMS.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
• Hierarchical CMS with operator CA: Model 2 - The Wireless Service Provider owns an
operator CA. The eNB and the SEG trusted anchor
anchor is the operator CA. The value added is
that the CMS infrastructure allows automation of the eNB certificate management of the
operator CA certificates.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
• Direct Cross-Certification
Certification Model with Operator CA: Model 3 - The eNB and the SEG are
owned by different authorities and they trust different anchors. The operator of the SEG
owns an operator CA. The eNB trust the ROOT CMS and the SEG trust the operator CA. The
value added is that the operator can bridge the communication between the operators CA
and automate the management of the eNB certificates. In this model the Operator CA and
the Root CMS have a mutual agreed trust. Thus the end entities have to only validate the
certificates to their respective
pective trust anchor.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
In Model 1 and model 2, there is only 1 trusted anchor. In this case the trusted anchor produces a
self signed certificate. A self signed certificate is a certificate whe
where
re the issuer and subject in the
X.509 certificate are the same entity. Since model 3 has two trusted anchors, each trusted anchor
will have certificate associated with the other trusted anchor.
All three scenarios have a common theme where the eNodeB and and SEG have a trusted anchor. The
eNodeB and SEG may have the same or different trusted anchors. The authentication mechanism is
valid if the End entity (eNB) can authenticate the received certificates to the trusted Anchor. Each
received certificate will contain
ontain the Issuer and Subject information. The eNB is responsible to verify
all the certificates and validate the path to the Trusted Anchor. Once the path to the trusted
Anchor has been verified, then the End entity has the proper credentials to participate
participate in the IPsec
IKE authentication handshake.
In model 3, the eNodeB must validate all the certificates to its trust anchor (Root CMS). The eNodeB
will start with the certificate that has itself as the subject within the certificate and identify the
issuer.
er. If the issuer of the certificate is not the trust anchor, the eNodeB will continue with the
validation process. The eNodeB will now use the Issuer (sub CMS) and use the certificate with the
sub CMS as the subject and check that certificate’s issuer. ThisThis process continues until the trusted
anchor is found in the Issuer field in a valid certificate. If this can not be accomplished, the path
validation fails and the IKE negotiation will terminate.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The CMS architecture will support at most a 3 level hierarchy. The will be at most 2 Sub CMS CA
between the CA and the eNB.
Model 3 is best suited to support the shared eUTRAN MOCN IPsec model. In the shared eUTRAN
model, each operator has the capability to have a separate trust anchor within the same eNodeB.
The architecture allows the flexibility for each operator to maintain their own CA. With each
operator with separate CAs, each operator is secure from other operators. The operator’s
certificates are secure from the master operator as well. The separation of certificates is more
secure than the pre shared key method. The pre-shared key method required the leasing operator
to provide the per-shared key to the master operator since the master operator is the only entity
that can manually insert the keys.
The following diagram depicts the network configuration required to support CMS certificates in the
MOCN eUTRAN configuration. All CMS communications are via the OAM link which is controlled by
the Master Operator. For Non Master Operators that use CMS certificates, the Non Master operator
CMS server will communicate with the eNB via the SEG A (owned by the Master Operator).
All CMS communications are via the OAM link which is controlled by the Master Operator. For Non
Master Operators that use CMS certificates, the Non Master operator CMS server will communicate
with the eNB via the SEG A (owned by the Master Operator).
Each operator can independently have Certificate or PSK selected as the authentication method if
IPsec is enabled for that operator.
For the master Operator, The OAM tunnel and Telecom tunnel will have the same authentication
method.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
IPsec tunnels are important in securing communications between two peers. It is also important that
the peers authenticate each other prior to negotiating and configuring the IPsec tunnels. This allows
the IPsec peers to identify and validate the peer they are communicating with is the proper and
valid identity.
The IKE Authentication handshake allows the IPsec peers to transmit the certificates to their
corresponding peers. The certificate allows the peers to authenticate each other by identifying the
trust anchors. The eNodeB will validate the SEG’s transmitted certificates to the trusted anchor. If
the path validation is successful, the ENB now has a valid path from itself to the trust anchor and
from the trust anchor to the SEG. The SEG will in turn perform the same path validation with the
certificates it receives from the eNodeB. After authentication, the IKE process completes and the
peers continue with the IPsec negotiation and configuration.
The Steps required distributing and validating the certificates and IPsec .
1) The CMS components (CMS server, Sub CMS entity, and SEG) will have to create/acquire the
certificates to distribute to end entities. This can be performed dynamically or manually.
The Root CA certificate self certificate and sub CMS certificate are created once when
initializing the CMS system.
2) The eNodeB is configured to use certificates.
3) The End entities (eNodeB and SEG) will have to acquire their certificates prior to IPsec IKE
negotiations. Certificates received by the end entity from the CMS devices are validated to
confirm validity.
4) During IKE negotiations, the eNodeB and SEG send their certificates to each other for
validation. If certificate validation is successful and there are no revocation list criteria
met, then the IPsec negotiation can continue.
5) The eNB and the SEG will setup the IPsec tunnel.
The CMS architecture supports two methods of deploying eNB into the field. The first method that
will be support is the operator provided Certificates via the CMS server on the ePC network. The
second method is the Plug-N-Play method. The Plug-N-Play method will have the appropriate
certificates loaded in the eNB in the factory to allow the eNB to setup an initial OA&M IPsec tunnel
to the SGW. This allows the eNB to be configured remotely with the final parameters for proper
operation.
Model 1, which represents a hierarchical CMS without operator CA will provide a good example for a
walk through (Figure 41: CMS Architecture Model 1). In this example the trusted Anchor is the Root
CMS. The Root CMS is also the operating in a CA capacity. In order to populate the End Entity
(eNodeB) with the certificates, the system has to be properly configured. The Root CMS and Sub
CMS must have valid certificates to send to the eNodeB. Therefore the Root CMS & Sub CMS must
initialize and configured before the eNodeB request certificates.
Since this system is a single CA system, the Root CMS (CA) will generate a RSA key pair. Generate a
self signed certificate. The self signed certificate is required for path validation by the eNodeB. The
Sub CMS will generate its RSA key pair and send a Certificate request (PKCS #10 or RFC 2986) to the
Root CMS. The Root CMS will generate the SUB CMS certificate and sign the certificate. The Root
CMS will send the Certificate response (PKCS #7 or RFC 2315) to the requesting SUB CMS. This
procedure is required since the eNodeB will require these certificates to perform the trusted anchor
path validation. This exchange of certificates can be performed in a manual or automatic
procedure.
The eNodeB will now be able to acquire its certificate. The example below represent an eNodeB
that does not have a preloaded factory certificate and has been enabled to perform certificate
based IKE negotiations. Configuration aspects will be discussed in the eNode CMS portion of the
document. At this point the SUB CMS will have two certificates, the Root CMS self signed certificate
and the Sub CMS certificate signed by the Root CMS. At this point the Sub CMS is capable of
supporting eNodeB certificate requests.
The eNodeB will be configured to support digital certificates. At this time the eNodeB will have the
CMS parameters configured, including the pre-shared key. This is the CMS pre-shared key and NOT
the IPsec pre-shared key. The CMS pre-shared key is used to protect the eNodeB and SUB CMS
certificate communications. The eNodeB will reboot and generate the RSA key pair and eNodeB ID.
The eNodeB will send a CMPv2 (RFC 4210) Initialization request to the Sub CMS with the appropriate
keys, eNB ID with Proof of Possession.
An important message in RFC 4210 is the Initialization Request. This message contains all the
information that the eNB send to CMS to create the X.509 certificate. RFC 4210 defines the
requirements and procedures, but does not specify the certificate request message format, fields
and options. RFC 4211 defines in detail the certificate request message format (CRMF) and the
options supported for several different ways to perform certification requests. One of the options is
Proof of Possession (POP). POP refers to the action of the end entity (eNB) to provide adequate
information to CMS so that CMS can validate that the eNB possesses the private key pair of the
public key to be issued in the CMS certificate.
The CMPv2 initialization message is protected by the pre-shared key. SUB CMS validates the eNB
CMPv2 init message. If the message passes validation and no CRL restrictions, then the SUB CMS will
generate an eNB certificate signed by the SUB CMS. The SUB CMS will send a CMPv2 init response
message to the eNB with three certificates to the eNB (eNB Cert signed by the SUB CMS, Root CMS
cert signed by the Root CMS, and the SUB CMS cert signed by the Root CMS. The eNB will now
perform a path validation on the certificates to determine if the trusted CA can be reached. If the
validation is confirmed, the eNB and SUB CMS will send their corresponding confirmation messages
to terminate the certificate distribution.
The CMPv2 (RFC 4210) messages are sent via the eNB OAM IP address. CMPv2 will be carried over
HTTP/TCP/IP/Ethernet/Physical connection.
CMPv2
HTTP
TCP
IP
Ethernet
PHY
The CMPv2 messages are ASN.1 encoded and sent as the body of the HTTP messages.
The following are the supported CMPv2 messages associate to the HTTP Post messages:
Initialization Request
Certificate Request
Key Update Request
Certificate Confirm
The following are the supported CMPv2 messages associate to the HTTP OK messages:
Initialization Response
Certificate Response
Key Update Response
Certificate
Error Message
The CMPv2 message consists of the header, body, protection (optional), Extra Certs (optional). The
specifications were derived from the ETSI TS 133 310 V9.4.0 standard.
The CMPv2 IP or CP message will contain X.509v3 Certificates from the SUB CMS to the eNodeB. An
example of the X.509v3 parameters are presented below.
[The person, or entity identified. For the example of the eNodeB certificate
the issuer in this example is the eNodeB.]
subjectPublicKeyInfo SubjectPublicKeyInfo,
[The public key that was provided by the eNB for the certificate generation.]
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3
[This field is used to carry the public key and identify the algorithm with
which the key is used.]
}
The eNodeB performs path validation on the received certificates that were sent from the SUB CMS
to the eNodeB as part of the certificate initialization response. The path validation is performed
prior to eNodeB sending the CMPv2 Certificate Confirmation.
The validation process will examine the Issuer and Subject fields of a certificate to determine if the
Issuer is the trusted CA. If the Issuer field in the certificate is not the trusted CA, the eNodeB will
take the certificate in the chain to validate. The next certificate in the chain is the certificate that
has the Subject field that is equivalent value of the current certificates Issuer Field. In essence, you
will be taking the certificate of the issuer of the current certificate. This process is repeated until
the Trusted CA certificate is reached. If the validation process is unable to reach the trusted
anchor, the validation fails and the certificates are invalid.
SEG
CMS CA model eNB Certification Path Certification
Path
Model-1 Hierarchical model without eNB SUB CMS ROOT CMS SEG ROOT
Operator CA CMS
Model-2 Hierarchical model with eNB SUB CMS ROOT CMS SEG
Operator CA Operator CA Operator CA
Model-3 Direct Cross-Certification eNB SUB CMS ROOT CMS SEG
with Operator CA Operator CA
The eNB certificate signed by the Sub CMS will be the starting point for the path validation. Since
the eNB certificate was signed by the Sub CMS, the CMS certificate will be checked for a validate
certificate. The Sub CMS and Root CMS certificates were sent to the eNB via the Certificate
response message. The Sub CMS certificate will next be validated. The Sub CMS certificate is signed
by the Root CMS. The process continues until the trusted anchor certificate is validated. In this
scenario, the Root CMS certificate is the next certificate to be validated. The Root CMS certificate is
self signed and the validation ends here. If at any point, any of the certificate validation fails, the
certificates will be rejected and the distribution fails.
The following diagram below show the certificate path validation for Model 1.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The listed Ethernet protocol are implemented at the Network element to offer fault management
function summarized in the following table:
5.3.1 LAG
The 802.3ad standard defines link aggregation for full-duplex Ethernet links. In this standard, a set
of Ethernet links of the same type between a pair of Ethernet switches can form a logical trunk
called a Link Aggregation Group (LAG). The LAG is used as a single link by the switches at either
end, which balance traffic between the links composing the LAG. The link aggregation control
protocol (LACP) can be used to auto-negotiate the trunk configurations between adjacent switches.
Link aggregation provides both expansion of capacity and protection from link failures: a failure on
one link would cause a reduction in bandwidth but not loss of connectivity. Failure detection works
fastest if both directions of the duplex link fail simultaneously.
In the 1+1 protection scheme, two links, which carry identical copies of the transmitted
information, protect one other. During normal operation the receiving end listens to the status of
both links but only receives data from one of them. In the event of failure, the receiver simply
switches to receiving data from the other link. Given that detection of link failure is a hardware
function, restoration can be accomplished in tens of milliseconds or less. Thus link-level failures
cause minimal service disruption when 1+1 protection is used.
3GPP TS36.104 [R6] specifies different air interface synchronization accuracy requirements
according to the Base Station class:
BS class Accuracy
LTE networks require phase synchronization to meet the TDD air interface criterion of ± 1.5us.
RF frame timing delivery to meet the TDD specifications also includes delivery of correct SFN
numbering. This is needed for features which require the RF frames to be aligned across
neighbouring eNodeB’s both in phase and in SFN count.
The eNodeB supports multiple synchronization methods which are presented hereafter.
There is a synchronization signaling system known as the Synchronization Status Message or SSM.
The SSM is a message which carries an information about the quality level of the source clock from
clock to clock along the branches of the synchronization distribution tree. There are a number of
pre-defined quality levels (QL) corresponding to existing clock specifications i.e. QL-PRC, QL-SSU-A,
QL-SSU-B, QL-SEC and QL-DNU.
This signaling system is used for controlling protection switching in case of link or clock failures.
The communication channel used for transferring the SSM from clock to clock in Synchronous
Ethernet is the so-called Ethernet Synchronization Messaging Channel (ESMC).
The ESMC structure, and the SSM TLV is described in G.8264.
The definition of the Quality Levels of the source clock are defined in G.781.
PTP is a timing over packet (ToP) method for synchronizing a client to a server.
As per IEEE 1588 standard, PTP is supported over protocol stacks UDP/IP/Ethernet and Ethernet.
The 1588 server may support clients in either multicast mode, where all clients receive the
multicast timing messages, or unicast mode where each client has is own targeted timing messages.
Multicast mode allows a server to support more clients, however, unicast mode is considered the
option delivering the best synchronization accuracy.
Master Slave
clock clock
7 6 5 4 3 2 1 0 bits
transportSpecific messageType e.g. 0xC = Unicast
reserved versionPTP
MessageLength
domainNumber
Reserved
flagField
correctionField
reserved
sourcePortIdentity
sequenceId
controlField
logMessageInterval interval between message type considered below
targetPortIdentity
tlvType e.g. 0x4 = Request, 0x5 = Grant
lengthField
messageType reserved e.g. 0x0 = Sync, 0xB = Announce, 0x9 = Delay resp
logInterMessagePeriod period between requested unicast messages
durationField duration this message type must be transmitted
Master Slave
clock clock
δt = logMessageInterval
Sync δt = logInterMessagePeriod
durationField Sync
Sync
Figure 53: PTP periodical Unicast negociation and time stamp exchange
The conversion from interval in second to/from interval in log base 2 are given by the formulae:
-6 1/64 64 /s
-5 1/32 32 /s
-4 1/16 16 /s
-1 1/2 2 /s
0 1 1 /s
1 2 1 every 2 s
6 64 1 every 64 s
Synchronization is distributed via packets that carry time stamps generated by a master (server)
that has access to a PRC (e.g. GPS). The receiving equipment (slave) recovers the frequency
synchronization by comparing the time provided by the timing packets (time stamps) with its local
time.
The network between the master and the slave introduces packet delay, packet delay variation
(PDV) and packet loss.
To be able to guarantee frequency synchronization in the order of parts-per-billion, the slave must
be able to filter out the effects of PDV. Therefore, selection of the less delayed timing packets or
averaging over relatively long periods are needed at client for stable performance. Beside, the SLA
(Service Level Agreement) between the operator and the backhaul transport network provider must
ensure that the synchronization traffic flow benefits a consistent PDV regarding the ToP
requirements. The link from grandmaster to client should minimize the number of hops since the
forwarding algorithms of intermediate transport equipment introduce PDV. And the synchronization
traffic flow must be marked with the highest QoS priority.
In add of frequency synchronization, IEEE 1588 also supports time and phase synchronization.
7 6 5 4 3 2 1 0 bits
transportSpecific messageType 0xB = Announce
reserved versionPTP
MessageLength
domainNumber
Reserved
flagField
correctionField
reserved
sourcePortIdentity
sequenceId
controlField
logMessageInterval
originTimestamp time the Announce was transmitted at origination
currentUtcOffset from timePropertiesDS data set
reserved
grandmasterPriority1 from parentDS data set
(2)
grandmasterClockQuality from parentDS data set
grandmasterPriority2 from parentDS data set
grandmasterIdentity from parentDS data set
stepsRemoved from currentDS data set
(1)
timeSource from timePropertiesDS data set
(1) timeSource indicates the reference time source of the grandmaster clock (e.g. a GPS radio
clock).
• clockClass, which indicates the traceability of the time or frequency distributed by the
grandmaster.
• clockAccuracy which indicates the quality of the grandmaster clock. It is used in the BMC
algorithm (if implemented).
clockAccuracy value
CLK_Q_CLK_EPOCH_BETTER_THAN_25ns 0x20
CLK_Q_CLK_EPOCH_BETTER_THAN_100ns 0x21
CLK_Q_CLK_EPOCH_BETTER_THAN_250ns 0x22
CLK_Q_CLK_EPOCH_BETTER_THAN_1us 0x23
CLK_Q_CLK_EPOCH_BETTER_THAN_2_5us 0x24
CLK_Q_CLK_EPOCH_BETTER_THAN_10us 0x25
CLK_Q_CLK_EPOCH_BETTER_THAN_25us 0x26
CLK_Q_CLK_EPOCH_BETTER_THAN_100us 0x27
CLK_Q_CLK_EPOCH_BETTER_THAN_250us 0x28
CLK_Q_CLK_EPOCH_BETTER_THAN_1ms 0x29
CLK_Q_CLK_EPOCH_BETTER_THAN_2_5ms 0x2A
CLK_Q_CLK_EPOCH_BETTER_THAN_10ms 0x2B
CLK_Q_CLK_EPOCH_BETTER_THAN_25ms 0x2C
CLK_Q_CLK_EPOCH_BETTER_THAN_100ms 0x2D
CLK_Q_CLK_EPOCH_BETTER_THAN_250ms 0x2E
CLK_Q_CLK_EPOCH_BETTER_THAN_1s 0x2F
CLK_Q_CLK_EPOCH_BETTER_THAN_10s 0x30
CLK_Q_CLK_EPOCH_WORSE_THAN_10s 0x31
CLK_Q_CLK_EPOCH_UNKNOWN 0xFE
twoStepFlag
clockIdentity
numberPorts
defaultDS ordinary clock
clockQuality
priority1
priority2
stepsRemoved
currentDS synchronization offsetFromMaster
meanPathDelay
parentPortIdentity
parentStats
observedParentOffsetScaledLogVariance
observedParentClockPhaseChangeRate
parentDS parent & grandmaster
granmasterIdentity
grandmasterClockQuality
grandmasterPriority1
grandmasterPriority2
currentUtcOffsetValid
leap59
leap61
timePropertiesDS timescale timeTraceable
frequencyTraceable
ptpTimescale
timeSource
Sync (and optionally Follow up): The grandmaster server periodically transmits a Sync (optionally
with Follow up) message to each client. The client requests the Sync intermessage period in the
Request unicast transmission message for Sync messages.
7 6 5 4 3 2 1 0 bits
transportSpecific messageType 0x0 = Sync
reserved versionPTP
MessageLength
domainNumber
Reserved
flagField If twoStepFlag bit is FALSE then no Follow up message is sent
correctionField
reserved
sourcePortIdentity
sequenceId
controlField
logMessageInterval
originTimestamp time the Sync was transmitted at origination
7 6 5 4 3 2 1 0 bits
Delay req (*): The client may request periodically Delay information by invoking the Delay req
message.
Delay req message transmission interval: This value is determined and advertised by a master clock
based on the ability of the master clock to process the Delay req message traffic. The value shall be
an integer with the minimum value being portDS.logSyncInterval, i.e., at the same rate as Sync
messages, and a maximum value of logSyncInterval+5.
7 6 5 4 3 2 1 0 bits
transportSpecific messageType 0x1 = Delay req
reserved versionPTP
MessageLength
domainNumber
Reserved
flagField
correctionField
reserved
sourcePortIdentity
sequenceId
controlField
logMessageInterval Delay req message transmission interval
originTimestamp time the Delay req was transmitted at origination
Delay resp (*): The client requests the Delay_Resp intermessage period in the Request unicast
transmission message for Delay_Resp messages.
7 6 5 4 3 2 1 0 bits
transportSpecific messageType 0x9 = Delay resp
reserved versionPTP
MessageLength
domainNumber
Reserved
flagField
correctionField
reserved
sourcePortIdentity
sequenceId
controlField
logMessageInterval
receiveTimestamp time the Delay req was received
requestingPortIdentity
(*) The use of Delay req and Delay resp offer more timing information to the client. There are
optional in the 1588 protocol for frequency synchronization.
Signaling: Signaling messages carry information, requests, and commands between clocks. It is used
by the client to initiate a Unicast negiciation and to periodically renew unicast grants for each
message type (Announce, Sync, Delay resp, Pdelay resp).
PTP can be implemented with or without On-Path Support. On-Path Support is for removing effects
caused by queuing and other delays in network nodes.
IEEE 1588v2 defines five types of clock devices: ordinary clock, boundary clock, end-to-end
transparent clock, peer-to-peer transparent clock and management node.
Ordinary clocks, either grandmaster or slave, are the end points of synchronization network.
Boundary and transparent clocks are intermediate nodes that provide the On-Path Support for the
end points.
When using boundary clocks, the master-slave architecture is constructed hop-by-hop with all the
intermediate nodes between the end points being boundary clocks. Boundary clock works as a
master for next hop and a slave for previous hop. It terminates and regenerates the packet
timestamps.
Transparent clock is a bridge between the master and the slave. It is transparent to the PTP
messages except that it corrects the timing messages by adding processing time (a.k.a residence
time) into a correction field while forwarding them. The end-to-end transparent clock only adds the
residence time of packet to the correction field, which does not require any hop-by-hop messaging.
Peer-to-peer transparent clock adds also link delay correction information to the header of timing
packets, which requires peer-to-peer messaging.
It begins by determining the mean propagation delay between master and slave. After which only
one time stamped sync message is needed to make the clock corrections at the slave by adding the
one-way propagation delay in downlink to the time reference delivered within the Sync message.
Master Slave
clock clock
Master sends the Sync timing packets (with timestamps) to the slave at a certain rate in packets per
second (pps) (but not necessarily at fixed intervals).
The receiver records the time when packets are received after which the local interval between two
received packets is compared to the difference between the timestamps. The time stamps inside
the consecutive packets are compared with local arrival times.
Master Slave
clock clock
t1’ = 0,999999 s
Theorically one can determine the frequency error of the local clock compared to the reference by
sending two packets. In reality it is more complex due to PDV.
PTP PTP
server client
t1’ = 1,025999 s
Constant packet Latency is not an issue for 1588 when delivering Frequency Synchronization.
But PDV introduced by the synchronization transport backhaul requires that packet selection or
averaging methods are implemented at slave PLL, and that PDV is removed or minimized for the PTP
traffic within the network.
The P-GW receives a UL GTP-U PDU. The UL UE PDU is extracted from the GTP-U packet. The UL UE
PDU is sent to the next hop router connected to the sgi interface, which is able to route the packet
et the external network.
The following table provides delays (one way end to end delay) associated with different
services/scenarios (based on above delay budgets).
VOIP UE to PDSNGW - This is the one way delay for sending a VOIP bearer packet from the UE to the
PDNGWY. Includes the additional overhead in the UE to encode the voice frames.
VOIP UE to PSTN user – This is the one way delay for sending a VOIP packet from the UE to a PSTN
end user. It includes the processing delay in a MGW (25 msec), IP core network (10 msec), and PSTN
(10 msec). Based on ITU-T G.114 VOIP Latency Guidelines, the max allowable end to end delay
should be <= 280 msec (highest quality requires <= 200 msec).
VOIP UE to UE (LTE) – This is the one way delay for sending a VOIP bearer packet from the UE (LTE
network) to another end user (UE) in an LTE network. It assumes that there is no transcoding
required.
BFD is designed to detect failures in communication with a forwarding plane next hop. BFD operates
on top of any data protocol (network layer, link layer, tunnels, etc.) being forwarded between two
systems. It is always run in a unicast, point-to-point mode. BFD packets are carried as the payload
of whatever encapsulating protocol is appropriate for the medium and network. BFD may be
running at multiple layers in a system. BFD can provide failure detection on any kind of path
between systems, including direct physical links, virtual circuits, tunnels, MPLS Label Switched
Paths (LSPs), multihop routed paths, and unidirectional links (so long as there is some return path,
of course). Multiple BFD sessions can be established between the same pair of systems when
multiple paths between them are present in at least one direction. The BFD state machine
implements a three-way handshake, both when establishing a BFD session and when tearing it down
for any reason, to ensure that both systems are aware of the state change.
BFD is a simple layer 3 Hello protocol. A pair of systems transmit BFD packets periodically over each
path between the two systems, and if a system stops receiving BFD packets for long enough, some
component in that particular bidirectional path to the neighboring system is assumed to have failed.
A path is only declared to be operational when two-way communication has been established
between systems, though this does not preclude the use of unidirectional links.
A separate BFD session is created for each communications path and data protocol in use between
two systems. A BFD session is established based on the needs of the application that will be making
use of it. It is up to the application to determine the need for BFD, and the addresses to use --
there is no discovery mechanism in BFD.
BFD has two operating modes that may be selected, as well as an additional function that can be
used in combination with the two modes.
The primary mode is known as Asynchronous mode. In this mode, the systems periodically send BFD
Control packets to one another, and if a number of those packets in a row are not received by the
other system, the session is declared to be down.
The second mode is known as Demand mode. In this mode, it is assumed that a system has an
independent way of verifying that it has connectivity to the other system. Once a BFD session is
established, such a system may ask the other system to stop sending BFD Control packets, except
when the system feels the need to verify connectivity explicitly, in which case a short sequence of
BFD Control packets is exchanged, and then the far system quiesces. Demand mode may operate
independently in each direction, or simultaneously.
An adjunct to both modes is the Echo function. When the Echo function is active, a stream of BFD
Echo packet is transmitted in such a way as to have the other system loop them back through its
forwarding path. If a number of packets of the echoed data stream are not received, the session is
declared to be down. The Echo function may be used with either Asynchronous or Demand mode.
Since the Echo function is handling the task of detection, the rate of periodic transmission of
Control packets may be reduced (in the case of Asynchronous mode) or eliminated completely (in
the case of Demand mode).
BFD consists of control and optional echo packets. Asynchronous mode control packets are used to
maintain state and test the forwarding plane. The Echo packets are optionally used in conjunction
with the control packets to minimize the use of control packets. This reduces overhead. Demand
mode is used in networks that have large number of BFD sessions.
If Echo function is not requested, the control packets are sent at a high rate to achieve the desired
detection time. If the Echo function is negotiated, control packets are sent at a slow rate and the
self directed echo packets are sent at a high rate.
The Control packet consists of 24 bytes with an optional 4 bytes for authentication. Figure below
depicts the control packet format. The first 2 bytes are used for version, diagnostic
agnostic and control bits.
The receiving systems detection time in Asynch
Asynchronous
ronous mode is determined by multiplying the
detection time multiplier and the negotiated transmit interval.
My Descriminator and Your Descriminator fields are nonzero value generated by the transmitting
and receiving system respectively. The values are used to distinguish BFD sessions between the
same hosts. The Desired Minimal TX Interval field is the number if milliseconds that the local system
would like to use when transmitting BFD Control packets, less any jitter applied. The Required Min
RX Intervall is the number of milliseconds between received BFD Control packets that this system is
capable of supporting, less any jitter applied by the sender. If this value is zero, the transmitting
system does not want the remote system to send any periodic BFD C Control
ontrol packets. The Required
Min Echo RX Interval is the minimal interval, in microseconds, between received BFD Echo packets
that this system is capable of supporting, less any jitter applied by the sender. If this value is zero,
the transmitting system does not support the receipt of BFD Echo packets.
The four authentication bytes are detailed in IETF RFC 5880 and will not be discussed in the
document since it will not be implemented in the nodes.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The only requirement is that sufficient information is included to demultiplex the received packet
to the correct BFD session after it is looped back to the sender.
Both Peers of the BFD session will be manually provisioned. One of the Peers must be taken an
active role while the second
econd BFD peer will take on either a passive or active role. The BFD Peer that
takes the active role will send Control Packets to passive BFD session. The Passive BFD peer will not
send control packets until it receives a control BFD packet from its peer tto
o learn the “My
Descriminator” value. A session begins with the periodic, slow transmission of BFD Control Packets.
When bidirectional communication is achieved, the BFD session becomes up.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
• Demand mode
– Calculated only during Poll Sequence
– Calculated by (Detect Multiplier) * (local TX interval)
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
6.1 ETHERNET
6.1.1 Backhaul connectivity
eNB Gigabit Ethernet backhaul interface is provided by eCCM/eCCM2/eCCM2-HR.
Note: eCCM2 and eCCM2-HR boards have exactly the same architecture. eCCM2-HR is a “functional
variant” of eCCM2.
eNB controller type configuration is done through:
• Object: Enb, Parameter: expectedControllerType, Value: [eCCM, eCCM2, MET3C1, SDCAM], Class:
C, Service Impact: None, Update transient impacts details: Immediate-propagation
CCM type
all all eCCM only
(eCCM, eCCM2, eCCM2-HR)
• The full-duplex link will not resend its frame. It determines that the incoming frame is bad
and flags cyclical redundancy check (CRC) errors.
• Applications will timeout and retransmit continuously, causing a very slow connection.
Note:
In case a node is configured with auto-negotiation while its peer is not configured with auto-
negotiation, then autonegotiation device correctly detects the speed of operation, but is unable to
correctly detect the duplex mode. As a result, it sets the correct speed but starts using the half
duplex mode.
If the peer is also set to half-duplex then the nodes interoperate (duplex modes are matching).
If the peer is set to full-duplex then the nodes have an interoperability issue (duplex modes are
mismatching).
The table below summarizes all possible combinations of duplex settings between eNB and its peer:
half-duplex or
auto-negotiation
full-duplex
yes
duplex mode
full-duplex no
mismatching
eNB supports one MAC address dedicated to 1588 flow, and one MAC address dedicated to
OAM/Telecom… flow.
A dedicated MAC@ for 1588 enforces a dedicated IP@ for 1588: an ARP for 1588 IP@ gives the 1588
MAC@ and an ARP for OAM and/or Telecom gives the OAM and/or Telecom MAC@.
6.1.1.1 eCCM
For eNB equipped with eCCM, the Gigabit Ethernet interface is provided through the use of the GbE
MDA which is the daughterboard of the eCCM.
As per eNB design, the eCCM GbE MDA provides 2 GbE ports for connecting to the backhaul:
• 1 SFP module (SFP2), either equipped with optical or electrical TRX (1000BASE-X)
• 1 RJ45 (10/100/1000BASE-T)
eCCM only supports 1 SFP port out of the 2 SFP ports of the GbE MDA.
The only supported SFP port is SFP2.
eCCM only supports 1000BASE-X (1000 Mbit/s Giga Ethernet) over optical SFP TRX.
eCCM does not support 100BASE-FX (100 Mbit/s Fast Ethernet) over optical SFP TRX.
RJ45 SFP2
Electrical Optical Electrical
10 Mbps 100 Mbps 1000 Mbps 100 Mbps 1000 Mbps 10 Mbps 100 Mbps 1000 Mbps
yes no yes yes
A single GbE port may be used for connection with the backhaul.
In case both SFP2 and RJ45 ports are cabled then SFP2 has precedence over RJ45. That is, SFP2 is
used while RJ45 is invalidated.
The physical interface supports both user and control planes for all S1 & X2 logical connections,
in addition to the OAM traffic.
The GbE MDA also provides 1 RJ45 port for connecting a Local Maintenance Terminal (LMT).
Note: There is an EthernetPort object which parameters are not used in this release.
6.1.1.2 eCCM2
ethDebug
eth2
MAC from EEPROM
Port 1 192 .168. 10. 1
(for debug&
LMT access) NOTE: eNB DHCPv 4
server gives out
ethCallp
192.168 .10.2 address
eth3
to attached clients
MAC from EEPROM
192.168 .1.2
PCI
eth1588
1588 00:01:02:03: 04:05
tap
tap0 192.168.1.10
BOARD _INIT_REQ.1588 MacAddress (from
from EEPROM)
EEPROM (for internal ARP to BP ENET )
INTERFACE_CONFIG_REQ(ipAddr , vlanId
vlanId)
Port 2
(for port
mirroring)
BH1/SFP
WP3 Ethernet modems
modems
Switch modem
BH3/RJ45
(BCM56334L)
not
WP3 used
192.168 .
BH2/SFP not used [128+LTE_cell_index ].
[Slot _ID]
(Slot_ID = 2, 3 or 4)
BH4/RJ45 not used
not
SYNCE Clock used SYNCE Clock
for BH1 for BH2
to SIB
SIB2
FPGA
BH1/BH2 BH3/BH4
SFP RJ45
Figure 60: eCCM2 front panel
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
eCCM/eCCM2 only supports one Ethernet port that is used for backhaul access.
As consequence, eNB does not support daisy chaining to others equipments.
Note:
“Vlan” object owns a “chained” parameter that is not used in this release.
If SSM is disabled the eNB receives no indication of a loss of quality of the source SyncE clock, for
example when the upstream equipment Ethernet source clock fails due to a loss of its own
reference clock.
The eNB impact is that the RF carrier can be pulled ‘out-of-spec’.
It is not recommended to disable SSM, whilst allowed given that certain equipments do support
SyncE but not SSM.
A specific alarm is generated when the SSM indicates the upstream equipment can no longer
guarantee a clock of sufficient accuracy. This alarm is ONLY available when SSM functionality is
enabled.
In case of syncE failure an alarm is raised.
RJ45 is SyncE compliant.
Optical SFPs are SyncE compliant while electrical SFPs are not SyncE compliant.
The only solution for electrical connection with syncE is through the RJ45 port.
The only solution for optical connection with syncE is through the SFP2 port.
RJ45 SFP
Electrical (copper) Optical (fiber) Electrical (cooper)
At eNodeB we can have OAM, 1588 & Telecom traffics organized within no VLAN at all, or within 1
to 4 VLANs.
OAM traffic must be mapped on the first TrafficDescriptor instance of the first VLAN instance.
Either IPv4 addresses or IPv6 addresses are supported in a VLAN. It is not possible to have
simultaneously IPv4 and IPv6 addresses in a VLAN.
The traffic flows within one VLAN instance is only IPv4 or IPv6.
IPv4 addresses are supported with untagged and tagged Ethernet frames.
IPv6 addresses are not supported with untagged Ethernet frames.
By default, eNB is pre-configured at factory with a OAM VLAN ID of “no Vlan” (untagged frames).
At I&C, eNodeB may be configured with a OAM VLAN ID.
It is replaced by provisioned OAM VLAN ID value once MIM has been downloaded.
IP version(s) as well as number of IP @s supported per VLAN are given in the table below.
Traffic type
no VLAN
1588 OAM S1-U S1-C X2-U X2-C M3 M1 IGMPv3 MLDv2
0 IPv4@1 IPv4@2
IP version(s) as well as number of IP @s supported per VLAN are given in the table below.
Traffic type
VLAN 1
1588 OAM S1-U S1-C X2-U X2-C M3 M1 IGMPv3 MLDv2
2 IPv4@1
3 IPv4@1 IPv4@2
4 IPv4@1 IPv4@2
5 IPv6@1 IPv6@2
Traffic type
VLAN 1
VLAN 2 1588 OAM S1-U S1-C X2-U X2-C M3 M1 IGMPv3 MLDv2
7 IPv4@1 IPv4@2
8 IPv6@1 IPv6@2
9 IPv4@1 IPv6@2
IP version(s) as well as number of IP @s supported per VLAN are given in the table below.
In Ipv4, to have no VLAN extension in the Ethernet header there must be configured at I&C:
Enb/EnbTransportConf/RanBackhaul/Vlan:vLanId = 4096
In this case parameter Enb/EnbTransportConf/RanBackhaul/Vlan:vLanId is ignored.
eNB
eNBtransportConf
RanBackhaul
Vlan[1-50]
ipFormat
ipv6Address / ipv6RoutingPrefixLength
ipv4Address / ipv4SubNetMask
The L2 backhaul access is shared between the operators but the telecom traffics of the operators
are logically separated logically with VLANs. This allows each operator to manage its own policy for
QoS (see limitations in Ethernet & IP QoS sections) and SLA (see Traffic Management chapter).
Amongst the operators, a master operator manages not only its telecom traffic but also the OAM
and 1588 traffics as wells as the X2-C traffics of all the non master operator(s).
A non master operator only manage its S1-U, S1-C and X2-U traffics.
PlmnIdentity instance which parameter ‘isPrimary’ = true defines the PLMN of the master operator.
The X2-C traffic cannot be split between operators and is carried in the telecom VLAN of the
master operator.
Only the master operator’s telecom address is used for the X2-C traffic type.
The VLAN configurations that are supported by the master operator are a subset of the VLAN
configurations supported by a single operator.
SGWs)
• the Gateway Core Network (GWCN) model where the core network is shared by several
operators. MMEs can be shared by several operators (not necessary all operators) and the SGW
can be shared by several operators (not necessary all operators).
CN (operator A) CN (operator B)
MMEs SGWs MMEs SGWs
Backhaul
eNBs
eUTRAN (shared)
2 VLANs are dedicated to the master operator for separating traffic flows as follows:
• 1 VLAN for OAM (and 1588 if used) traffic
• 1 VLAN for the master operator telecom traffic (S1, X2) and the non master operators X2-C
traffic
VLAN configurations as well as IP version(s) and number of IP @s supported per VLAN are given in
the table below.
Traffic type
VLAN 1
VLAN 2 S1-U S1-C X2-U X2-C
VLAN 3 1588 OAM M3 M1 IGMPv3 MLDv2
all
master operator only
operator
13 IPv4@1 IPv4@2
14 IPv4@1 IPv6@2
15 IPv6@1 IPv6@2
1 VLAN is dedicated to a non master operator for its S1 and X2-U traffic flows.
VLAN configurations as well as IP version(s) and number of IP @s supported per VLAN are given in
the table below.
Traffic type
VLAN n+2
VLAN n+3
S1-U S1-C X2-U
VLAN n+4 1588 OAM X2-C M3 M1 IGMPv3 MLDv2
(*)
n = [1-3] non master operator
12 IPv4@n+3
13 IPv4@n+2
14 IPv6@n+2
15 IPv6@n+2
CN (operator A) CN (operator B)
MMEs SGWs
Backhaul
eNBs
eUTRAN (shared)
VLAN configurations as well as IP version(s) and number of IP @s supported per VLAN are given in
the table below.
Traffic type
VLAN 1
VLAN 2 S1-U S1-C X2-U X2-C
VLAN 3 1588 OAM M3 M1 IGMPv3 MLDv2
all
master operator only
operator
VLAN configurations as well as IP version(s) and number of IP @s supported per VLAN are given in
the table below.
Traffic type
VLAN 3
VLAN 4 S1-U S1-C X2-U
VLAN 5 1588 OAM X2-C M3 M1 IGMPv3 MLDv2
non master operator #1
31 IPv4@4 IPv4@4
32 IPv6@4 IPv6@4
33 IPv4@4
34 IPv6@4
35 IPv4@4
36 IPv6@4
37 IPv4@5 IPv4@6
38 IPv6@5 IPv6@6
39 IPv4@5 IPv4@6
40 IPv6@5 IPv6@6
VLAN configurations as well as IP version(s) and number of IP @s supported per VLAN are given in
the table below.
Traffic type
35 IPv4@5 IPv4@5
36 IPv6@5 IPv6@5
eNodeB maps the value of the Pbit from the value of the DSCP of the IP packets according to a
DSCP to Pbit mapping table common for both S1 and X2 interfaces.
In case of eUTRAN sharing, all operators use the same DSCP to Pbit mapping.
The DSCP setting for user plane traffic is configurable with separate mapping tables maintained for
S1 and X2 interfaces. Thus data to be forwarded over the X2 interface may be offered a higher IP
QoS than the same service type data on the S1. This enhances the handover performance by
minimising the latency of forwarded data, and handover control messaging.
If VLAN tagging is used but Ethernet QoS is not needed there must be configured:
Enb/EnbTransportConf/GlobalTransportConf: pBitSettingEnable = false
In this case eNodeB sets pBit = 0 (lowest ethernet priority).
If VLAN tagging is used and Ethernet QoS is needed the recommended VLAN priority mapping per
type of traffic is:
Enb/EnbTransportConf/GlobalTransportConf: pBitSettingEnable = true
Enb/EnbTransportConf/GlobalTransportConf: pBitForArp = 6
Enb/EnbTransportConf/GlobalTransportConf/DscpToPbitMapping[0-21]: dscp & pBit
1. According to RFC4594, CS1 corresponds to a lower traffic priority than best effort.
2. According to 802.1q; “The default priority used for transmission by end stations is 0.
Changing this default would result in confusion and likely in interoperability problems. At
the same time, the default traffic type is definitely Best Effort. 0 is thus used both for
default priority and for Best Effort, and Background is associated with a priority value of 1.
This means that the value 1 effectively communicates a lower priority than 0.”.
eNB
eNBtransportConf
GlobalTransportConf
pBitSettingEnable = [true/false]
pBitForArp
DscpToPbitMapping/[0-21]
dscp
pBit
6.1.6.1 IEEE 802.1q interoperability between release 2005 and release 2011
“NOTE 4—The CFI field of the TCI was required for historical reasons, in order to support media
where MAC addresses were carried as data in Non-canonical format. New implementations should
not attempt to support user communication that would require the addition of a tag with the
CFI bit set to a frame; most Bridges will discard frames with this bit set that are to be forwarded
untagged, as permitted by this subclause. Conformance in respect of receipt of frames with this bit
set remains unchanged from previous revisions of this standard.”
- the vlan_identifier,
- the drop_eligible,
“The priority and drop_eligible parameters are conveyed in the 3-bit Priority Code Point (PCP) field
and the Drop Eligible Indicator (DEI) field as specified in 6.9.3.”
802.1q-2011 § 6.9.3 ‘Priority Code Point encoding’ states that DEI may be used separately or in
conjunction with PCP to indicate frames eligible to be dropped in the presence of congestion:
The priority and drop_eligible parameters are encoded in the Priority Code Point (PCP) field of the
VLAN tag using the Priority Code Point Encoding Table for the Port, and they are decoded from the
PCP using the Priority Code Point Decoding Table. […]
The drop_eligible parameter may also be encoded in and decoded from the Drop Eligible
Indicator (DEI) in the VLAN tag. Use of the DEI allows the VLAN tag to convey eight distinct
priorities, each with a drop eligible indicator. If this capability is provided, it shall be
independently manageable for each Port by means of a Use_DEI parameter. If the Use_DEI is True
for the Port, the drop_eligible parameter is encoded in the DEI of transmitted frames, and the
drop_eligible parameter shall be True for a received frame if the DEI is set in the VLAN tag [or the
Priority Code Point Decoding Table indicates drop_eligible True for the received PCP value]. If the
Use_DEI parameter is False, the DEI shall be transmitted as zero and ignored on receipt.
eNodeB does not interoperate with a peer Ethernet node that supports IEEE 802.1q-2011 and which
encodes the DEI in the VLAN TCI field.
eNodeB would interpret the peer Ethernet node’s DEI field value as a CFI bit set and would discard
the received frame.
If eNodeB’s peer Ethernet node is running IEEE 802.1q-2011, then it must be configured such as the
‘Use_DEI’ parameter is set to ‘False’ so that the DEI be transmitted as zero and ignored on receipt
at eNodeB side.
eNodeB supports standard and jumbo Ethernet frames for S1 and X2.
eNodeB supports jumbo Ethernet frames with a MTU size of 2000 bytes maximum.
The maximum ethernet frame length is thus 2022 bytes.
6.1.8 LAG
LAG is not supported on eNodeB (only one SFP port can be used)
6.2 IPV4
6.2.1 MTU
IPv4 packets are fragmented if they are greater than the MTU, and received packet fragments are
always reassembled. But IPv4 fragmentation by intermediary node has to be avoided for
performance reason (would add delay to the IP packets delivery).
The smallest MTU for all the links in a path from one node to another is called the path MTU, and
the process of determining the smallest MTU along the entire path from the source to the
destination is called path MTU discovery (PMTUD).
Path MTU discovery is supported by the Linux stack for IPv4 (and IPv6), and enabled by default. It
allows the TCP/SCTP protocols to automatically discover the minimum path MTU and adjust the size
of packet payloads to avoid IP fragmentation within intervening routers.
As explained in § “MTU for U-Plane”, the per VLAN configured mTU value represents the lowest MTU
value met on all S1-U and/or X2-U links (GTP flows). So ‘mTU’ value is by definition ≤ of MTU of the
first Ethernet link. Thus, for the OAM, PTP & Telecom C-Plane traffic the eNodeB sends IP packets
initially assuming that the path MTU is equal to the per VLAN parameter ‘mTU’ value. The Don’t
Fragment bit is set in the IPv4 header. If any of the packets are too large to be forwarded by some
router along the path, that router will discard them and return ICMP Packet Too Big messages. Upon
receipt of such message, the eNodeB reduces its assumed path MTU based on the MTU reported in
the Packet Too Big Message.
MTU of the first-hop link (eNodeB first-hop router or eNodeB peer eNodeB if on same link)
must be ≥ ‘mTU’ value (since path MTU discovery initiates at ‘mTU’).
If this is not the case a packet of more than ‘mTU’ bytes is silently discarded at eNodeB egress by
layer 2. Thus the path MTU discovery cannot be initiated.
Note: path MTU discovery is not applicable in a layer 2 network (as it is based on ICMP).
eNB keeps track of dynamically updated PMTU values on a per destination IP address basis.
For instance in the presence of several MMEs the eNB associates one PMTU value with each target
MME IP address.
For the Telecom Control Plane (S1-MME & X2-C), as per IETF RFC 4960, the eNodeB uses the
smallest Path MTU of all paths to a multi-homed peer as setting of the MTU size for all paths to this
peer.
These flows terminate in the CEM and go through the Winpath2 processor.
Path MTU discovery is not supported by CEM.
Path MTU discovery mechanism is not supported for the User Plane.
The MTU for User Plane (S1-U & X2-U) is configurable per VLAN.
The MTU is an attribute of a network interface and not of an IP address, so in situations where
multiple IP addresses (e.g., with differing traffic types) share a network interface (e.g., in the same
VLAN), the MTU value cannot be independently set for each IP address.
For U-Plane (S1-U & X2-U) the eNodeB MTU is configured through:
• Object: Enb/EnbTransportConf/RanBackhaul/Vlan, Parameter: mTU, Value: [1280-2000] byte,
Class: A, Service impact: Critical, Update transient impacts details: full-eNB-reset
eNB
eNBtransportConf
RanBackhaul
Vlan
mTU = [1280-2000]
MTU setting must be choosen based on the UE MTU and peers’ eNodeB path MTU, as well as LTE
transport overhead and operator backhaul transport overhead. In the case all of these dependencies
are known then the decision tree here after is given as proposal for setting the eNodeB path MTU.
In case eNodeB to peers’ path MTU are unknown then the guideline is to try with :
• Aggressive approach: mTU = (1500 + LteTransportOverHead (1) + BackhaulTransportOverHead)
bytes. This makes assumption that the UE MTU is 1500 bytes and the transport backhaul
supports jumbo Ethernet frames.
• Conservative approach: mTU = (1500 - LteTransportOverHead (1) -
BackhaulTransportOverHead) bytes. This makes assumption that the UE MTU is 1500 bytes and
the transport backhaul supports standard Ethernet frames of 1500 bytes.
(1) LteTransportOverHead = 41 bytes
Two management protocols are used for communication between the eNodeB and OAM server:
• The Simple Network Management Protocol (SNMP), for the monitoring of the eNodeB (alarms,
state changes, performance monitoring, equipment management). This protocol is UDP-based.
• The Network Configuration Protocol (NetConf) on top of SSH, to manage the (radio and
transport) configuration of the eNodeB.
OAM server is responsible for establishing the communication with eNodeB. OAM server sends the
first SNMP message to the eNodeB. The eNodeB answers using the source IP address of the received
SNMP message.
‘Read Only’ parameters display the eNB OAM IPv4 address information currently in use by the eNB:
• Object: Enb/EnbTransportConf/OamTransportConf/currentEnbOamAddressData,
Parameter: currentEnbOamIpv4Address, Class: N/A, Service Impact: N/A, Update transient
impacts details: N/A
Parameter: currentEnbOamIpv4SubnetMask, Class: N/A, Service Impact: N/A, Update transient
impacts details: N/A
This section only addresses static eNB IP setting configuration. Refer to the § that describes eNB Self
Commissioning for description of the eNB Plug and Play (PnP) functionality.
eNB OAM IP address may be manually configured when RanBackhaul:: ipConfigAutomatic = false.
eNB OAM static IP addressing configuration is done through I&C parameters; OAM IP Address, OAM
IP Netmask / Prefix Routing Length, OAM IP Gateway. They are replaced by provisioned values once
MIM has been downloaded.
• Object: Enb/EnbTransportConf/RanBackhaul/Vlan[1-50]/TrafficDescriptor[0-10],
Parameter: ipv4Address, Class: C, Service Impact: None, Update transient impacts details:
Immediate-propagation
Parameter: ipv4SubNetMask, Class: C, Service Impact: None, Update transient impacts details:
Immediate-propagation
An internal OMC parameter (not sent to eNodeB) provide the eNodeB IP address for SNMP and SSH
connection. It is used by the OMC for monitoring of the alignment with the eNodeB.
The configured provisionedEnbIdentifier must be the same as the one configured by the
ipv4Address for the TrafficDescriptor which contains ‘OAM’ traffic.
eNodeB performs a full fall back to previous (working) configuration version when no SNMP traffic
from OMC is received after eNodeB reset from configuration change and a fallback timer is expired.
Considered configuration change is OAM Vlan transport parameters modification (e.g. new IPv4
address or new IPv4 subnet or migration to IPv6).
eNodeB generated events (alarm, state change) are time-stamped with a clock delivered by the
Network Time Protocol (NTP). NTP is UDP-based and uses port 123.
Two NTP servers are used. The second server is used in case the first one is not accessible.
eNB
eNBtransportConf
RanBackhaul
Vlan[1-50]
plmnId
ipFormat = IPv4
ipv4Address
ipv4SubNetMask
ipv4AddressFirstHopRouter
OAM and Telecom IPv4 addresses should be configured in two different subnets.
Only the master operator’s telecom address is used for the X2-C traffic type.
The non master operators’ telecom address is only used for their S1-U, S1-C & X2-U traffic types.
All operators are configured with the same IP format for the telecom traffic, either IPv4 or IPv6.
See VLAN § for more information on supported VLANs configuration as well as IP version(s) and
number of IP @s supported per VLAN.
6.2.4 Subnetting
Within a VLAN, several IPv4 addresses can be assigned within the same subnet.
Within a VLAN, several IPv4 subnets can be assigned but they must not overlap.
There can be one IPv4 subnet per IPv4 address.
A subnet must be used by only one VLAN, i.e. one subnet must not overlap VLANs.
The first hop router associated to a traffic flow may be unset if the eNB is connected to its peer
through a L2 switch.
In case the eNB is on the same subnet than its peer a connection through a L3 router is not
mandatory.
The first hop router associated to a traffic flow must be set if the eNB is connected to its peer
through a L3 router.
In case the eNB is on a different subnet than its peer a connection through a L3 router is mandatory.
Private IPv4 addressing is used for internal eNodeB addressing. The IETF RFC 1918 defines the
private addressing. The IANA has reserved the following 3 blocks of the IP address space for private
internets:
• 10.0.0.0 - 10.255.255.255 (10/8 prefix)
• 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
• 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
eNodeB uses the private IPv4 192.168.0.0/16 prefix for internal addressing.
This is not configurable.
eNB source IP @ (OAM, telecom) must not be in eNB internal subnet (192.168/16).
eNB destination IP@ (MME, PTP server) may be set within eNB internal subnet (192.168/16).
6.2.6 Routing
Each configured subnet has its own routing table, and thus, its own default route.
An outgoing traffic (OAM, 1588 or Telecom) is directed to the appropriate routing table based on
its source address.
All traffic not matching one of the source address routing rules, gets directed to the main routing
table.
The OAM traffic is bound to a main routing table while others traffic are bound to auxiliary routing
tables.
Example: OAM & 1588 in same IPv4 subnet and VLAN, Telecom in a different IPv6 subnet and VLAN.
In this example :
• Telecom traffic which source address = enbTelIpv6 get directed to the 2nd auxiliary routing
table which has a default route to the 2nd router (rt2)
• 1588 traffic traffic which source address = enb1588Ipv4 get directed to the 1st auxiliary routing
table which has a default route to the 1st router (rt1)
• OAM traffic traffic which source address = enbOamIpv4 get directed to the main routing table
which has a default route to the 1st router (rt1)
eNodeB OAM first hop router configuration is either PnP or done at I&C through:
• Object: Enb/EnbTransportConf/RanBackhaul/Vlan[1-50]/TrafficDescriptor[0-10], Parameter:
ipv4AddressFirstHopRouter, Class: A, Service impact: Critical, Update transient impacts details: full-
eNB-reset
If VLAN tagging is enabled at L2 but L3 routing is not required for the OAM traffic, then parameter
OAM ipv4AddressFirstHopRouter should be set to 0.0.0.0
If VLAN tagging is enabled at L2 but L3 routing is not required for the Telecom traffic, then
parameter eNobeBfirstHopRouterTelecomIpAddr should be set to 0.0.0.0
eNodeB performs ARP to discover MAC address of OAM first hop router
OAM server polls newly installed eNodeB which learns the OAM server IP
address from the received SNMP request. eNodeB answer is routed through
the specific route via the OAM ipv4AddressFirstHopRouter
IF OAMSynchControl:enableAutomaticConfiguration=true THEN
OAM server starts downloading to eNodeB the MIB parameters.
ELSE the download must be launched by an operator action.
eNodeB performs ARP to discover MAC address of OAM first hop router
IF OAMSynchControl:enableAutomaticConfiguration=true THEN
OAM server starts downloading to eNodeB the MIB parameters.
ELSE the download must be launched by an operator action.
In DHCPv4, eNodeB broadcasts ‘DHCP Discover’ message on and authenticates with DHCP server
(IETF RFC 3118)
6.2.7 IP QoS
For the Telecom Control Plane, OAM, PTP and other control flows (GTP echo, ICMP, Call Trace),
eNodeB maps the value of the DSCP according to a Control Flow to DSCP mapping table.
In case of eUTRAN sharing, the DSCP mapping for S1-C, X2-C, OAM, PTP and others control flows is
the same for all operators.
For the Telecom User Plane, eNodeB maps the value of the DSCP from the value of the QCI of the
Radio Access Bearer according to a QCI to DSCP mapping table.
There is 1 QCI to DSCP mapping table for S1 User Plane traffic and 1 QCI to DSCP mapping table for
X2 User Plane traffic.
In case of eUTRAN sharing, the DSCP mapping for S1-U and X2-U is configurable per operator.
DSCP setting for Telecom Control Plane, OAM, PTP and others:
• Object: Enb/EnbTransportConf/GlobalTransportConf/ControlFlowToDscpMapping[0-7],
Parameter: controlFlow, Value: [SctpS1, SctpX2, GTPuEcho, OAM, PtpEvtMsg, PtpGenMsg, ICMP,
CallTrace, IKE, DDT, M3, AGPS], Class: C, Service Impact: None, Update transient impacts
details: Immediate-propagation
Parameter: dscp, Value: [BE, CS1, AF11, AF12, AF13, CS2, AF21, AF22, AF23, CS3, AF31, AF32,
AF33, CS4, AF41, AF42, AF43, CS5, VOICE-ADMIT, EF, CS6, CS7, NotUsed], Class: A, Service
impact: Critical, Update transient impacts details: full-eNB-reset
The operator PLMN identifier (MCC and MNC) configuration is done through:
• Object: Enb/EnbTransportConf/PerOperatorTransportConf[0-3], Parameter: plmnId, Value: link
to a ‘PlmnIdentity’ instance that contains the MCC and MNC of an operator, Class: A, Service
impact: Critical, Update transient impacts details: full-eNB-reset
If DSCP marking is needed the recommended DSCP mapping per traffic type is :
Enb/EnbTransportConf/GlobalTransportConf:dscpSettingEnable = true
Enb/EnbTransportConf/GlobalTransportConf/ControlFlowToDscpMapping [0-7]: controlFlow & dscp
(1) values 1-9 are 3GPP standard QCIs and values 10-255 are ALU proprietary QCI
The same DSCP mapping is used for both IPV4 and IPV6.
The QoS mappings are OAM configurable with separate mapping tables maintained for S1 and X2
interfaces. Thus data to be forwarded over the X2 interface may be offered a higher QoS than the
same service type data on the S1. This enhances the handover performance by minimising the
latency of forwarded data, and handover control messaging.
eNB
eNBtransportConf
GlobalTransportConf
dscpSettingEnable = [true/false]
ControlFlowToDscpMapping/[0-7]
PerOperatorTransportConf/[0-3]
plmnId (link to a PlmnIdentity instance)
QciToDscpMappingX2/[0-31]
qci
dscp
QciToDscpMappingS1/[0-31]
qci
dscp
6.3 DHCPV4
Dynamic Host Configuration Protocol DHCPv4 is defined in RFC2131 and RFC2132.
There are 3 methods of DHCP allocation:
• Manual allocation
The DHCP server performs the allocation of IP addresses based on a table with a list of client-
identifying information.
• Automatic allocation
The DHCP server assigns an available IP address to the requesting client from a defined IP range.
• Dynamic allocation - not supported by eNB
This provides dynamic re-use of IP addresses. The DHCP has an assigned range of IP addresses and
each client on the LAN requests an IP address from the DHCP server when that client’s interface
card starts up. The IP address becomes available again in the server’s pool of addresses once its
previous lease times out.
DHCP uses UDP to deliver messages and broadcasts.
If a DHCP server is not present on a network, then a DHCP relay agent should forward messages
between a client and a server.
DHCPv4 DHCPv4
client server
DHCPDISCOVER (broadcast)
DHCPOFFER (unicast)
DHCPREQUEST (broadcast)
DHCPACK (unicast)
TRANSACTION IDENTIFIER
CLIENT IP ADDRESS
YOUR IP ADDRESS
SERVER IP ADDRESS
ROUTER IP ADDRESS
OPTIONS (VARIABLE)
Upon power-up eNB sends a broadcast ‘DHCPDISCOVER’ (broadcast) message on the VLAN that
supports OAM (default VID=400) on condition that its ‘ipConfigAutomatic’ parameter is set to ‘true’.
The DHCPv4 server responds with the ‘DHCPOFFER’ (unicast) message containing IP address, IP
subnet, GW IP address and the EMS IP@. eNB host then sends a ‘DHCPREQUEST’ (broadcast) servers,
and receives a ‘DHCPACK’ (unicast) to complete the procedure.
eNB is allocated an Ipv4 address with an infinite ‘lease’ time by the DHCPv4 server.
eNB supports the Client-Identifier option 61 which the server uses to index the IP-allocation table.
The Client-Identifier is based on eNB Cabinet Serialization number.
* The domain name server option specifies either one (no redundancy) or two (primary then
secondary) name servers.
** Set to ‘ENODEBALUTYPE1’
*** Based on eNB serialization number
The option format is defined in rfc2132. The sub-options are defined by the vendors.
When included, this sub-option contains a list of a maximum 10 times 6 bytes (4 bytes for EMS IPv4
address, 2 bytes for port number).
When included, this sub-option contains a list of a maximum 10 times 18 bytes (16 bytes for EMS
IPv6 address, 2 bytes for port number).
When there are two addresses the primary GM is first, the backup is the concatenated address.
1588v2 primary GM Ipv4 address (end) 1588v2 secondary GM Ipv4 address (begin)
6.4 IPV6
IPv6 as specified in IETF RFC 2460 is supported for the Telecom traffic (S1 & X2) and for OAM.
In the IPv6 header, eNodeB sets the value of the Flow Label field (20 bits) to the default value of
zero, meaning it is not used. Flow label is used to support additional QoS capabilities.
In the IPv6 header, eNodeB sets the value of the Hop Limit field (8 bits) to 255 for all the IPv6
egress IP packets.
6.4.1 MTU
In IPv6, MTU setting is more sensible than in IPv4 since IPv6 routers can’t perform fragmentation.
Same applies as for IPv4 with the difference that LteTransportOverHead = 8 + 40 + Max(8; 13) = 61
bytes in IPv6.
Refer to dedicated chapter in IPv4 section.
6.4.2 Addressing
An IPV6 address has 128 bits (16 bytes). The address is shown as eight 16-bit hexadecimal blocks
separated by colon.
The eNodeB recognizes the following addresses to identify itself as per IETF RFC 4291:
• Its required Link-Local Unicast address (LLA) for each interface (mandatory)
• Any additional Global Unicats addresse (GUA) and Anycast addresses that have been configured
for the node's interfaces (manually or automatically).
• The loopback address.
• The all-nodes multicast addresses (FF01:0:0:0:0:0:0:1 & FF02:0:0:0:0:0:0:1)
• The solicited-node multicast address for each of its unicast and anycast addresses.
• Multicast addresses of all other groups to which the node belongs.
As per IETF RFC 4903 the term "link" is generally used to refer to a topological area bounded by
routers that decrement the IPv6 Hop Limit when forwarding the packet.
An IPv6 node is required a Link-Local Address (LLA) for each IPv6 interface.
A LLA must be unique on the link where it is used. The uniqueness of the LLA on a link is ensured by
the use of VLANs which create (logically) separated links.
Then an IPv6 node can source IP packets (e.g. Router Solicitation, DHCPv6) with its LLA on one
interface (VLAN1) as well as on another interface (VLAN2).
The eNodeB uses a LLA for communicating with an IPv6 router (e.g. for Neighbor Discovery
messages) or with a DHCPv6 relay or server.
The eNodeB does not use a LLA for any other purposes (OAM, S1 and X2 data flows).
Prefix Interface ID
10 bits 54 bits 64 bits
1111 1110 10 00 0000 … 0000
EIU-64 based on the MAC @
FE80::/10
The interface ID value of the LLA must be unique at least on the VLAN where it is used.
It may be replicated (same value) over several interfaces when multiple VLANs are configured. As a
result the same LLA value may be found several times within a given IPv6 node on different IP
interfaces.
At eNB, there can be only one LLA (only one usable ethernet port on CP).
The same LLA is replicated over several interfaces when multiple VLANs are configured.
A Global Unicast IPV6 address consists of 64 bits of global routing prefix and subnet ID and 64 bits of
interface ID. The subnet identifies a link within a site. The interface ID identifies an interface
within that sub network.
According to IETF RFC 4291 IPv6 addresses are assigned an IPv6 address prefix. The prefix length is
a decimal value specifying how many of the leftmost contiguous bits of the address comprise the
prefix.
The notion of subnet mask is not used in IPv6. Only prefix-length notation is supported.
Figure 71: Global Unicast Address (GUA) format as per IETF RFC 3587
The eNodeB is not aware of the Link Prefix sub-structure (Global Routing Prefix and Subnet ID) that
is used only by routers which on the other hand ignores the bottom 64 bits.
Per eNodeB site only 1 subnet is needed.
Global Unicats addresses used by the eNodeB have 64 bit-long prefixes and 64-bit long interface
IDs.
The eNodeB supports native IPv6 address only (no embedded IPV4 address).
The OAM and first hop router IPv6 addresses may be provisioned by OAM.
The Telecom IPv6 address is always provisioned by OAM.
Alternatively, the eNodeB may get its IP address for OAM with DHCPv6.
The eNodeB uses any valid IPv6 GUA to communicate with the MME, SGW and other eNodeBs over
the S1-U, S1-MME, and X2 interfaces respectively. See chapters on X2 interface & S1 interface.
In trials there may be cases where eNodeBs, MME and SGW are on same VLAN.
L3 routing is then not required for the Telecom traffic and parameter
eNobeBfirstHopRouterTelecomIpAddrIPv6 should be set to ‘::’
eNB
eNBtransportConf
RanBackhaul
Vlan[1-50]
plmnId
ipv6Address
ipv6RoutingPrefixLength = 64
ipv6AddressFirstHopRouter
The OAM and first hop router IPv6 addresses may be configured automatically.
The Telecom IPv6 address cannot be configured automatically.
There are two distinct sources for IPv6 interface(s) automatic configuration on a given VLAN:
• ICMPv6 Network Discovery messages (RS, RA and NS, NA),
• DHCPv6 messages (optional).
IPv6 has been designed so that a given configuration parameter cannot be received from both
sources (no duplication).
Two essential IPv6 parameters are found in RA but not in DHCPv6 messages:
• Router IP address
• Link Prefix
Others alternatives are supported;
The OAM interface Prefix can be set to 64 top bits of the OAM address assigned by DHCPv6.
Another alternative has been defined to cope with the absence of RAs that does not require a
Vendor Specific Information Option for passing the router IPv6 address to eNodeB.
It is based on configuring the same LLA value for all router interfaces, assuming there is a single
router on each VLAN. Redundancy is still supported but only with VRRP without load sharing (a
single interface address is perceived by eNodeB).
The supported method for automatic configuration of the OAM IPv6 address is:
• DHCPv6 (on the same principle as for DHCPv4 for IPv4 @ allocation)
The OAM IPv6 address is pre-configured in the DHCPv6 server and associated in the server database
with the DUID (DHCP Unique ID) of the eNodeB. The eNodeB DUID includes the eNodeB Serial
Number.
The serialization number is a field of 25 alphanumeric characters. The eNodeB DUID is obtained by
removing all the “space” characters from the “serialization number” and adding a prefix to be
ready for dual technology deployment (for the DHCP server provisioning to be as stable as
possible). The prefix for LTE is the string “LTE”.
The initial OAM exchange is always initiated by OAM server. The OAM IPv6 address of each eNodeB
need therefore to be configured at two different locations: OAM and DHCPv6 servers.
The eNodeB is assigned an IPv6 address with an infinite lifetime (permanent assignment).
DHCPv6 is never used as soon as the MIM already holds valid interface data, MIM data are used
instead.
Any subsequent changes to the OAM IPv6 interface parameters (IPv6 Prefix and/or address) are
performed through OAM.
Prefix
RA
with A- Next-Hop router On-link Prefix OAM IPv6 address
message
Flag set in configuration configuration configuration
presence
RA
Source address of RA Advertised Prefix with
Yes No DHCPv6 stateful
messages L-bit set.
DHCPv6 stateful with Top 64 bits of OAM
No n.a. Vendor Specific address returned by DHCPv6 stateful
Information Option. DHCPv6.
Top 64 bits of OAM
FE80::1:1
No n.a. address returned by DHCPv6 stateful
(default value)
DHCPv6.
Table 22: eNodeB support for OAM IPv6 interface automatic configuration
or
Stateful DHCPv6 alone with fixed router IPv6 address.
After the initial eNodeB startup and the MIM configuration phase is complete the eNodeB MIM
contains valid parameter values.
OAM gives eNodeB the possibility to always use RAs for router discovery by leaving the router IPv6
address set to “unspecified address” in the MIM. On the contrary if a valid router address is stored
in the MIM it is used by eNodeB for constructing its routing table, the source address of RAs is then
ignored.
When RAs advertise a Prefix with the A-flag set and a router IPv6 address is set to a non-null
address in MIM then no auto-configured GUA is used by eNodeB but (as per the generic rule that
MIM data always supersedes automatic sources of configuration information) the OAM-defined GUA
stored in MIM is used instead.
6.4.5 Subnetting
6.4.6 Routing
eNodeB performs NS/NA to discover MAC address of OAM first hop router
OAM server polls newly installed eNodeB which learns the OAM server IP
address from the received SNMP request. eNodeB answer is routed through
the specific route via the OAM ipv6AddressFirstHopRouter
IF OAMSynchControl:enableAutomaticConfiguration=true THEN
OAM server starts downloading to eNodeB the MIB parameters.
ELSE the download must be launched by an operator action.
eNodeB performs NS/NA to discover MAC address of OAM first hop router
OAM server polls newly installed eNodeB which learns the OAM server IP
address from the received SNMP request. eNodeB answer is routed through
the specific route via the OAM ipv6AddressFirstHopRouter
IF OAMSynchControl:enableAutomaticConfiguration=true THEN
OAM server starts downloading to eNodeB the MIB parameters.
ELSE the download must be launched by an operator action.
(1): The initial start up phase is performed over the configured OAM VLAN ID. If neither IPv4 nor
IPv6 interface setup completes successfully, eNodeB repeats the initialization sequence over
Untagged Ethernet.
(2): If OAM Ipv6AddressFirstHopRouter=”::” in MIM then router address is derived from RA or from
DHCPv6 if the Vendor Specific Information option is used
6.4.7 IP QoS
In the IPv6 header, eNodeB sets the IP QoS (DSCP) in the Traffic Class field (7 bits).
Same DSCP mapping recommendation applies as for IPv4.
To allow for supporting OAM in IPv6 and Telecom in IPv6 while dual stack in not supported, eNodeB
software applications for OAM and Telecom are bound to two separate IP stacks.
IPv6 addresses are not supported with untagged Ethernet frames. The migration from IPv4 to IPv6
can be performed on condition that IPv4 runs over a VLAN configuration. If this is not the case both
the eNodeB and the next-hop router have to be upgraded to a VLAN configuration.
An eNodeB with IPv4 address on OAM traffic can be reconfigured with IPv6 address(es) for OAM
and/or Telecom remotely from OAM. Then, the eNodeB re-starts and reconfigures the IP interfaces
taking into account the received data.
eNodeB performs a full fall back to previous (working) configuration version when no SNMP traffic
from OMC is received after eNodeB reset from configuration change and the fallback timer
‘timerToWaitForFallbackToPreviousIPversion’ is expired.
When an eNodeB is migrated to IPv6 all of its neighbours still have IPv4 addresses. Thus all of the X2
links remain Disabled/Dependency and therefore all handovers are processed over S1 rather than
over X2.
Table 26: Source and Destination IPv6 addresses for Network Discovery messages
0-7 8 - 15 16 - 31
Type = 133 Code = 0 (ICMPv6) Checksum
Reserved = 0
Options
0-7 8 9 10 - 15 16 - 31
Type = 134 Code = 0 (ICMPv6) Checksum
Cur Hop Limit M O Reserved Router Lifetime
Reachable Time
Retrans Timer
Options
The eNodeB sets the Hop Limit field to 255 in all egress IPv6 packets.
Cur Hop Limit advertised by the IPv6 router in RAs is ignored by eNodeB.
M-bit: the ‘Managed address configuration’ flag is set when DHCPv6 is available.
O-bit: the ‘Other configuration’ flag is set when DHCPv6 is available but address assignment
excepted (stateless).
These two flags convey the following information:
M-bit & Obit flags Available source(s) of information for automatic configuration
M=0 & O=0 Router Advertisements
M=0 & O=1 Router Advertisements and Stateless DHCPv6
M=1 & O=any Router Advertisements and Stateful DHCPv6
M-bit and O-bit values in Router Advertisement messages are ignored by eNodeB.
Regardless of their values the eNodeB always initiates both a RS/RA exchange and a DHCPv6
stateful exchange at initial eNodeB start up.
Router Lifetime:
When RAs are present on the link the eNodeB takes into account the ‘Router Lifetime’ timer
advertised by the router in RAs.
The router IPv6 address is invalidated by eNodeB if no RA is received in ‘Router Lifetime’ seconds.
This router invalidation procedure is only supported when the router IP address is set to
“unspecified address” in the MIM. When the router IPv6 address is set by OAM to a non-null value
the associated router lifetime is infinite (RAs are not used for router discovery).
A router lifetime value of 0 immediately invalidates the router IP address that is no longer used by
the eNodeB. When a router resumes sending RAs on the link with a non-null router lifetime the
eNodeB adds the sending router to the router list.
Reachable Time: The time, in milliseconds, that a node assumes a neighbor is reachable after
having received a reachability confirmation.
Retrans Timer: The time, in milliseconds, between retransmitted Neighbor Solicitation messages.
Options:
Source link-layer address: the router may send this option to advertise its link layer (MAC) address.
eNodeB uses NS/NA to learn the router MAC address if it is not advertised in the RA.
MTU: it is assumed that the MTU option is not configured on the router.
The MTU value is set by OAM and needs not be received from the router.
In case of conflict the eNodeB chooses the MTU value set by OAM.
Prefix information: the router advertises one or more on-link Prefixes (L-bit set). Stateless auto-
configuration is optional (0 Prefix with A-bit set).
0-7 8 - 15 16 - 23 24 25 26 - 31
Type = 3 Length = 4 Prefix Length L A 6 bits set to 0
Valid Lifetime
Preferred Lifetime
Reserved2 = 0
Prefix
L-bit: set when the advertised Prefix is on-link (which should always be the case).
A-bit: set when the advertised Prefix can be used for stateless autonomous address auto-
configuration (SLAAC). When set the L-flag is also set.
Prefix: A 128-bit field with “Prefix length” (64) meaningful leading bits (the Prefix value) and 64
trailing bits set to 0.
The eNodeB accomplishes address resolution as per IETF RFC 4861 by multicasting ICMPv6
Neighbour Solicitation message that asks the target node to return its layer 2 link-layer address.
ICMPv6 Neighbour Solicitation messages are multicast to the solicited-node multicast address of the
target address.
The target returns its layer 2 link-layer address in a unicast ICMPv6 Neighbour Advertisement
message.
For efficiency the eNodeB can also include its own layer 2 address in the ICMPv6 Neighbour
Solicitation that can be used by the target node to update its own cache.
6.8 DHCPV6
eNodeB can use DHCPv6 to get its OAM IPv6 address.
ALU DHCPv6 implementation supports optional parameter ‘Vendor Specific Information’ for in add
passing the router IP address.
SOLICIT message is a multicast message sent out by the DHCP client to verify that there is a DHCP
server available to handle its requests.
ADVERTISE unicast message is sent out by the DHCP server as a reply to the SOLICIT message that
was sent out by the DHCPv6 client that it can handle the requests.
REQUEST multicast message is sent out by the DHCPv6 client to request its configuration
information from the DHCPv6 server.
REPLY unicast message is sent out by the DHCPv6 server to the DHCPv6 client, and it contains the
configuration information that the DHCPv6 client requested.
REQUEST (multicast)
RELAY-FORWARD
RELAY-REPLY
REPLY (unicast)
The following additional messages are used when a DHCP relay is required:
RELAY-FORWARD message is forwarded towards the DHCPv6 server as a result of the DHCPv6 SOLICIT
or REQUEST message
The DHCPv6 RELAY-REPLY message is forwarded toward the DHCPv6 client as a result of response
from the DHCPv6 server for responses to the SOLICIT and REQUEST requests.
0-7 8 - 31
Msg-type Transaction-id
Options (variable)
DHCPv6 messages that are related to non-permanent address assignment (Confirm, Renew, Rebind,
Release, Decline, Reconfigure) are not supported.
The Information-Request message (DHCPv6 stateless) is not supported.
0 - 15 16 - 31
Option-code Option-len
Option-data (option-len octets)
0 - 15 16 - 31
Option-code = 1 Option-len = variable
eNodeB DHCP Unique ID (DUID) (variable length)
The eNodeB uses the DUID-EN format as per IETF RFC 3315:
0 - 15 16 - 31
(1)
DUID Type = 2 (DUID-EN) Enterprise-number = 637 (= ALU)
Enterprise-number (contd)
(2)
Identifier (variable length)
(1)
The enterprise-number of Alcatel-Lucent registered at IANA is 637
(2)
The eNodeB identifier is set to the eNodeB Serial Number.
A DHCP message may include multiple IA_NA options but a single one is supported.
The eNodeB requests a single IPv6 address by sending a single IA_NA option in the initial DHCPv6
SOLICIT message.
0 - 15 16 - 31
Option-code = 3 Option-len = variable
IAID (4 octets)
T1
T2
IA_NA-options
As per eNodeB DHCPv6 client requirement, the IAID is set to the last four octets of the MAC address
of the eNodeB sending interface.
Reminder: MAC addresses are made of 6 bytes: 3 first bytes identify the enterprise which delivers
the interface, while the 3 following bytes identify the interface within the constructor.
Since a single IPv6 address per eNodeB is retrieved using DHCPv6 the DUID alone identifies
unambiguously the pre-configured OAM address binding in the DHCPv6 server then the IAID does not
bring useful identification information to the server.
• T1 and T2 relate to lease renewal.
The eNodeB never renews the lease of the OAM IP address assigned by DHCPv6.
The eNodeB IPv6 OAM address is permanently assigned.
The eNodeB does not indicate a preference for a particular IPv6 address to the server. It leaves the
IA_NA options field empty.
The DHCPv6 server inserts the “IA Address” option and/or the “Status Code” option in the IA_NA-
options field.
6.8.5.3 IA Address
The IA Address Option is always conveyed in the IA_NA-options field of an IA_NA Option instance in
the server-to-client direction.
0 - 15 16 - 31
Option-code = 5 Option-len = variable
IPv6 address (16 octets)
preferred-lifetime
valid-lifetime
IAaddr-options
0 - 15 16 - 31
Option-code = 13 Option-len = variable
Status-code
Status-message (for display to an end user, ignored by eNodeB if present)
0 - 15 16 - 31
Option-code = 16 Option-len = variable
(1)
Enterprise-number (4 octets)
Vendor-Class-Data
0 - 15 16 - 31
Option-code = 17 Option-len = 24
(1)
Enterprise-number (4 octets) = 637 (= ALU)
Option-data field (20 octets)
Option Code = 261 EMS IPv4 address(es) & port number(s) (for IPv4 over IPv6 IPsec)
This option may be returned by the DHCPv6 server to convey the IPv6 router address.
This option may be used when Router Advertisements are switched off.
0 - 15 16 - 31
Option-code = 256 (router IP@) Option length = 16
IPv6 address of the router on the link that hosts the eNodeB (16 octets)
This option may be returned by the DHCPv6 server to convey the EMS (SAM) IPv6 address & port
number.
0 - 15 16 - 31
Option-code = 257 (EMS IPv6@) Option length = n x (16 + 2)
IPv6 address of the EMS (16 octets) + Port number (2 octets)
Table 46: DHCPv6 proprietary option for EMS IPv6 address/Port number
One or several concatenated EMS IPv6@/Port number can be sent back in the same Option-data
field.
This option may be returned by the DHCPv6 server to convey the Security Gateway IP address.
0 - 15 16 - 31
Option-code = 258 (SEG IP@) Option length = 16
IPv6 address of the SEG (16 octets)
This option may be returned by the DHCPv6 server to convey the EMS FQDN.
0 - 15 16 - 31
Option-code = 259 (EMS FQDN) Option length = max 64
EMS FQDN (max 64 octets)
This option may be returned by the DHCPv6 server to convey the EMS FQDN.
0 - 15 16 - 31
Option-code = 260 (SEG FQDN) Option length = max 64
SEG FQDN (max 64 octets)
This option may be returned by the DHCPv6 server to convey the EMS (SAM) IPv4 address & port
number when the backhaul is IPv6 and the EMS is IPv4 (IPv4 over IPv6 IPsec).
0 - 15 16 - 31
Option-code = 261 (EMS IPv4@) Option length = n x (16 + 2)
IPv4 address of the EMS (16 octets) + Port number (2 octets)
Table 50: DHCPv6 proprietary option for EMS IPv4 address/Port number
One or several concatenated EMS IPv4@/Port number can be sent back in the same Option-data
field.
6.9 SCTP
SCTP is the choosen protocol to transport control messages between the eNodeB and the MME over
the S1-MME interface (S1-AP/SCTP/IP/ETH/PHY) and between eNodeB’s over the X2-C interface (X2-
AP/SCTP/IP/ETH/PHY).
INIT # 1
start T1-init
INIT # 2
start T1-init
up to Max.Init.Retransmits
INIT # n
start T1-init
T1-init
X SCTP association failure alarm
expiry
sctpAccessEstablishmentRetryInterval
up to sctpAssocEstablishmentMaxRetries (1)
Similarly during Initialisation, if the eNodeB receives the INIT-ACK and sends COOKIE, it starts the
T1-cookie timer. If the timer expires the eNodeB resends the COOKIE message a maximum number
of times set also by the parameter “max.INIT.Retransmits”.
If the COOKIE-ACK is not forthcoming on the last re-send the eNodeB raises alarm “SCTP
ASSOCIATION FAILURE”.
stack. If the RTO expires before a Data Chunk is acknowledged then the Data Chunk will be
retransmitted.
Data to IP@2
start T3-rtx
Secondary path
RTO (IP@2)
Data and/or SACK
T3-rtx expiry X
error_assoc > error_path2 = +1
sctpAccessAssociationMaxRetrans X alarm - SCTP association down
Figure 77: Path failure & Association failure – case of peer multi-homed
6.10 SECURITY
6.10.1 IPsec Feature
This section assumes the reader has prior knowledge of IPsec functionality. A Generic IPsec
Description section has been included in this document for the reader’s reference.
• The eNodeB feature can be activated on a per eNodeB basis. In order to activate the eNodeB
IPsec functionality, an IPsec license must be activated for each eNodeB. With the addition of eUtran
sharing the IPsec License is still required as long as any operator on the eNodeB wish to enable
IPsec. The following table gives an example licensing requirement.
• IPsec Activation:
OMC uses a new transport configuration after an OAM IPsec tunnel is setup. This new configuration
is generated with WPS and transferred to the OMC, which downloads it to the eNB. The eNB takes
into account the new transport parameters and restarts. All traffics are lost. After the eNB restart,
the requested IPsec tunnels are setup.
If after a while the OMC-eNB connection is not re-established, the eNB automatically returns to its
previous configuration and restarts.
Object: Enb, Parameter: timerToWaitForFallbackToPreviousIPversion, Value: [30-120] (with step =
1), Unit: minute, Default: 30, Class: C, Service impact: None, Update transient impacts details:
New-set-ups
IPsec is an end-to-end security scheme operating in the Internet layer of the Internet Protocol Suite.
It can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of
security gateways (network-to-network), or between a security gateway and a host (network-to-
host). IPsec protects any application traffic across an IP network.
The LTE transport network will support the host-to-network configuration. The transport networks
IPsec session peer will be referred to as the Security Gateway (SEG). The eNodeBs will be the hosts
connected to the network SEG. The network SEG will be the communications hub between all IPsec
hosts. Figure 78 depicts the network-to-host topology for a single operator in reference to the LTE
components.
All secured IP communications between eNodeB’s and other LTE components will be forwarded to
the SEG for encryption / decryption prior to the packet being forwarded to the final destination.
Figure 78
78: IPsec Host-to-Network Security Topology
The following diagram depicts the network configuration for multiple operators sharing a common
eNodeB. This is referred to as Multiple Operator Core Netwrok (MOCN) eUTRAN sharing model.
There is a master operator that
hat owns and configures the eNodeB. The MOCN model was intended to
share the eNodeB only. Each operator will have their own core network components. Refer to
section 6.1.5.1for
for complete MOCN operation. This section only pertains to IPsec in reference to
MOCN.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
A more detailed example of a two operator scenario is depicted in the following picture. In this
configuration the eNB will belong to operator A (master operator). Operator B (non master
operator) will use use the same eNB that is owned by operator A. With the eUTRAN sharing feature,
the IPsec config and supported architecture is slightly modified to accommodate multiple operators
sharing the same eNodeB.
In the eUtran shared architecture the eNodeB will only have one OAM network connconnection.
ection. The OAM
network connection will belong to the master operator. AN IPsec tunnel can be configured for the
OAM or Telecom traffic. Each of the telecom transport commuications will belong to their
respective operator (i.e S1-U, S1-C,
C, X2-U).
X2 It is expected
cted that each operator will have their own
Security gateway and LTE transport network components (i.e. MME, SGW). The X2-U X2 U traffic will only
be transported on the master operators IPsec communications since this is an eNodeB to eNodeB
communications and owned
wned by the master operator. Each Operator can independently
enable/disable IPsec tunnels.
Figure 81 depicts an example of a source eNB has to send X2 traffic to a target eNB. In this example
the Source eNB will encrypt the transmitted packet and forward the packet to the SEG. The SEG will
in turn decrypt the packet sent from the source eNB and determine the proper route to send the
original X2 packet. In this case the original X2 packet will be forwarded to the target eNB. Prior to
the SEG transmitting the packet, the SEG will encrypt the X2 packet with the appropriate algorithm
associated with the IPsec tunnel that the SEG has negotiated with the target eNB. When the target
eNB receives the encrypted eNB packet, it will decrypt the packet and process the packet.
NOTE: The diagram displays the SEG < <-> MME and SEG <->> SGW traffic as IPsec encrypted, This is
not the case. For release LA3.0.2, the eNB <
<->
> SEG is the only optional encrypted path.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The IKE negotiations have a failure mechanism. When there is a timeout in the IKE negotiation, the
peer will periodically retransmit and wait for acknowledgement. If acknowledgement is not received
in the timeout value, the new timeout value will be derive
derived
d from an exponential algorithm. After
several retries, the IKE negotiation is deemed failed negotiations.
IPsec has two types of methods for protecting IP datagrams. The first protocol is the Encapsulating
Security Protocol (ESP) and the second is the Authentication Header (AH). The ESP provides
confidentiality using an encryption
cryption algorithm and data integrity using an authentication algorithm.
The AH provides data integrity but not confidentiality. Either the ESP or the AH protocol are
negotiated at the time of SA establishment.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
ESP is the only supported IPsec protocol as per standard : 3GPP TS 33.210 V9.1.0 section 5.3.1
The EnodeB and the SEG must be configured with the corresponding protection packet
configuration. IPSec allows either Transport or Tunnel mode. The EnodeB will only support Tunnel
mode and therefore the SEG must have the corresponding functionality.
IPsec tunnel mode is the only tranport setting allowed as per standard: 3GPP TS 33.210 V9.1.0
section 5.3.2
The eNodeB will only support certain IPsec configurations as presented below.
Description Specification
IKE Encryption 3 DES CBC
AES CBC 128 (IETF RFC 3602)
HMAC-SHA-96 (IETF RFC 2404)
IKE Authentication Diffie-Hellman exchange group 2 with 1024 MODP (IETF RFC 2409,
IETF RFC 4307 and IETF RFC 3526).
Diffe-Hellman exchange group 14 with 2048 bit MODP (Network
Transport Security SRS 13.3, 159440).
ESP Authentication NULL
HMAC-MD5-96
HMAC-SHA-1-96 (Mandatory)
AES-XCBC-MAC
Key Distribution IKE shared secret with PFS support
ESP Encapsulation ESP
NULL
3 DES CBC
AES-CBC 128 (Default)
AES-CBC
AES-CBC 256
Mode Tunnel
Key Generation Diffie-Hellman
Resiliency and High IPsec Failover
Availability Dead Peer Detection (DPD)
IP Version IPv4 Support
IPv6 Support
In the case of eUTRAN sharing network, the IKE parameters are configurable per operator basis. The
IPsec parameters will be associated per VLAN basis, each operator’s traffic will be on different
VLANs.
IPsec Service
ActivationService:
isIpsecEnable - IPSec Service Activation. This is a logical parameter must be enabled prior to
setting the IPsec General or specific IPsec tunnel parameters.
These parameters are used in the IPsec IKE optional functionality or negotiated parameters
between IPsec Peers.
Parameter isIpsecEnable
Object ENBEquipment/
ENBEquipment/eNB/ActivationService
Range & Unit Boolean
True/False
Class A - full-NE-reset
reset
Value False
Feature FRS 101808
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Parameter isCertificateEnabled
Object ENBEquipment/eNB/ActivationService
Range & Unit Boolean
True/False
Class A - full-NE-reset
Value False
Feature FRS 101812
TrafficDescriptor:
eNBIPsecpolicy - This parameter specifies whether the in bound traffic will be bypassed,
checked for Integrity or protected by integrity protection and encrypted.
(0) “no-IPsec”
IP packets matching this policy are sent outside the IPsec tunnel.
Parameter eNBIPsecpolicy
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor
Range & Unit List of elements corresponding to Traffic Type List
List Range
{1, 2, 3 , 4, 5, 6, 7}
Each list element has an enumeration.
Enumerate
{ 0, 1, 2 }
Class A - full-NE-reset
Value (0) No IPsec for each element
Feature FRS 101808
IPsecTunnelConf:
eNBpreSharedSecret – This is a manually loaded key that facilitates the IKE Authentication
process between peer entities. When IKE negotiation begins, the peers exchange keys to
mutually authenticate each other.
Parameter eNBpreSharedSecret
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit String
[0,40] Characters
Class A - full-NE-reset
Value NULL
Feature FRS 101808
Parameter ipsecTunnelname
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit String
[0,255] Characters
Class A - full-NE-reset
Value NULL
Feature FRS 101808
Parameter ipv4AddressEnbIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv4 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipv4AddressFirstHopRouter - The IPv4 address of the first hop router for the IPsec tunnel. The
first hop router does not have to be the Security Gateway (SEG).
Parameter ipv4AddressFirstHopRouter
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv4 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipv4AddressSegIPsecTunnel - The IPv4 address of the Security Gateway end point of the IPsec
tunnel.
Parameter ipv4AddressSegIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv4 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipv4SubNetMaskEnbIPsecTunnel - The IPv4 subnet mask to define the size of the subnet.
Parameter ipv4SubNetMaskEnbIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv4 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
Parameter ipv6AddressEnbIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv6 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipv6AddressFirstHopRouter - The IPv6 address of the first hop router for the IPsec tunnel. The
first hop router does not have to be the Security Gateway (SEG).
Parameter ipv6AddressFirstHopRouter
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv6 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipv6AddressSegIPsecTunnel - The IPv6 address of the Security Gateway end point of the IPsec
tunnel.
Parameter ipv6AddressSegIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit IPv6 address
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
Parameter ipv6RoutingPrefixLengthEnbIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/IPsecTunnelConf
Range & Unit [0-128]
Class A - full-NE-reset
Value N.A.
Feature FRS 101808
ipFormat - The This parameter specifies the format (IPv4 or IPv6 ) that is applicable to the
traffic described by the “TrafficDescriptor” MO instance.
This parameter can be set for MCI. It is used when the traffic is encapsulated in IPsec and
describes the format of the inner IP header (the format of the outer IP header is described by
the ipFromat parameter of the parent Vlan instance).
Parameter ipFormat
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor
Range & Unit Enumerate
IPv4(0), IPv6(1), IPv6overIPv4 (2)
Class A
Value False
Feature 163456 & 163826
trafficDescriptorIdList parameter refers to the instances of TrafficDescriptor object that describe the
IPsec child SA pairs under the IKE SA pair described by this IPsecTunnelConf MO instance.
This parameter is set for MCI.
IPsecConf:
Parameter ikeAuthMethod
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit Enumerate
{0,1}
Class A - full-NE-reset
Value (0) Pre Shared Keys
Feature FRS 101808
IkeRetryBase - This parameter specifies the base of exponential back-off multiplied by 10. The
true exponential back-off used in the calculation will be the IkeRetryBase entered divided by 10.
Parameter IkeRetryBase
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [10 – 20 ]
Class C- New-set-ups
Value 13
Feature FRS 101808
Parameter IkeRetryCount
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [1 – 100 ]
Class C - New-set-ups
Value 3
Feature FRS 101808
Parameter IkeRetryTime
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [100 – 20000 ]
Class C - New-set-ups
Value 1300
Feature FRS 101808
ikeSALifeDurationSec - The lifetime indicates the amount of time is left before the Security
Association is re-negotiated. The units are in seconds
Parameter ikeSALifeDurationSec
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [100 – 20000 ]
Class A - full-NE-reset
Value 28800
Feature FRS 101808
Ikev2IDType - This parameter specifies the type of identifier for IKE v2. This specifies whether the
IP addrss, Domain Name or Fully Qualified Domain Name is used. A value of (0) IP address, (1)
DN Domain Name or (2) FQDN Fully Qualified Domain Name.
Parameter Ikev2IDType
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit Enumerate
{0, 1, 2}
Class B - Transport-Layers
Value (0) IPaddress
Feature FRS 101808
Parameter ipsecAntiReplaywindowSize
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [0-40]
Class A - full-NE-reset
Value 32
Feature FRS 101808
ipsecKeepalivePeriod - This aids in the Dead Peer Detection (DPD). Keepalive administrative
packets are sent between IPsec Peers to determine if the IPsec tunnel is still valid. The units are
in seconds.
Parameter ipsecKeepalivePeriod
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [0-120]
Class A - full-NE-reset
Value 10
Feature FRS 101808
Parameter ipsecPerfectForwardSecrecyOn
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit Boolean
True/False
Class A - full-NE-reset
Value True
Feature FRS 101808
If the ENB has Perfect Forwarding Secrecy enabled, the SeGW must also have Perfect Forwarding
Secrecy enabled. There have been issues related to rekeying when where is a mismatch in the
Perfect Forwarding Secrecy between the eNB and SeGW.
ipsecSALifeDurationbytes - The lifetime indicates the amount of bytes sent before the Security
Association is re-negotiated. The units are in bytes.
Parameter ipsecSALifeDurationbytes
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [1- 4294967295]
Class A - full-NE-reset
Value 1620000
Feature FRS 101808
ipsecSALifeDurationSec - The lifetime indicates the amount of time is left before the Security
Association is re-negotiated. The units are in seconds.
Parameter ipsecSALifeDurationSec
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit [1- 4294967295]
Class A - full-NE-reset
Value 28800
Feature FRS 101808
strictCrlPolicy: This parameter selects the policy to be followed by the eNodeB for certificate
revocation checks.
0 (no): eNB checks the received certficate for revocation when an HTTP URI is included in the
CRLDP field of the certificate and the CRL can be retrieved by eNB. If this is not the case the
revocation check is simply skipped.
1 (yes): the received certificate MUST include a CRLDP field and the CRL MUST be retrieved by
eNB otherwise the certificate is rejected.
2 (ifuri): the revocation check is simply skipped when the certificate does not include an HTTP
URI. When it includes one the CRL must be retrieved by eNB otherwise the certificate is
rejected.
Certificate Enrollment:
CertificateUpdateDate: This parameter specifies the date against which eNB checks the issuing
date of the operator-signed certificate for the operator associated with the FIRST
PlmnIdentity Object instance. The string format is YYMMDDHHMMSS (year month day hour
minutes seconds). The certificate is renewed on condition that it was issued before the
specified date. The renewal operation is performed either at the specified date or
immediately if the specified date is already passed.
Parameter CertificateUpdateDate
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & The string format is YYMMDDHHMMSS (year month day hour minutes seconds).
Unit
Class A - full-NE-reset
Value
Feature FRS 101812
cmsIPv4Address – This is the IPv4 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv4Address
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv4 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 101812
cmsIPv4Address2 – This is the IPv4 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv4Address2
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv4 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 159440
cmsIPv4Address3 – This is the IPv4 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv4Address3
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv4 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 159440
cmsIPv6Address – This is the IPv6 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv6Address
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv6 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 101812
cmsIPv6Address2 – This is the IPv6 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv6Address2
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv6 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 159440
cmsIPv6Address3 – This is the IPv6 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
Parameter cmsIPv6Address3
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & IPv6 address
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 159440
ENBcaName – This is the name of the Trust Anchor. This allows the eNB to perform path
validation.
Parameter ENBcaName
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [0-40] Character String
Unit
Class C - Immediate-propagation
Value NULL
Feature FRS 101812
ENBcaName2 – This is the name of the Trust Anchor. This allows the eNB to perform path
validation.
Parameter ENBcaName2
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [0-40] Character String
Unit
Class C - Immediate-propagation
Value NULL
Feature FRS 159440
ENBcaName3 – This is the name of the Trust Anchor. This allows the eNB to perform path
validation.
Parameter ENBcaName3
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [0-40] Character String
Unit
Class C - Immediate-propagation
Value NULL
Feature FRS 159440
eNBcmsPreSharedSecret– This parameter registers the Pre-shared secret key to be used for
authenticating CMPv2 messages at eNB-CMS interface if the eNB does not own any certificate yet.
Parameter eNBcmsPreSharedSecret
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [0-40] Character String
Unit
Class C - Immediate-propagation
Value NULL
Feature FRS 101812
Httpportcmpv2 – This is the same port value configured on the CMS CA that accepts http
protocols.
Parameter Httpportcmpv2
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [49152- 65535]
Unit
Class C - Immediate-propagation
Value 80
Feature FRS 101812
HttpURLcmpv2 – This is the URL the eNB is required to send to the CA. This value can be
derived from the CMS CA when configuring the CMS HTTP directory.
Parameter HttpURLcmpv2
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/CertificateEnrollment
Range & [12-128] Character String
Unit
Class C - Immediate-propagation
Value N.A.
Feature FRS 101812
Note: It has been noticed that the entry for the parameter HttpURLcmpv2 with a full name
HttpURLcmpv2=”https://IPaddress:port_number/cmsdir “ will produce a CMP request from the eNB
towards the CMS server with an extra “/” inserted between the port_number and cmsdir. The
actual request will be =”https://IPaddress:port_number//cmsdir .
No adverse behaviour had been observed when the Full name had been used with the
HttpURLcmpv2 parameter.
If the user requires the enb to send the CMP request with one “/”, the HttpURLcmpv2 parameter
should be set to the directory path only. HttpURLcmpv2=”cmsdir “
IPsec tunnel configuration vary dependant on the VLAN configuration and IP interface configuration
for the OAM and Telecom interface. Each category below represents a supported single and multi
operator configurations.
The inner and outer IPsec tunnel address must be of the same type (i.e. both IPv4 or IPv6).
Each row with yellow or green background contains one of the basis VLANs traffic mix. Each row
number represents a VLAN configuration.
When there are several lines in a yellow or green row, each line corresponds to an IP address. The
list of types of traffic mapped to the IP address is listed in the line (e.g. for VLAN combination # 4
there are two lines in green. The traffic S1u/X2u of the first line is mapped to an IP address and the
traffic S1c/X2c of the second line is mapped to another IP address).
# in first column is the VLAN traffic mix. E.g. #13 refers to a VLAN with 3 IP addresses: one IP
address for Oam, one IP address for S1u/S1c/X2u/X2c and one IP address for 1588.
A column below “VLAN configuration reference” identifies a possible association of VLANs that is
defined by the set of grey areas in this column. “4” (respectively “6”) in a column represent an eNB
IP address; “4” means it is an IPv4 address; “6” means it is an IPv6 address.
The VLAN configuration designated with the symbol “ ⁿ” are new in this release. In the tables below,
VLAN 24ⁿ is new in this release.
1588
10 OAM
S1u+S1c+X2u+X2c
11 Oam+S1u+S1c+X2u+X2c
12 Oam+S1u+S1c+X2u+X2c
1588
13 Oam
S1u+S1c+X2u+X2c
1588
14 S1u+S1c+X2u
15 M1
16 S1u+X2u+X2c
17 S1u
18 X2u
19 S1c
Support IPsec with PSK Y Y Y Y Y Y Y Y Y Y
The following diagram depicts the graphical representation of row 1 from Table 52. Both OAM and
Telecom traffic have a common IPv4 address (Black dot). The 1588 traffic use a separate IPv4
address (green dot). Both traffic types OAM and Telecom have been assigned to IPsec Tunnel T1
(Lime green Line). The diagram shows the OAM (Red line) and Telecom (Violet Line) with in the T1
tunnel. The IPsec Tunnel is associated with the VLAN V1 (Blue Line), therefore the Tunnel T1 is
within the VLAN V1. The 1588 traffic (Black Line) is in bypass mode and therefore does not traverse
within the IPsec Tunnel T1.
2. All X2-C traffic will part of the Master Operator Telecom VLAN.
3. Master Operator manages the IPsec configuration for all operators.
a. The Pre-shared Keys for each operator’s IPsec tunnel will have to be given to the
master operator in order to push the keys to the eNodeB.
b. Each operator IPsec configuration parameters must be transmitted to the Master
operator for proper IPsec configuration.
7750 8.0R5 Implementation will not support IPsec IKEv2 over IPv6. The 8.0R5 Implementation will
only support IPsec IKEv2 over IPv4.
Note: ALU 7750 8.0R5 only supports Static IP assignment (Does not support DHCP) for eNodeB.
The 7750 can NOT provide traffic policy on a protocol level. The 7750 can only provide traffic
policy on an IPaddress or IPaddress range.
The 7750 can NOT support Bypass traffic policy within the IPsec tunnel. The 7750 can only provide
traffic policy Integrity Protection or Integrity Protection with Encryption.
If the ENB has Perfect Forwarding Secrecy enabled, the SeGW must also have Perfect Forwarding
Secrecy enabled. There have been issues related to rekeying when where is a mismatch in the
Perfect Forwarding Secrecy between the eNB and SeGW.
Based on the Fortinet specifications, there are no are no restrictions on the eNodeb and Fortinet
configurations.
If the ENB has Perfect Forwarding Secrecy enabled, the SeGW must also have Perfect Forwarding
Secrecy enabled. There have been issues related to rekeying when where is a mismatch in the
Perfect Forwarding Secrecy between the eNB and SeGW.
6.10.1.10 QOS
The DSCP value found in inner header of IPSEC-ed traffic is copied to the outer IPSEC tunnel header,
so this traffic can be shaped.
The VLAN priority will follow recommendations specified in section 0 VLAN Ethernet QOS.
1. The DSCP of the user plane inner packets shall be configurable per operator.
6.10.1.11 MTU
1. It is best to calculate MTU frame size with consideration for all over to avoid IPsec packet
fragmentation..
6.10.1.12 Recommendations
The outer IPsec address is set to a different value than the Inner IPsec address.
IPsec tunnels pose an interesting problem for debugging communications outages. Interrupted
communications could be a result of either a network component (i.e router issue) or the IPsec
tunnel failure. In order to distinguish one failure from another, an ICMP message is usually sent
to/from the interface in question. If all ICMP messages are sent within the tunnel, then we could
not distinguish a network failure from and IPsec failure. We must have the capability to send ICMP
messages inside and outside the tunnel. When the outer IPsec tunnel address is identical to the
inner IPsec tunnel address, the eNodeB can not distinguish whether to send the ICMP messages to
inside or outside the tunnel and decides to send the ICMP messages inside the tunnel.
The Perfect Forwarding Secrecy is option in the phase 2 stage of the IKE negotiation to perform
another Diffie-Hellman key exchange. This increase the security of the IPsec tunnel since the first
key exchange was performed in a clear context. The phase 2 IKE exchange messages are
sent/received encrypted packets.
As an example we will take the case where the eNodeB is connected to a core 7750 router. The
eNodeB has an OAM and Telecom IPv4 address that are unique. A corresponding VLAN will be
configured for each (OAM, Telecom) domain. For convenience, Table 41 is reproduced with valid
configurations based on the eNodeB and ALU 7750 SR SEG interoperability. Refer to the Security
Gateway section for an explanation of ALU 7750 IPsec implementation.
2 V1 V2 Yes Bypass T1
3 V1 V2 No NA T1
7 V1 V2 Yes Bypass T1
8 V1 V2 No NA T1
12 V1 V2 No NA T1
16 V1 V2 Yes Bypass T1 T2
17 V1 V2 No NA T1 T2
19 V1 V2 No NA T1 T2
Depending on the security objectives, a particular configuration can be chosen. Assuming that
neither the OAM nor the Telecom traffic is trusted, we are limited to options 16 and 17. If the 1588
interface is provisioned, then we are left with option 16.
The following parameters should be set in order to provision the system to option 16.
ipsecPerfectForwardSecrecy = enabled
ipsecAntiReplaywindowSize = 32
ikeSALifeDurationSec = 28800 (20 days)
ipsecSALifeDurationbytes = 162000
ipsecKeepalivePeriod = 10
ikeAuthMethod = PreSharedKeys
6.10.1.14 Considerations
IPsec will add additional bytes to the original transmitted packet. The overhead will depend on
IPsec mode (Transport/Tunnel) and encryption method. The following table displays the various
combinations of an IPv4 1500 byte transmitted packet size after IPsec encryption. The table below
only displays the ESP / Tunnel mode since LTE limits the IPsec configuration.
The table below represents the worse case overhead calculation for using either 3DES or AES (types)
encryption schemes.
There is an additional 52-73 bytes depending on the authentication and encryption Method. Twenty
of the overhead bytes are due to the IPsec outer Ethernet header. The remaining 32-53 bytes are
attributed to the ESP overhead. To avoid frequent IP packet fragmentation, the network should
accommodate the worse case overhead that IPsec imposes on the IP packet
The IPv6 overhead will be an additional 20 bytes (72 – 93 bytes overhead) above the IPv4 values to
accommodate for the length of the IPv6 addresses.
A Single License is required to activate the Certificate feature for the eNB. The eNB License is
dependant on an available and active IPsec License.
In the case for eUTRAN a license is required for each operator associated with each eNodeB.
The CMS MIM diagram is part of the IPsec MIM description; please refer to Figure 83: IPsec / CMS
MIM. A description were provided in the IPsec section, but duplicated here for ease of search and
comprehension.
ActivationService:
Certificate Enrollment:
This parameter specifies the date against which eNB checks the issuing date of the
operator-signed certificate for the operator associated with the FIRST PlmnIdentity
Object instance. The string format is YYMMDDHHMMSS (year month day hour minutes
seconds). The certificate is renewed on condition that it was issued before the specified
date. The renewal operation is performed either at the specified date or immediately if
the specified date is already passed.
cmsIPv4Address – This is the IPv4 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
cmsIPv6Address – This is the IPv6 address of the CA that is directly above the eNB in the CMS
architecture. If this is model 1 architecture, then the IP address would be the Sub CA.
ENBvaName – This is the name of the Trust Anchor. This allows the eNB to perform path
validation.
Httpportcmpv2 – This is the same port value configured on the CMS CA that accepts http
protocols.
HttpURLcmpv2 – This is the URL the eNB is required to send to the CA. This value can be
derived from the CMS CA when configuring the CMS HTTP directory.
The CMS certificates are associated with the IPsec IKE negotiation; therefore the CMS eNB
configurations are included with the IPsec configuration chart. Please refer to section 6.10.1.6.1
Single Operator Configuration and section 6.10.1.6.2 Multiple Operator eNodeB Supported
Configurations for CMS IPsec configurations. The second to the last row of each table has a row
indicating the CMS support. If the entry is “Yes” then CMS is supported in that VLAN-IPsec
Configuration. This is also true for the PSK Row, where PSK represents the Pre-Shared Key method
for IPsec IKE authentication.
• Operator certificates are supported for both OAM and Telecom tunnels.
• Certificate Revocation List (CRL) is not supported in this release of the eNB.
In LA5.0 IPsec authentication can be performed using Certificates or Pre Shared Keys. The eNB
provisioning parameters were provided in the MIM section. The following table provide a view of the
information set required to support the different variations of the PSK, CMS with factory certificates
or CMS without factory certificates. Factory Certificates will be supported in the future.
Nb CMS IP address, eNB IPsec for IPsec for IPsec for eNB action
CA name (MIM) credentials OAM (MIM) Telecom Telecom
(Master) (Non Master)
(eUTRAN
Sharing)
1 Provisioned No preloaded 1) Ipsec IPsecAuthMethod IPsecAuthMethod 1) Certificate
factory enabled = Certificates, = PSK or enrollment
certificate IPsecAuthMethod Certificates with Master
2) PSK is the same for operator CMS
Enabled OAM and (PSK for CMPv2
with telecom. authentication.
certificates 2) IPsec tunnel
setup using the
Master
operator-
signed
certificate for
IKEv2
authentication.
3) If
IPsecAuthMeth
od =
Certificates,
The Non Master
telecom will
perform
certificate
enrollment
with the non
master
operator CMS.
4) If
IPsecAuthMeth
od = PSK, The
Non Master
telecom will
perform IKEv2
authentication
with the
configured
IPsec PSK.
2 n.a. PSK shared 1) Ipsec IPsecAuthMethod IPsecAuthMethod 1) Master
Keys with enabled = PSK, = PSK or operator IPsec
SeGW (No IPsecAuthMethod Certificates. tunnel setup
CMS) 2)Enabled is the same for using the IPsec
(LA3.0 with PSK OAM and PSK for IKEv2
Feature) (No telecom. authentication.
Certificate 2) If
s) IPsecAuthMeth
od =
Certificates,
The Non Master
telecom will
perform
certificate
enrollment
with the non
master
operator CMS.
3) If
IPsecAuthMeth
od = PSK, The
Non Master
telecom will
perform IKEv2
authentication
with the
configured
IPsec PSK.
• The configuration of the CMS IP address is an indicator to the eNB to perform CMS
certificate requisition.
Certificate enrolment is performed on the field for eNBs (eCCM-U controller card or sBBU). An eNB
receives an Operator-signed certificate (as opposed to an ALU-signed certificate provisioned in the
factory).The associated eNB parameters are in the eNB MIM under SAM control (e.g. SAM provisions
the Operator CMS IP address to eNB and IPsecAuthMethod = certificates).CMS server does not
initiate exchanges with eNBs (it works in server mode). Initial certificate enrolment is performed at
eNB startup after the initial connection with SAM has been established (SAM has to provision the
CMS IP address).
For a new deployment of a CMS system, the following sequence is required.
1) Install and configure the CMS server. The CMS server can operate in Root CA and/or Sub CMS
mode.
a) Generate Root CA certificate
b) Generate Sub CA certificate
2) On the Security Gateway, generate a certificate request in PKCS #10 format.
a) Copy the PKCS #10 certificate request to andexternal media (i.e. USB)
3) On the CMS server, import the PKCS#10 messages and generate a signed SUB CA certificate. The
format for the signed certificate should be PKCS#7. Export the signed SUB CA signed certificate
and Root CA signed CA certificate to an external media (i.e. USB).
4) On the SEG, Import the SUB CA and Root CA certificate.
5) On the SAM, Provision the eNB CMS Parameters.
a) CMS IP address, CA Name, ENBcmsPreSharedKey, CMSUpdateDate, httpportCmpv2 (Value
will depend on the CMS server configuration), HttpUrlCmpv2 (Value will depend on the CMS
server configuration).
b) Set Authentication method to certificates.
The following is an example of an eNB transaction based on the entry 1 from the above table.
The 1B configuration is a single operator eNB with separate VLANs for OAM and telecom. There are
no factory certificates loaded into the eNB. The operator will have to configure the eNB parameters
described in the CMS system configuration:
The eNB will check for an existing public/private key pair. If public/private key pair does not exist,
then the eNB will generate a new key pair. If Certificates are enabled, the eNB will check if an
existing and non expired certificate is available for the key pair. In the case of and expired or non
existent certificate, the eNB will initiate a CMPv2 certificate request towards the CMS server. As
described in the general section of CMS theory, the CMS server will communicate with the eNB by
sending the required certificates to the eNB in order for the eNB to validate the the certificates to
the trusted anchor. If security is of concern, the operator can configure the eNB
“ENBcmsPreSharedKey” parameter in order to secure the CMPv2 communications between the eNB
and the CMS server. An equivalent Pre-shared Key for CMP communications must be provisioned on
the CMS server to allow bidirectional secure communications. Once the eNB receives the certificates
from the CMS server, the eNB will validate the the certicates. The eNB will now have the eNB
certificate signed by the Root CA or Sub CA depending on the architecture. The certificate is used in
the IKE negotiations to authenticate the IPsec peers.
The eNB will initiate the IPsec IKE negotiations. The diagram below shows the IPsec IKE phase 1
negotiations. This is the same diagram Figure 32: IKEv2 Phase 1 Negotiation taken from the general
IPsec theory section.
As seen in message 2, an optional CERTREQ can be sent from the SEG to the eNB requesting a
certificate. Message 3 and Message 4 are part of the IKE authentication phase. The eNB in message 3
will respond with the digital certificates to the SEG. Message 4 the SEG will send its digital
certificates to the eNB. Both the eNB and the SEG will validate the received certificates prior to
progressing to the IPsec Phase 2 negotiations.
When using ceritificates for authentication the IKEv2 ID Payload type used by eNB could be
e.g. an IP address (IPv4 or IPv6), a FQDN or a “Distinguished Name”.
• For release 13.1 IP address will not be supported Only the FQDN and DN will be
used.
The factory certificate capability allows the eNB to setup the IPsec tunnels on the OAM without
further CMS communications in the field. The eNB will have an Alcatel-Lucent certificate loaded at
the factory prior to shipment to the customer site. The preloaded certificate (Factory Certificate) is
an eNB certificate signed by the Factory CMS server. When the eNB is installed in the field, the eNB
with the loaded factory certificate will perform IPsec negotiations with the SGW since it has a pre-
configured certificate.
ALU’s
Root CMS
Secure central location
manual operations in
PKCS format
(e.g. PKCS#10 &
PKCS#7)
This feature assumes that that a CMS server or Sub CMS server is locally co-resident with the eNB.
The eNB are not required to have CMS pre-shared key setting since the SUB CMS server is local and
therefore trusted. The Root CMS can transfer the Sub CMS certificate via a manual process. This is a
less frequent process and therefore a manual procedure is sufficient. The SUB CMS provides the eNB
with a factory certificate via the CMPv2 protocol.
The eNB will download the eNB Certifacte and, sub CMS certificate and the self signed root
certificate. This allows the eNB to be deployed in the field and not perform a CMS certificate
request. The eNB can be atuthencticated by the factory certificate in the field.
The eNB in the factory will have the atuthentication method configured to “certificates”. The CMS
ip address configured with the address of the factory CMS server.
The eNB will have an operatorfactory CMS server IP address and CA name provisioned when
performing factory certificate.
The eNB when provisioned with the authentication method of “certificate”, the eNB will check for a
vendor certificate. If the vendor certificate is not available, the eNB will check for the factory
certificate. If there are no certificates provisioned and the CMS parameters are also not configured,
the eNB will perform a factory certificate initiation.
Vendor Certificates can be used instead of the factory certificates. The vendor certificates can be
acquired after the eNB has been installed in the field with the pre-loaded factory certificates. The
CMS IPaddress configuration and the CAname wil cause the eNB to initiate a CMS request for a
vendor certificate. The vendor certificate will have precedence and will be used once acquired.
The SEG shall be able to configure IPsec tunnels with the eNB using X.509v3 digital certificates for
IKEv2 authentication for the following IPsec configurations:
1. IKEv2 authentication
2. IPv4 IPsec traffic
3. IPv6 IPsec traffic
4. certificate chain delegation models supported in the CMS application of up to four levels of
hierarchy
5. Simplex mode without SEG redundancy
6. High Availability redundant system of active/standby configuration of SEGs
The redundant SEG can consist of a set of two aplpliances running in HA mode, or a set of redundant
security gateways running in the same chassis (intra-chassis redundancy) or in separate chassis
(inter-chassis redundancy).
Refer to the 9981 CMS LA5 (Architecture and Provisioning) documentation for examples of Fortinet
configurations to support CMS.
For SeGW that support CRL capabilitites, the CMS server will now provide CRLDP Field as part of the
SeGW Certificate. The SeGW can be loaded with CRL lists via
• Manual installation.
• Manully configured with the URL of the CRL File.
• Receives the URL and port information from the CRLDP Field within the SeGW certificates.
2 Ethernet boards
USB port
DVD drive
A is HSM card highly recommended. Thales nShield Solo version nShield 500e F3 for PCI
Express interface with ncipher Security World for Key backup and recovery
The CMS server hardware has an option for a High Security Module (HSM). This module is meant for
the storage of RSA keys in an encrypted format. It is not mandatory but highly recommended.
Otherwise the software will store the RSA keys in the local hardrive.
The CMS server can be configured as a Root or Sub CA depending on the Architectural model that is
deployed. The CMS server is structured to support the eNB as a server. The CMS server will never
initiate Certificate requests.
For the example of an existing eNB in the field, eNB will not have a factory certificate. In this case
the CSM pre-shared keys is used to secure CMPv2 communications between the eNB and the CMS
server.
This is a sample configuration required to support and existing eNB in the field and the CMS server
acts as the Root CA.
Step 1:
CA Creation: This creates the Certificate Authority and identifies the the CA as a Root CA.
Associated with the configuration are the hash algorithms, Domain name, lease times, and factory
configuration. The example below represents a Root CA, non factory (operator) configuration with
the associated CA parameters of lease time and hash algorithms.
Step 2:
Set Shared Secret for an eNB. As this is a field deployed eNB example and do not contain a factory
Certificate.
o CAname - CA name
o Format: text.
o SharedSecretFile – full path to file containing shared secret value.
o Default– When this parameter is specified, shared secret will be added as default.
Step 3:
Self-signed certificate generation: This required since this is the Root CA. The Root CA must Create
a self signed certificate that is provided to
o CAname - CA name
o NotBefore - duration before validity of the certificate
Step 4
Generating and signing the certificate for a security gateway. The SEG will require a Certificate.
This certificate can be manually transferred to the SEG.
Step 5:
This configures the CMS server information that is required for eNB interoperability. This will
include The Port and IP address configuration to accept CMPv2 requests.
o WebSrvAddr - New server address of the server on which the message is accepted. The
host name or IP address can be used. Several IP addresses can be specified. These
addresses must be used by this machine.
Note: If host name is used as server address then only IPs, wich were successfully
resolved for this host name, will be used (see /etc/hosts file).
o CmpURN - CMP location in the server configuration. It's part of address in requested URI
of CMP reqest. For example URI for location "cmp":
http://192.168.5.10/cmp
o CmsSessionTimeout - CMS GUI or CLI session timeout. Values: positive integer values
meaning timeout in minutes from 1 to 1500 or ‘-1’ in case the timeout is not needed.
Default value is 15. In order changes for your working shell (bash) can take effect, you
need to login/logout.
o LoginBanner – login banner. It contains the text which is showed before login to cms-
clitool and before login to server.
o PasswdValidity - CMS user password validity period. This parameter isn’t implemented.
o QosPriority – the value to be assigned to the priority field in the Ethernet header. This
parameter isn’t implemented.
As the CMS server can operate in many modes, there are many associated commands to configure
the CMS server based on the functionality required (i.e. [Factory or operator], Root or Sub CA,). The
commands above are for a specific example. For further information about the CMS server command
set, please refer to the CMS server User Guide.
CMS server with the Certificate Authority will have the capability to include the CRLDP field within
the generated certificates. The CRLDP field will support up to 2 CRL URLs with port numbers. The
CRL URLs are pointers to CRL servers such that the SeGW/eNB can retrieve the CRL list.
The CRL requests from the eNB or SeGW will be on TCP port 12784 (FRS 159440 ).
The CMS Server will now support the CRLDP Field. The CRLDP field allows the insertion of the CRL
URL and port number within the certificate. This allows the certificate requesting entity to query
for the CRL. (FRS 159440 ). The CMS server will support at most 2 HTTP URLs in the CRLDP field.
The documentation is based on the information obtained prior to the release. Please refer to the
release letter to determine if any restrictions on this feature exist at the time of release.
Restriction: <eNB><IPsec>(<Plug-N-Play>)
Plug-N-Play is meant for initial deployment for eNB with automatic establishment of IPsec OA&M
Connection only. Plug-N-Play capabilitites are not available for Telecom connections.
1. Only IPv4 over IPv4 are supported.
2. No factory customization of FQDNs (SeGW/ SAM FQDNs or IP address). All information are
acquired via DHCP.
3. DNS address resolutions are not supported during the Macro PNP deployments.
4. No SeGW redirection during PNP deployments.
5. Macro eNB will default to No VLAN from the factory.
6.
The SeGW router must support the ability to perform a DHCP request to an external DHCP server
when the SeGW receives the IKEv2 CP Request message. This is a special function that doesn’t exist
in all routers. Fortinet is the certified router.
If the eNB is deployed with PNP capabilities (IpConfigAutomatic = true), it is expected that the eNB
configuration in the SAM for the eNB maintain the PNP capabilities.
The SeGW will have to support dual Trust Anchors for a single connection. This is required since the
initiail IPsec connection.will use factory certificates and operator certificates will be used after
the initial connection.
The IPsec Plug-N-Play feature allows the eNB to automatically establish an OA&M IPsec channel
without extraneous configurations. Currently the eNB will require the user to configure the IPsec
outer and Inner tunnel addresses before communications to the SASAMM can be established. With PNP,
the Outer IPsec Tunnel address can be automatically acquired by enabling the Automatic Security
Gateway Discovery capability. The IPsec PNP will enable the automatic discovery of the IPsec Inner
Tunnel address and complete thehe IPsec tunnel configuration. The ability for the node to
communicate and register with the EMS will be discussed in the Enb Self Commissioning Feature.
The remaining eNB configuration will be configured after the eNB has established communications
established
ished with the SAM. The remaining procedure will be decribed to make the example
complete. A generic Plug-n-Play
Play section will be added to the TEG to describe the capabilities Plug-
Plug
n-Play with and without IPsec.
In order for the the eNB to be installed in the field without any configuration on site (Plug
(Plug-n-Play),
additional network functionally must exist to support information transfer to the eNB.Before we
describe all the functionality required to support the Plug
Plug-N-Play
Play scenario, we will introduce a
network diagram for reference.
eNB/Metrocell pre-requisits
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Restriction: <eNB><IPsec>(Plug-N-Play>)
The nodes DHCP client will not perform DHCP renew requests. The DHCP server should have a
permanent lease time for the Outer IPsec tunnel address.
Restriction: <eNB><IPsec>(Plug-N-Play>)
The nodes DHCP client will not perform DHCP renew requests. The Core DHCP server should have a
permanent lease time for the Inner IPsec tunnel address.
CMS
The CMS server is provisioned with the Domain information necessary to allocate certificates based
on the certificate requests organization field. The CMS server will allocate certificates to the eNB
via CMP protocol and certificates to the SeGW via a manual process. This follows the CMS
architecture and description provided in the CMS section of this document.
SAM
The SAM is provisioned with the eNB serial number in order to accommodate the 13.3 eNB
registration scheme (Feature L115970, eNB Self Commissioning). Release 13.1 eNB will initiate hello
messages to EMS IP addresses that are pre-configured on the eNB or EMS IP addresses that are
acquired when an eNB sends the hello message to the controlling SAM, the SAM will respond and
continue with the registration process. Once the eNB is registered and Managed, the SAM is used to
provision the eNB/Metrocell with the final configuration once communications to the eNB or
Metrocell is established.
The PNP components must be pre-configured to support the deployment of the eNB/Metrocell prior
to the delivery of the equipment. In order to provide a proper explaination of the functionality a
complete walk through the communications between the deployed equipment and the network
components will be discussed. An example of the communications between the eNB and the
network components are provided in this section. The example will be an IPsec tunnel configuration
for the OAM and telecom interfaces.
Edge Device
If the edge device is a layer 2 device, then the device should be configured to accept no VLAN
OA&M traffic.
If the device is a layer 3 device, an internal DHCP server should be configured to provide the:
• outer address of the IPsec tunnel
• the EMS IP addresses and ports (Maximum of 10)
• the SeGW IP address.
The assigned IP addresses are associated with the eNB Upon receiving a DHCP request, the edge
router will respond with the appropriate IP addresses.
The SeGW have to be loaded with the SeGW certificate signed by the Core network CMS server.The
Root self signed certificate from the Core network CMS server have to be loaded as well. These
certificates are different than the ALU factory signed certificates.
CMS
The CMS is configured to assign certificates to the eNB.Certificates assigned to the SeGW are
performed manually.
SAM
The SAM will have the complete configuration for each eNB. This includes all the parameters a new
communications channel for the OAM if necessary. The SAM is configured with the serial numbers of
all the eNBs that the SAM will manage. The SAM has the self configuration policy set with the
following set:
o Auto Start
o SW Upgrade
o Configuration Deployment
o Administrative Enable
Each row with yellow or green background contains one of the basis VLANs traffic mix. Each row
number represents a VLAN configuration. The N in the VLAN number indicates a NO VLan
configuration.
When there are several lines in a yellow or green row, each line corresponds to an IP address. The
list of types of traffic mapped to the IP address is listed in the line (e.g. for VLAN combination # 1
there are two lines in green. The traffic Oam+S1u+S1c+X2u+X2c of the first line is mapped to an IP
address and the traffic 1588 of the second line is mapped to another IP address).
A column below “VLAN configuration reference” identifies a possible association of VLANs that is
defined by the set of grey areas in this column. “4”, “6” or (respectively “6over4”) in a column
represent an eNB IP address; “4” means it is an IPv4 address; “6” means it is an IPv6 address, and
“6over4” indicates IPv6 over IPv4.
6.10.3.4 IPsec Plug-N-Play Walk Through with IPsec and DHCP capability
Figure 88: Plug-N-Play Flow (1),Figure 89: Plug-N-Play Flow (2),Figure 90: Plug-N-Play Flow (3)and
Figure 91: Plug-N-Play Flow (4) represents the flow of communications for Plug-N-Play. All detailed
discussions will refer to these diagrams.
The eNB will be pre-loaded with the ALU factory certificates. The eNB/metrocell will also
configured to automatic configuration. All other components will be pre-configured to support the
eNB deployment. Please refer to section 6.10.3.2 IPsec Plug-N-Play Pre-Deployment configurations.
When the eNB is first deployed in the field, the eNB will first boot and perform a DHCP request for
an outer IPsec tunnel address, SAM IP addresses and SeGW address. The edge device will allocate
the IP addresses. After acquiring the IPsec tunnel address, SAM IP addresses and SeGW address, the
eNB will initiate an IPsec tunnel connection with the SeGW. The eNB will use the factory certificates
as part of the IKEv2 authentication procedure in order to avoid additional manual provisioning.
As part of the Plug-N-Play scenario, the eNB will request the Inner IPsec address via the IKEv2
negotiation. The eNB will send a CP request as part of the IKEv2 negotiation. This will prompt the
SeGW to allocate an IP address via a DHCP request to an external core DHCP server on behalf of the
eNB. When the SeGW receives the DHCP response, the SGW will reply to the eNB with the IP address
via the IKEv2 CP response. The eNB and the SeGW will continue with the IPsec configuration.
The eNB will initiate contact with the SAM addresses that was received in the original DHCP
response from the edge DHCP server. The SAM that is responsible for managing the eNB will reply
and complete the eNB registration. After the OAM IPsec tunnel is established and the SAM is
connected to the eNB, the SAM can load the work order to complete the provisioning of the eNB.
After the eNB is configured, the eNB will have to reboot in order to substantiate the new MIM
parameters. The IpConfigAutomatic parameter should still remain set to true, therefore the eNB will
initiate another DHCP request for IP configuration. Since the startup is via a dynamic method, the
outer and inner IP address should NOT be populated in the MIM. At this point the eNB has not
contacted the operators CMS server and does not have the operator certificates. The eNB will re-
establish the IPsec tunnel using the factory certificates. The eNB will receive the same inner
address from the internal DHCP server via the IKEv2 CP response.
It is expected that the outer and inner IP addresses are left unconfigured in the SAM for the IPsec
tunnel. The outer and inner addresses are provisioned in the respective DHCP servers.
It is expected that the Factory certificates were only used for the initial OA&M connection. Future
connection to the OA&M will be via the operators CMS domain. The eNB complete the IPsec OA&M
connection. The eNB will request for new operator certificates from the core CMS.The eNB receives
the operator certificates and starts the IKEv2 negotiation with the SeGW. As part of the pre-
configured conditions, the SeGW is preloaded with the operator certificates prior to the eNB
deployment. The eNB will reboot after installing the operator certificates. A new SeGW can NOT be
configured that is different from the SeGW that established the connection for the bootup IPsec
tunnel.
The eNB completes the OA&M tunnel setup. The eNB will setup all the IPsec tunnels that are
configured by the SAM.
The ASGD capability allows the node to automatically acquire the Security Gateway information
IPaddress or Fully Qualified Domain Name (FQDN). As the FQDN suggests, a Domain Name Server
(DNS) functionality can be used to resolve the FQDN to an IPaddress. The use of a DNS to resolve the
IPadddress of the SeGW is currently not supported. Therefore the SeGW IPaddress is the only valid
SeGW information set.
The node requires the SeGW ip address for IPsec tunnel negotiation and configuration.
• DNS is currently not supported in the Automatic Security Gateway Discovery Feature. The SeGW
Fully Qualified Domain name (FQDN) can not be used with a DNS server to resolve
resolve the SeGW IP
address. The current implementation requires the DHCP server to respond with the IP address of
the SeGW. This only applies to Macro only.
DHCP Vendor Spcific Option 43 is required for DHCP replies containing SeGW information (i.e.
SeGW IPaddress or SeGW FQDN).
Sub Option 3 EMS FQDN
Sub Option 4 SEG FQDN
The Network topology will assume the edge DHCP server or DNS device to reside in the network as
depicted in the following diagram.
1. If this device is a layer 2 device, there are no special capabilities required. The edge DHCP
server is behind the L2 device and can be reached directly by the eNB.
2. There are several options associated with DHCP if the device is a layer 3 device.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
a. The device may have an internal DHCP server capability The Edge DHCP server will
be configure to provide the outer address of the IPsec tunnel, the EMS IP address
(including ports), and the SeGW IP address. Upon receiving a DHCP request, the
edge router will respond with the required IP addresses.
b. The Layer device can act as a DHCP relay to send a request to a DHCP server to
acquire the outer address of the IPsec tunnel, the EMS IP addresses (including
ports), and the SeGW IP address.
In the Layer 2 and layer 3 explanation above, the DHCP server return a list of EMS IPaddresses and
the IPsec outer tunnel address in addition to the SeGW address. The IPsec outer tunnel address is
required as part of the PNP capability and the EMS IP address list will be discussed further in the
eNB Slef Commisioning capability.
To enable the Automatic Security Gateway Discovery capability the parameter information are
provided below.
Parameter ipConfigAutomatic
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/
Range & Unit True or False
Class C - New-set-ups
Value True
Feature 160695 and L115970
If the ipConfigAutomatic parameter is enabled, the node will perform a DHCP discovery. If this
parameter is disabled, the node will use the configuration parameters to set the OA&M link.
Parameter securityGWFqdn
Object ENBEquipment/eNB/
Range & Unit String (1-64) characters
Class A - full-NE-reset
Value N.A.
Feature 160695
This parameter specifies the fully qualified domain name (FQDN) of the Secrity Gateway to use
during the initial OA&M establishment. This parameter is used when ipConfigAutomatic is enabled
and when DNS capabilities are used without DHCP. Due to the restriction of the DNS capability this
parameter is deferred to a later release.
Parameter primaryDnsIpAddress
Object ENBEquipment/eNB/
Range & Unit IPv4 address
Class C - New-set-ups
Value N.A.
Feature 160695
This parameter specifies the IPv4 primary domain name server (DNS) address. Due to the restriction
of the DNS capability this parameter is deferred to a later release.
Parameter primaryDnsIpAddressv6
Object ENBEquipment/eNB/
Range & Unit IPv6 address
Class C - New-set-ups
Value N.A.
Feature 160695
This parameter specifies the IPv6 primary domain name server (DNS) address. Due to the restriction
of the DNS capability this parameter is deferred to a later release.
Parameter secondaryDnsIpAddress
Object ENBEquipment/eNB/
Range & Unit IPv4 address
Class C- New-set-ups
Value N.A.
Feature 160695
This parameter specifies the IPv4 secondary domain name server (DNS) address. Due to the
restriction of the DNS capability this parameter is deferred to a later release.
Parameter secondaryDnsIpAddressv6
Object ENBEquipment/eNB/
Range & Unit IPv6 address
Class C- New-set-ups
Value N.A.
Feature 160695
This parameter specifies the IPv6 secondary domain name server (DNS) address. Due to the
restriction of the DNS capability this parameter is deferred to a later release.
This feature enhances the nodes ability to protect against various security threats. The node will
limit the susceptibility to layer 2 and layer 3 external threats. All enhancements are local to the
node. The node will filter ingress traffic. The Node determines the acceptable type of ingress traffic
based on the nodes configuration.
The control and management plane connections that are initiated by the node are controlled with a
stateful firewall that uses the following packets attributes: protocol source IP@, destination IP
address, source port, destination port.
The control and management plane connections that can be initiated by remotes node (SNMP, SSH,
X2c, PTP) are controlled with additional static rules that include, when the feature is activated, the
source IP address of the known remote nodes. The node allows the user to configure additional
source IP address/subnets for SNMP, SSH and X2c traffic.
Filtering rules are supported with IPv4 and IPv6 and are compatible with IPsec and Non IPsec
interfaces.
This capability is Hardware dependant. The following HW controller boards support the capability.
1. ECCM
2. ECCM2
3. Metro
When the packet filtering capability is activated, the Node will begin to inspect and discriminate
traffic against a well known list of acceptable traffic. All ingress traffic that doesn’t match the
known list of acceptable traffic will be discarded. Packet filtering can be enabled/disabled on a per
node IP address basis.
The acceptable traffic list (Known traffic) is automatically determined. The known traffic is derived
from the nodes configuration. Based on the nodes configuration (i.e MME address, EMS address,
etc....), the communications protocols and expected source and destination IP addresses are
deterministic. For each nodes activated IP interface, the filtering mechanism will determine the
source IP address for ingress traffic with the IP addresses of the remote known nodes (S1c, S1u,
NTP, CMS, etc..)
There may be circumstances that require additional communications that are unknown based on the
nodes configuration. The node has configuration parameters to allow the node to accept unknown
traffic.
The following parameters allow the node to accept traffic in addition to the known traffic list.
Parameter isIpFilteringEnabled
Object ENBEquipment/eNB/ActivationService
Range & Unit Boolean (True or False)
Class C- Immediate-propagation
Value False
Feature 114382
This parameter enables or disables the use of IP filtering for an eNB IPaddress. This is the
destination IP address of an ingress packet.
Parameter ipFilteringActivation
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor
Range & Unit Boolean (True or False)
Class C- Immediate-propagation
Value False
Feature 114382
This parameter, defines the IPv4 source address(es) used for the filter. The destination address for
the filter will be the IPv4 address configured in the TrafficDescriptor.
Parameter ipv4Address
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor/PacketFilteringConf
Range & IPv4 Address
Unit
Class C- Immediate-propagation
Value NA
Feature 114382
This parameter specifies the IPv4 subnet mask for the PacketFilteringConf instance.
Parameter ipv4SubNetMask
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor/PacketFilteringConf
Range & IPv4 Address
Unit
Class C- Immediate-propagation
Value NA
Feature 114382
This parameter defines the IPv6 source address(es) used for the filter. The destination address for
the filter will be the IPv6 address configured in the TrafficDescriptor.
Parameter ipv6Address
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor/PacketFilteringConf
Range & IPv6 Address
Unit
Class C- Immediate-propagation
Value NA
Feature 114382
This parameter specifies the IPv6 subnet mask for the PacketFilteringConf instance.
Parameter ipv6RoutingPrefixLength
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor/PacketFilteringConf
Range & [0-128]
Unit
Class C- Immediate-propagation
Value NA
Feature 114382
This the relative index to the PacketFilteringConf object instances. There can be 20 additional User
specified IP.
Parameter rdnId
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescriptor/PacketFilteringConf
Range & [0-9]
Unit
Class NA
Value NA
Feature 114382 and 168496 (increased to 20)
This parameter specifies whether, or not, the group of counters related to IpFiltering is selected to
be reported.
Parameter ipFilteringReported
Object ENBEquipment/eNB/ PerformanceManagement
Range & Unit Boolean (True or False)
Class C
Value False
Feature 114382
This parameter specifies the list of destination ports numbers that are authorized from the IP
address or subnet defined by ipv4Address/ipv4SubNetMask or ipv6Address/ipv6RoutingPrefixLength
parameters of the PacketFilteringConf instance.
Parameter dstPortNumberList
Object ENBEquipment/eNB/EnbTransportConfig/RanBackhaul/VLAN/TrafficDescrip
tor/PacketFilteringConf
Range & Unit IP address
Class C - Immediate-propagation
Value N.A.
Feature 168496
This section of the document contains generic security features associated with the node. This
section will not list all the available features. Instead, we will concentrate on security ascpects that
can be controlled by the operator. Security enhancements include:
1) (LA2) The node will support Role Based Access Control (RBAC) for user and machine interfaces.
a) (14.1) Modification the root password can only performed after user has already logged in
as root.
b) (14.1) the eNB shall support 2 accounts , to differentiate ALU and operator account.
c) (14.1) the eNB shall not support weak hash algorithm for password storage, need to use
SHA-512
This parameter allows to request for pre-login banner display when a user wants to connect to the
eNB through the CLI/SSH.
Parameter displayPreLoginBanner
Object ENBEquipment/eNB
Range & Unit Boolean (True or False)
Class C - Immediate-propagation
Value False
Feature 168496
This parameter defines the measurement period to detect that a data flow controlled by the policer
is overloaded. When a data flow is overloaded the eNB sends an alarm to the EMS. The value 0
means that the policer overload detection time is disabled.
Parameter policerOverloadDetectionTime
Object ENBEquipment/eNB/EnbTransportConf/GlobalTransportConf
Range & Unit Integer (0 – 360)
Class C - Immediate-propagation
Value 15
Feature 168496
It is recommended that Transport-CAC and UL Traffic Shaping features be both configured at eNB.
When the shaper is not used, traffic does not go through the strict priority scheduler but goes to a
specific queue which size is hard coded. Hence, it is not the best way to manage traffic with
different CoS.
Even if no SLA is enforced within the transport network provider, ALU recommendation is that UL
Traffic Shaping feature be nonetheless configured at eNB with following CIR setting:
• CIR = PCR = bit rate of the physical interface (whatever the shaping mode ‘per port’ or ‘per
Vlan’)
This is for taking benefit of the scheduler stage that goes with the shaper. This ensures that egress
traffic is scheduled with QoS differentiation onto the physical link.
Note: In case SLA is enforced within the transport network provider, then UL Traffic Shaping feature
must be configured with a CIR setting that complies to the SLA either at port or at Vlan granularity.
eNodeB supports UL traffic scheduling to ensure the QoS differentiation between high priority flows
and low priority flows.
Scheduling functionality is performed by the WinPath 2 (WP2) processing unit.
Strict highest
priority
priority queue0 VLAN x / DSCP a
queue1
to shaped unshaped from
scheduler classifier
backhaul traffic traffic backplane
...
queueN
VLAN x / DSCP z
lowest
priority
VLAN x
N ≤ 16
16 traffic queues are supported, queue 0 has the highest priority while queue 15 the lowest priority.
All the incoming traffic (eRAB, SCTP, OAM, IEEE1588…) is classified based on its L3 QoS marking and
put into one of these queues on the basis of a DSCP to scheduling priority mapping table.
Each queue is scheduled on a strict priority basis. Whenever there are packets in a queue, they are
scheduled first as compared to others queues with a lower priority. Each queue also maintains the
FIFO discipline.
The strict priority scheduling ensures the QoS guarantee for all GBR (high DSCP classes) and high
priority flows, provided that at any time the sum of these flows does not exceed the CIR. Any
remaining bandwidth is allocated to the rest of the flows in a strict priority order.
The DSCP to scheduling priority mapping table is derived (built) by eNodeB from two sources;
• the provisioned traffic flows to DSCP mapping through ControlFlowToDscpMapping,
QciToDscpMappingS1 and QciToDscpMappingX2 (see IP QoS section), and
• the provisioned traffic flows to queue mapping through TransportCosConf[PerPort]/x, where
x=[0-15] is a queue number
The PTP traffic is not shaped so PtpEvtMsg & PtpGenMsg flows do not go through the shaper.
• Object:
Enb/EnbTransportConf/RanBackhaul/EthernetPort/SlaConfPerPort/TransportCosConfPerPort,
Parameter: queuePriorityAndCosId, Value: [0-15] (0 is highest priority), Class: B, Service impact:
Partial, Update transient impacts details: Transport-Layers
eNB
ActivationService
isUlTrafficShapingEnabled = true
eNBtransportConf
RanBackhaul
cacAndTrafficShapingMode = PerVlan
Vlan[1-50]
SlaConf
TransportCosConf/[0-15]
qciS1List = [Qci1-255]
qciX2List = [Qci1-255]
queueSchedulerMode = [StrictPriority]
queueSize
queueMinThreshold
queueMaxThreshold
maxDropProbability
Figure 94: UL traffic scheduling – per VLAN – Model object for configuration
ControlFlowList
TransportCosConf/x OtherFlowList TransportCosConf::
qciS1List queuePriorityAndCosId
qciX2List
ICMP, IKE
TransportCosConf/0
NetworkControl (1) 0 (highest priority)
(queue #0) Qci5 (2)
Qci5
unset
TransportCosConf/1
unset 1 (2nd priority)
(queue #1) Qci1, Qci2, Qci3
Qci1, Qci2, Qci3
OAM (3)
TransportCosConf/3
unset 3 (4th priority)
(queue #3) Qci7, Qci8
Qci7, Qci8
(4)
CallTrace , DDT
TransportCosConf/4
Other (5) 4 (lowest priority)
(queue #4) Qci9
Qci9
It is possible to map different traffic flows onto the same scheduling priority.
To avoid that the OAM traffic be starved of bandwidth, it is recommended that either;
• OAM traffic be separated from the user plane in a dedicated Vlan, else that,
• OAM traffic scheduling priority be higher than the best effort traffic
The DSCP to scheduling priority mapping table derived (built) by eNodeB from the provisioned
traffic flows to DSCP mapping and the provisioned traffic flows to scheduling priority mapping as
recommended by ALU is the following:
PtpEvtMsg CS7
Qci 5, ICMP, IKE CS6 0
(1)
NetworkControl N.A.
Qci 1, Qci 2, Qci 3 EF 1
GTPuEcho, SctpS1,
AF41
SctpX2, M3, AGPS 2
Qci 4, Qci 6 AF42
OAM AF11
Qci 7 AF22 3
Qci 8 AF21
CallTrace AF12
DDT CS1
(2)
4
Other other
Qci 9 BE
• Object:
Enb/EnbTransportConf/RanBackhaul/SlaConf/TransportCosConf/QueueAndSchedulerConf,
Parameter: queueSize, Value: [100-10.000], Unit: packets, Class: C, Service Impact: None,
Update transient impacts details: Immediate-propagation
If cacAndTrafficShapingMode is “PerPort” then the queue size is configured through:
• Object:
Enb/EnbTransportConf/RanBackhaul/EthernetPort/SlaConfPerPort/TransportCosConfPerPort/Qu
eueAndSchedulerConfPerPort, Parameter: queueSize, Value: [100-10.000], Unit: packets, Class:
C, Service Impact: None, Update transient impacts details: Immediate-propagation
QueueAndScheduler/0 1: ControlFlowList
2: OtherFlowList TransportCosConf::
TransportCosConf/x queueSize 3: qciS1List queuePriorityAndCosId
(packets) 4: qciX2List
1:ICMP, IKE
TransportCosConf/0 2: NetworkControl
100 3: Qci5
0
(queue #0)
4: Qci5
1: unset
TransportCosConf/1 2: unset
300 3: Qci1, Qci2, Qci3
1
(queue #1)
4: Qci1, Qci2, Qci3
1: GTPuEcho, SctpS1,
SctpX2, M3, AGPS
TransportCosConf/2
8000 2: unset 2
(queue #2) 3: Qci4, Qci6
4: Qci4, Qci6
1 : OAM
TransportCosConf/3 2 : unset
9000 3 : Qci7, Qci8
3
(queue #3)
4 : Qci7, Qci8
1: CallTrace, DDT
TransportCosConf/4 2: Other
10000 3: Qci9
4
(queue #4)
4: Qci9
Two queue congestion management mechanisms are supported at eNodeB; tail drop and WRED.
Per queue, the congestion management mechanism may be based on tail drop or WRED.
Tail drop is recommended for queue handling real time traffic (e.g., UDP traffic).
WRED is recommended for queue handling non real time traffic (e.g.,TCP traffic).
By dropping packets with a certain probability, WRED avoids that many TCP connections decrease
their window at the same time.
There are counters associated to UL traffic management (See Monitoring §) that provide for
average, minimum and maximum packet loss rates. Those rates are obtained by sampling at a
certain period of time the total number of packets accepted and rejected at the queue.
The sampling rate configuration is done through:
• Object: Enb/EnbTransportConf/GlobalTransportConf, Parameter:
packetsLossRateMeasurementPeriod, Value: [10-300], Unit: second, Default: 120, Class: C, Service
impact: None, Update transient impacts details: New-set-ups
With the tail drop mechanism, once a queue reaches it maximum fill size, the queue discards any
new packets arriving at the queue.
There are 3 configurable parameters per queue which govern the WRED mechanism:
• queue minimum threshold
• queue maximum threshold
• maximum drop probability
These three parameters are collectively known as a WRED profile.
mint and maxt values are derived from queueMinThreshold, queueMaxThreshold and queueSize
eNodeB provisioned values as:
mint = queueMinThreshold * queueSize
maxt = queueMaxThreshold * queueSize
eNB
ActivationService
isUlTrafficShapingEnabled = true
eNBtransportConf
RanBackhaul
cacAndTrafficShapingMode = PerVlan
Vlan[1-50]
SlaConf
TransportCosConf/[0-15]
queuePriorityAndCosId = [0-15]
qciS1List = [Qci1-255]
qciX2List = [Qci1-255]
QueueAndSchedulerConf/0
queueSchedulerMode = [StrictPriority]
queueSize
queueMinThreshold
queueMaxThreshold
maxDropProbability
Figure 96: UL congestion management – per VLAN - Model object for configuration
eNodeB supports UL traffic shaping to adapt to the available backhaul transport bandwidth.
If UL traffic shaping mode is ‘per VLAN’ with mixity of shaped and non-shaped VLANs then it must
be created one instance of shaper per VLAN, and, for the non-shaped VLAN, egressCir parameter
must be set a value that equals eNB backhaul port bandwidth.
The backhaul transport bandwidth is defined at eNodeB through a bandwidth profile which
parameters are CIR/CBS and EIR/EBS. There can be configured a bandwidth profile per port or per
VLAN.
In this release, the CBS (Committed Burst Size) maximum value actually supported by WP2 is 16 kB
(16384 bytes). If a larger number is provisioned the shaper still uses 16 kBytes.
As per IETF RFC 2698: CBS must be configured to be greater than 0. It is recommended that it is
configured to be equal to or greater than the size of the largest possible IP packet in the stream.
eNB
ActivationService
isUlTrafficShapingEnabled = true
eNBtransportConf
RanBackhaul
cacAndTrafficShapingMode = PerVlan
Vlan[1-50]
SlaConf
egressCir = [1000-1000000]
TransportCosConf/[0-15]
egressCbs = [10-17]
QueueAndSchedulerConf/0 egressEir = 0
egressEbs = 0
Figure 97: UL traffic shaping – per VLAN - Model object for configuration
eNB Call Admission Control (CAC) includes Radio CAC and Transport CAC (T-CAC).
When both T-CAC and Radio CAC are applicable, T-CAC is performed first.
T-CAC supports eUTRAN sharing.
At RAB set-up (or modify) T-CAC controls if the associated S1-U UL and DL volume of traffic can be
satisfied according to the remaining UL and DL bandwidth of the transport link to the backhaul
network.
Warning: in case the T-CAC mode is changed from ‘per port’ to ‘per VLAN’ (or reversely) then the
setting of parameters dlStaticBandwidth and ingressCir must be reconsidered.
If eUTRAN sharing is activated it is only possible to configure the per VLAN mode.
In case eUTRAN sharing is activated, the number of VLAN and the number of PLMN managed by T-
CAC are the same. There is one VLAN handling S1-U per operator (i.e. per PLMN identified by
VLAN::plmnId). There is one T-CAC runing per VLAN (i.e. per operator).
eNB
eNBtransportConf
RanBackhaul
EthernetPort
Vlan[1-50]
TrafficDescriptor[0-10]
SlaConf
(1): ul/dlTransportLoadThreshold is used by Inter-frequency Load Balancing feature (see this section)
Figure 98: T-CAC - backhaul & VLAN - Model object for configuration
(1)
QCI online modification for existing data bearers is possible for QCI in range [6..9].
Note: QCI online modification is enabled at ActivationService::isQciArpOnLineModificationAllowed.
(2)
If the transport bandwidth is not sufficient, the QoS of existing eRABs is maintained by rejecting
the new eRAB.
T-CAC does not modify QoS characteristics of existing eRABs nor pre-empt ressources in case of
transport link bandwidth exhaustion.
T-CAC algorithm operates in an open loop mode. T-CAC does not get feedback from the user-plane
transport layer (i.e. WinPath) of UL and DL bandwidth consumption measurement.
o OAM traffic
At each S1-AP (or X2-AP) procedure that triggers T-CAC algorithm, T-CAC selects the relevant
transport CoS based on the QCI of the eRAB.
To evaluate the needed bandwidth for the eRAB, T-CAC takes into account:
• the GBR for voice and GBR traffic
• the Minimum Bit Rate (minBR) for non-GBR traffic (a.k.a BE)
Note:
1) The Minimum Bit Rate for non-GBR traffic is the minimum IP bit rate that is guaranteed for
each end user in case of S1 load condition. But, in case some S1 bandwidth is left unused then
it is shared amongst the non-GBR users and each non-GBR user may benefit of more bandwidth
than the Minimum Bit Rate.
2) the GBR is provisioned at PCRF and is provided to eNB via S1-AP eRAB Setup Request, while
the Minimum Bit Rate is configured at eNB through OAM.
• for GBR eRAB, a per QCI provisioned UL & DL user plane signaling factor. This is a coefficient
to take into account the RTCP bit rate.
• a per QCI provisionned UL & DL overbooking factor to apply on the eRAB bit rate.
UL & DL overbooking factor, user plane signaling factor and packet inter-arrival time are dependant
on the traffic model.
dlOverbookingFactor and ulOverbookingFactor new value is taken into account for the already
established eRABs AND the new eRABs.
See “step 4” of T-CAC algorithm description farther for usage of overbooking factors.
• Object: Enb/EnbTransportConf/PerOperatorTransportConf/TransportCacQciConf,
Parameter: dlPacketInterArrivalTime, Value: [1-20000], Unit: ms, Class: C, Service Impact:
None, Update transient impacts details: Immediate-propagation
Parameter: ulPacketInterArrivalTime, Value: [1-20000], Unit: ms, Class: C, Service Impact:
None, Update transient impacts details: Immediate-propagation
dlPacketInterArrivalTime and ulPacketInterArrivalTime setting guideline:
- for voice it is the codec period (e.g. 20ms or 30ms)
- for video it is the codec period (e.g. 40ms)
- for non-GBR it is the packet inter-arrival time (e.g. 100ms, it is traffic model
dependant)
eNB
eNBtransportConf
PerOperatorTransportConf/[0-3]
plmnId (link to a PlmnIdentity instance)
TransportCacQciConf/[0-31]
qci (Qci1-Qci255)
dlOverbookingFactor
ulOverbookingFactor
dlPacketInterArrivalTime
ulPacketInterArrivalTime
userPlaneSigFactor
Emergency call is always a conversational speech call (i.e Video Telephony may not be an
Emergency call).
There are two kinds of Emergency Calls (EC), Regular EC and CSFB EC.
There is no CSFB indicator received in S1AP Initial Context Setup Request, or CSFB is
disabled at eNB.
Only one Emergency IMS VoIP Call may be initiated per UE.
The data flow to establish a IMS VoIP EC depends on the initial state of the UE (RRC connected, in
idle mode, or in limited service state).
To establish an IMS VoIP EC, the UE has first to establish a PDN connectivity towards the PDN in
charge of Emergency service (using its default bearer for this PDN). eNB then receives the request
to establish a SIP bearer that is being used by the UE to initiate the SIP “INVITE” procedure to the
Core. In return eNB receives the request to establish a VoIP bearer. SIP bearer may be a default
bearer (i.e. first bearer established) or a dedicated bearer. See 3GPP TR 23.869 for IMS Emergency
calls over e-UTRAN use cases.
An emergency IMS VoIP call may coexist with a regular IMS VoIP call. In this case regular IMS VoIP
call has also its own VoIP bearer and SIP bearer.
Note: VoIP feature is subject to license per eNB and is activated through:
Object: Enb/LicensingMngtSystem, Parameter: isVoIPEnabled, Value: [true, false], Class: C, Service
impact: None, Update transient impacts details: Immediate-propagation
IMS VoIP Emergency Calls are enabled through:
• Object: Enb/ActivationService, Parameter: isIMSEmergencyCallAllowed, Value: [false, true],
Class: C, Service impact: None, Update transient impacts details: New-set-ups
eNB supports up to two IMS VoIP service per UE to support the combination of 1 emergency IMS VoIP
call + 1 regular IMS VoIP call.
In case ENB receives the request to establish two non Emergency IMS VoIP calls for a given UE, it
accepts the combination.
T-CAC provides a mechanism to accept some extra emergency eRABs in case of transport link
bandwidth reaching exhaustion.
It is based on provisioning a percentage of the transport link bandwidth that is reserved for
emergency calls.
An extra bandwidth, called ‘Extra Reserved Bandwidth’ can be configured in a CoS pool for
emergency calls in case the Reserved Bandwidth is reached.
There may be configured an Extra Reserved Bandwidth in the CoS(es) that handle Emergency IMS
VoIP calls. Up to 3 CoS(es) are concerned: CoS for SIP bearer (IMS signaling), CoS for VoIP bearer
and CoS for default bearer.
The other CoS(es) must be configured such that the Extra Reserved Bandwidth equals to the
Standard Reserved Bandwidth.
Feature L115860 “High Priority Access Admission Control” does not make any assumption about HPA
service type, although it is probable in the field that HPA calls are VoLTE calls. In the TEG, to
illustrate HPA calls interaction on Transport CAC it is assumed that HPA calls are IMS VoIP calls.
If HPA call is enabled at eNB, an eNB identifies a call as a HPA call if:
HPA UEs send RRC Connection Request message with establishment cause “highPriorityAccess”, thus
get UE Connection Setup Priority. This connection priority is independent of bearers ARP value from
the eNB perspective; the assigned ARPs depend on the operator policy configured in the core. This
means that HPA UEs setup E-RABs, for which some will get and some will not get HPA-ARP priority
from the core. Only those bearers that have an ARP value that falls within the HPA-ARP range (ARP
≤ PlmnIdentity::arpPriorityHighPriorityAccess) get overload privileges in the eNB after UE
Connection Setup.
T-CAC provides a mechanism to accept some extra HPA eRABs in case of transport link bandwidth
reaching exhaustion.
It is based on provisioning a percentage of the transport link bandwidth that is reserved for HPA
calls.
An extra bandwidth, called ‘Extra Reserved Bandwidth’ can be configured in a CoS pool for HPA
calls in case the Reserved Bandwidth is reached.
In the assumption that HPA calls are IMS VoIP calls, then following rules apply;
There may be configured an Extra Reserved Bandwidth in the CoS(es) that handle HPA IMS VoIP
calls. Up to 3 CoS(es) are concerned: CoS for SIP bearer (IMS signaling), CoS for VoIP bearer and CoS
for default bearer.
The other CoS(es) must be configured such that the Extra Reserved Bandwidth equals to the
Standard Reserved Bandwidth.
- the reserved bandwidth percentage for extra emergency eRABs within the CoS. This parameter
tunes the percentage of the bandwidth used for extra emergency eRABs inside the CoS when the
transport CoS bandwidth for any eRAB is reached.
A Transport CoS is configured through a TransportCosConf object. There must be configured as
much TransportCosConf as needed. This is ruled by the operator strategy in terms of traffic flows
allocation per Transport CoS.
An OAM check ensures that each supported QCI is allocated to one and only one transport CoS.
∑ dlReservedBandwidthPercentage = 100
TransportCacCosConf
This is to ensure that all the available S1-U bandwidth is entirely used over all the configured CoS.
• the maximum number of simultaneous IMS emergency bearers is not lower than the
maximum number of simultaneous VoIP emergency bearers, AND,
• the maximum number of simultaneous default emergency and/or HPA bearers is not lower
than the maximum number of simultaneous VoIP emergency bearers.
This is to ensure that the maximum number of simultaneous VoIP emergency and/or HPA bearers
can be accepted by T-CAC, and is not limited due to lack of reserved emergency IMS and/or default
bearer(s).
eNB/eNBtransportConf/RanBackhaul
cacAndTrafficShapingMode = PerVlan
Vlan[1-50]/SlaConf
egressCir
egressCbs
egressEir
egressEbs
ingressCir
ingressCbs – not
used
ulStaticBandwidth
dlStaticBandwidth
TransportCosConf/[0-15]
qciS1List
qciX2List
controlFlowList
otherFlowList
queuePriorityAndCosId
TransportCacCosConf/0
dlReservedBandwidthPercentage
ulReservedBandwidthPercentage
dlReservedBandwidthForEcAndHpaRabsPercentage
ulReservedBandwidthForEcAndHpaRabsPercentage
Per CoS, T-CAC algorithm maintains three variables related to bandwidth that are;
• DL_CoS_Extra_Reserved_Bandwidth: This is the total DL bandwidth for the CoS.
It is denoted as ‘(1)’ in the rest of T-CAC algorithm description when encountered in a formula.
Emergency calls may access (1) entirely while standard calls can only access part of it as defined
by (2) below.
• DL_CoS_Standard_Reserved_Bandwidth: This is the part of the CoS bandwidth that is
accessible for serving any eRABs (standard calls or emergency calls).
It is denoted as ‘(2)’ in the rest of T-CAC algorithm description when encountered in a formula.
DL_CoS_Extra_Reserved_ Bandwidth
(1) (2) DL_CoS_Standard_Reserved_ Bandwidth (2)
For any eRABs inc. Emergency ones.
DL_CoS_Consumed_Bandwidth.
T-CAC CoS bandwidth consumption vs. S1 bandwidth accessibility per traffic flow:
For illustration, we consider a S1 interface of 100 Mbit/s which is split in 3 transport CoS:
• 1 VoIP CoS of 8 Mbit/s
• 1 GBR CoS of 20 Mbit/s
• 1 non-GBR CoS of 70 Mbit/s
This way this leaves a 2 Mbit/s bandwidth to transport the common services (OAM, CP, X2-U…).
To simplify the illustration we don’t consider bandwidth reservation for emergency calls in this
example (meaning dlReservedBandwidthForEcAndHpaRabsPercentage = 0% for all CoS).
From T-CAC, each CoS represent a bandwidth resource from which it decounts a per eRAB cost at
each eRAB establishment. The cost being either based on the GBR data rate received via S1AP
procedure to which may apply for VoIP the overbooking factor (e.g. 50% if silence suppression is
activated for voice), or on the minBitRate provisioned at eNB to which may apply the overbooking
factor chosen in regard of the multiplexing gain that may be used as per the operator call model.
This T-CAC decounting of the S1-U bandwidth must not be mis-interpreted as a static split of the S1-
U bandwidth between the traffic flows. T-CAC acts at call admission for limiting the number of
simultaneous eRABs per traffic type. It does not restrict the accessibility to the S1-U bandwidth by
the traffic flows.
As per VoIP and GBR traffic types engineering recommendation, it is expected that those flows will
load the S1-U at the same load level as the one that has been estimated by T-CAC.
In our example, T-CAC will accept up to 8 Mbit/s of VoIP calls and 20 Mbit/s of GBR calls. And we
expect that the S1-U will be loaded at maximum of 28 Mbit/s by these traffic flows. This will
probably be less depending on the call profile, the time of the day etc…but it must not be higher
than 28 Mbit/s as it is not recommended that this limit is crossed for ensuring SLA of real time
traffic over the transport network.
It is different for non-GBR traffic as the T-CAC is based on a minBitRate that may be adjusted by an
overbooking factor. The overbooking factor must be used when the operator adjusts the
configuration of the T-CAC based on network monitoring. The overbooking factor acts on the
minBitRate value that is taken into account by T-CAC (that is provisioned ‘minBitRate’ x provisioned
‘overbooking factor’). Update of the overbooking factor value will apply not only to evaluate the
cost of the new eRABs establishment but also to update the consumed CoS bandwidth that was
estimated by T-CAC with the previous overbooking factor value (see ‘step 4’ of T-CAC algorithm
farther for more detail).
It can not be predicted what will be the throughput of the cumulated non-GBR traffic on the S1. In
our example, T-CAC will accept up to 70 Mbit/s of non-GBR calls based on the minBitRate and the
overbooking factor. Nonetheless, non-GBR traffic may make use, in add of its engineered CoS
bandwidth of 70 Mbit/s, the S1 bandwidth let unused by others flows (VoIP/GBR/common services).
The throughput of non-GBR traffic over S1 may then range from 70 Mbit/s up to 100 Mbit/s
(maximum S1 throughput) in the case where there is only non-GBR traffic.
The mechanisms that will regulate the non-GBR actual volume of traffic over S1 are;
- the traffic shaping (UL at eNB and DL within the transport network) that enforces QoS amongst the
different traffic flows
- applicative layer, e.g. TCP that will increase/decrease its window size according to the TCP
acknowledgement procedure
- radio scheduler that will allocates radio transmission opportunities according to the volume of
data and the QoS of the data (per eRAB QCI).
Use case 1:
VoIP and GBR have consumed 100% of their transport CoS bandwidth, that is 28 Mbit/s, while non-
GBR has consumed 50% of its transport CoS bandwidth, that is 70/2=35 Mbit/s
The S1 bandwidth for transporting the traffic flows may be partitioned such that:
• VoIP+GBR traffics use their 28 Mbit/s bandwidth
• non-GBR uses at maximum the remaining available S1 bandwidth, that is 100-28=72 Mbit/s
(assuming no common services traffic).
Note that traffic shaping must be set such a way that for non-GBR traffic the CIR is set to the S1 link
rate (in this example 100 Mbit/s).
The S1 bandwidth accessibility per traffic flow is shown in the figure below:
VLAN bandwidth = 100 Mbit/s
Use case 2:
VoIP and GBR have consumed 0% of their transport CoS bandwidth, that is 0 Mbit/s, while non-GBR
has consumed 50% of its transport CoS bandwidth, that is 70/2=35 Mbit/s
The S1 bandwidth for transporting the traffic flows may be partitioned such that:
• VoIP+GBR do not use at all their 28 Mbit/s bandwidth
• non-GBR uses at maximum the remaining available S1 bandwidth, that is 100 Mbit/s (assuming
no common services traffic).
Note that traffic shaping must be set such a way that for non-GBR traffic the CIR is set to the S1 link
rate (in this example 100 Mbit/s).
The S1 bandwidth accessibility per traffic flow is shown in the figure below:
- the S1AP messages information elements that are the QCI and the e-RAB-GuaranteedBitrateDL
for GBR eRAB. DL_GBR_BIT_RATE = e-RAB-GuaranteedBitrateDL (S1AP)
Note: this is a Class C parameter that is taken into account for the new RABs.
- the bandwidth consumed for the transport CoS associated to the QCI in DL, that is
DL_CoS_Consumed_Bandwidth
- the bandwidth for the transport CoS on the physical link of the VLAN, that is
DL_CoS_Standard_Reserved_Bandwidth
T-CAC algorithm calculates the overhead bit rate as the sum of the protocols headers divided by the
packet inter-arrival time configured for the QCI.
It is denoted as ‘Overhead_Bit_Rate’ in the rest of T-CAC algorithm description when encountered in
a formula.
GTP _ UDP _ IP _ eNB _ Header + IPSec _ UDP _ Security _ Header + Eth _ Phy _ Header
Overhead _ Bit _ Rate =
TransportCacQciConf :: dlPacketInterArrivalTime
Notes:
1 GTP_UDP_IP_eNB_Header is the GTP/UDP/IP eNB header which size depends on the eRAB
Transport Layer Address IP version configured at Vlan::ipFormat:
There is a single IPsec overhead value used by T-CAC whatever the IPsec flavor:
voice + 31 bytes
AMR 12.2 kbit/s PDU
RTP + 12 VoIP overhead
VoIP overhead (40 bytes) is
UDP + 8 included in the GBR value received
from the signaling plane (S1AP).
VoIP 29.82 kbit/s
IPv4 + 20
inc. + 5% for RTCP
GTP + 8 S1 overhead
UDP + 8
IPv4 + 20
ESP
Figure 103: S1 overhead bit rate calculation – example for VoIP in IPv4 with IPsec
provisioned
input value
parameter
output value
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic type VoIP - - - IMS - - - BE
application Kbit/ data = Conversational (VoIP), Video Streaming,
(1) 12,2 - - - n.a.
bit rate s Interactive Gaming
This is the packet inter arrival time (codec
packet period) to be provisioned
(2) inter 20 - - - n.a. ms TransportCacQciConf::dlPacketInterArrivalTi
arrival time me
[1-20000] ms
(3) PDU size 31 - - - (1)x(2)/8 byte function of codec rate & codec period
RTP over
IPv4 or IPv6 IPv4 n.a. RTP over IPv4 or IPv6 ?
?
RTP
(4) 40 (5)+(6)+(7) byte
overhead
n.a.
(5) RTP 12 n.a. byte 12
(6) UDP 8 n.a. byte 8
(7) IP 20 n.a. byte IPv4=20, IPv6=40
GBR DL_GBR_BIT_RATE (S1AP).
Kbit/
(8) (provisione 28,4 - - - [(3)+(4)]*8/(2) This is provisioned at the PCRF and sent by MME
s
d at PCRF) to eNB within the S1AP: eRAB Setup Request.
This is the RTCP bandwidth (in % of data rate)
0 0 0 to be provisioned
(9) RTCP % 5% n.a. %
% % % TransportCacQciConf::userPlaneSigFactor
[0-5]%
(10 traffic data 29,8 Kbit/
- - - (8)x[1+(9)] GBR bit rate included RTCP
) rate 2 s
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic type VoIP - - - IMS - - - BE
minBR is dimensionned based on a call model
(11 Kbit/
minBR 32 RadioCacCell::dlMinBitRateForBE
) s
[0-2048] Kbit/s
(12
PDU size 1500 0 0 0 1500 byte PDU size dimensioned from call model
)
packet
function of minBR/GBR & PDU size
(13 inter
n.a. 375 0 0 0 375 (12)*8/(11) ms packet inter arrival time must be < 20000 ms (it
) arrival time
is a provisioning limitation)
calculated
If above calculated value is > 20000 ms, it must
packet be provisioned max setable value, that is 20000
(14 inter minimum[(13);1000 ms.
375 0 0 0 375 ms
) arrival time ] TransportCacQciConf::dlPacketInterArrivalTi
adjusted me
[1-20000] ms
S1-u over
IPv4 or IPv6 IPv4
? Calculation Unit Comment
IPsec
IPsec
activated ?
(15 S1
36 (16)+(17)+(18) byte
) overhead
(16
GTP S1 8 n.a. byte 8
)
(17
UDP 8 n.a. byte 8
)
(18
IP 20 n.a. byte IPv4=20, IPv6=40
)
(19 IPsec
66 n.a. byte eNB hardcoded value: 66 (IPv4) or 86 (IPv6)
) overhead
(20
ETH 22 n.a. byte 22 with VLAN tagging, or 18 without
)
(21 20 (Preamble: 7 + Start of frame delimiter: 1 +
PHY 20 n.a. byte
) Interframe gap: 12)
(22 Total S1
144 (15)+(19)+(20)+(21) byte
) overhead
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic type VoIP - - - IMS - - - BE
S1 GBR: (22)x8/(2)
(23 57,6 Kbit/ overhead bit rate per eRAB at target
overhead - - - 3,07 - - - 3,07 non-GBR:
) 0 s dlPacketInterArrivalTime
bit rate (22)x8/(13)
S1 overhead bit rate per eRAB at provisioned
(24 Kbit/
overhead n.a. 3,07 - - - 3,07 (22)x8/(14) dlPacketInterArrivalTime
) s
bit rate This is the value for 'Overhead_Bit_Rate' used
(25 87,4 35,0 35,0 GBR: (10)+(23) Kbit/ S1-u bandwidth per eRAB at target
S1 bit rate - - - - - -
) 2 7 7 non-GBR: (11)+(23) s dlPacketInterArrivalTime
(26 S1 bit rate 35,0 35,0 Kbit/ S1-u bandwidth per eRAB at provisioned
n.a. - - - (11)+(24)
) adjusted 7 7 s dlPacketInterArrivalTime
Table 58: S1 bit rate calculation – example for IMS VoIP & non-GBR in IPv4 with IPsec
Note 1: IP fragmentation is not considered in this estimate. In case fragmentation occurs, this
causes a small underestimate of S1 traffic volume as the headers of the fragmented packet are not
taken into account.
Note 2: rows that address ‘target’ and ‘adjusted’ value can be disregard as there of use farther in
the section considering “Overbooking usage for non-GBR eRAB with a ‘low’ minBR”.
T-CAC algorithm calculates the bandwidth consumed by the eRAB within the transport bandwidth
allocated to the CoS associated to the QCI of the eRAB.
ENDIF
Notes:
1. Dl_GBR_Bit_Rate present means that the information element e-RAB-GuaranteedBitrateDL is
present in S1AP message received for that particular GBR eRAB. In case Dl_GBR_Bit_Rate is not
present the AMBR is not used but rather the RadioCacCell::dlMinBitRateForBE
2. For GBR eRAB, Dl_GBR_Bit_Rate_Delta is calculated as follows;
Dl_GBR_Bit_Rate
eRAB setup or incoming handover
of eRAB to setup or move-in after incoming HO
Dl_GBR_Bit_Rate
eRAB release or outgoing handover
of eRAB to release or move-out after outgoing HO
When T-CAC algorithm runs in case of consumed bandwitdh decrease it is always successful and
there’s no additional check. In case of consumed bandwitdh increase, T-CAC succeeds only if there is
a free transport bandwidth to accept the new or modified eRAB.
/* GBR eRAB */
the eRAB to setup/modify is accepted (established) and the TAC succeeds
ELSEIF ((RadioCacCell::dlMinBitRateForBE > 0) AND
((Dl_CoS_Bandwidth_Consumption_eRAB ∗ TransportCacQciConf :: dlOverbookingFactor) + (3) ≤ (2)) ) THEN
/* non-GBR eRAB */
the eRAB to setup/modify is accepted (established) and the TAC succeeds
ELSEIF (RadioCacCell::dlMinBitRateForBE = 0) THEN
/* non-GBR eRAB */
the eRAB to setup/modify is accepted (established) and the TAC succeeds
ELSE /* in any other case: T-CAC failure */
(2) = DL_CoS_Standard_Reserved_Bandwidth
(3) = DL_CoS_Consumed_Bandwidth
The step 3.2 triggers the Extra_bandwidth use within transport CoS if the eRAB to setup/modify is an
Regular Emergency eRAB.
/* non-GBR eRAB */
the eRAB to setup/modify is accepted (established) and the TAC succeeds
ELSEIF (RadioCacCell::dlMinBitRateForBE = 0) THEN
/* non-GBR eRAB */
the eRAB to setup/modify is accepted (established) and the TAC succeeds
ELSE /* in any other case: T-CAC failure */
(1) = DL_CoS_Extra_Reserved_Bandwidth
(3) = DL_CoS_Consumed_Bandwidth
After eRAB setup or incoming handover or eRAB GBR increase then T-CAC adds the eRAB contribution
from the current DL_CoS_Consumed_Bandwidth for the QCI of the eRAB:
DL_CoS_Con sumed_Band width ( qci ( x )) + = Dl_CoS_Ban dwidth_Con sumption_e RAB
After eRAB release or outgoing handover or eRAB GBR decrease then T-CAC substracts the eRAB
contribution from the current DL_CoS_Consumed_Bandwidth for the QCI of the eRAB:
DL_CoS_Con sumed_Band width ( qci ( x )) − = Dl_CoS_Ban dwidth_Con sumption_e RAB
The contribution of all the eRABs to the consumed bandwidth is modulated by applying the
overboking factor provisonned per QCI:
The purpose of T-CAC feature is to ensure real time traffic (VoIP, GBR) is guaranteed to be served
its S1 bandwidth in the case where there is mixity of real time traffic with non real time traffic. For
achieving this, T-CAC must be activated in conjunction with traffic shaping. A per eRAB overbooking
factor is used for accepting at call admission an amount of eRABs that will ensure that the per eNB
S1 bandwidth that has been ‘reserved’ on the transport network for backhauling LTE traffic may be
loaded up to its maximum. Given that not all the admitted eRABs will traffic at the same time, it
may be used overbooking factor to lower the weight of eRAB load from CAC perspective.
It is recommended that VoIP and GBR traffic be not overbooked by T-CAC. This means that the
provisioned overbooking factor for those traffic flows is set to 100%. Note that VoIP may be set a
lower overbooking factor in case mechanism for silence suppression is activated.
It is assumed that the VoIP and GBR CoS bandwidth and overbooking factors are set at eNB in
consistency with the SLA that is enforced by the provider of the transport network in order to
preserve the the end-to-end QoS (delay, jitter, loss). Hence, it makes not sense to use overbooking
factor lower than 100%. Else this would signify that the LTE traffic from those CoS could suffer QoS
degradation in case the SLA is not respected.
On the contrary, non-GBR may be overbooked by T-CAC by provisioning overbooking factor lower
than 100%. As these are non guaranteed traffic this is up to the operator to define how much non-
GBR eRABs can be accepted at T-CAC while those traffic flows still be served an acceptable end-to-
end QoS from end user perspective.
In the case of GBR traffic, the overbooking factor must be set to 100%.
Nonetheless, for VoIP, if silence suppression is performed it is recommended to set a an
overbooking factor that is adjusted to the real volume of voice traffic.
In the case of non-GBR traffic, if radio-CAC and T-CAC have different requirements for their minBR
values (while there is a single common parameter) then the overbooking factor must be tuned such
that T-CAC expectation is met.
E.g.: if minBR = 1kbps & overbooking = 2000% => minBR = 1kbps at radio-CAC & 20kbps at T-CAC.
Note that for non-GBR traffic even the minBR is not guaranteed.
If TransportCacQciConf::dlOverbookingFactor = 0 and
TransportCacCosConf::dlReservedBandwidthPercentage = 0 then eNB accepts all eRABs setup for
the considered QCI.
• IMS VoIP without silence suppression (overbooking factor = 100%) vs. IMS VoIP with silence
suppression (overbooking factor = 50%)
• non-GBR without multiplexing factor (overbooking factor = 100%) vs. non-GBR with
multiplexing factor of 20 (overbooking factor = 1/20 = 5%)
Calculation tables hereafter show that in this example:
• with silence suppression (overbooking set to 50%) T-CAC may accept twice the number of
IMS VoIP eRABs vs. without silence suppression.
• with overbooking set to 5% T-CAC may accept 20 time the number of non-GBR eRABs vs.
when overbooking is set to 100%.
Note: rows that address ‘target’ and ‘adjusted’ value can be disregard as there of use farther in the
section considering “Overbooking usage for non-GBR eRAB with a ‘low’ minBR”.
provisione
d input value
parameter
output value
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
applicatio Kbit/ data = Conversational (VoIP), Video Streaming,
(1) 12,2 - - - n.a.
n bit rate s Interactive Gaming
packet This is the packet inter arrival time (codec period)
inter to be provisioned
(2) 20 - - - n.a. ms
arrival TransportCacQciConf::dlPacketInterArrivalTime
time [1-20000] ms
(3) PDU size 31 - - - (1)x(2)/8 byte function of codec rate & codec period
RTP over
IPv4 or IPv4 n.a. RTP over IPv4 or IPv6 ?
IPv6 ?
RTP
(4) 40 (5)+(6)+(7) byte
overhead
(5) RTP 12 n.a. n.a. byte 12
(6) UDP 8 n.a. byte 8
(7) IP 20 n.a. byte IPv4=20, IPv6=40
GBR
DL_GBR_BIT_RATE (S1AP).
(provision Kbit/
(8) 28,4 - - - [(3)+(4)]*8/(2) This is provisioned at the PCRF and sent by MME to
ed at s
eNB within the S1AP: eRAB Setup Request.
PCRF)
This is the RTCP bandwidth (in % of data rate) to
0 0 0 be provisioned
(9) RTCP % 5% n.a. %
% % % TransportCacQciConf::userPlaneSigFactor
[0-5]%
(10 traffic 29,8 Kbit/
- - - (8)x[1+(9)] GBR bit rate included RTCP
) data rate 2 s
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
minBR is dimensionned based on a call model
(11 Kbit/
minBR 32 RadioCacCell::dlMinBitRateForBE
) s
[0-2048] Kbit/s
(12
PDU size 1500 0 0 0 1500 byte PDU size dimensioned from call model
)
packet
inter function of minBR/GBR & PDU size
(13 n.a.
arrival 375 0 0 0 375 (12)*8/(11) ms packet inter arrival time must be < 20000 ms (it is
)
time a provisioning limitation)
calculated
packet
If above calculated value is > 20000 ms, it must be
inter
(14 minimum[(13);10 provisioned max setable value, that is 20000 ms.
arrival 375 0 0 0 375 ms
) 00] TransportCacQciConf::dlPacketInterArrivalTime
time
[1-20000] ms
adjusted
S1-u over
IPv4 or IPv4
IPv6 ?
Calculation Unit Comment
IPsec
activated IPsec
?
(15 S1
36 (16)+(17)+(18) byte
) overhead
(16
GTP S1 8 n.a. byte 8
)
(17
UDP 8 n.a. byte 8
)
(18
IP 20 n.a. byte IPv4=20, IPv6=40
)
(19 IPsec
66 n.a. byte eNB hardcoded value: 66 (IPv4) or 86 (IPv6)
) overhead
(20
ETH 22 n.a. byte 22 with VLAN tagging, or 18 without
)
(21 20 (Preamble: 7 + Start of frame delimiter: 1 +
PHY 20 n.a. byte
) Interframe gap: 12)
(22 Total S1 (15)+(19)+(20)+(2
144 byte
) overhead 1)
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
S1 GBR: (22)x8/(2)
(23 57,6 Kbit/ overhead bit rate per eRAB at target
overhead - - - 3,07 - - - 3,07 non-GBR:
) 0 s dlPacketInterArrivalTime
bit rate (22)x8/(13)
S1 overhead bit rate per eRAB at provisioned
(24 overhead Kbit/ dlPacketInterArrivalTime
n.a. 3,07 - - - 3,07 (22)x8/(14)
) bit rate s This is the value for 'Overhead_Bit_Rate' used by
adjusted T-CAC algorithm
GBR: (10)+(23)
(25 87,4 35,0 35,0 Kbit/ S1-u bandwidth per eRAB at target
S1 bit rate - - - - - - non-GBR:
) 2 7 7 s dlPacketInterArrivalTime
(11)+(23)
(26 S1 bit rate 35,0 35,0 Kbit/ S1-u bandwidth per eRAB at provisioned
n.a. - - - (11)+(24)
) adjusted 7 7 s dlPacketInterArrivalTime
This is for adjusting provisioned
overbooki dlPacketInterArrivalTime vs. target
(27 100
ng factor n.a. - - - 100% (25)/(26) % dlPacketInterArrivalTime
) %
adjusted This is the value to be provisioned such that there
is actually no overbooking factor.
This is the overbooking factor to be provisioned
for the QCI to reach a given number of
(28 overbooki 100
100% - - - - - - 100% n.a. % simultaneous subscribers.
) ng factor %
TransportCacQciConf::dlOverbookingFactor
[0-2000] %
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
This is the bandwidth accessible to S1-u traffic
provisoned at:
(29 S1-u Kbit/ - SlaConfPerPort::ingressCir if
100000 n.a.
) bandwidth s cacAndTrafficShapingMode = PerPort
- SlaConf::ingressCir of the Vlan handling S1-u if
cacAndTrafficShapingMode = PerVlan
This is the estimated bandwidth needed for all
others traffic but S1-u traffic, it is provisoned at:
(30 Static Kbit/ - SlaConfPerPort::dlStaticBandwidth if
2000 n.a.
) bandwidth s cacAndTrafficShapingMode = PerPort
- SlaConf::dlStaticBandwidth of the Vlan handling
S1-u if cacAndTrafficShapingMode = PerVlan
provisione
d input value
parameter
output value
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
applicatio Kbit/ data = Conversational (VoIP), Video Streaming,
(1) 12,2 - - - n.a.
n bit rate s Interactive Gaming
packet This is the packet inter arrival time (codec period)
inter to be provisioned
(2) 20 - - - n.a. ms
arrival TransportCacQciConf::dlPacketInterArrivalTime
time [1-20000] ms
(3) PDU size 31 - - - (1)x(2)/8 byte function of codec rate & codec period
RTP over
IPv4 or IPv4 n.a. RTP over IPv4 or IPv6 ?
IPv6 ?
RTP
(4) 40 (5)+(6)+(7) byte
overhead
(5) RTP 12 n.a. n.a. byte 12
(6) UDP 8 n.a. byte 8
(7) IP 20 n.a. byte IPv4=20, IPv6=40
GBR
DL_GBR_BIT_RATE (S1AP).
(provision Kbit/
(8) 28,4 - - - [(3)+(4)]*8/(2) This is provisioned at the PCRF and sent by MME to
ed at s
eNB within the S1AP: eRAB Setup Request.
PCRF)
This is the RTCP bandwidth (in % of data rate) to
0 0 0 be provisioned
(9) RTCP % 5% n.a. %
% % % TransportCacQciConf::userPlaneSigFactor
[0-5]%
(10 traffic 29,8 Kbit/
- - - (8)x[1+(9)] GBR bit rate included RTCP
) data rate 2 s
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
minBR is dimensionned based on a call model
(11 Kbit/
minBR 32 RadioCacCell::dlMinBitRateForBE
) s
[0-2048] Kbit/s
(12
PDU size 1500 0 0 0 1500 byte PDU size dimensioned from call model
)
packet
inter function of minBR/GBR & PDU size
(13 n.a.
arrival 375 0 0 0 375 (12)*8/(11) ms packet inter arrival time must be < 20000 ms (it is
)
time a provisioning limitation)
calculated
packet
If above calculated value is > 20000 ms, it must be
inter
(14 minimum[(13);10 provisioned max setable value, that is 20000 ms.
arrival 375 0 0 0 375 ms
) 00] TransportCacQciConf::dlPacketInterArrivalTime
time
[1-20000] ms
adjusted
S1-u over
IPv4 or IPv4
IPv6 ?
Calculation Unit Comment
IPsec
activated IPsec
?
(15 S1
36 (16)+(17)+(18) byte
) overhead
(16
GTP S1 8 n.a. byte 8
)
(17
UDP 8 n.a. byte 8
)
(18
IP 20 n.a. byte IPv4=20, IPv6=40
)
(19 IPsec
66 n.a. byte eNB hardcoded value: 66 (IPv4) or 86 (IPv6)
) overhead
(20
ETH 22 n.a. byte 22 with VLAN tagging, or 18 without
)
(21 20 (Preamble: 7 + Start of frame delimiter: 1 +
PHY 20 n.a. byte
) Interframe gap: 12)
(22 Total S1 (15)+(19)+(20)+(2
144 byte
) overhead 1)
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
S1 GBR: (22)x8/(2)
(23 57,6 Kbit/ overhead bit rate per eRAB at target
overhead - - - 3,07 - - - 3,07 non-GBR:
) 0 s dlPacketInterArrivalTime
bit rate (22)x8/(13)
service
GBR non-GBR
type
QCI 1 2 3 4 5 6 7 8 9 Calculation Unit Comment
traffic
VoIP - - - IMS - - - BE
type
This is the bandwidth accessible to S1-u traffic
provisoned at:
(29 S1-u Kbit/ - SlaConfPerPort::ingressCir if
100000 n.a.
) bandwidth s cacAndTrafficShapingMode = PerPort
- SlaConf::ingressCir of the Vlan handling S1-u if
cacAndTrafficShapingMode = PerVlan
This is the estimated bandwidth needed for all
others traffic but S1-u traffic, it is provisoned at:
(30 Static Kbit/ - SlaConfPerPort::dlStaticBandwidth if
2000 n.a.
) bandwidth s cacAndTrafficShapingMode = PerPort
- SlaConf::dlStaticBandwidth of the Vlan handling
S1-u if cacAndTrafficShapingMode = PerVlan
This is the bandwidth for the CoS handling the QCI
(in % of the S1-u bandwidth minus the static
bandwidth).
They may be several QCIs per CoS but we assume
the QCI is given the whole CoS bandwidth.
This is to calculate the maximum # of eRABs that
(31 CoS 0 0 0 0 0 0
15% 5% 70% n.a. % can be accepted by T-CAC for a QCI.
) bandwidth % % % % % %
E.g.: Assuming QCI 1, 2 & 3 belong to the same
CoS.
=> max # eRABs with QCI 1 is calculated when the
CoS bandwidth is only used by QCI 1.
TransportCacCosConf::dlReservedBandwidthPer
centage
Reserved bandwidth for Emergency Calls (in % of
reserved CoS bandwidth)
(32 0 0 0 0 0 0
bandwidth 0% 0% 0% n.a. % TransportCacCosConf::
) % % % % % %
for EC dlReservedBandwidthForEcAndHpaRabsPercenta
ge
(33 CoS 1470 6860
0 0 0 4900 0 0 0 [(29)-(30)]*(31) Kbit bandwidth for this CoS
) bandwidth 0 0
GBR: (33)*[1-
(34 3911 (32)]/[(25)*(28)] # of simultaneous eRABs (standard or emergency)
# eRABs 336 - - - 279 - - - RAB
) 9 non-GBR: (33)*[1- accepted by T-CAC
(32)]/[(26)*(28)]
GBR:
(33)*(32)/[(25)*(2 # of simultaneous emergency eRABs accepted by
# extra
(35 8)] T-CAC
eRABs for 0 - - - 0 - - - 0 RAB
) non-GBR: SIP bearers >= VoIP bearers AND default bearers
EC
(33)*(32)/[(26)*(2 >= VoIP bearers
8)]
(36 # total 3911 # of maximum simultaneous VoIP eRABs accepted
336 - - - 279 - - - (34)+(35) RAB
) eRABs 9 by T-CAC
Same as per VLAN T-CAC in downlink by replacing the downlink parameters ‘dl’ by the uplink
parameters ‘ul’ and by replacing the ingressCir parameter by the egressCir parameter.
• RadioCacCell::ulMinBitRateForBE
• TransportCacCosConf::ulReservedBandwidthPercentage
• TransportCacCosConf::ulReservedBandwidthForEcAndHpaRabsPercentage
• TransportCacQciConf::ulOverbookingFactor
• TransportCacQciConf::ulPacketInterArrivalTime
• SlaConf::egressCir
• SlaConf::ulStaticBandwidth
Note: There is a parameter SlaConf::egressCbs that is unused by T-CAC algorithm in this release.
In the configuration model, T-CAC and UL Traffic Shaping features work closely.
Nonetheless, T-CAC and UL Traffic Shaping are 2 independent features.
T-CAC and UL Traffic Shaping may either be both configured, or only T-CAC may be configured, or
only UL Traffic Shaping may be configured.
The T-CAC stategy must be the same as the UL Traffic Shaping strategy.
Rule: <eNodeB> <Transport CAC> <Design>
• both of them apply the same mode of operation: both apply per port or both apply per VLAN.
There is a single parameter for configuring T-CAC and UL Traffic Shaping mode of operation
(RanBackhaul::cacAndTrafficShapingMode).
• both of them apply to the same CoS. That is, both apply to the same per CoS qciS1List. QCIs
scheduled to the same shaping queue share the same CoS_Standard_Reserved_Bandwidth.
At eNB a Transport CoS instance can be viewed as the representation of a queue of the shaper (if UL
traffic shaping is activated) and/or as a bandwidth pool for UL T-CAC (if T-CAC is activated).
If both T-CAC and UL Traffic Shaping are activated, then TransportCosConf::queuePriorityAndCosId
configures both the scheduling priority assigned to the queue and the CoS identifier assigned to the
Transport CoS. Beside, TransportCosConf object must have one TransportCacCosConf child for T-CAC
setting and one QueueAnd SchedulerConf child for UL Traffic Shaping setting.
It is recommended that T-CAC and UL Traffic Shaping features be both configured at eNB.
Same as per VLAN T-CAC in downlink by focusing on the single VLAN that represents the port.
• TransportCacCosConfPerPort::dlReservedBandwidthPercentage
• TransportCacCosConfPerPort::dlReservedBandwidthForEcAndHpaRabsPercentage
• SlaConfPerPort::ingressCir
• SlaConfPerPort::dlStaticBandwidth
• TransportCosConfPerPort::qciS1List
eNB/eNBtransportConf/RanBackhaul
cacAndTrafficShapingMode = PerPort
EthernetPort/SlaConfPerPort
egressCir
egressCbs
egressEir
egressEbs
ingressCir
ingressCbs – not
used
ulStaticBandwidth
dlStaticBandwidth
TransportCosConfPerPort/[0-15]
qciS1List
qciX2List
controlFlowList
otherFlowList
queuePriorityAndCosId
TransportCacCosConfPerPort
dlReservedBandwidthPercentage
ulReservedBandwidthPercentage
dlReservedBandwidthForEcAndHpaRabsPercentage
ulReservedBandwidthForEcAndHpaRabsPercentage
Same as per PORT T-CAC in downlink by replacing the downlink parameters ‘dl’ by the uplink
parameters ‘ul’.
• TransportCacCosConfPerPort::ulReservedBandwidthPercentage
• TransportCacCosConfPerPort::ulReservedBandwidthForEcAndHpaRabsPercentage
• SlaConfPerPor::egressCir
• SlaConfPerPor::ulStaticBandwidth
It is calculated based on inputs that are provided by T-CAC per VLAN (or per port) and per CoS:
• Consummed Bandwidth
• Reserved Bandwidth
For the CoS that handles VoIP traffic, the Reserved Bandwidth is equal to the Extra Reserved
Bandwidth.
Inter-frequency Load Balancing feature consider the load of an inter-frequency target cell for
mobility purpose.
As example, the eNB may take into account the S1 load of its neighboring eNBs to determine
whether a neighboring is a candidate for offload.
Cell load exchange between eNBs is achieved through an X2 resource status procedure [3GPP 36.423]
which purpose is to request the reporting of load measurements from another eNB.
The UL/DL S1 TNL Load Indicator is computed based on the eNB average S1 consumption level
compared to provisioned UL/DL load thresholds. If eNB average S1 consumption is below this
threshold then eNB sets the TNL Load Indicator to” LowLoad”, else it is set to “Overload”.
Only “LowLoad” and “Overload” load levels are implemented in this release.
The average S1 consumption level is calculated as the ratio of the S1 Consumption / S1 Reservation
over all CoS of all VLAN that handles S1-U traffic. There are possibly several VLANs if eUTRAN
sharing is activated.
Plmn(i)
∑
DL_CoS_Consumed_Bandwidth ( plmn(i ); Cos( x))
CoS(x)
Dl_ Average_S1_Consumption_Level = *100
Plmn(i)
CoS(x)
∑
DL_CoS_Reserved_Bandwidth ( plmn (i ); Cos ( x ))
The UL/DL load thresholds used to determine the UL/DL S1 TNL load provided to peer eNodeBs over
X2 are configured through:
• Object: Enb/EnbTransportConf/RanBackhaul,
Parameter: ulTransportLoadThreshold, Value: [0-100], Unit: %, Default: 10, Class: C, Service
Impact: None, Update transient impacts details: Immediate-propagation
Parameter: dlTransportLoadThreshold, Value: [0-100], Unit: %, Default: 10, Class: C, Service
Impact: None, Update transient impacts details: Immediate-propagation
Inter-frequency Load Balancing feature determines the “DL S1 TNL Load Indicator” as follows:
ENDIF
ENDIF
6.12 X2 INTERFACE
An eNodeB may have multiple X2 interfaces.
6.12.1 Ethernet
Information on VLAN, Ethernet QoS and MTU is gathered in a dedicated chapter which addresses all
types of traffic (including X2 traffic) as well as eUTRAN sharing specificities.
6.12.2 IP
Information on IP routing and IP QoS is gathered in a dedicated chapter which addresses all types of
traffic (including X2 traffic) .
6.12.2.1 IP addressing
Mismatches are reported to the operator using events. The intention is not to update the
eNB database but to report the mismatch to the operator. In any case SCTP runs with the
actual list of IP addresses since addresses are negotiated by the protocol, the error if any
lies in eNB configuration data. The SCTP association is not torn down by ALU eNB.
Peer eNB IP address for X2-U traffic is retrieved during Handover procedure within the GTP Tunnel
Endpoint IE of the Handover Acknowledge message. 3GPP 36.423 – X2AP: “The GTP Tunnel Endpoint
IE identifies an X2 transport bearer or the S-GW endpoint of the S1 transport bearer associated to an
E-RAB. It contains a Transport Layer Address and a GTP Tunnel Endpoint Identifier. The Transport
Layer Address is an IP address to be used for the X2 user plane transport or for the S1 user plane
transport.”
IP addressing provisioning:
An instance of X2Access is generated per X2 interface.
For each peer eNodeB the IPv4 addressing configuration is done through:
• Object: Enb/X2AccessGroup/X2Access/X2TransportLayerAccess, Parameter: sctpAssocRemAddr,
Class: B, Service impact: Partial, Update transient impacts details: X2-interface
For each peer eNodeB the IPv6 addressing configuration is done through:
• Object: Enb/X2AccessGroup/X2Access/X2TransportLayerAccess, Parameter:
sctpAssocRemAddrIpv6, Class: B, Service impact: Partial, Update transient impacts details: X2-
interface
An alarmn ‘Inconsistent IP address / X2 (4007098)’ will be raised by an IPv6 eNodeB per peer IPv4
eNodeB. Operational impact is that the mismatch of IP version between 2 peers eNodeBs prevents
X2 HO between them.
eNB
X2AccessGroup
X2Access/n
X2TransportLayerAccess
sctpAssocRemAddr = 0 to 2 IPv4 @s
sctpAssocRemAddrIpv6 = 0 to 2 IPv6 @s
6.12.3 SCTP
eNodeB supports multi-homed peer-eNodeB and the provisioning of up to 2 IPv4 or IPv6 addresses
per peer-eNodeB.
There must be only 1 SCTP association established between 2 peer eNodeBs. [3GPP TS 36.422]
As a consequence of the rule above, in case of eUTRAN sharing, all operators use the same X2-C
SCTP connection between a eNodeB and its peer eNodeBs.
The X2-C traffic of the non master operators is sent on the telecom VLAN of the master operator.
Within the SCTP association established between 2 eNodeBs a single pair of stream identifiers is
used for X2 common procedures and a single pair of stream identifiers is used for X2 dedicated
procedures.
eNodeB source and destination SCTP port for X2 is specified in 3GPP TS 36.422.
IANA has defined the SCTP source and destination port supporting X2-AP traffic as = 36422. [3GPP
TS 36.422]
To prevent unnecessary retransmissions eNodeB sctpRTOMin must be higher than the round-trip
delay to the peer eNodeB + the SACK timer duration at the peer eNodeB.
• Object: Enb/EnbTransportConf/GlobalTransportConf/CommonSctpLayerConf,
Parameter: sctpAlphaDivisor, Value: [1-10], Class: A, Service impact: Critical, Update transient
impacts details: full-eNB-reset
sctpAlphaDivisor value refers to the denominator of RFC 4960 RTO.alpha parameter, meaning
that RTO.alpha = 1/sctpAlphaDivisor
Parameter: sctpBetaDivisor, Value: [1-10], Class: A, Service impact: Critical, Update transient
impacts details: full-eNB-reset
sctpBetaDivisor value refers to the denominator of RFC 4960 RTO.beta parameter, meaning
that RTO.beta = 1/sctpBetaDivisor
• Object: Enb/EnbTransportConf/GlobalTransportConf/X2SctpLayerConf,
Parameter: sctpRTOInit, Value: [10-10000] ms (in 10 ms intervals), Class: B, Service impact:
Partial, Update transient impacts details: Transport-Layers
Parameter: sctpRTOMin, Value: [10-10000] ms (in 10 ms intervals), Class: B, Service impact:
Partial, Update transient impacts details: Transport-Layers
Parameter: sctpRTOMax, Value: [10-60000] ms (in 10 ms intervals), Class: B, Service impact:
Partial, Update transient impacts details: Transport-Layers
An eNodeB can initiate the INIT procedure towards another eNodeB for establishing the SCTP
association. [3GPP TS 36.422]
Default recommendation for the maximum number of retransmissions of the INIT (or COOKIE)
message at SCTP association establishment:
sctpAccessMaxInitRetransmits = 8
This is the default value as per IETF RFC 4960.
The maximum number of retries for re-establishing an association which is down is configured
through:
• Object: Enb/EnbTransportConf/GlobalTransportConf/X2SctpLayerConf, Parameter:
sctpAccessEstablishmentMaxRetries, Value: [0-255], Class: B, Service impact: Partial, Update
transient impacts details: Transport-Layers
The value 255 is interpreted as an infinite number of retries.
An association is terminated when the number of retransmission completes.
In case the neighboring eNodeB does not acknowledge the X2 association requests from the eNodeB
the alarm “X2 SCTP ASSOCIATION FAILURE” is raised.
When the eNB sends an ‘X2 Setup Request’ message (resp. ‘X2 eNB Configuration Update’), it starts
an X2 timer. When there is no answer by the X2 timer expiration then the X2 message is retried.
Timer duration and number of retries are not configurable but hardcoded to the following values:
# Retry
after initial after a retry
(if initial failed)
X2 Setup Request 8 2s
The SCTP parameters ruling the SCTP association failure detection must be set consistently with
the hardcoded X2 timer value.
That is, SCTP setting must allow multiple SCTP chunks retransmission before ‘X2 Setup Request’
(resp. ‘X2 eNB Configuration Update’) message is retried.
To comply with this constraint, ALU default recommended values for parameters “sctpRTOMin”,
“sctpRTOMin”, “sctpAccessAssociationMaxRetrans” and “sctpAccessPathMaxRetrans” are:
• sctpRTOMin = 400 ms
• sctpRTOMax = 1600 ms
• sctpAccessAssociationMaxRetrans = 4
• sctpAccessPathMaxRetrans = 2
Another set of SCTP values may be used but it must be consistent with the X2 timer duration.
With the ALU recommended setting RTO.Min = 400 ms, RTO.Max = 1600 ms, and Path.Max.Retrans =
2;
• the 1st packet transmission failure has RTO = RTO.Min = 400 ms, the 1st retransmission has
RTO = 800 ms, the 2nd retransmission has RTO = 1600 ms (RTO doubles at each
retransmission, rounded down to RTOMax), etc...
• there are at least 2 SCTP retransmissions before the X2 message is retried given that min(X2
Setup Request timer; X2 eNB Configuration Update timer) = 2 s > 1,2 s (400+800 ms for 2
SCTP retries).
• the maximum duration before eNodeB reports that a SCTP path is down is equal to 2,8 s
(400+800+1600 ms)
t=0s
SCTP timer = 400 ms initial SCTP (initial ‘X2 Setup Request’)
t = 0,4 s X SCTP chunck lost
1st retry SCTP (initial ‘X2 Setup Request’)
SCTP timer = 2*400 ms
X SCTP chunck lost
t = 1,2 s
2nd retry SCTP (initial ‘X2 Setup Request’)
X2 timer = 2 s X SCTP chunck lost
t=2s
initial SCTP (1st retry ‘X2 Setup Request’)
SCTP link failure detection is based on Heartbeat ACK’s and Data ACK’s monitoring.
Maximum number of retransmissions per SCTP path of Data and/or Heartbeat messages is done
through:
Default recommendation for the maximum number of Data/Heartbeat retransmissions per path:
sctpAccessPathMaxRetrans = 2
For information, the default value as per IETF RFC 4960 is 5.
With the ALU recommended setting, the maximum duration before eNodeB reports that a SCTP path
is down is: RTO.Min= 0,4s / RTO.Max=1,6s / Path.Max.Retrans=2 => 0,4+0,8+1,6=2,8s
The first packet transmission failure has RTO = RTO.Min = 0,4s, the first retransmission has
RTO = 0,8s, the 2nd retransmission has RTO = 1,6s (RTO doubles at each retransmission, rounded
down to RTOMax).
Maximum number of total retransmissions of Data and/or Heartbeat messages is done through:
• Object: Enb/EnbTransportConf/GlobalTransportConf/X2SctpLayerConf, Parameter:
sctpAccessAssociationMaxRetrans, Value: [0-255], Class: B, Service impact: Partial, Update transient
impacts details: Transport-Layers
In case the X2 association between the eNodeBs is detected down then the corresponding GTP-U
tunnels are released and alarm “X2 SCTP ASSOCIATION DOWN” is raised.
For ensuring that eNodeB does not consider the peer is reachable while all paths are in failure
there must be verified that;
∑ sctpAccessPathMaxRetrans ≥ sctpAccessAssociationMaxRetrans
SCTP paths
There is a single managed object for X2 SCTP parameters in the MIM (X2SctpLayerConf). Hence it is
not possible to define different PMR/AMR values (Maximum number of SCTP Retransmissions per
Path/per Association) for cases with and without X2 multi-homing. The PMR/AMR values are to be
defined by OAM for the multi-homing case when the possibility exists that an ALU eNB be associated
with a multi-homed peer eNB at X2-C interface.
Given that Linux SCTP ignores the sctpAccessPathMaxRetrans value when an association is not multi-
homed these values also fit the case of non-multi-homed associations.
The rule above allows for a consistent handling in case there are mixity of ALU eNBs which don’t
support multihoming and other-vendor eNBs which support multihoming”; ALU eNBs run
sctpAccessAssociationMaxRetrans towards peers single-homed ALU eNBs, and
sctpAccessAssociationMaxRetrans/2 per path towards peers multi-homed other-vendor eNBs. The
total number of retransmissions is the same whatever the peer multihoming capability.
eNB
EnbTransportConf
GlobalTransportConf
CommonSctpLayerConf
sctpSACKTimer = 0 (ms)
sctpAlphaDivisor = 8
sctpBetaDivisor = 4
X2SctpLayerConf
sctpAccessMaxInitRetransmits = 8
sctpAccessEstablishmentMaxRetries = 255
sctpAccessEstablishmentRetryInterval = 30000 (ms)
sctpAssocHeartbeatInterval = 1000 (ms)
sctpAccessPathMaxRetrans = 2
sctpAccessAssociationMaxRetrans = 4
sctpRTOInit = 3000 (ms)
sctpRTOMin = 400 (ms)
sctpRTOMax = 1600 (ms)
6.12.4 GTP
A GTP path exists between the eNodeB and each of its peer eNodeB with which a GTP tunnel is
established.
As per standard TS 29.281, the GTP echo mechanism is not implemented on X2 interface.
6.13 S1 INTERFACE
The eNodeB supports SCTP associations with multiple MME’s in support of S1-Flex topology.
The SCTP protocol associations are permanently established at the eNodeB start-up.
After successful set up of SCTP association, eNodeB sends S1 Set up message to exchange
application data needed for eNodeB and MME to inter-operate correctly on the S1 interface.
At call admission the eNodeB call processing defines which MME supports each call.
6.13.1 Ethernet
Information on VLAN, Ethernet QoS and MTU is gathered in a dedicated chapter which addresses all
types of traffic (including S1 traffic) .
6.13.2 IP
Information on IP routing and IP QoS is gathered in a dedicated chapter which addresses all types of
traffic (including S1 traffic).
6.13.2.1 IP addressing
Only 2 MME IPv4 or IPv6 addresses are supported for multi-homed MME.
Note: in the MIM there is the erroneous information that 4 MME IP addresses may be provisionned.
• Object: Enb/S1AccessGroup/MmeAccessGroup/MmeAccess/MmeTransportLayerAccess,
Parameter: sctpAssocRemAddrIpv6, Value: list of 2 IP addresses, Class: B, Service impact: Partial,
Update transient impacts details: S1-interface
eNB
S1AccessGroup
MMEAccessGroup
MMEAccess/n
plmnId
MmeTransportLayerAccess
sctpAssocRemAddr = 0 to 2 IPv4 @s
sctpAssocRemAddrIpv6 = 0 to 2 IPv6 @s
In case of MOCN, the IP addresses of the MMEs are configurable per operator in the eNodeB.
Even in case of GWCN, at eNB provisioning an MME shared between several operators is associated
with only one of the operators sharing this MME.
The provisioning of the complete list of operators sharing an MME is useless at eNodeB.
As per S1AP specification [3GPP TS 36.413], eNB learns the list of the PLMNs supported by an MME
from the S1 SETUP REPONSE sent by the MME.
When the selection of the serving MME for a UE is performed after RRC Connection is completed, all
PLMN identities that are supported by connected MMEs are considered.
SGW sharing does not impact eNB provisioning as the IP address of the SGW to which a bearer has to
be established is provided dynamically by the MME.
It is supported to have multiple eNodeBs with the same S1 address. The eNodeBs are uniquely
referenced by the combination of S1 IP address and port number.
6.13.3 SCTP
eNodeB supports multi-homed MME and the provisioning of up to 2 IPv4 or IPv6 addresses per MME.
In case of eUTRAN sharing, the same parameters setting of the SCTP stack apply to all operators.
Those parameters are those defined in RCF 4960 and configured under ‘MmeSctpLayerConf’ object.
There must be only 1 SCTP association established between an eNodeB and an MME. [3GPP TS
36.412]
In case of MOCN, the S1-MME SCTP connections between an eNodeB and the MMEs are per operator
(as each operator manages its own core network).
In case of GWCN with MME sharing, a single S1-MME SCTP connection is setup between eNodeB and
the shared MME [3GPP TS 36.412]. Thus, the traffic type “S1c” must be configured for only one of
the operators amongst those sharing the MME. Others operators’ S1-MME traffic is transported over
the VLAN of the operator that has been provisioned with the “S1c” traffic type.
S1-MME SCTP associations are initiated by eNodeB via INIT message sent from eNodeB.
Within the SCTP association established between an eNodeB and an MME a single pair of stream
identifiers is used for S1 common procedures and a single pair of stream identifiers is used for S1
dedicated procedures.
IANA has defined the SCTP destination port supporting S1-AP traffic as = 36412. [3GPP TS 36.412]
Note: in the MIM there is the parameter maxHoldOffTimeForS1Reestablishment at eNB object. This
parameter is not used in this release. SCTP parameters for RTO calculation
To prevent unnecessary retransmissions eNodeB sctpRTOMin must be higher than the round-trip
delay to the peer MME + the SACK timer duration at the peer MME.
With the RFC 4960 default recommended setting, the maximum duration before SCTP reports that a
SCTP path is down is:
RTO.Min= 1s / RTO.Max=60s / Path.Max.Retrans=5 => 1+2+4+8+16+32=63s
The first packet transmission failure has RTO = RTO.Min = 1s, the first retransmission has RTO = 2s,
the fifth retransmission has RTO = 32s
This aggregate time is a considerable time to detect a failure of a path and invoke a switchover to
an alternate path in a multi-homed environment. Potentially, the association could be torn-down
before a switchover is invoked.
The maximum number of retries for re-establishing an association which is down is configured
through:
• Object: Enb/EnbTransportConf/GlobalTransportConf/MmeSctpLayerConf, Parameter:
sctpAccessEstablishmentMaxRetries, Value: [0-255], Class: B, Service impact: Partial, Update
transient impacts details: Transport-Layers
The value 255 is interpreted as an infinite number of retries.
An association is terminated when the number of retransmission completes.
In case the neighboring MME does not acknowledge the S1 association requests from the eNodeB the
alarm “S1 SCTP ASSOCIATION FAILURE” is raised (major with S1 flex or critical without S1 flex).
When the eNB sends an ‘S1 Setup Request’ message (resp. ‘S1 eNB Configuration Update’), it starts
an S1 timer. When there is no answer by the S1 timer expiration then the S1 message is retried.
Timer duration and number of retries are not configurable but hardcoded to the following values:
# Retry
after initial after a retry
(if initial failed)
S1 Setup Request 2 2s
The SCTP parameters ruling the SCTP association failure detection must be set consistently with
the hardcoded S1 timer value.
That is, SCTP setting must allow multiple SCTP chunks retransmission before ‘S1 Setup Request’
(resp. ‘S1 eNB Configuration Update’) message is retried.
To comply with this constraint, ALU default recommended values for parameters “sctpRTOMin”,
“sctpRTOMin”, “sctpAccessAssociationMaxRetrans” and “sctpAccessPathMaxRetrans” are:
• sctpRTOMin = 400 ms
• sctpRTOMax = 1600 ms
• sctpAccessAssociationMaxRetrans = 4
• sctpAccessPathMaxRetrans = 2
Another set of SCTP values may be used but it must be consistent with the S1 timer duration.
With the ALU recommended setting RTO.Min = 400 ms, RTO.Max = 1600 ms, and Path.Max.Retrans =
2;
• the 1st packet transmission failure has RTO = RTO.Min = 400 ms, the 1st retransmission has
RTO = 800 ms, the 2nd retransmission has RTO = 1600 ms (RTO doubles at each
retransmission, rounded down to RTOMax), etc...
• there are at least 2 SCTP retransmissions before the S1 message is retried given that min(S1
Setup Request timer; S1 eNB Configuration Update timer) = 2 s > 1,2 s (400+800 ms for 2
SCTP retries).
• the maximum duration before eNodeB reports that a SCTP path is down is equal to 2,8 s
(400+800+1600 ms)
t=0s
SCTP timer = 400 ms initial SCTP (initial ‘S1 Setup Request’)
t = 0,4 s X SCTP chunck lost
1st retry SCTP (initial ‘S1 Setup Request’)
SCTP timer = 2*400 ms
X SCTP chunck lost
t = 1,2 s
2nd retry SCTP (initial ‘S1 Setup Request’)
S1 timer = 2 s X SCTP chunck lost
t=2s
initial SCTP (1st retry ‘S1 Setup Request’)
eNodeB uses the SCTP heartbeat mechanism for detecting S1-MME link failure in case of eNodeB or
MME or S1-MME path failure.
If SCTP is detected down then eNodeB will release RRC connections, delete UEs contexts and
release GTP-U tunnels for all UEs associated with the S1-MME link in failure.
Maximum number of retransmissions per SCTP path of Data and/or Heartbeat messages is done
through:
• Object: Enb/EnbTransportConf/GlobalTransportConf/MmeSctpLayerConf, Parameter:
sctpAccessPathMaxRetrans, Value: [0-255], Class: B, Service impact: Partial, Update transient
impacts details: Transport-Layers
Default recommendation for the maximum number of Data/Heartbeat retransmissions per path:
sctpAccessPathMaxRetrans = 2
With the ALU recommended setting, the maximum duration before eNodeB reports that a SCTP path
is down is: RTO.Min= 0,4s / RTO.Max=1,6s / Path.Max.Retrans=2 => 0,4+0,8+1,6=2,8s
The first packet transmission failure has RTO = RTO.Min = 0,4s, the first retransmission has
RTO = 0,8s, the 2nd retransmission has RTO = 1,6s (RTO doubles at each retransmission, rounded
down to RTOMax).
Maximum number of total retransmissions of Data and/or Heartbeat messages is done through:
• Object: Enb/EnbTransportConf/GlobalTransportConf/MmeSctpLayerConf, Parameter:
sctpAccessAssociationMaxRetrans, Value: [0-255], Class: B, Service impact: Partial, Update transient
impacts details: Transport-Layers
In case the S1 association between the eNodeBs is in fault the alarm “S1 SCTP ASSOCIATION DOWN”
is raised (major with S1 flex or critical without S1 flex).
For ensuring that eNodeB does not consider the peer is reachable while all paths are in failure
there must be verified that;
∑ sctpAccessPathMaxRetrans ≥ sctpAccessAssociationMaxRetrans
SCTP paths
eNB
EnbTransportConf
GlobalTransportConf
CommonSctpLayerConf
sctpSACKTimer = 0 (ms)
sctpAlphaDivisor = 8
sctpBetaDivisor = 4
MmeSctpLayerConf
sctpAccessMaxInitRetransmits = 8
sctpAccessEstablishmentMaxRetries = 255
sctpAccessEstablishmentRetryInterval = 30000 (ms)
sctpAssocHeartbeatInterval = 1000 (ms)
sctpAccessPathMaxRetrans = 2
sctpAccessAssociationMaxRetrans = 4
sctpRTOInit = 3000 (ms)
sctpRTOMin = 400 (ms)
sctpRTOMax = 1600 (ms)
6.13.4 GTP
A GTP path exists between the eNodeB and the SGW with which a GTP tunnel is established.
A GTP path verification is provided using GTP Echo and Response messages.
GTP Echo Requests has a TEID of 0.
After a failure is reported, eNodeB resets the failure count and continues sending Echo Requests.
On the first successfully received Echo Response after a failure, eNodeB notifies OAM with a
message indicating a recovery.
In order to process GTP Echo Requests, eNodeB listens on a UDP socket bound to the eNodeB’s
telecom IP address for traffic destined for the GTP port (port # 2152, as specified by TS 29.281).
In response to GTP Echo Requests received eNodeB builds a GTP Echo Response and sends it to the
source IP and UDP port that it came from.
GTP echo mechanism configuration is done through:
• Object: Enb/S1AccessGroup/SgwAccessGroup/SgwGtpConf,
Parameter: s1EchoRequestInterval, Value: [0-600], (with step = 10), Unit: second, Class: C,
Service Impact: None, Update transient impacts details: Immediate-propagation
Parameter: t3Response, Value: [1-5], Class: C, Service Impact: None, Update transient impacts
details: Immediate-propagation
Parameter: n3Request, Value: [1-10], Class: C, Service Impact: None, Update transient impacts
details: Immediate-propagation
For each active path on the S1-U interface a GTP Echo Request is sent every s1EchoRequestInterval
seconds.
If an Echo Response is not received within t3Response seconds (it is late or lost) then the Echo
Request is considered a failure.
After n3Request consecutive Echo Request failures eNodeB notifies OAM with message indicating a
failure.
Engineering: <eNodeB> <S1>
With the default recommended setting, the time before GTP echo reports that GTP-U path is down
is: 120 + 3 x 5 = 135s
eNB does not support GTP-u error handling. That is, in case of path failure eNB does not release
the eRABs associated to the path in failure.
Frequency, phase and Time of Day synchronization are supported by eNodeB PTP implementation in
FDD and TDD.
In its Announce messages, the grandmaster feeds the following information about its clocking:
• the reference time source (timeSource)
• the clock traceability (grandmasterClockQuality.clockClass)
• the clock accuracy (grandmasterClockQuality.clockAccuracy)
grandmasterClockQuality
timeSource clockClass clockAccuracy
0x20 25ns
_20 GPS 6 primary reference clock 0x21 100ns
0x22 250ns
clockClass is set to 7 (or 14) when there is an issue with the GPS (or E1) reference.
In case the grandmasterClockQuality does not match the table above, then the eNodeB does not
use the PTP source as its reference (until the grandmaster clock quality is restored).
For 1588 packet timing FREQUENCY delivery , as per ITU-T G.8261.1 section 8 ‘PDV Network
Limit’, the maximum permissible levels of packet delay variation for Hypothetical Reference
Model-1 (Metro ethernet) that the network must deliver is such that: more than 1% of SYNC timing
packets must arrive within 150us of the link floor-delay over a 200s window.
For 1588 packet timing PHASE delivery, ITU-T G.827x recommends a network design where each
transport equipment between the Grandmaster server and the 1588 client is 1588 aware, and
locally compensates for the variable latency it introduces onto the timing packets.
This is called On-Path Support, and has 2 variants – Transparent Clock and Boundary Clock.
ITU-T only consider the use of Boundary Clock, and reject the use of Transparent Clock. Boundary
Clock requires each Transport element to include a 1588 client which recovers the Sync Clock,
which is then used as the reference for a 1588 Master function.
This means there is only one hop between the end-client and its 1588 Master peer. So the PDV is
low, and so an SLA is not so important.
6.14.1 Hardware
The eNodeB PTP client communicates with the PTP server(s) on a single physical port.
eCCM vs. eCCM2 1588 algorithm differencies:
6.14.2 Ethernet
Information on VLAN and Ethernet QoS is gathered in a dedicated chapter which addresses all types
of traffic (including PTP traffic).
Since the 1588 traffic occupies the same vlan as OAM traffic, and all eNodeB traffic is supported on
the same physical link, there is a ‘risk’ of interaction between traffic flows (e.g. OMC download of
class ‘C’ parameters) increasing PDV impairments. This must be mitigated by ensuring 1588 packets
have higher priority qos marking than OAM packets.
In case of PTP over Ethernet in Unicast mode, the MAC address of eNB peer Primary Server is done
through:
• Object: Enb/ClockSync/PTPClientClockSync, Parameter: ptpPrimaryServerMACAddress, Value :
[xx-xx-xx-xx-xx-xx]; Class: C; Service Impact: None, Update transient impacts details: Immediate-
propagation
In case of PTP over Ethernet in Unicast mode, the MAC address of eNB peer Secondary Server is
done through:
• Object: Enb/ClockSync/PTPClientClockSync, Parameter: ptpSecondaryServerMACAddress, Value :
[xx-xx-xx-xx-xx-xx]; Class: C; Service Impact: None, Update transient impacts details: Immediate-
propagation
If there is no Secondary Master, this is set to ‘00-00-00-00-00-00’.
The MAC address of the active peer Grandmaster when in PTP over Ethernet in Unicast mode is
accessible through the Read Only parameter: ‘PTPClientClockSync::ptpActiveMACGrandmaster’.
In case of PTP over Ethernet in Multicast mode, the Multicast MAC address for PTP messages
generated and received by eNB is defined in IEEE1588 Annex D as: 01-1B-19-00-00-00.
Note: in Multicast mode Primary and Secondary peers have the same Multicast MAC address, and so
they can’t be differentiated through parameter: ‘PTPClientClockSync::ptpActiveMACGrandmaster’.
- in case of PTPoIP, allows to dissociate the Pbit setting policy for PTP from that set through
parameter pBitSettingEnable which applies for all eNB traffic
- in case of PTPoEth, allows in a ‘no Vlan’ topology to activate the Pbit setting for PTP
(2)
True Yes
True
False No
Vlan
ptpOverEthernet True Yes
or False
PTPoverUDPoverIP False No
(3)
True Yes
(4) (1)
No Vlan N.A.
False No
(1): ‘no Vlan’ is achieved by setting VlanId=4096, and it means eNB does not insert Tag fields at
egress Ethernet frames => pBitSettingEnable parameter cannot control Pbit presence.
(3): Pbit is derived from provisioned PTP DSCP that would be used if PTP was over IP. Note: VID=0.
(4): no Vlan topology for PTP may be configured for MCO, not for Macro.
6.14.3 IP
Information on IP routing and IP QoS is gathered in a dedicated chapter which addresses all types of
traffic (including PTP traffic).
The 1588 link from server to eNodeB should minimize the number of layer 3 hops since the
forwarding algorithms of intermediate transport equipment introduce Packet Delay Variation (PDV),
which must be bounded for the 1588 synchronization process to reliably deliver in-spec frequency
synchronization.
The affordable maximum number of hop between the eNodeB and the server also depends on the
traffic load in the backhaul.
For DL 1588 traffic, the Symmetricom TP5000 server cannot differentiate the QoS of event
messages and general messages. They are tagged with the same DSCP and Pbits values
(respectively EF and 6).
The eNodeB is configured with the IP addresses of both a primary and a secondary grandmaster.
If there is no secondary PTP server within the network then ptpSecondaryServerIPaddress must be
set to 0.0.0.0
In case of PTP over IPv4 in Multicast mode, IANA has assigned the IPv4 Multicast address
224.0.1.129 for all PTP generated and received messages except peer delay and 224.0.0.107 for
peer delay mechanism. See IEEE1588 Annex D.
1588v2 over IPv6 is only supported for FDD (not for TDD).
The eNodeB is configured with the IP addresses of both a primary and a secondary grandmaster.
If there is no secondary PTP server within the network then ptpSecondaryServerIPv6Address must
be set to 0:0:0:0:0:0:0:0
6.14.4 UDP
IANA has defined the UDP port supporting PTP traffic as:
319 for an event message
320 for a general message
6.14.5 PTP
The eNodeB supports both the one-step and the two-step methods, i.e. timestamp exchange
without or with the Follow up message sent by the master. The eNodeB Zarlink client algorithm
automatically adapts to either method.
Zarlink client API delivers a single duration element which is based on ptpSyncDuration.
The ptpAnnounceDuration parameter is not used by Zarlink client.
As per IEEE 1588 standard: The ‘ptpLogMinDelayReqInterval’ value shall be an integer with the
minimum value being portDS.logSyncInterval, i.e., at the same rate as Sync messages, and a
maximum value of logSyncInterval+5.
It must be verified that:
ptpLogSyncInterval ≤ ptpLogMinDelayReqInterval ≤ ptpLogSyncInterval + 5
With default logSyncInterval = -6 then -6 ≤ ptpLogMinDelayReqInterval ≤ -1
This is a minimum ratio of 1 Delay req message every 32 Sync messages.
The inter message period (logInterMessagePeriod) between Request Unicast Transmission messages
(for Sync, Announce or Delay resp) is a tradeoff between eNB requested value and GM granted
value.
At the 1st sent Request Unicast Transmission:
• eNB requests for a logInterMessagePeriod = ptpSyncDuration
• starts timer for triggering the next (2nd)unicast negociation to δ = ptpSyncDuration – 30 s
At reception of the 1st Grant Unicast Transmission and if granted logInterMessagePeriod < requested
logInterMessagePeriod then eNB:
• stops timer
• re-starts timer to δ = granted logInterMessagePeriod – 30 s
At timer expiration, eNB sends the 2nd Request Unicast Transmission:
• eNB requests for a logInterMessagePeriod = ptpSyncDuration
• re-starts timer for triggering the next (3rd) unicast negociation to same previous δ.
And so on. The 30 s margin is to ensure there are no gaps in the packet timing stream (in particular
Sync). eNB sends the next Request Unicast Negotiation 30 s before the previous 'lease' times out.
This offers opportunity to do multiple requests if messages are lost or errored.
The eNodeB supports a proprietary mechanism for delaying the transmission of the first Request
Unicast Transmission message by a random offset of 0 to ptpSyncDuration with a 100 ms
granularity.
The first eNodeB Request Unicast Transmission message is the first one after the eNodeB is up.
This is for ensuring the PTP master is not flooded by simultaneous Request Unicast Transmission
messages in the case a cluster of eNodeBs is setup at once.
Master Slave
clock clock
eNodeB power-up/reset
t0 : eNodeB PTP client is ready
δt = random delay
t0 + δt : first Request unicast transmission
Request unicast transmission
Sync logInterMessagePeriod
logMessageInterval
durationField Sync
Sync
t0 + δt + logInterMessagePeriod :
repetition of Request unicast transmission
Request unicast transmission
Use of Multicast saves the UL/DL bandwidth for periodic Unicast negotiation messages and limits the
DL bandwidth requirements of the 1588v2 messages. The benefit is especially for the backhaul
network while for the final hop to the eNB there is little bandwidth saving.
The drawback is that UL multicast messages from a eNB are broadcast to all other eNB on the LAN,
as well as to the master server.
As in Multicast mode there is no negotiation for message rates, the eNB accepts the message rates
offered by the peer Grandmaster(resp. Boundary Clock).
eNB identifies itself with its clockIdentity that is set in the SourcePortIdentity field.
The ClockIdentity is a 8 bytes identifier built from the 6 bytes of the eNB MAC address to which are
added the 2 bytes “FF FE” in the centre.
The client algorithm only processes messages with the correct ClockIdentity.
Eg. When the eNB transmits a Delay_Req to the GM (resp. BC), it inserts its unique
SourcePortIdentity in the message. The GM (resp. BC) places it back in the Delay_Resp message as
the RequestingPortIdentity field. Therefore even though the messages are multicast to all clients,
the target client captures its own data by comparing its SourcePortIdentity to the
RequestingPortIdentity field in the incoming message.
When an alternate grandmaster is installed (optional) the Zarlink client exchanges Sync and Delay
req/resp messaging with both grandmasters. Though only the synchronization messaging with the
primary master is used for synchronizing the eNodeB clock.
eNodeB PTP client exchanges timestamp also with the secondary grandmaster.
The secondary grandmaster is said in warm standby allowing for a quicker switchover in case of
failure of the primary master.
The failure of the primary grandmaster is detected by eNodeB Zarlink client in case of;
• loss of lock to received Sync messages, or
• loss of Sync messages, or
• loss of Announce messages
Zarlink client consideres there is a loss of Sync (Announce) messages when the percentage of
received Sync (Announce) messages is below 50% of the configured Sync (Announce) message rate.
Sync (Announce) message rate is provisionned with ptpLogSyncInterval (ptpLogAnnounceInterval).
The switchover from the primary grandmaster to secondary grandmaster is non revertive.
If the failure of the secondary grandmaster is detected by eNodeB Zarlink client, alarm “1588 loss
secondary server” is raised.
This alarm indicates the loss of synchronization from the secondary server.
eNodeB does not support the Best Master Clock (BMC) algorithm.
The DomainNumber field in the 1588 message Common Header received from a Grandmaster is
checked by 1588 receiver. If the DomainNumber from the source is different than the
DomainNumber at the Slave then the received PTP message is discarded by the slave.
As per IEEE1588v2 §7.1: “The domain with domainNumber 0 is known as the default domain. The
value of the domainNumber shall be configurable subject to limits established by a PTP profile.“
The DomainNumber at eNB PTP client it set to the standard default number (0) and cannot be
changed.
• with Boundary Clock topology where there is a single hop between client and peer master
• with Transparent Clock topology where is multiple hops. At each equipment packet latency
compensation is added to the CorrectionField. This allows the 1588 client to compensate for
the added delay.
ITU-T G.827x series of recommendations specify that in order to deliver phase accuracy it is
necessary for every transport node between the master and the client to support 1588v2 On-Path
Support by means of Transparent Clock support (and not by Boundary Clock support).
When the peer is a Boundary Clock, then eNodeB is unaware if its peer is a Grandmaster or a BC.
When the peer is a BC, eNB must be configured with the IP@ of the peer BC as its peer, not the IP@
of the peer GM.
When the peer is a BC, timeserver redundancy from eNB’s point of view is not supported since eNB
supports one First Hop Router, which is the BC.
6.14.5.6 Delay
There is a set of counters which provide the number of SYNC frames received within a delay
window based on the T1 time in SYNC/Follow-Up frame and the T2 time in the eNB. Each ‘ window’
defines a bar in a bar chart capturing the number of SYNC packets received from the active GM
within a particular delay spread.
Delay window width for each counter configuration is done through:
• Object: Enb/ClockSync/PTPClientClockSync, Parameter: ptpPDVCounterStepWidth, Value: [5 to
10000], (with step = 5), Unit: ns, Class: C, Service Impact: None, Update transient impacts details:
Immediate-propagation
Example: ptpPDVCounterStepWidth = 10 ns
There are 20 equal-width windows of 0-10 ns, 10-20 ns, 20-30 ns etc. The values that are captured
are (T2-T1)- (T2-T1)min, where (T2-T1)min represents the fastest packets with the minimum delay.
This measurement generates a baseline of 0 nsecs from which delays are measured.
The distribution of SYNC packets in the windows offers a view on the PDV the SYNC packets are
being subjected to.
Counters related to PDV are reported depending on following activation flag:
Object: Enb/PerformanceManagement, Parameter: pDVReported, Value: [true, false], Class: C,
Service impact: None, Update transient impacts details: Immediate-propagation
The IEEE1588v2 protocol allows for a static network UL to DL asymmetry delay between the eNB and
its remote 1588 peer. Positive value mean the UL has a longer latency than the DL, a negative value
means the DL had a longer latency than the UL. The default is 0, that is symmetrical UL/DL delay.
This offset, being configurable, is necessarily a ‘static’ offset, and does not compensate for dynamic
changing asymmetric delays. These must be compensated for by the use of 1588 Boundary Clock or
Transparent Clock topology.
eNB
eNBtransportConf
RanBackhaul
Vlan[1-50]
plmnId
vLanId = [2-4080; 4096]
TrafficDescriptor[0-10]
ipFormat = IPv4 or IPv6
trafficTypeList = 1588
ipv4Address
ipv4SubNetMask
ipv6Address
ipv6RoutingPrefixLength
eNB
ClockSync
PTPClientClockSync
ptpPrimaryServerIPaddress
ptpSecondaryServerIPaddress (1)
ptpPrimaryServerIPv6Address
ptpSecondaryServerIPv6Address (2)
ptpClientRegToD = 0:00:00
ptpSyncDuration 300 s
ptpLogSyncInterval -6 (64 Sync /s)
ptpLogAnnounceInterval 1 (1 Announce every 2 s)
ptpLogMinDelayReqInterval -4 (16 Delay req /s)
ptpPDVCounterWidthStep
(1) 0.0.0.0 if no secondary
(2) 0:0:0:0:0:0:0:0 if no secondary
PTPClientClockSync object owns parameters that are not used in this release:
SyncE has the advantage of offering robust frequency synchronization with the significant timing
events occurring at every recovered Ethernet clock edge. These significant events occur once every
Ethernet bit at Layer1. However, there is no phase or time of Day facility in SyncE. 1588v2, on the
other hand, offers phase and Time of Day but the synchronization significant events only occur once
per received SYNC packet, much slower than the SyncE rate. Therefore, a scheme using both
techniques simultaneously offers the advantages of both techniques, robust sync plus phase
alignment and Time of Day support.
Further advantages occur since once locked, if one of the reference technologies fails, the other
will offer indefinite holdover, since both technologies are traceable to Primary Reference Sources.
If PTP is lost the SyncE can maintain the already aligned phase and Time of Day whilst continuing to
provide frequency lock. If SyncE fails in ‘1588+SyncE’ mode the eNB migrates to traditional Holdover
mode, flywheeling on the local OCXO to maintain frequency and phase signals.
eNB monitors the performance of the recovered syncE clock by monitoring the Quality Level in the
received SSM messages. This information is accessible at OMC through the Read Only parameter
SyncEClockSync::synceQualityLevel.
For syncE+PTP, the only acceptable SSM Quality Level are 0001 and 0010.
If the monitored Quality Level accuracy is sufficiently stable then eNB locks to syncE. This
information is accessible at OMC through the Read Only parameter SyncEClockSync::syncELocked.
If eNodeB is locked to 1588 PTP then eNB enables the use of PTP. This information is accessible
through the Read Only parameter ‘PTPClientClockSync::ptpLocked’.
6.15 M3 INTERFACE
M1
eNB
M2 MBMS-GW
MCE MME
M3 Sm
eMBMS signaling (Session Start/ Session Stop/ Session Update/ Session Reset) is initiated at MBMS-
GW and conveyed to eNB via M3.
According to 3GPP, the Session Update does not change the transport layer parameters.
The MBMS-GW delivers the eMBMS packet data service to eNB via M1 interface.
IGMPv3/MLDv2 Report
(Allow New Sources, Multicast Address, Source Address)
N retransmissions
IGMPv3/MLDv2 Report
(Allow New Sources, Multicast Address, Source Address)
IGMPv3/MLDv2 Report
(Block Old Sources, Multicast Address, Source Address)
N retransmissions
IGMPv3/MLDv2 Report
(Block Old Sources, Multicast Address, Source Address)
MBMS Reset
(list of couples (MME id, MCE id))
N retransmissions
IGMPv3/MLDv2 Report
(Block Old Sources, list of (Multicast Address, Source Address))
ALU eNB supports eMBMS static configuration in case the peer-MME does not support M3 interface.
When M3 signalling is supported eNB does not take into account the IP addresses of M1 traffic
configured by OAM (if any).
6.15.2 Ethernet
Information on VLAN, Ethernet QoS and MTU is gathered in a dedicated chapter which addresses all
types of traffic (including M3 traffic) .
6.15.3 IP
Information on IP routing and IP QoS is gathered in a dedicated chapter which addresses all types of
traffic (including M3 traffic).
6.15.3.1 IP addressing
Only 2 MME IPv4 or IPv6 addresses are supported for multi-homed MME.
Note: in the MIM there is the erroneous information that 4 MME IP addresses may be provisionned.
eNBEquipment
Mce
M3MmeAccess
M3MmeTransportLayerAccess
sctpAssocRemAddr = 0 to 2 IPv4 @s
sctpAssocRemAddrIpv6 = 0 to 2 IPv6 @s
6.15.4 SCTP
M3-AP runs on top SCTP. A SCTP protocol association is permanently established by the eNB.
eNodeB supports multi-homed MME and the provisioning of up to 2 IPv4 or IPv6 addresses per MME.
The SCTP procedures used for the M3 interface between the eNB and the MME are the same as for
S1 interface between the eNB and the MME.
The same SCTP parameters with the same values are used.
Those parameters are those defined in RCF 4960 and configured under ‘MmeSctpLayerConf’ object.
There must be only 1 SCTP association established between an MCE and an MME. [3GPP TS 36.442]
M3 SCTP associations are initiated by eNodeB via INIT message sent from eNodeB.
There is only a single pair of SCTP stream identifiers in the SCTP association between the MME and
the eNB.
IANA has defined the SCTP destination port supporting M3-AP traffic as = 36444.
eNB determines whether to use IGMPv3 or MLDv2 depending on the version of IP addresses received
for the Multicast group and Multicast source in M3 signalling.
MBMS-GW allocates an IP multicast address to which the eNB should join to receive the MBMS data.
This IP multicast address together with the IP address of the multicast source (and a GTP DL TEID)
are provided to the eNB via MME within M3-AP message ‘MBMS Session Start’.
The IP multicast address and the source address identify the Source Specific Multicast (SSM) channel
used for user plane distribution on the backbone network.
The eNB may accept or reject the proposed IP Multicast distribution in the MBMS Session Start
Response to the MME.
Upon successful ‘MBMS Session Start’ procedure, eNB sends IGMPv3 (IPv4) or MLDv2 (IPv6)
Membership Report message to the Last Hop Router to subscribe to IP SSM channel associated with
the eMBMS bearer, including the MBMS-GW source IP and the destination IP multicast address chosen
by MBMS-GW for this session.
The first hop router to the eNB responsible for IP multicast distribution then propagates this
subscription information upstream. The result of this propagation is the establishment of a shortest
path tree (SPT) from source (MBMS-GW) to receiver (eNB). Then, MBMS-GW sends out M1 packets
with its IP address as source, and the chosen multicast IP address as destination.
At ‘MBMS Session Stop’ the eNB reports to the backbone in order to leave the bearer service
multicast distribution.
IGMPv3 and MLDv2 provide support for source specific multicast. Thus, a receiver of a multicast
group can specify an explicit set of sources from which it is interested or not interested to receive
data.
The eMBMS service as defined by 3GPP 23.246 uses Source Specific Multicast model with only 1
source address of multicast for a multicast address.
As per 3GPP 23.246, the full support of IGMPv3 and MLDv2 is not needed at the eNB which only uses
the filter mode “Include mode”.
eNB/MCE LHR
Query
Delayed response.
Combined response if pending responses.
Response not sent if Query for a group or a
source that the eNB does not listen to.
IGMPv3/MLDv2 Report
(Mode Is Include, Multicast
Addresses, Source Address)
The eNB uses the retransmission mechanism of unsolicited Report as described in RFC 3376 and RFC
3810.
The eNB delays its response (Report) to a Query from the router in compliance with RFC 3376 and
RFC 3810. The delay is a random amount of time, bounded by the Max Resp Time value derived from
the Max Resp Code in the received Query message. If there are pending responses to query, the eNB
sends a combined Response (Report).
Max Resp Time calculation from Max Resp Code is described in RFC 3376 & 3810.
Although the eNB uses a reduced set of IGMPv3 and MLDv2 features, it is fully compatible with full
IGMPv3 router or Lightweight IGMPv3 router and with full MLDv2 router or Lightweight MLDv2
router.
6.16.1 Ethernet
Information on VLAN, Ethernet QoS and MTU is gathered in a dedicated chapter which addresses all
types of traffic (including IGMPv3 and MLDv2 traffic).
In IPv4, the eNB listens to the IP multicast address 224.0.0.1 and the deduced multicast MAC
address.
In IPv6, the eNB listens to the IP multicast address FF02::1 and the deduced multicast MAC address.
6.16.2 IP
Information on IP routing and IP QoS is gathered in a dedicated chapter which addresses all types of
traffic (including IGMPv3 and MLDv2 traffic).
The DSCP marking for IGMPv3 and MLDv2 is the same than the one configured for ICMP traffic.
The MLDv2 messages are a subset of ICMPv6 messages and are characterized by:
• A preceding Next header value of 58
• Link-local IPv6 Source Address (or unspecified address)
• IPv6 Hop Limit 1
• IPv6 Router Alert option (RFC 2711) in a Hop-by-Hop Options header
6.16.2.1 IP addressing
Last Hop Router eNB router unicast address group multicast address (received in M3 Session
Start Request) for Group-Specific Queries and
Group-and-Source-Specific Queries
6.17 M1 INTERFACE
M1 transports eMBMS traffic.
MBMS is a point-to-multipoint service in which application data (TV and radio channels) is
transmitted from a single source entity to multiple recipients.
No IP @ needs to be configured at eNodeB.
eNodeB listens M1 multicast transport packets over an ethernet multicast @.
eNodeB then broadcasts IP application packets over air interface.
6.17.1 Ethernet
Multicast M1 packets are sent from Last-Hop-Router to eNB encapsulated in Ethernet frames. The
destination MAC address value is a multicast MAC address (the multicast bit is set).
The destination MAC address value for M1 multicast transport is calculated as follows by the Last
Hop Router:
• In IPv4, the low-order 23 bits of the IPv4 multicast address are placed into the low-order 23 bits
of the special multicast address 01-00-5E-00-00-00. This creates the range of Ethernet MAC
addresses for multicast IPv4 to be 01-00-5E-00-00-00 through 01-00-5E-7F-FF-FF. This mapping is
not unique. The SSM multicast destination IP address is in the subnet 232.0.0.0/8; 24 bits define
a specific service, while only 23 bits are copied to the MAC address. For a given source up to
two SSM multicast groups may map to the same hardware address at the same time. Taking into
account the possibility that many different sources can be used for the same SSM multicast
destination IP address, a large number of SSM channels may map to the same hardware address.
• In IPv6, the last four octets of the IPv6 multicast address are placed into the last four octets of
the special multicast address 33-33-00-00-00-00. This creates the range of Ethernet MAC
addresses for multicast IPv6 to be 33-33-00-00-00-00 through 33-33-FF-FF-FF-FF.
The eNB listens to the multicast MAC address deduced from the group multicast address.
6.17.2 IP
There is no IP address configured for the M1 traffic as it is downlink multicast traffic.
The Source Specific Multicast (SSM) service model is used.
The source address is the source address received from eMBMS GW in M3-AP MBMS Session Start
Request.
The SSM destination address is the group multicast address received in M3-AP MBMS Session Start
Request.
IANA has assigned the addresses range 232.0.0.0/8 (IPv4) and FF3x::/32 (IPv6) for SSM multicast
destination IP address.
The eNB M1 address configured in the traffic descriptor of the MIM is not used.
6.17.3 GTP
Same as for S1 interface.
A GTP path exists between the eNodeB and the MBMS-GW with which a GTP tunnel is established.
The GTP DL TEID used by the eNB to establish the tunnelling with the MBMS-GW for M1 user plan is
sent by the MME in the MBMS SESSION START REQUEST M3-AP message.
6.17.4 Synchronization
eMBMS traffic requires both radio frame phase synchronization AND aligned SFN on the air interfaces
of neighbouring eNBs.
sfnSyncOption parameter must be configured to support frequency and phase and Time of Day
synchronization mode (ClockSync::sfnSyncOption = FreqAndPhaseAndTimeOfDaySyncEnabled)
The PNP capabilies allow the node to be deployed without on site configuration of the node. The
Self Commissioning combinedwith the PNP capabilities allows the EMS to configure the node without
the EMS operator intervention. This capability is already available with nodes that are configured
with Static IP addresses and IPsec is disabled on the OAM channel. The ability to manage the nodes
with static IP addresses will still be available. The node will now be discovered by the nodes serial
number. The serial number discovery method supports the PNP mechanisms.
The EMS can be configured to discover each individual node with either the:
1. IP Address method – This capability requires the EMS to poll for the node. Once the node
responds, the EMS starts the registration process.
2. Serial Number method – The Node will send Hello messages to each of the EMS addresses
that the node has been provisioned. The EMS that is configured to manage the node by
configuring the EMS with the nodes serial number. The managing EMS will respond to the
node and start the OA&M link setup.
Self Commisioning Capabiltities via the serial number are compatible with IPsec and NON IPsec PNP
OA&M communications channels.
Restriction: <eNB><IPsec>(<Plug-N-Play>)
Plug-N-Play is meant for initial deployment for eNB with automatic establishment of IPsec OA&M
Connection only. Plug-N-Play capabilitites are not available for Telecom connections.
IPv4 traffic only for OA&M traffic.
1. No factory customization of FQDNs (SeGW/ SAM FQDNs or IP address). All information are
acquired via DHCP.
2. DNS address resolutions are not supported during the Macro PNP deployments.
3. No SeGW redirection during PNP deployments.
4. Macro eNB will default to No VLAN from the factory.
Parameter emsFqdn
Object ENBEquipment/eNB/EnbTransportConf/OamTransportConf
Range & Unit String (1-64) characters
Class C - New-set-ups
Value N.A.
Feature 115970
This parameter specifies the fully qualified domain name (FQDN) of EMS to use during initial OAM
Link Establishment. The emsFqdn/DNS is used during automatic Plug-n-Play procedures to obtain
EMS IP address for DNS option of providing EMS IP address. This parameter is only used when (1)
RanBackhaul.ipConfigAutomatic is set to True which indicates that the OAM Link Establishment
parameters are obtained from automatic Plug-n-Play procedures instead of provisioned by the
operator; (2) Operator does not use DHCP option. If the DNS option is used a default port of 162 is
used since the DNS does not return the port with IP address resolution.
Parameter emsIpv4Address
Object ENBEquipment/eNB/EnbTransportConf/ProvisionedEmsAddressData
Range & Unit IPv4 Address
Class C - New-set-ups
Value N.A.
Feature 115970
This parameter specifies an EMS IPv4 address provisioned by the operator. This is one of the
parameters in the ProvisionedEmsAddressData object. Up to 10 ProvisionedEmsAddressData objects
may be created by the operator. eNB contacts these EMS IP addresses in order to establish the
initial OAM connection. This parameter is only used when (1) RanBackhaul.ipConfigAutomatic is set
to False which indicates that the OAM Link Establishment parameters are provisioned instead of
obtained from automatic Plug-n-Play procedures AND (2) IPv4 is used for the OAM interface.
Parameter emsIpv6Address
Object ENBEquipment/eNB/ EnbTransportConf/ProvisionedEmsAddressData
Range & Unit IPv6 Address
Class C - New-set-ups
Value N.A.
Feature 115970
This parameter specifies an EMS IPv6 address provisioned by the operator. This is one of the
parameters in the ProvisionedEmsAddressData object. Up to 10 ProvisionedEmsAddressData objects
may be created by the operator. eNB contacts these EMS IP addresses in order to establish the initial
OAM connection. This parameter is only used when (1) RanBackhaul.ipConfigAutomatic is set to
False which indicates that the OAM Link Establishment parameters are provisioned instead of
obtained from automatic Plug-n-Play procedures AND (2) IPv6 is used for the OAM interface.
Parameter emsOamLinkInitPort
Object ENBEquipment/eNB/ EnbTransportConf/ProvisionedEmsAddressData
Range & Unit (1-65535)
Class C - New-set-ups
Value N.A.
Feature 115970
This parameter specifies the port on the EMS where eNB sends Hello msgs during OAM Link
Establishment. This is one of the parameters in the ProvisionedEmsAddressData object. Up to 10
ProvisionedEmsAddressData objects may be created by the operator. eNB contacts these EMS IP
addresses in order to establish the initial OAM connection. This parameter is only used when
RanBackhaul.ipConfigAutomatic is set to False which indicates that the OAM Link Establishment
parameters are provisioned instead of obtained from automatic Plug-n-Play procedures.
The information and the network component that issues the information will differ between the
NON IPsec and IPsec PNP scenario. As discussed in the IPsec PNP section of the Transport
Engineering Guide, the edge DHCP server returns Outer IPsec tunnel address, the SeGW IP address
and EMS information. For NON IPsec PNP scenario, the DHCP server will return the OAM IP address
instead of the IPsec Tunnel outer address. The IPsec inner tunnel address is not required in this
scenario.
The node determines whether the OAM channel is an IPsec OAM or NON IPsec OAM link based on the
information received from the DHCP response
• If the DHCP reponse contain the SeGW IP address in the vendor specific option 43, the node
will be configured for IPsec OAM
• . If the DHCP reponse does not contain the SeGW IP address in the vendor specific option
43, the node will be configured for NON IPsec OAM
The example above represents an example of a fully automatic method to allocate configuration
information to the nodes. It is not mandatory that DHCP be used for allocating configuration
information. Other mechanisms can be used. If certain information isn’t allocated as part of an
automated PNP method, then the information set must be manually provisioned.
The Nodes use the list of EMS IP addresses and ports to establish an OAM Link with the EMS.
Once the OAM communications channel have been established, the node will start the OAM link
establishement with EMS. The Serial number case will be described to illustrate the use of the DHCP
response information.
1. eNB sends Hello messages to Candidate EMS IP addresses and ports obtained from PnP
procedures.
2. Managing EMS receives Hello message. The Hello messages contain the nodes serial number
and IP address.
3. EMS determines if it is the Managing EMS for the eNB
4. Managing EMS opens the OAM link using the eNB’s OAM IP address in the Hello message and
registers itself as the Managing EMS.
5. EMS begins link monitoring and sends first valid Heartbeat message to eNB to SNMP port 161.
6.18.4.1 NON IPsec Plug and Play Pre-Requisits features and capabilities
The following components list the pre-requisit features required to support the Plug and Play
scenario.
eNB/Metrocell pre-requisits
1. Feature L115970 – eNB self Comissioning feature. This feature is required to complete the
Plug-n-Play scenario, but required to establish the OAM IPsec channel.
2. The parameter ranBackaul.ipConfigAutomatic is enabled. This is the default setting.
Upon receiving a DHCP request, the edge router will respond with the required IP
addresses.
d. The Layer device can act as a DHCP relay to and send a request to a DHCP server to
acquire the OAM address, the EMS IP address (including ports.
The nodes DHCP client will not perform DHCP renew requests. The DHCP server should have a
permanent lease time for the OAM IP address.
Not Required
CMS
Not Required
SAM
The SAM is provisioned with the eNB serial number in order to accommodate the eNB serial number
registration scheme (Feature L115970, eNB Self Commissioning). Release 13.1 eNB will initiate hello
messages to EMS IP addresses that are pre-configured on the eNB or EMS IP addresses that are
acquired When an eNB sends the hello message to the controlling SAM, the SAM will respond and
continue with the registration process. Once the eNB is registered and Managed, the SAM is used to
provision the eNB/Metrocell with the final configuration once communications to the eNB or
Metrocell is established.
The PNP components must be pre-configured to support the deployment of the eNB/Metrocell prior
to the delivery of the equipment. In order to provide a proper explaination of the functionality a
complete walk through the communications between the deployed equipment and the network
components will be discussed. An example of the communications between the eNB/Metrocell and
the network components are provided in this section. The example will be an IPsec tunnel
configuration for the OAM and telecom interfaces.
Edge Device
If the edge device is a layer 2 device, then the device should be configured to accept no VLAN
OA&M traffic.
If the device is a layer 3 device, an internal DHCP server should be configured to provide the:
• OAM IPsec address
• the EMS IP addresses and ports (Maximum of 10)
The assigned IP addresses are associated with the eNB/Metrocell. Upon receiving a DHCP request,
the edge router will respond with the appropriate IP addresses.
The router will be properly configured for routing traffic to the OAM network.
CMS -- N/A
SAM
The SAM will have the complete configuration for each eNB. This includes all the parameters for a
communications channel for the OAM if necessary. The SAM is configured with the serial numbers of
all the eNBs that the SAM will manage. The SAM has the self configuration policy set with the
following set:
o Auto Start
o SW Upgrade
o Configuration Deployment
o Administrative Enable
6.18.4.3 NON IPsec Plug and Play Walk Through with IPsec and DHCP capability
Figure 120: NON IPsec Plug and Play Flow represents the communications for Plug and Play. All
discussions will refer to this diagram.
The Node will be pre-loaded with the ALU factory certificates. The eNB/metrocell will also
configured to automatic configuration. All other components will be pre-configured to support the
eNB deployment.
When the eNB is first deployed in the field, the eNB will first boot and perform a DHCP request for
an AOM IP address, SAM IP addresses and next hop router. The edge device will allocate the IP
addresses. After acquiring the IPsec tunnel address, SAM IP addresses and next hop router address,
the node will initiate connection with the SAM. Te node will initiate communications to all EMS IP
addresses that are known. Only the Managing EMS configured for serial number node identification
will responds to the node initiation. The Node and the managing EMS completes the registration.
The EMS will configure the node based on WPS loaded DB in the EMS system. Once the node has
been configured, the node will reset to instantiate the configured parameters. The node will re-
establish communications channel with the EMS. Telecom communications are established.
Counter Description
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
Same as above but for sent traffic
ifOutDiscards
ifOutErrors
ifOutLinkUtilisation
Counter Description
OAMOutOctets
Same as above but for sent traffic
OAMOutPackets
TelecomOutOctets
Same as above but for sent traffic
TelecomOutPackets
Counter Description
VlanULThroughput
VlanTrafficTypeULOctets
(1) At eNB, counting occurs before fragmentation and after re-assembly in the egress & ingress
respectively, for U-plane traffic. This causes a small underestimate of traffic volume as the headers
of the fragmented packet are not counted.
The implementation estimates the overhead for IPsec since in the U-plane the trafficType cannot
be retrieved from an encrypted packet, therefore decryption is required before trafficType counting
can occur.
(2) Counters related to Vlan are reported depending on following activation flag:
• Object: Enb/PerformanceManagement, Parameter: vlanReported, Value: [true, false], Class: C,
Service impact: None, Update transient impacts details: Immediate-propagation
(3) Counters related to Traffic Type are reported depending on following activation flags:
• PerformanceManagement::vlanReported, and,
• Object: Enb/ActivationService, Parameter: isTransportTrafficTypeCountersEnabled, Value:
[true, false], Class: C, Service impact: None, Update transient impacts details: Immediate-
propagation
6.19.2 SCTP
Counter Description
6.19.3 X2
Counter Description
X2SentThroughput
X2SentPackets
Same as above but for sent traffic
X2SctpOutOctets
X2SctpOutPackets
6.19.4 S1
Counter Description
S1ULThroughput
S1ULPackets
Same as above but for sent traffic
S1SctpOutOctets
S1SctpOutPackets
6.19.5 M1
Counter Description
Counters related to UL Traffic Shaping are reported depending on following activation flag:
Object: Enb/PerformanceManagement, Parameter: trafficShapingReported, Value: [true, false],
Class: C, Service impact: None, Update transient impacts details: Immediate-propagation
Counter Description
VlanShaperQueueRejectedPackets
VlanShaperQueuePacketLossRate
Counter Description
Counter Description
NbBearersPerVlanPerCoSOnS1u
VlanTransportCACFailureOnS1u
NbVoiceEmergencyBearersPerVlanForCoSVoIPOnS1u
VlanTransportCACFailureForEmergencyCallOnS1u
VlanTransportCACFailureForHPACallOnS1u
6.19.8 1588v2
Counter Description
Counter Description
exceeds the ‘normal’ range accepted by the
algorithm. The algorithm infers that acting
on this packet will actually create more
error, and so the perfectly good packet is
rejected.
PTPAnnounceRxSecondaryGM
PTPErroredSyncRxSecondaryGM
to/from Backhaul
to/from WAP
In the rest of this chapter, “MCO” refers to the Metro Cell Outdor in general. Where a specific
variant of MCO hardware matters, the terms “MCO TRF” and “MCO FAM” are used.
There is no external interface difference between a MCO and a Macro eNB regarding interconnection
with EPC (MME/SGW), SeGW, neighbor eNB or OAM nodes.
OAM and control plane traffic (S1-C/X2-C) is terminated by the Linux stack running on P3041.
Note:
This chapter applies as well to the Metrocell Indoor (MCI) which is based on MCO FAM.
Compared to MCO, MCI does not include any Metro Dock and does not support wifi
AP.ETHERNET
MCO TRF only supports one Ethernet port that is used for backhaul access.
As a consequence, MCO TRF can’t support daisy chaining nor port redundancy.
There is no Local Maintenance Terminal (LMT) port, and therefore no local NEM access is possible.
eNB supports one MAC address dedicated to 1588 flow, and one MAC address dedicated to
OAM/Telecom… flow.
The WiFi AP also has one MAC address.
A dedicated MAC@ for 1588 enforces a dedicated IP@ for 1588: an ARP for 1588 IP@ gives the 1588
MAC@ and an ARP for OAM and/or Telecom gives the OAM and/or Telecom MAC@.
MCO supports two external GigE ports: one port is used for backhaul access while the other port
may as an option be used to connect another MCO (LTE or WCDMA) which traffic is transported over
the MCO backhaul port.
As an option, MCO may be equipped with a Wi-Fi module which traffic is transported over the MCO
backhaul port.
LTE MCO No
WCDMA MCO No
LTE MCO
No Yes
L2 switch L2 switch
Optional
WiFi AP
Backhaul
LTE traffic
LTE or WCDMA daisy chained traffic
WiFi traffic
Figure 122: Traffic paths for the LTE MCO plus Daisy Chain traffic
QoS prioritization and scheduling are performed on the aggregated uplink traffic before forwarding
to the backhaul network. This is done at the L2 Ethernet switch in the LTE MCO. QoS priorities are
based on the L2 p bits in the uplink Ethernet frames. Four queues are available and used to map to
the p bits.
4, 3, 2 Second priority
0 Third priority
LTE module
LTE UL traffic
L2 switch
Backhaul
chained MCO UL traffic
Figure 123: UL Traffic L2 QoS management for the LTE MCO plus Daisy Chain traffic
LTE MCO does not provide syncE on its daisy chain port.
LTE MCO does not provide policing on its daisy chain port.
LTE MCO does not provide uplink traffic shaping on its backhaul access nor on its daisy chain port.
The L2 Ethernet switch performs L2 switching independent of the VLAN ID tag. Downlink and uplink
traffic are forwarded based on the L2 switch ports.
The VIDs used by the MCO can be shared or not with the daisy chained equipment(s).
Traffic type
VLAN 1
VLAN 2 1588 OAM S1-U S1-C X2-U X2-C M3 M1 IGMPv3 MLDv2
MCO TRF supports jumbo Ethernet frames with a MTU size of 2000 bytes maximum.
The maximum ethernet frame length is thus 2022 bytes.
The maximum frame size supported on the MCO FAM Ethernet switch is 1632 bytes.
MCO FAM supports jumbo Ethernet frames with a MTU size of 1610 bytes maximum.
7.1.7 LAG
Same applies as for Macro eNB.
7.2 IPV4
7.2.1 MTU
7.2.4 Subnetting
Same applies as for Macro eNB.
7.2.6 Routing
Same applies as for Macro eNB.
7.2.7 IP QoS
Same applies as for Macro eNB.
7.3 IPV6
Same applies as for Macro eNB.
7.7 DHCPV6
Same applies as for Macro eNB.
7.8 SCTP
Same applies as for Macro eNB.
7.9 SECURITY
he Metro security features are identical to the Macro features, unless otherwise specified.
7.9.1 IPsec
The Ike IDI uses the Certificate subject field. As part of the SA authentication.
The certificate subject is a Domain Name of the form ‘O=Alcatel-Lucent, CN=<Serial
Number>.Alcatel-Lucentcom’. The serial number is the Metros serial number.
PNP is mandatory for Metro deployed nodes. Therefore, certificate based IPsec tunnels are
required. IPsec Pre-shared key configurations for IPsec are not supported as compared to the Macro.
IPsec configurations for Metro eNB are not identical to Macro configurations. Specific Metro PNP
configurations are provided in section 7.9.2.1 Supported PNP Configurations.
In addition to the plug and play provided in the Macro, additional capabilities are provided in the
Metro platform.
Plug-N-Play is meant for initial deployment for eNB with automatic establishment of IPsec OA&M
Connection only. Plug-N-Play capabilitites are not available for Telecom connections.
1. Factory customization of FQDNs (SeGW/ SAM FQDNs, VLAN ID or IP address) are allowed.
2. DNS address resolutions are supported during the Macro PNP deployments.
3. SeGW redirection during PNP deployments are supported.
DNS capabilities are supported on Metro Platforms. Please refer to section 6.10.3 eNB Security Plug-
N-Play Implementation for PNP description. In this scenario the Metro cell has the capability to
1.
allow entries of FQDN (Fully Qualified Domain Names) and DNS addresses for IP address resolution.
This can be achieved via manual configuration or the FQDN/DNS information can be obtained via the
DHCP response. If the FQDN and DNS information are received vi the DHCP, the node will acquire
the IPaddresses of the FQDN entries (seGW FQDN, EMS FQDN).
fqdnSegIPsecTunnel: This parameter specifies the FQDN that resolves to the outer IP address
(IPv4 or IPv6) for the IPsec tunnel at the Security Gateway.
It can be set if and only if the eNB is an eNB-MCI..
Parameter fqdnSegIPsecTunnel
Object ENBEquipment/eNB/EnbTransportConfig/PerOperatorConf/IPsecConf
Range & Unit String
(0-128)
Class C
Value NA
Feature 159296
The SeGW redirection capability will be supported in 13.3 release. SeGW redirection is the ability to
change the first SeGW the eNB first communicates with the system compared to the final SeGW
after all the eNB is fully configured.This is done when the SAM sends new MIM DB configuration to
the eNB with a different SeGW configuration (Enb/securityGWFqdn parameter or
IPsecTunnelConf/ipv4AddressSegIPsecTunnel parameter). If the SeGW address was configured via
DHCP in the inital bring of the OA&M tunnel, after the connection to SAM, the new MIM parameters
will contain a different SeGW address than the original SeGW address (Re-direction).
Each row with yellow or green background contains one of the basis VLANs traffic mix. Each row
number represents a VLAN configuration. The N in the VLAN number indicates a NO VLan
configuration.
When there are several lines in a yellow or green row, each line corresponds to an IP address. The
list of types of traffic mapped to the IP address is listed in the line (e.g. for VLAN combination # 1
there are two lines in green. The traffic Oam+S1u+S1c+X2u+X2c of the first line is mapped to an IP
address and the traffic 1588 of the second line is mapped to another IP address).
A column below “VLAN configuration reference” identifies a possible association of VLANs that is
defined by the set of grey areas in this column. “4”, “6” or (respectively “6over4”) in a column
represent an eNB IP address; “4” means it is an IPv4 address; “6” means it is an IPv6 address, and
“6over4” indicates IPv6 over IPv4.
Please refer to the Macro IPsec PNP of this document for a detailed description of PNP functionality.
This section describes additional PNP functionality.
The Metro will now support IPv6 over IPv4 in the IPsec tunnel configuration for the OA&M. The outer
tunnel will be IPv4 and the inner tunnel address can be IPv6. The support for the outer and inner
tunnel address having identical protocol types remain.
A new entry value will be used with an existing parameter to distinguish the IPv6 over IPv4
funtionality. VLAN::ipFormat is configured with IPv6overIPv4IPsec.
The IPv6 over IPv4 capability will be compatilble with the following features:
1. IPsec Plug and Play
2. IPsec DNS and redirection
• 1588 and PTP traffic may be within the OA&M VLAN but not inside the IPsec Tunnel.
• Unlike the 3 IPsec VLAN configurations allowed for MACRO configurations.The IPv6 over
IPv4 will only be allowed for 0, 1 or 2 VLAN configurations.
An example of Plug and Play for IPv6 over PIv4 is provided for clarity reason. The eample below
does not show all the possible combinations of IPv6 over IPv4 with PNP. There are many
combinations of factory settings, FQDN and SeGW redirection.
The Metro security features are identical to the Macro features, unless otherwise specified.
The Metro security features are identical to the Macro features, unless otherwise specified.
The Metro security features are identical to the Macro features, unless otherwise specified.
The Metro security features are identical to the Macro features, unless otherwise specified.
7.9.7 NAT-T
Service providers that use IPv4 addresses in the ePC core may want to save addresses due to the
limited IPv4 addressing space. One method of conserving space is to use a Network Address
Translation. NAT inherently has an issue with IPsec packets. IPsec in ESP mode encrypts the port
number, source IP and destination IP of the original packet. The source and destination IP are
replaced with the IPsec tunnel address. The port number is not replicated in the IPsec packet. The
NAT device in the network will not be able to translate the IPsec packet from the eNB.In this
scenario the eNB will have the capability to assist in the network NAT function by performing a NAT-
T function. The NAT-T function on the eNB will insert a UDP header with the port number of 4500 .
This allows the external network NAT function to properly map the source packet to the ePC core IP
address.
The NAT-T function must exist on either end of the IPsec tunnel. The NAT-T is automatically
enabled on eith end of the tunnel. NAT-Detectio (NAT-D) is performed in the first few transactions
of the IKE negotiations. The first IKE message sent in the negotiations uses the UDP packet with port
500. The response is sent with addition of a HASH payloads containing source IP address, port
number and another HASH payload with the destination port and port number. The peer that sent
the first message will compare the HASH information to the received packet to compare the
source/destination address. If the packet information does not match the HASH information then a
NAT occurred. The peer that sent the first packet will proceed with the IKE negotiations and
respond with a packet containing the HASH payload of the source address, port number and
Destination address and port number. If NAT had been detected from the remote peer, this packet
will be sent with a port number of 4500. The second peer will perform the same check with the
HASH data as compared to the received packet to determine if NAT had occurred. If NAT had
occurred, then all subsequent messages are sent via port 4500.
Assuming NAT is detected, All subsequent IKE messages are sent port 4500. When the tunnel is
configured and the packets are encrypted in teh ESP payload, the NAT-T will now add an UDP
header to the to the payload with port 4500 such that the IPsec packet can be handled by the
network NAT.
Based on RFC 3948 (UDP encapsulation of IPsec packets) a standard UDP header is attached to the
ESP packet. RFC 768 (UDP data), the UDP header is an additional 8 bytes.
1. A secure boot mechanism to autehenticate the LTE MCO software image. Secure boot is the
cryptographic mechanism in the LTE MCO used to authenticate the MCO Softwre image
before booting the MCO. This guarantees that the software image has not been tampered
with.
2. A Secure Storage mechanism to store and use the IKEv2 RSA private key that authenticates
the LTE MCO. Secure Storage is the cryptographic mechanism employed to encrypt and
integrity protect the security credentials like the RSA private key used to authenticate the
MCO device to the EPS and the derive the IPsec session keys.The encryption and storage of
the keys are performed immediately after they are generated in the clear. When the RSA
keys are needed in normal operation, the Secure storage will decrypt the encrypted keys
and provide the information in clear text to the process. The clear text information will be
stored in secure RAM.
Activation of Secure Boot and Secure Storage is automatically performed as part of the 13.3 release.
1. Activation will be performed as part of the factory process prior to deployment in the field.
2. If the deployed MCO is release 13.1 and upgraded to 13.3.
1. The MCO is in the field with release 13.1 and upgraded to release 13.3. Release 13.3 will be
loaded into the passive software partition. When release 13.3 is activated the Secure Boot
and Secure Storage will be automatically activated. As part of the activation, new CMS
certificates are re-established.
After the MCO has been activated to release 13.3, there is a period of time that the user can
evaluate the release before premanately commiting to release 13.3. Permanately commiting to
release 13.3 will disallow fallback to release 13.1. Fallback to release 13.1 can only performed
when the 13.3 release had not been permantely commited.
• Permantely commiting to release 13.3 should be performed at the earliest convience once
the release 13.3 has been deemed acceptable.
The MCO will allow fallback from 13.3 release to release 13.1. This can only performed
2. Newly deployed release 13.3 MCO. The Secure Boot and Secure Storage are active in release
13.3 and greater.The 13.3 release can be upgraded to 14.1 or later release. In this scenario
both the present and previous release support the Secure Boot and Secure Storagefeature
and there are no special considerations for fallback scenarios. Therefore there is no
requirement to permantely to commit to a active release as in the case of scenario 1.
Prior to 14.1 release, the MCO had the ability to support an optional WIFI AP adaptor. The WIFI AP
adaptor is connected to the MCO L2 Switch. In all intent and purposes, the WIFI AP is an
independant module managed by a WI-FI AP controller and connects to a WLAN GW. The WI-FI
controller and WLAN GW are separate equipement that connect to the MCO.
The WIFI AP will be able to perform Plug-N-Play in a similar fashion to the method used in MCO.
Please refer to the MCO section for Plug-N-Play. This section assumes that the reader uderstnads
the MCO Plug-N-Play. There following are the supported models.
1. Model 1, Wi-Fi user plane model using GRE tunnels between the Wi-Fi AP and the WLAN GW
with L2oGRE protocol and Wi-Fi user plane is transported inside the Wi-Fi IPsec tunnel.
SECURITY
GATEWAY LTE EPC
MME
Wi-Fi AP
and
LTE MCO
UE and Wi-Fi
Mobile LTE OAM
Network SGW/PGW
The MCO and the WI-FI AP have separate IPsec tuunels to transport their respective OA&M
connections. The AI-FI AP and the MCO can connect to the same SeGW. The SeGW will terminate
both IPsec tunnels (MCO and WI-FI AP). The SeGW will route traffic to the respective OA&M
destination based on the IP destination address in the IP packet once the IPsec decryption has been
performed. The MCO traffic will communicate with the SAM management system. The Wi-Fi AP will
communicate with the WiSC (Wi-FI System Controller).
In this Wi-Fi AP configuration, the Wi-Fi AP user plane traffic, Wi-Fi OA&M and Wi-Fi EAP/AKA traffic
are transported in the same IPsec tunnel. The Wi-Fi AP user plane traffic and Wi-Fi EAP/AKA traffic are
transported in a Wi-Fi GRE tunnel. The Wi-Fi GRE tunnel is transported in the Wi-Fi AP IPsec tunnel.
The following table indicates the required network components to support the various
architectures:
• Vendor specific Certificates are not supported in Wi-Fi deployments. ALU certificates are
the only certificates supported for authentication.
1. ALU Certificates
2. The FQDN of the SeGW in the field is provisioned in the Wi-Fi AP.
3. The FQDN of the WiSC in the field is provisioned in the Wi-Fi AP.
Te following diagram depicts the connection flow and communication between the Wi-FI AP and
network components.
IPsec tunnel set between Wi-Fi AP and the SeGW using the factory digital certificates
Wi-Fi AP request WiSC IP address to the Internal DNS server using WiSC FQDN
WiSC has completed provisioning the Wi-Fi AP. WiSC has adopted the Wi-Fi AP.
Wi-Fi AP can start providing Wi-Fi over the air services to Wi-Fi subscribers.
7.9.10.4 Restrictions
1. WI-FI AP IPsec tunnels will be IPv4 outer and IPv4 Inner format only.
7.11 X2 INTERFACE
Same applies as for Macro eNB.
7.12 S1 INTERFACE
Same applies as for Macro eNB.
MCO 1588v2 client is based on the Bell Labs software, with Winpath3-SL as the timestamper.
grandmasterClockQuality
timeSource clockClass clockAccuracy
_10 ATOMIC
6 0x20 25ns
_20 GPS 80 primary reference clock 0x21 100ns
84 0x22 250ns
_40 PTP
13
_60 E1 80 application-specific clock 0xFE unknown
84
Phase synchronization with 1588v2 is supported and may only be used for eCSFB and eMBMS.
Any other feature requiring phase synchronization requires GPS to be used.
This timer specifies the time allowed for the client to attempt to lock to the 1588 messages before
triggering the PTP_UNEXPECTED_LONG_INITIALIZATION alarm.
MCO 1588 IP address and MCO 1588 master(s) IP address(es) may be either provisioned or supplied
through a DHCP procedure.
This (second) DHCP procedure comes after the one which supplies the local OAM (outer) IP address.
PTP IP address(es) supply mode configuration is done through:
• Object: Enb/ClockSync/PTPClientClockSync, Parameter: isPTPipAddressByDHCPenabled, Value :
[true, false], Default: false, Class: A, Service impact: Critical, Update transient impacts details:
full-eNB-reset
DHCP parameter
The 1588 IP @s delivery through DHCP is applicable for the following topologies:
(OAM server is assumed to be in the public network)
Network
Private Private Public Public
Type (1)
IP@ DHCP or
n.a. DHCP n.a. DHCP provisioning n.a.
acquisition provisioning
MCO may synchronize with 1588 behind a NID which is supporting NAT.
The NAT device supports a single public IP@ for all LTE flows, and maintains a mapping database
between the flows on the private network and the flows in the public network. The NAT must not
modify the UDP port numbers (319 for “Event” messages and 320 for “General” messages) used by
the eNB for the 1588 client running over UDP/IP/Eth protocol stack. Therefore Port Address
Translation for 1588 flow is not allowed. The NAT must function in ‘Port-Forwarding’ mode, where
port numbering is preserved.
1. in UL, a PTP packet arriving at the NAT with Source port ‘319/320’ must have only its
Source IP@ changed so that the Source port of the UL egress packet transmitted by the NAT
remains ‘319/320’.
2. in DL, a PTP packet arriving at the NAT with Destination port ‘319/320’must have only its
Destination IP@ changed so that the Destination port of the DL egress packet transmitted by
the NAT remains ‘319/320’.
Since Port Address Translation is not allowed, the NAT function is constrained to IP Address
Translation only which restricts the number of 1588 clients behind the NAT function to 1 (one).
As a consequence of the need for 1588 UDP ‘Port-Forwarding’ mode, daisy chained MCOs may not
be synchronized with 1588 behind a NID which is supporting NAT.
Note: The mapping for the other flows (eg. Telecom, OAM) from the MCO may be configured using
classic NAT, where the port numbers are renumbered.
As per IEEE1588v2:
• the first ‘General’ message (Unicast_Negotiation_Request) is sent from the client (here
MCO) to the master. This allows the NAT to define Address Translation for ‘General’
messages which use UDP port 319.
• the first ‘Event’ message (Sync) is sent from the master to the client. This does not allow
the NAT to define Address Translation for ‘Event’ messages which use UDP port 320. Thus
the NAT device can’t forward this ‘Event’ message downlink to the client since no Address
Translation mapping is available.
MCO may send the UL ‘Event’ message DELAY_REQ prior to the first DL ‘Event’ message upon
cold/warm/power reset.
This allows the NAT to construct the association between the MCO 1588 private and public IP
addresses, so the association exists when the server sends an Event message to the 1588 client in
the MCO.
Delay req. t3
t4
Delay resp. (with t4)
ITU-T G.827x series of recommendations specify that in order to deliver phase accuracy it is
necessary for every transport node between the master and the client to support 1588v2 On-Path
Support, by means of either Transparent Clock support or Boundary Clock support.
If the master for eNB 1588 client is upstream of the NAT device and if the NAT device does not
provide 1588 On-Path Support then NAT function and feature 159405 ‘Synchronization 1588V2 for
eMBMS and eCSFB’ (that brings phase delivery using 1588) are mutually exclusive.
Note: It is requested that the NAT device supports 1588 On-Path Support in order to compensate for
latency of 1588 timing packets added due to Address Translation operation.
If the master is downstream of the NAT device (eg. in a private network) then both NAT and 159405
may be supported.
The DomainNumber at eNB PTP client it set to the standard default number (0) and may be
configured to another value. This allows for different Domain Numbers used for the packet flows
from 2 Grandmasters (Primary Grandmaster and Secondary Stand-by Grandmaster).
7.14 M3 INTERFACE
Not supported in this release.
7.16 M1 INTERFACE
Not supported in this release.
Please note, beginning with release 13.1, the ALU 9471 MME product name will change to the 9471
WMM (Wireless Mobility Manager). The MAF name will change to the Service Board. The MIF name
will change to the Interface Board.
8.1 CONNECTIVITY
8.1.1 Internal Connectivity
Within a shelf, the intra-shelf communications are provided by the ATCA midplane and the
blades.
The ATCA midplane architecture is divided in three zones. The connectors in Zone 1
provide redundant -48VDC power and Shelf Management signals to the boards. The
connectors in Zone 2 provide the connections to the Base Interface and Fabric
Interface. The connectors in Zone 3 are user defined and are used to connect the
hub to the Rear Transition Module.
• Zone 1 is comprised of:
Redundant -48V dual power feed
Metallic test
Ringing generator
Keying alignment
Synchronization Clocks
Update Channels
Fabric Interface
Base Interface.
• Zone 3 may be defined as needed for a Rear Transition Module (RTM). There is a direct
connection between front board and RTM (not through the midplane). Specifically,
oRTM allows the 10GigE Base or Fabric links from Zone 3 to provide gigabit ethernet
optical links to the RTM front panel.
The term “Transport Hub” is used to describe the hub blades in the first equipped chassis
(shelf 0). The Transport Hub terminates external transport interfaces for the system. The
left and right LANs grow outward from Transport Hubs.
In the 9471 WMM configuration, the Ethernet Hubs terminate external transport interfaces
for the system. (These are physical connections.) Optical connections should always be used
if available. However, for customer OA&M networks having only electrical connections, the
electrical ports F0 and F1 on the faceplate of the Ethernet hubs may be used for the OA&M
external interface. These ports may only be used for OA&M and/or LI interfaces. These
ports may be configured as 10baseT, 100baseT, GigE (preferred) or Auto-Negotiate and are
always configured for full duplex. A default gateway must be established for subnet routing
to the configured ports (e.g. LTF0 and RTF0).
Legend:
oRTM Usage:
• Up to 13 total optical terminations are allowed on each RTM. The exact number and
configuration is customer-dependent.
• The Optical RTM (oRTM) provides up to 13 (thirteen) GigE ports configurable for 9471
WMM signaling and OA&M. All external connections (transport connections for signaling
and OA&M) to the 9471 WMM are to the oRTM (the front panel of the hub in not used for
these connections when the oRTM is present).
OA&M Connections:
• 1000Base-SX/LX connections are terminated on each Optical RTM (oRTM) to provide
OA&M connections.
• Two 1000Base-T physical connections from the customer’s IP network may terminate on
each Hub’s faceplate (supporting OA&M and/or LI) if optical connections are not
available). NOTE: the front panel of the hub is not to be used for OA&M connections
when OAM network optical connectivity to the oRTM is available.
Signaling Connections:
• The physical configuration of the IP network used to support signaling is customer-
dependent. Typically, four or more 1000Base-SX/LX physical connections from the
customer’s IP network terminate on each Hub’s Optical RTM to support signaling flow.
Alarm Card Connection:
• There is an additional Ethernet connection (not shown) from each Hub faceplate to the
smart alarm card in the cabinet PDU.
All internal cabling is completed at the factory before the cabinet is shipped to the
customer site.
Figure 127, below shows the hub interconnections on Shelf 0. The two Hubs in Shelf 0 are
connected to the two Hubs in Shelf 1 through a 10GBase-CX4 connection on their faceplate
fabric switch ports. This provides the necessary communication between shelves 0 and 1. All
intra-shelf communications (Hubs 7 & 8 and all other boards on the same shelf) are provided
by the chassis midplane.
PDU power cabling, including power to alarm cards, and all power cabling for chassis
operation is pre-wired as part of the cabinet prior to shipment.
The oRTM of each hub may have one or multiple connections to a pair of adjacent multi-
layer switches (MLS) or edge router (ER). The MLS/ER pairs are deployed in VRRP
configuration for reliability. There are multiple methods to detect line failures. First a
heartbeat mechanism (using either periodic Address Resolution Protocol (ARP) requests or
periodic pinging) is supported between WMM and MLS/ER to monitor WMM connectivity to
the first hop router. A second alternative method is the Bidirectoinal Forwarding Detection
(BFD). BFD is a low overhead protocol for fast detection of line failures. This ensures that a
failure between the oRTM and the MLS/ER does not require a pair of processor blades to
change act/stby state.
Each processor blade and each ShMC has an internal Ethernet link to each hub card via the
midplane. Both hubs are active and may serve any of the blades. Internal messaging can use
either hub to switch messages between blades.
Figure 128, below shows hub connectivity along with examples of message flows. The path
labeled by blue circles shows an initial signaling message flow. The path labeled by purple
circles shows signaling message flow when the link from MLS A to oRTM is down. (The link
could be down due to a failure in the oRTM or the MLS.) The path labeled by orange circles
shows an OAM message flow through the oRTM. Note: the legend following the figure defines
the step-by-step message flow for each path.
Legend:
Signaling message flow using active oRTM (denoted by numbers in blue circles):
Signaling message flow when the link from MLS A to oRTM is down (denoted by
numbers in purple circles):
1 eNodeB sends a message to the L3 switch on MLS A; the message is switched
to L2.
2 The link from MLS A to the oRTM is down, so the message is sent to MLS B.
MLS B selects a port on the redundant oRTM.
3 Message from MLS B L2 switch arrives at the active S1-MME signaling
interface of the oRTM.
4 The oRTM transfers the message to the HSPP4/MPH, then the HSPP4/MPH
transfers the message to the Hub.
5 MME Hub switches the message over the midplane (internal LAN) to the MIF.
6 Interface Board selects a Service Board (uses previously selected Service
Board if UE is already attached) and sends the message to the Service Board
via the Hub.
The Service Board sends a return message in the reverse direction: to the
Interface Board via the Hub, the Inteface Board sends the message to the
oRTM via the Hub, then the messages goes out from the active signaling
interface on the oRTM to the L2 switch.
Signaling message flow when Primary Interface failure occurs (denoted by numbers in
Red circles)
direction: to the Interface Board via the Hub, the Interface Board sends the
message to the oRTM via the Hub, then the messages goes out from the
active signaling interface on the oRTM to the L3 switch.
For a new installation, the MME application is loaded, the services and internal/external
subnets are configured, and the provisioning is completed based on the customer’s needs.
This is completed as part of the field install procedure. See 9471 WMM Configuration
Management, 418-111-207 for details and procedures.
Meaningful System Name, an Application Name (for MME, the application is always
9471_MME), and a meaningful System Prefix should be selected based on their ability to
distinguish this MME from other MMEs in the network.
The system name and system prefix of the MME should be selected based on
their ability to distinguish this MME from other MMEs in the network.
A class B subnet is then selected for internal MME communication. The customer is strongly
encouraged to keep the default internal value of 169.254.0.0. The internal subnet allows all
MME elements (ShMC, hub, OAM server, MIF, MAF, alarm card) to communicate with each
other. Internal IP addresses are automatically assigned from the defined subnet.
All redundant MME elements (ShMC, hub, OAM server, MIF, MAF) have a host-active, host-
standby and internal service subnet. Elements also have DHCP and local subnet IP addresses,
and the hubs have an external service subnet.
The MME may be provisioned to have both a default gateway and static routes for outgoing
messages routing functionality. The following describes the configurations that can occur:
• For the OA&M network, one default gateway must be established for subnet routing
terminating to the two MLSs connected to the oRTM ports for OAM. If additional subnet
routes are required (such as for supporting DNS on a separate subnet), then a static
route, to another MLS pair, must be provisioned for each secondary route.
• Netmask
• For MME Signaling network, one default gateway must be provisioned for subnet routing
terminating to the two MLSs attached to the oRTM ports for Signaling. If any additional
connections are established using other MLS switches or subnets, then static routes, to
those MLS pair(s), must also be provisioned for those subnet routes.
Note:
For WM7.0.0 and later releases, static routes are no longer needed because of Source Based
Routing
• Netmask
8.1.3.3 Recommendations
default IP address, each VLAN interface, and the VRRP in the VLAN.
Within the 9471 WMM six internal IP subnetworks (subnets) are used to route internal IP
messages between the different cards and processes that are running on these cards. Each
component has an IP address in each of the hardware subnets (Host, DHCP, LSN subnets)
according to standard formulas.
For example, the following IP addresses are in the Host Subnet. In this example, the fixed IP
address for the first OAM Server host in the first shelf is 169.254.64.16.
Legend:
Formula for the fixed IP address of a Node (host) in the Host Subnet = x.y.(64+s).(cx16+h)
Where:
The recommended value of x.y for internal subnets is 169.254. However, customers may
change this during planning for initial configuration.
c = Card/Slot number
s = Shelf Number
h = Host number.
NOTE: h = 0 for every card except HSPP4 host on the hub and ShMC.
For HSPP4 host on the hub, h = 4.
For ShMC, h = 0 for the virtual IP; h = 1 for the upper card; h = 2 for the lower card.
Internal subnets are used for internal communication among hosts within the 9471
WMM. These subnets do not route out of the 9471 WMM. These subnets are
predefined and are reusable by multiple 9471 WMM systems.
The subnetworks used can be divided into:
• Five hardware-related subnetworks - (Host Subnet, DHCP0 Subnet, DHCP1 Subnet, LSN0
Subnet, and LSN1 Subnet). Refer to Section 8.1.3.9.6 for additional information
regarding IP addressing and naming within the WMM.
External subnets are assigned to services within the 9471 WMM that need to communicate
with entities outside the 9471 WMM or within the customer network. These subnets are
provided by the customer.
Tip: the externally routable service subnets are sometimes informally called “transport”
subnets.
Calculations for addresses are done automatically by the system once the base is assigned.
• Externally routable service subnets should be large enough for growth as applicable.
• Each externally routable service subnet MUST be unique if visible to each other.
• Externally routable subnets and transport subnets MUST be different and non-
overlapping.
• The OAM&P subnet usually includes IP addresses for SSH and Serial Over LAN (SOL)
connections. Customers may optionally put these IP addresses in a separate subnet.
• MI and CNFG have IP addresses in the OAM&P Routable subnet; product-specific services
do not.
• MI and CNFG hosts do not need signaling address, but may have them for optional
features like DNS queries.
• Product-specific services have IP addresses in the Signaling Routable subnet. If there are
8 services, there are 8 IP addresses in the subnet.
• On the element management system side, the EMS has two IP addresses: one for the
active EMS and one for the standby EMS. Traps are sent to both IP addresses, since the
MME does not know which is active and which is standby.
In order to better understand the functions and necessity of the different subnetwork types,
it is useful to know that within a cabinet each component:
Transport connections are Ethernet connections between the MME and the external
network. In the following figures, examples of these connections are shown as colored lines
between the RTMs in the MME and the MLSs (multi-layer switches).
A redundant link group is a set of interfaces that includes an active GigE and its associated
standby link(s). Assignment of MME logical interface traffic to a redundant link group is
supported such that one group can be assigned to carry only S1-MME traffic, another group
can be assigned to carry S6a, and a third group can be assigned to carry all other traffic.
Each redundant link group has a Virtual IP address (VIP) assigned to an MME interface active
link. Each active link and standby link has its own physical IP address. The VIP address is
floated over to the standby link upon failover.
The MME currently supports GigE connectivity enhancements (1+1 GiGe) that reduce the
number of GigE links required and eliminates an MPH switch over if all physical interfaces
carrying an MME traffic fail on a active HUB or oRTM. From previous releases, this
configuration change:
• Reduces the number of GiGE links required by half as redundant GigE links are not
required on the same oRTM.
• Allows traffic of an MME interface on a GigE link on an RTM to be switched to a GigE link
on the other RTM without an MPH switch occurring.
Figure 129 shows two GiGE interfaces for redundancy (opposed to 4 interfaces in previous
releases). This figure also shows the use of BFD for fault detection which is introduced in
this release.
In the new 1+1 GiGe configuration, there will be one primary GIGE connection from MPH 0
oRTM to MLS A. A second redundant GiGE connection from MPH1 oRTM to MLS B is provided
for failover purposes. The active link is always on the active MPH and transmits and receives
all traffic. One link on each MPH is designated as the primary link. The primary link is
always used as the active link after system initialization on the active MPH. The two Hubs
are connected by way of their internal Fabric switches. The active MPH can connect to both
MLS's. A switchover of the RTM does not require a switchover of MPH (or vice versa) so that
traffic can be forwarded to and from the active MPH from either oRTM.
If the active link fails, MME attempts to failover to the standby link on the same MPH. If the
standby link is down on the active MPH then MPH failover occurs. One port is reserved for
port mirroring (port 12).
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
Figure 130 shows an example of transport connectivity for a customer with 1 OAM network
and 7 distinct signaling networks.
A Layer 2 cross-connection can be provided in the external network (shown in the “L2”
portion of each MLS) among the ports serving a set of redundant transport connections. The
layer 2 cross connection will be dependant on the redundant scheme used. As an example,
BFD assumes there is no layer 2 cross connection between the oRTMs and MLSs.
• All ports serving the set of transport connections (i.e., all of the same color in the
figure) must be in the same broadcast domain.
Each subnet used for external communication must be configured on exactly one set of
redundant Transport Connections. Multiple subnets can use the same set of connections, but
a subnet cannot be present on more than one set. For example, the IP addresses used for S1
and S11 could be in the same subnet, but the IP addresses used for S1 and S6a must be in
different subnets.
Each subnet used for external communications must be configured with exactly one default
gateway (next hop routing address) that will be used by the MME for associated outbound
packets.
A VLAN is a group of hosts that communicate as if they were attached to the Broadcast
domain, regardless of their physical location. Reconfiguration can be done through software
instead of physically relocating devices.
There are different VLANs defined for different purposes. Therefore, each Host will have:
• Untagged interfaces for the use of DHCP and Transport connections
• Tagged interfaces for use of Internal Subnets (Internal Service and Host Active subnets
in the 800 series of VLAN tags)
• Differently tagged interfaces for use of External Subnets (External Service subnets in the
400 and/or 600 series of VLAN tags)
For the untagged and internal VLANs, the Left Hub broadcast areas and the Right Hub
broadcast areas DO NOT INTERCONNECT. That means a Broadcast from an untagged or
internally tagged interface on eth0 will not be seen by any eth1 interface of any host
(exceptions are of the Hosts on the Hubs and ShMCs) irrespective of the number of shelves
in the configuration.
The following table lists all of the VLANs defined on the 9471 WMM Hubs:
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
• VLAN 301 is used for DHCP requests and responses in the Right Hubs.
• VLANs 400/401 is used in the Left/Right Hubs for External Subnet IP Addresses accessed
from the customer network over the Hub front panel connections in port FP GE0.
• VLANs 410/411 is used in the Left/Right Hubs for External Subnet IP Addresses accessed
from the customer network over Hub front panel connections in port FP GE1.
• VLANs 420/421 is used in the Left/Right Hubs for External Subnet IP Addresses accessed
from the customer network over Hub front panel connections in port FP GE2.
• VLANs 430/431 is used in the Left/Right Hubs for External Subnet IP Addresses accessed
from the customer network over Hub front panel connections in port FP GE3.
• VLANs in the 600 and 700 range are used for the Rear Transition Module (RTM) in the
same fashion as the 400 range VLANs. Note that port 12 (Transport R-12 -GE12) is
reserved for port mirroring so VLANs are not assigned.
• VLAN 800/801 is used in the Left/Right Hubs (slots 7 and 8, respectively) for all IP
addresses that stay on the ATCA shelf. Neither of these VLANs is configured on any port
of the Hub connected to the customer network.
• Other VLANs in the 800 range will be configured on the Hubs for use by other
Applications, however 9471 WMM will not use them on their Hosts.
• Recommended OAM VLAN 905
In release LM 4.0.1 the MME had introduced a new capability of tagging oRTM external transport
links with VLAN (801.1Q) tag Ids. The MME will receive and transmit 801.1Q tagged packets to/from
the customers MLS A and MLS B routers. Not all interfaces are required to be VLAN tagged. The
customer can choose which interface to VLAN tag or Not tagged.
External VLAN tags are assigned per subnet and transport. The same tag can be reused on a per
interface basis.
VLAN configuration is performed during installation. Please refer to the MME Field install guide for
configuration commands.
– Combination of FI/FI GUI, SCDT and IP_adm configuration
The MME will only send or receive a single tagged ethernet frame and that frame will have a well
defined TPID of 0x8100. MME does not support of mapping of DSCP to the user priority bits in the
802.1Q header.
There are measurement counters for transmitted and received Ethernet frames per VLAN.
The MME supports the growth of IPv4 and/or IPv6 addresses for IPs configured for multi-homing, BFD
and ACM. Growth of IPv4 and/or IPv6 subnets for specific network interfaces is also supported.
Degrowth for IPv4 addresses and subnets are also supported.
Growth refers to the adding of a new or a secondary IP address or subnet to a pre-configured VLAN
or the creation of a new VLAN with an associated IP address or subnet.
The subnets can be grown on an OAM, MIF or MPH. The same VLAN can also be grown across
different transports. Large packets can be segmented across a VLAN.
The specific procedures for growing and de-growing IP subnets with VLANs in various scenarios are
described in detail in section 7 of the Release 6.0.1 MME OAM guide (Alcatel-Lucent 9471 Wireless
Mobility Manager (WMM) Operations, Administration, and Maintenance 418-111-201WM6.0.1). Please
refer to this documentation to perform the growth and degrowth.
At a high level, the below commands are a sample of the IPv4 and IPv6 growth methods
respectively.
IPv4 Growth:
ip_adm –a add_subnet –e <redundancy mode> -b <subnet base> -m <subnet mask> -n <subnet name> -s
<subnet number> -o <IPv4 gateway offset> -t <transport ID1[,transport ID2]> [-v <vlanid1, vlanid2>]
IPv6 Growth:
ip_adm –a add_subnet –e <redundancy mode> -b <subnet base> -m <prefix length> -n <subnet name> -s
<subnet number> -o <IPv6 gateway> -t <transport ID1[,transport ID2]> [-v <vlanid1, [vlanid2]>]
The internal hardware-related subnetworks can be divided into the following different
subnetwork types:
• Host Subnet
• DHCP0 Subnet
• DHCP1 Subnet
• LSN0 Subnet
• LSN1 Subnet Host Subnet
The Host subnet is used to communicate with Host IP addresses of other hosts. Each host,
including the Hub and ShMC host is associated with a Host IP address and tagged interfaces
in VLANs (eth0.800 and eth1.801). The host IP address exist on both backplane interfaces in
the tagged VLANs.
Note: The host subnet assigns each Host a specific IP address based on the Shelf number,
Slot Number, and Host Number. Host Subnet is also known as Host Active Subnet. The Hub
cards have the host active addresses only on ONE interface, whereas in Node cards host
active addresses are on both interfaces. The Host Active address on Hub 7 is in VLAN 800
while on Hub 8, it is in VLAN 801. The interface to VLAN correlation is opposite between
Hub 7 and Hub 8.
The DHCP0 subnet is used for DHCP requests and responses in the untagged VLAN 300 which
spans the Left Hubs, and does not go out to the customer network.
A booting diskless host or a jumpstarted diskful host would send a DHCP request broadcast.
This broadcast would be untagged and hence interpreted by the switch to be in VLAN 300.
The DHCP server (the OAM Server) would respond to this request if configured to respond to
the hardware MAC address of the requesting host. It would give the requesting device,
among other things, an IP address in the DHCP0 subnet for its eth0 interface. A host will
first attempt a DHCP request on its eth0 interface. If no response is received, a request is
attempted on its eth1 interface.
The DHCP1 subnet is used for DHCP requests and responses in the untagged VLAN 301 which
spans the Right Hubs, and does not go out to the customer network.
A booting diskless host or a jumpstarted diskful host would send a DHCP request broadcast
in VLAN 301. The DHCP server (the OAM Server) would respond to this request if configured
to respond to the hardware MAC address of the requesting host. It would give the requesting
device, among other things, an IP address in the DHCP1 subnet for its eth1 interface.
The LSN0 subnet is used for communicating with other LSN0 IP addresses. The path of any
packets using LSN0 IP addresses will only traverse the Left Hub Switches.
The LSN0 subnet is associated with eth0 for all Hosts and tagged interfaces in VLAN 800 on
the Left Hubs. The only exceptions are the slot 8 (Right Hub Host) and the Bottom ShMC, on
which the eth1 interface has a presence in VLAN 800.
Note: All hosts have the same interface/vlan correlation (LSN0 on eth0 vlan 800 and LSN1 on
eth1 vlan 801) EXCEPT for the hub in slot 8 (the right hub) and the bottom ShMC. These two
hosts have the interfaces flipped with respect to the other hosts in the system. The LSN0 IP
is on the eth1.800 interface and the LSN1 IP is on the eth0.801 interface.
The LSN1 subnet is used for communicating with other LSN1 IP addresses. The path of any
packets using LSN1 IP addresses will only traverse the Right Hub Switches.
The LSN1 subnet is associated with eth1 for all Hosts and tagged interfaces in VLAN 801 on
the Right Hubs. The only exceptions are the slot 8 (Right Hub Host) and the Bottom ShMC,
on which the eth0 interface has a presence in VLAN 801. These two hosts have the
interfaces flipped with respect to the other hosts in the system.
This table lists the IP addressing and naming convention that is used within the 9471 WMM:
07 Node - AXXXX-
eth0.800 Left s<nn>c06h0- x.y.(32+s).(c×16+h) 169.254.32.96
(LSN0) 1
Node - AXXXX-
eth0.801 Right s<nn>c06h0- x.y.(48+s).(c×16+h) 169.254.48.96
(LSN1) r
14 Node - AXXXX-
eth0.800 Left s<nn>c14h0- x.y.(32+s).(c×16+h) 169.254.32.224
(LSN0) 1
Node - AXXXX-
eth0.801 Right s<nn>c14h0- x.y.(48+s).(c×16+h) 169.254.48.224
(LSN1) r
Notes:
1. In the RCC active interface name column, <nn> = Shelf number
2. In the RCC active interface name column, c = Card/Slot number
3. In the IP address column, s = Shelf Number
4. In IP address column, c = Slot/Card number
5. In the IP address column, h = Host number. h = 0 for every card except ShMC. For ShMC, h
= 0 for the virtual IP; h = 1 for the upper card; h = 2 for the lower card.
6. In the RCC active interface name column, AXXXX = The Switch or customer site prefix
(where A must be an alphabetic (a-z) and XXXX must be an alphanumeric (a-z, 1-9)).
The service-related subnetwork can be divided into the following different IP address
ranges:
• Internal fixed IP addresses - An internal fixed service IP Address is an IP address that
remains associated with a particular instance of a service, regardless of whether that
instance is active or standby.
• Internal floating IP addresses - An internal floating service IP Address is an IP Address
that is moved (floated) to an instance of a service that is currently in the active state.
NOTE: Provisioning of IPv4 and IPv6 floating addresses is supported for MME interfaces:
S1-MME, S10, S11, S6a, M3, SLs, SLg, SBc, Sm, S13 and S3. MME does not support IPv6 for
OAM interfaces not SGs and Gn interfaces.
The following table lists examples of the service subnetwork conventions that are used for
application interfaces (resident on the MIF-supporting traffic blades). Note that these are
simply examples and not all interfaces are included. Key takeaway is that each interface
must have a unique IP address (4th digit in address must be unique).
Interface IP address
S1 169.254.249.33/27
S3 169.254.249.34/27
S6a 169.254.249.35/27
S10 169.254.249.36/27
S11 169.254.249.37/27
S13 169.254.249.38/27
Gn 169.254.249.7/27
Default 169.254.249.59/27
First VLAN 901 169.254.249.60/27
Second VLAN 901 169.254.249.61/27
VLAN VRRP 901 169.254.249.62/27
The following table lists the service subnetwork conventions that are used for each of the
Ethernet Hub card servers (includes SSH and Serial-over-LAN [SOL]).
Interface IP address
Slot 7 Ethernet Hub card SSH IP 169.254.249.17/29
Slot 7 Ethernet Hub card SOL IP 169.254.249.18/29
Slot 8 Ethernet Hub card SSH IP 169.254.249.19/29
Slot 8 Ethernet Hub card SOL IP 169.254.249.20/29
7750-2 VLAN 902 IP 169.254.249.21/29
7750 VLAN 902 IP 169.254.249.22/29
A virtual IP address is an IP address that is shared between the two servers in a redundant
pair. A virtual IP address is not a physical address but a logical address and is maintained by
RCC for the diskful hosts (for diskless hosts the virtual IP addresses are assigned by REM).
The virtual IP address will always point to the active entity. Where for each pair of servers:
• One virtual IP address is available for application signaling
• A unique fixed IP address is assigned to each server, that can be used for any messages
needed to maintain (heartbeating) and configure that particular server.
The advantage of using a virtual IP address is that clients that use this IP address to talk to
the “active server” do not know which of the servers is currently active.
When the active server fails, its mate becomes active and assumes ownership of this IP
address. Clients with TCP/IP sockets up to the active server detect the failure of this
socket, and try to re-establish the socket. Although the client uses the same IP address, the
new connection is to a different processor.
Under normal operations, synchronization at the application layer must be maintained
between the active and standby servers (by keeping their TCP state machines in sync, for
instance). Otherwise the client connection can be broken as a result of server switchover,
requiring a reconnect from the client.
The MME interfaces and functionality conform to 3GPP Standards as shown in the table
below. The table lists the supported versions of the Pre-Release 8 3GPP Technical
Specifications (TS), and if applicable, notes any additional TS CRs supported.
Please refer to 9471 Mobility Management Entity LTE Parameters User Guide,
LTE/DCL/APP/031094 for detailed information on interfaces and protocols.
Through this section, when provisioning is described it refers to local MME GUI (not SAM GUI).
8.2.1 IP
8.2.1.1 IP QoS
In a congested network, GTP-C packets, SCTP packets, and packets generated as part of Lawful
Intercept procedures (via the CALEA X1_1 and X2 interfaces) must be able to get to their intended
endpoints. Hence, GTP-C packets, SCTP packets, and Lawful Intercept packets must be marked with
a high priority DiffServ code point.
MME supports the capability to provision DSCP for all its external interface traffic:
• GTP-C packets (S11, S10, Gn, Sv, S3, Sm, and S101),
• S102 packets,
• SCTP packets (S1-MME, S6a, SGs, S13, Gr, IuPS, SBc, SLs, SLg, M3),
• Lawful Intercept packets ( X1_1 and X2).
The DSCP code point is provisioned separately and independently for each of the interface types.
Provisioning of DSCP is acchieved through the “Interface Profile” table and attribute “DSCP Code”.
This feature provides provisioning of mapping between LTE and R99 QoS to allow operators
flexibility to select QoS mapping to provide the same user experience when a subscriber moves
between LTE and 2G and 3G networks.
In inter-RAT procedures where a UE moves from LTE to UMTS/GERAN, the MME must map the EPS
QoS parameters for each bearer into the set of QoS parameters used in the GPRS core network
(generally referred to as “R99 QoS” or “pre-Rel8 Qos”). The MME must also map R99 QoS parameters
into EPS QoS parameters for each bearer when a UE moves from UMTS/GERAN to LTE. Prior to this
feature, the MME implements this mapping as specified in Annex E of 3GPP TS 23.401. However
some operators desire to override this fixed mapping for various reasons. Therefore this feature
introduces configurable mapping of QoS values between EPS and R99 forms.
The 5620 SAM introduces two new WMM instance properties to support the new tables for QoS
flexibility:
• 2G/3G QoS Parameters to EPS QCI Mapping – provides mapping of QoS parameters for R99 into EPS
• EPS QCI to 2G/3G QoS Parameters Mapping – provides mapping of LTE QoS parameters into R99
Note:
The MME global parameter “R99 QoS Mapping Method” used in pre-LM6.0 releases will be removed.
Note:
The global parameter QoS Mapping High Delay Threshold defines QoS classes of
Conversational_Unknown_HighDelay/LowDelay in the 2G/3G QoS Parameters to EPS QCI Mapping object set.
Any values below the threshold are considered low delay. The default value is set to 150ms.
Note:
If the Global Parameter “R99 QsS Mapping Method” = CUSTOMER 1 in LM405/LM501, all values for
CUSTOMER 1 will be updated to the new tables automatically after software upgrade. Ensure all
tables match “CUSTOM 1” settings after upgrade
The mapping of UTRAN/GERAN QoS parameters to an LTE bearer QCI value shall be
provisionable in the MME. The mapping of the following discrete combinations of QoS parameters
shall be supported, with the indicated default mappings:
Traffic Class = Conversational, SSD = Speech (defaults to QCI 1)
Traffic Class = Conversational, SSD = Unknown, Transfer Delay >= high delay threshold
(defaults to QCI 2)
Traffic Class = Conversational, SSD = Unknown, Transfer Delay < high delay threshold
(defaults to QCI 3)
Traffic Class = Streaming, SSD = Speech (defaults to QCI 4)
8.2.2 Diameter
A complete description of the 3GPP Diameter applications is the beyond the scope of this document.
However pertinent information is presented in the following.
These Diameter applications are defined as IETF vendor specific Diameter application where the
vendor is 3GPP. The vendor identifier assigned by IANA to 3GPP is 10415.
The WMM supports functionality for the Diameter Routing Agent (DRA) across the S6a,
S13, and the SLg interfaces. The support for DRA can be enabled or disabled on a per link
basis. Each DRA can have it’s own provisioned Destination-Realm. When the same DRA is
used for routing S6a, S13 and SLg, the Remote End-Point definitions use the same IP address
for each interface, so different ports must be used which results in different SCTP
associations.
When a Diameter request is sent by a WMM to a Diameter Routing Agent/DRA, the DRA
shall determine the HSS/EIR/GMLC identity based on the provided user identity and shall
forward the Diameter request directly to the HSS/EIR/GMLC. The user identity of
HSS/EIR/GMLC is communicated to the WMM in the Origin-Host/Origin-Realm AVPs of
the response. The WMM will store the determined HSS/EIR/GMLC identity/name/Realm and
may use it in further Diameter requests to the same user identity.
With this feature the WMM supports the following routing related AVPs and routing related
errors as specified in RFC 3588 sections 6.1.8 and 6.4.
- Origin-Realm
- Origin-Host
- Destination-Realm
- Destination-Host
- Proxy-Info
- Route-Record
In relation to Route Record and Proxy-Info AVPs, WMM supports up to three records in the
following S6a messages: IDR/A, DSR/A, CLR/A, and RSR/A. This allows WMM to receive
and ignore up to 3 Route-Record AVPs in HSS messages. WMM never sends Route-Record
AVPs in AIR, ULR, NOR, and PUR. When WMM receives Proxy-Info AVPs in the
following HSS request messages: IDR, DSR, CLR, and RSR, WMM echoes back those
Proxy-Info AVPs in the same order with corresponding Protect bit for each Proxy-Info record
and it applies to both success and error answer messages.
The DRA support for S6a, S13, or SLg is enabled or disabled in the Remote-End-Point form.
The Remote End-Point form has support for a Disconnect Peer Request (DPR) cause for
diameter based interfaces. The global parameters S6a DRA Roaming Supported and S13
Retry Different EIR have been added.
8.2.2.1.1 WMM Support for Enhanced Disconnect Peer Request /Disconnect Peer Answer
Messages
When the WMM receives a Disconnect-Peer-Request (DPR) message from the HSS it will
reply with a Disconnect-Peer-Answer (DPA) however the WMM does not close the SCTP
connection since the DPA needs to reach the HSS first and then it is up to the HSS that
initiated the DPR to close the connection. The WMM initiated DPR can be applied to a
provisioning change or a link state change. When the HSS link is blocked, prior to un-
provisioning, the corresponding Diameter connection is put in a Blocked/Not Used mode, and
the WMM sends DPR and waits for DPA (or timeout) before closing the connection. To
reduce the detection time in the case of a loss of Primary HSS via the DWR/DWA monitoring
messages, the default Diameter timers can be adjusted in 100 ms steps to closely match the
timer settings of a peer DRA or HSS.
The WMM disconnect cause can be configured in the Remote End-Point form, the default
value is DO_NOT_WANT_TO_TALK_TO_YOU.
8.2.3 SCTP
MME components involves in SCTP are:
• MIF (MME Interface Function)
• MPH (MME Packet Handler)
The Interface Board terminates and manages all logical interface links to the MME. It receives
(/sends) message payload internally over TCP from (/to) the MPH.
The MPH service runs on the HSPP4 AMC cards on the Ethernet Hubs.
The MPH terminates the external MME signaling SCTP, UDP and TCP stacks.
The payload of the MME signaling messages is sent to the MIF over an internal TCP LAN connection.
Reciprocally MME signalling coming into the MPH from the MIF is sent to the correct MME external
layer SCTP, UDP or TCP.
On S1-MME, S6a and SGs the MME supports local Multi-Homing as well as remote Multi-Homing.
The MME does not support local Multi-Homing nor remote Multi-Homing on the S13, M3, SBc, SLg
and SLs.
MME supports up to 2 local IPv4 or IPv6 addresses or up to 2 local IPv4 + 2 local IPv6 addresses.
The SGs interface can only be provisioned with 2 local IPv4 addresses
For S6a/SGs interfaces, MME supports the provisioning of up to 2 remote IPv4 or IPv6 addresses or
up to 2 remote IPv4 + 2 remote IPv6 addresses.
For S1-MME interface, eNodeB’s IP adress(es) are learned by MME at SCTP association establishment.
The SGs interface can only be provisioned with 2 remote IPv4 addresses
When MME is the SCTP client, even though up to 2 remote addresses can be provisioned for a
remote multi-homed SCTP peer, it does not prevent the remote SCTP peer from having more than 2
local addresses. The remote SCTP peer will include all its local addresses in the INIT-ACK chunk
(may exclude the address that is in the IP header source IP address field).
If the address(es) returned in the INIT-ACK from the remote SCTP peer is different than the remote
addresses locally provisioned on the MME, the MME generates a event notification to indicate the
mismatch between provisioned and derived (received from far end) IP addresses .
When MME is the SCTP server, the remote SCTP peer may be single-homed or multi-homed with 2 or
more IP addresses. At SCTP establishment, the remote SCTP peer will include all its local addresses
in the INIT chunk. It may exclude the address that is in the IP header source IP address field.
The MME SCTP stack accepts and uses all the remote SCTP peer IP addresses after their respective
paths are verified.
MME uses IP addresses of the same IP version (IPv6 or IPv4) for different paths in the association.
One SCTP associations may use IPv4 or IPv6 independently of the other associations.
Once the MME successfully established a SCTP association with a remote SCTP peer, later if the
remote SCTP peer changes from SH to MH or MH to SH, the remote SCTP peer could send an Address
Configuration Change Chunk (ASCONF) to MME as per IETF RFC 5061 “SCTP Dynamic Address
Reconfiguration”.
MME SCTP stack does not support IETF RFC 5061, the ASCONF chunk is dropped by MME.
Once the MME successfully established a SCTP association with a remote SCTP peer, later the
remote SCTP peer may perform a SCTP association restart by sending an INIT chunk to MME on the
existing association.
Rule: <MME> <SCTP> <Standard>
As per IETF RFC 4960, if an INIT chunk adds new addresses to the association, the MME responds
with an ABORT. The SCTP association is torn down and the MME re-establishes the association.
When the provisioned remote addresses of a remote S6a/SGs SCTP peer is added/deleted/changed,
the MME tears down the existing S6a/SGs SCTP association and re-establishes the S6a/SGs SCTP
association.
A SCTP Profile is used to provision the SCTP stack to handle the associated interface type(s) that use
SCTP as the transport protocol.
A SCTP Profile is a set of SCTP parameters values characterizing the dialogues between SCTP nodes
in a SCTP IP network.
The customer can assign a SCTP profile to a SCTP stack chosen in the list of provisioned SCTP
Profiles.
For SGs, MME supports the ability to set up SGs SCTP connections with different SCTP profile based
on the remote MSC. Up to 6 different SGs SCTP profiles are supported.
To change the SCTP profile of a stack, all the associations carried by the stack must first be
cancelled.
MME support fragmentation when sending DATA chunks and reassembly when receiving DATA
chunks.
The valid cookie life time at sctp association establishment is configured through:
• Table: STCP Profile, Parameter: Cookie Life, Value: [5-120] s (in 1-second intervals)
Default recommendation for SCTP valid cookie life time at association establishment:
Cookie Life = 60 s
This is the default value as per IETF RFC 4960.
MME uses the SCTP heartbeat mechanism for detecting link failure in case of peer SCTP node failure
or network failure (e.g., cable cut, router/switch failure). The intervals that MME sends Heartbeat
chunks to its SCTP peer are determined by the Retransmission Timeout (RTO) and the Heartbeat
Interval. Since the RTO value may change due to changing transport network conditions, the
successive Heartbeat intervals may not be the same.
Maximum number of retransmissions per SCTP path of Data and/or Heartbeat messages is configured
through:
• Table: STCP Profile, Parameter: Max Path Retrans, Value: [1-25]
Default recommendation for the maximum number of Data/Heartbeat retransmissions per path:
Max Path Retrans = 5
Maximum number of total retransmissions of Data and/or Heartbeat messages is configured through:
• Table: STCP Profile, Parameter: Max Association Retrans, Value: [1-50]
For ensuring that MME does not consider the peer is reachable while all paths are in failure there
must be verified that;
Default recommendation for the SCTP Acknowledgement period and frequency are:
SACK Period = 200 ms
SACK Frequency = 2
These are the default values as per IETF RFC 4960.
MME MIF/MPH components have an active/standby redundancy scheme. When the active fails the
standby becomes active and all signalling is switched to the newly active. Switchover to the standby
MIF/MPH is preformed maintaining IP address and SCTP port numbering.
In the case where the MME acts as the SCTP server (S1-MME, SLg, M3, SBc) then 3GPP allows MME to
use the SCTP association restart procedure as defined in IETF RFC 4960.
When MIF/MPH switches over, the newly active MIF/MPH sends SCTP INIT chunk to each SCTP peer
end point to initiate a restart of the already established SCTP association with that SCTP peer end
point. The source port of the INIT packet is the MME SCTP listening port, and the destination port is
the SCTP peer’s SCTP source port.
On MME MIF/MPH switchovers, MME sends a SCTP INIT to initiate a restart of an already established
SCTP association, using the same transport address pair as the original SCTP association.
Data Req/Ind
DATA, HEARTBEAT
MIF switchover
Acquired floating IP @
SCTP already exists. INIT
MME restart treated as
per RFC 4960.
INIT-ACK
COOKIE-ECHO
COOKIE-ACK
SCTP restart
Data Req/Ind
DATA, HEARTBEAT
8.2.4 S1 interface
8.2.4.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME S1 interface.
This provides flexibility so that the eNodeB can change the IP format of the eNodeB Telecom
interface, while the MME operation is not affected.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in S1-MME communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
eNodeB starts the communication with the MME. MME learns the eNodeB Telecom IP address and IP
format from the source IP address field in the IP packets at the time the SCTP association between
the eNodeB and the MME is set up.
MME does not need to be provisioned with the eNodeB IPv4 or IPv6 Telecom address(es)
An S1-MME Interface Managed Object (MO) is created when an eNodeB sends an S1 Setup Message
and an MO instance does not yet exist to represent that eNodeB S1 interface.
When an Interface MO is created at the MME, the MME saves the local IP address(es) type and value
plus the remote IP address(es) type and value of the interface instance in the Interface MO. Because
the SAM can read the MO values over the SNMPv3 interface, the SAM will be able to obtain the local
IP address(es) used at the MME as well as the remote IP address(es) used at the eNodeB.
This feature adds support for separation of S1-MME traffic for clusters of eNB (e.g. eNB owned by
different PLMNs but MME is shared).
The feature supports up to 9 S1-MME local IP addresses and for each instance of S1-MME for which
the MME supports a separate SCTP profile. These IP addresses can be in the same subnet or different
subnets. An eNB can be configured to use one of the 9 IP addresses.
The s1mme links can be multi-homed or single homed (1+1/1+3 connectivity). Also the single home
and multi-home s1mme links can co-exist.
On each MME, up to 12000 eNodeBs can be supported across all S1-MME local interfaces.
The feature also covers the support for 28 bit global Home eNB ID to distinguish between Home eNB
and macro eNB.
Without this feature, every eNodeB attaching to a particular MME would share the same IP address
of the MME (Local address on the MME). With the addition of this feature, it is now possible to
associate a distinct MME IP address with a group of enodeBs. It is up to the customer to create such
a logical grouping: for instance if eNodeBs belonging to different customers are terminating on one
MME, then all of the eNodeBs of one particular customer can be grouped to have one MME IP
address.
The feature is provisioned using the SAM GUI. The basic outline for provisioning the feature is
presented below:
Note: Follow procedures for IP/subnet growth in the Configuration Management chapter of Release 6.0.1 MME OAM
Guide (Alcatel-Lucent 9471 Wireless Mobility Manager (WMM) Operations, Administration, and Maintenance
418-111-201WM6.0.1).
o Create an SCTP profile for each of the new S1-MME interfaces if required. S1-MME interfaces
can share SCTP profiles or can have different S1-MME profiles.
o Create an interface profile for each S1-MME interface and assign SCTP profiles to the
interface profiles.
Note: Multiple S1-MME interfaces have a specific naming convention, such as S1MME_2 and
S1MME_5. The value of the Interface Type specified in the Interface profile must correspond to the
name of the local interface.
o As required, choose one of the following options to an eNodeB between S1-MME interfaces:
Update eNodeB S1-MME connections using the 9952 WPS and WO deployment.
Update eNodeB S1-MME connections using a RAN S1-MME profile.
Support for Home eNB and Local IP Access (LIPA) (m14000-01) capabilities introduces a new timer
parameter added to the MME Timers configuration form. The new timer added will be to specify the
time to wait to initiate an S1 Release when Closed Subscriber Group (CSG) registration expires. The
timer is called the S1 Release on CSG Expiration. The default value is 2000 msec with a range of 500
to 5000 msec.
8.2.4.2 SCTP
MME supports up to 2 local IPv4 or IPv6 addresses or 2 local IPv4 + 2 local IPv6 addresses.
The MME SCTP stack accepts and uses all the eNodeB IP addresses after their respective path is
verified (as per IETF RFC 4960).
There must be only 1 SCTP association established between an eNodeB and an MME. [3GPP TS
36.412]
S1-MME SCTP associations are initiated by eNodeB via INIT message sent from eNodeB.
Within the SCTP association established between an eNodeB and an MME a single pair of stream
identifiers is used for S1 common procedures and a single pair of stream identifiers is used for S1
dedicated procedures.
IANA has defined the eNodeB SCTP destination port supporting S1-AP traffic as = 36412. [3GPP TS
36.412]
S1 SCTP is provisionned through the configuration of; 1 S1 SCTP Profile + 1 S1 Interface Profile.
36412
Diameter messages on the S6a interface between the MME and a HSS are transported either over
SCTP/IP or over TCP/IP.
ALU MME supports Diameter over TCP/IP and Diameter over SCTP.
The MME acts as a Diameter Client and the HSS acts as a Diameter Server.
MME supports provisioning of up to 4 HHSs.
8.2.5.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME S6a interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in S6a communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
MME starts the communication with the HSS. HSS IP address(es) are provisionned through the MME
Provisioning GUI.
Even though up to two remote addresses can be provisioned for a remote multi-homed HSS, it does
not prevent the HSS from having more than two local addresses. The HSS includes all its local
addresses in the INIT-ACK chunk. It may exclude the address that is in the IP header source IP
address field.
The MME SCTP stack accepts and uses all the HSS IP addresses after their respective path is verified
(as per IETF RFC 4960).
8.2.5.2 SCTP
MME supports up to 2 local IPv4 or IPv6 addresses or 2 local IPv4 + 2 local IPv6 addresses.
MME supports the provisioning of up to 2 remote IPv4 or IPv6 addresses or 2 remote IPv4 + 2 remote
IPv6 addresses.
The MME SCTP stack accepts and uses all the HSS addresses after their respective path is verified
(as per IETF RFC 4960).
The MME initiates the establishment of the SCTP association toward the HSS via INIT message.
“A given Diameter instance of the peer state machine MUST NOT use more than one transport
connection to communicate with a given peer.” [IETF RFC 3588]
A Diameter node MAY initiate connections from a source port other than the one that it declares it
accepts incoming connections on, and MUST be prepared to receive connections on port 3868. [IETF
RFC 3588]
IANA has defined the SCTP port for supporting Diameter traffic as = 3868. [IETF RFC 3588]
An MME at the initialization time sets up an SCTP association with the HSS.
The HSS listens on the S6a SCTP port = 6838 for SCTP INIT chunk from MME.
When no transport connection exists with a peer, an attempt to connect SHOULD be periodically
made. This behavior is handled via the Tc timer, whose recommended value is 30 seconds. [IETF
RFC 3588]
When the SCTP association to an HSS is closed, the MME periodically attempts to re-establish the
SCTP association with that HSS, as long as that HSS is known to the MME.
The periodicity is set to 30 s. It is not configurable.
S6a SCTP is provisioned through the configuration of; 1 SCTP Profile + 1 S6a Interface Profile + 1
Diameter Profile + 1 Diameter Connection + 1 (to 4) Remote End Point Configuration.
3868
S6A
‘Number of Authentication Vectors’ parameter is only used with the S6a interface.
Range: [0-5]. Default: 1 when interface type is S6a. 0 (unused) for other interface types.
A Diameter Connection points to a Diameter Profile through parameter ‘Profile ID’, Value: [1 -
65535].
A S6a Diameter Connection is identified by an ‘Application Type’ = ‘S6A’.
The Diameter Connection configures which transport protocol is used (SCTP or TCP) and points to
the HSS through the “Destination IP Id [1-4]” identifier(s).
When “Use SCTP” button is checked it means that Diameter is over SCTP.
S6A
3868
It is recommended to use the following ranges when defining Remote End Points:
[0], reserved for an unused profile
[1-100], for S6a and S13 interfaces
[101-200], for SGs interfaces
This allows for enough S6a and S13 entries when converting HSS/EIR from IPv4 to IPv6.
8.2.5.4 TCP
The MME uses the IANA registered Diameter/tcp port number 3868 as the destination port number.
The MME initiates the setup of the TCP connection toward the HSS.
A Diameter node MAY initiate connections from a source port other than the one that it declares it
accepts incoming connections on, and MUST be prepared to receive connections on port 3868. [IETF
RFC 3588]
IANA has defined the TCP port for supporting Diameter traffic as = 3868. [IETF RFC 3588]
When TCP is the transport protocol and 2 MME local IP addresses were provisioned in the SCDT
database for the S6a interface, then MME uses the first configured local IP address.
S6a SCTP is provisioned through the configuration of; 1 Diameter Connection + 1 (to 4) Remote End
Point Configuration.
When “Use SCTP” button is unchecked it means that Diameter is over TCP.
S6A
3868
It is recommended to use the following ranges when defining Remote End Points:
[0], reserved for an unused profile
[1-100], for S6a and S13 interfaces
[101-200], for SGs interfaces
This allows for enough S6a and S13 entries when converting HSS/EIR from IPv4 to IPv6.
SGs-AP messages are used on the SGs interface between MME and the MSC/VLR to:
• coordinate UEs location information that are IMSI attached to both EPS and non-EPS services
• relay messages related to GSM CS services over the EPS system via the MME
This is applicable to UEs with CS Fallback capability activated and to UEs configured for SMS delivery
using the CS core.
The MME acts as a SCTP Client and the MSC/VLR acts as a SCTP Server.
8.2.6.1 IP
MME does not support IPv6 for the MME SGs interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in SGs communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
MME starts the communication with the MSC. For each MSC/VLR the MME supports up to 4 pairs of IP
addresses.
MSC IP address(es) are provisionned through the MME Provisioning GUI.
If pairs of MSC addresses are provisioned, each pair of addresses indicate the two remote end IP
addresses to use in establishing an SCTP multi-homing Association.
Even though up to two remote addresses can be provisioned per pair for a remote multi-homed MSC,
it does not prevent the MSC from having more than two local addresses. The MSC includes all its
local addresses in the INIT-ACK chunk. It may exclude the address that is in the IP header source IP
address field.
The MME SCTP stack accepts and uses all the MSC IP addresses after their respective path is
verified (as per IETF RFC 4960).
8.2.6.2 SCTP
The MME SCTP stack accepts and uses all the MSC addresses after their respective path is verified
(as per IETF RFC 4960).
The MME initiates the establishment of the SCTP association toward the MSC via INIT message.
MME may use of multiple SCTP associations with a given MSC [3GPP].
MME distributes the UEs across the set of SCTP associations to the MSC/VLR in a round-robin fashion.
One SCTP profile is associated with an MSC regardless of the number of SGs interface instances
(SCTP associations) an MSC will have.
MME supports provisioning of up to 6 SCTP profiles for use of the SGs interface.
A SGs interface can be assigned anyone of these 6 SCTP profiles.
MME supports at least two SCTP stream IDs, 0 and 1, for the transport of SGsAP messages.
MME is prepared to receive SGsAP messages from a MSC/VLR on any of the SCTP streams.
The MME distributes individual UEs over the SCTP streams in a round-robin fashion.
IANA has defined the MSC SCTP port for supporting SGsAP messages as = 29118. [3GPP TS 29.118]
An MME at the initialization time sets up an SCTP association with the MSC.
The MSC listens on the SGs SCTP port = 29118 for SCTP INIT chunk from MME.
SGs is provisioned through the configuration of; 1 (to 6) SCTP Profile + 1 (to 4) SGs Interface Profile
+ 1 (to 4) Remote End Point Configuration.
29118
SGS
3
SGS
29118
It is recommended to use the following ranges when defining Remote End Points:
[0], reserved for an unused profile
[1-100], for S6a and S13 interfaces
[101-200], for SGs interfaces
This allows for enough S6a and S13 entries when converting HSS/EIR from IPv4 to IPv6.
8.2.7 SLg
In order to support LoCation Services (LCS) MME supports the SLg interface to Gateway Mobile
Location Center (GMLC).
SLg interface is not allowed between a GMLC in one network to an MME in a different network.
GMLC must be in the same PLMN as the MME home PLMN.
GMLC receives UE positioning request from a LCS external client and triggers the MME over the SLg
interface to obtain UE positioning data.
EPC LCS Protocol (ELP) defines procedures and coding of messages over the SLg interface. The
protocol is specified in 3GPP TS 29.172. The ELP is a vendor specific diameter application.
The protocol stack used for the SLg interface is presented in the following figure.
MT-LR and NI-LR flow charts are shown below. See TS23.271.
UE Uu eNB S1-MME MME SLs
E-SMLC SLg GMLC
Location Request
MME starts T3x01
Positioning procedure
Location Report
MME stops T3x01
Note: E-SMLC performs the positioning procedure (see SLs interface section).
Emmergency Attach
or Setup Emergency Bearer
Location Request
MME starts T3x01
Positioning procedure
Location Report
MME stops T3x01
For Network Induced Location Request (NI-LR), MME sends the location report to a provisioned
GLMC for emergency calls:
- the emergency primary GMLC if the SCTP association to the primary is available, or
- the emergency alternate GMLC if the SCTP association to the primary is not available.
8.2.7.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME SLg interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in SLg communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
8.2.7.2 SCTP
GMLC establishes SCTP association with MME either at GMLC initialization time (MME allows
connections from a list of provisioned GMLC) or at the time GLMC sends a positioning request to
MME.
MME acts as SCTP server.
MME SCTP stack does not support local multi-homing as well as remote multi-homed GMLCs.
The GMLC initiates the establishment of the SCTP association toward the MME via INIT message.
“A given Diameter instance of the peer state machine MUST NOT use more than one transport
connection to communicate with a given peer.” [IETF RFC 3588]
A Diameter node MAY initiate connections from a source port other than the one that it declares it
accepts incoming connections on, and MUST be prepared to receive connections on port 3868. [IETF
RFC 3588]
IANA has defined the SCTP port for supporting Diameter traffic as = 3868. [IETF RFC 3588]
A GMLC at the initialization time sets up an SCTP association with the MME.
The MME listens on the SLg SCTP port = 6838 for SCTP INIT chunk from GMLC.
When no transport connection exists with a peer, an attempt to connect SHOULD be periodically
made. This behavior is handled via the Tc timer, whose recommended value is 30 seconds. [IETF
RFC 3588]
This does not apply as MME does not establish the SCTP association with GMLC.
8.2.7.3 Diameter
SLg SCTP is provisioned through the configuration of; 1 SCTP Profile + 1 SLg Interface Profile + 1
Diameter Profile + 1 Diameter Connection + 1 (to 4) Remote End Point Configuration.
3868
SLG
4
A Diameter Connection points to a Diameter Profile through parameter ‘Profile ID’, Value: [1 -
65535].
A SLg Diameter Connection is identified by an ‘Application Type’ = ‘SLG’.
The Diameter Connection configures which transport protocole is used (SCTP or TCP) and points to
the GMLC through the “Destination IP Id [1-4]” identifier(s).
SLG
SLg
3868
It is recommended to use the following ranges when defining Remote End Points:
[0], reserved for an unused profile
[1-100], for S6a and S13 interfaces
[101-200], for SGs interfaces
This allows for enough S6a and S13 entries when converting HSS/EIR from IPv4 to IPv6.
For Emergency services, the primary vs. alternate GMLC is configured through:
• Table: Add Emergency Profile, Parameters: Emergency GMLC Primary & Emergency GMLC
Alternate, Value: [1-1024], 0 (note: 0 is reserved for ‘not used’)
The value must be one of the "Destination IP Id" values populated in the Diameter Connection table
for application type "SLg". Any one of the 4 GMLCs can be specified to be the GMLC to use in support
of Emergency Service Access to the LTE network, namely Emergency GMLC Primary. Same for its
alternate.
8.2.8 SLs
In order to support LoCation Services (LCS) MME supports the SLs interface to EPS Serving Mobile
Location Center (E-SMLC).
The protocol stack used for the SLs interface is presented in the following figure.
The MME selects a E-SMLC to serve a location request for a UE. MME provides an ability to configure
a TAI to E-SMLC mapping to select an E-SMLC for a UE positioning based on UE’s last seen Tracking
Area Identity (TAI). It provides load balancing between E-SMLCs.
MME provisioning allows up to two E-SMLC entities for each TAI that is covered by the MME.
Furthermore, the operator can specify whether the two E-SMLCs associated with a particular TAI
are used in a load sharing manner or in Primary/Secondary manner.
E-SMLC manages the overall co-ordination and scheduling of resources required for the location of a
UE that is attached to E-UTRAN. It also calculates the final location and velocity estimate and
estimates the achieved accuracy. The E-SMLC interacts with the UE in order to exchange location
information applicable to UE assisted and UE based position methods and interacts with the E-
UTRAN in order to exchange location information applicable to network assisted and network based
position methods.
E-SMLC uses LTE Positioning Protocol (LPP and LPPa) to UE and eNB respectively for UE positioning.
The positioning protocols are transparent to the MME.
LPP LPP
NAS Relay
Relay
RRC RRC S1-AP S1-AP LCS-AP LCS-AP
RLC RLC IP IP IP IP
MAC MAC L2 L2 L2 L2
L1 L1 L1 L1 L1 L1
LTE Uu S1-MME SLs
UE eNode B MME E-SMLC
Positioning
Request (LPP PDU)
S1 AP DL NAS
Transport (LPP PDU)
RRC DL Information
Transfer (LPP PDU)
Positioning
Measurements
RRC UL Information
Transfer (LPP PDU)
S1 AP UL NAS
Transport (LPP PDU)
Positioning
Response (LPP PDU)
LPPa LPPa
IP IP IP IP
L2 L2 L2 L2
L1 L1 L1 L1
S1-MME SLs
eNode B MME E-SMLC
Positioning Request
(LPPa PDU)
S1 AP Location
Reporting Control
(LPPa PDU)
S1 AP Location
Report (LPPa PDU)
Positioning Response
(LPPa PDU)
8.2.8.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME SLs interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in SLs communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
8.2.8.2 SCTP
MME establishes SCTP connections with a set of E-SMLCs at the initialization time or when an E-SMLC
is provisioned.
MME acts as SCTP client.
MME SCTP stack does not support local multi-homing as well as remote multi-homed E-SMLCs.
The MME initiates the establishment of the SCTP association toward the E-SMLC via INIT message.
A MME at the initialization time sets up an SCTP association with the E-SMLC.
The E-SMLC listens on the SLs SCTP port = 9082 for SCTP INIT chunk from MME.
SLs SCTP is provisioned through the configuration of; 1 SCTP Profile + 1 SLs Interface Profile + 1 (to
4) Remote End Point Configuration.
9082
SLS
5
SLs
9082
It is recommended to use the following ranges when defining Remote End Points:
[0], reserved for an unused profile
[1-100], for S6a and S13 interfaces
[101-200], for SGs interfaces
This allows for enough S6a and S13 entries when converting HSS/EIR from IPv4 to IPv6.
8.2.9 M3
MBMS is a point-to-multipoint service in which data is transmitted from a single source entity to
multiple recipients.
The MBMS bearer service offers two modes:
- Broadcast
- Multicast
Restriction: <MME> <M3> <Standard>
In order to support Multimedia Broadcast/Multicast Service (MBMS) MME supports the M3 interface to
the Multicast Coordination Entity (MCE) which is within the eNodeB.
The M3 Application Protocol (M3AP) supports the signaling control functions. The protocol is
specified in 3GPP TS36.444. M3AP defines procedures and coding of messages over the M3 interface.
M3AP includes:
MME determines the eNodeBs which are in the MBMS Broadcast Service Area and transmits them
MBMS Session Management messages.
The protocol stack used for the M3 interface is presented in the following figure.
Radio
Network M3AP
Layer
SCTP
Transport IP
Network
Layer L2
L1
For information, MBMS Bearer traffic for broadcasting routes directly from MBMS GW to eNodeB over
M1 interface.
Session Start
Session Start Session Start Request/Response
Request Request
RAN resource setup
Session Start
Session Start Response
Response
Session Update
Session Update Session Update Request/Response
Request
RAN resource setup Request
or release
Session Update
Session Update Response
Response
Session Stop
Session Stop
Session Stop Request/Response
Request
Request
RAN resource release Session Stop
Response
Session Stop
Response
Note: MBMS-GW triggers MBMS service procedures to MME (see Sm interface section).
8.2.9.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME M3 interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in M3 communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
eNodeB starts the communication with the MME. MME learns the eNodeB M3 IP address and IP format
from the source IP address field in the IP packets at the time the SCTP association between the
eNodeB and the MME is set up.
MME does not need to be provisioned with the eNodeB IPv4 or IPv6 M3 address(es)
An M3 Interface Managed Object (MO) is created when an eNodeB establishes a SCTP association
with the MME at the M3 local IP address(es) and an MO instance does not yet exist to represent that
eNodeB M3 interface.
When an Interface MO is created at the MME, the MME saves the local IP address(es) type and value
plus the remote IP address(es) type and value of the interface instance in the Interface MO. Because
the SAM can read the MO values over the SNMPv3 interface, the SAM will be able to obtain the local
IP address(es) used at the MME as well as the remote IP address(es) used at the eNodeB.
If an M3 interface to a eNodeB fails, then MME set its Operational State to Disabled and sends an
Event to OAM. If the M3 interface is in a failed condition longer than a provisioned timer then MME
deletes the M3 interface.
The timer is configured through:
• Table: Update Timers, Parameters: Timer Name = “MBMS Response from MCE” & Timer Value,
Value: [1-30] in second, default: 5s.
8.2.9.2 SCTP
MME sends MBMS M3AP message only to the eNodeBs which have initialized an M3 SCTP association.
Thus, each eNodeB may, depending on SCTP association initialization, setup a M3 SCTP association
to 1, 2 or all the MMEs in an MME pool.
MME SCTP stack does not support local multi-homing as well as remote multi-homed eNodeBs.
The eNodeB initiates the establishment of the SCTP association toward the MME via INIT message.
IANA has defined the SCTP port supporting M3AP traffic as = 36444. [3GPP TS 36.444]
An eNodeB at the initialization time sets up an SCTP association with the MME.
The MME listens on the M3 SCTP port = 36444 for SCTP INIT chunk from eNodeB.
M3 SCTP is provisioned through the configuration of; 1 SCTP Profile + 1 M3 Interface Profile.
36444
M3
8.2.10 SBc
Warning message delivery is an ability to send warning messages to UE in a particular area. MME
receives warning messages from Cell Broadcasting Center (CBC) and forwards these messages to
eNodeBs.
The MBMS bearer service offers two modes:
- CMAS (Commercial Mobile Alert System)
- ETWS (Earthquake & Tsunami Warning System)
In order to support Warning Message Delivery MME supports the SBc interface to the CBC (TS
28.268).
The SBc Application Protocol (SBcAP) supports the signaling control functions. The protocol is
specified in 3GPP TS36.413. SBcAP defines procedures and coding of messages over the SBc used to
transport messages associated with Warning Message Delivery function. These messages consist of
text warning of safety events which may impact a geographical region. MME forwards these
messages to the appropriate eNodeB(s) based on the TAI(s) they must be sent to. Finally the
warning messages are broadcast to UEs via the paging channel..
The protocol stack used for the SBc interface is presented in the following figure.
SBcAP
SCTP
IP
L2
L1
The ‘Warning Message’ timer is an S1-MME interface timer. It indicates the time MME waits for the
Warning Message Delivery Service. Failure to receive a Write-Replace Warning Response (or Kill
Response) form the eNodeB before the timer expires indicates the broadcast (or broadcast
cancellation) is unsuccessful with that eNodeB.
The timer is configured through:
• Table: Update Timers, Parameters: Timer Name = “Warning Message” & Timer Value, Value: [1-
60] in second, default: 8s.
8.2.10.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME SBc interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in SBc communications
MME uses floating IP addresses for all the SBc external interfaces except for the MH-SCTP
CBC starts the communication with the MME. MME learns the CBC SBc IP address and IP format from
the source IP address field in the IP packets at the time the SCTP association between the CBC and
the MME is set up.
MME does not need to be provisioned with the CBC IPv4 or IPv6 SBc address(es)
An SBc Interface Managed Object (MO) is created when a CBC establishes a SCTP association with
the MME at the SBc local IP address(es) and an MO instance does not yet exist to represent that CBC
SBc interface.
When an Interface MO is created at the MME, the MME saves the local IP address(es) type and value
plus the remote IP address(es) type and value of the interface instance in the Interface MO. Because
the SAM can read the MO values over the SNMPv3 interface, the SAM will be able to obtain the local
IP address(es) used at the MME as well as the remote IP address(es) used at the CBC.
If a SBc interface to a CBC fails, then MME set its Operational State to Disabled and sends an Event
to OAM.
A multi-homed CBC includes all its local addresses in the INIT chunk. It may exclude the address
that is in the IP header source IP address field.
Rule: <MME> <SBc> <Design>
The MME SCTP stack accepts and uses all the CBC IP addresses after their respective path is
verified (as per IETF RFC 4960).
8.2.10.2 SCTP
MME SCTP stack does not support local multi-homing as well as remote multi-homed eNodeBs.
MME supports up to 2 local IPv4 or IPv6 addresses or 2 local IPv4 + 2 local IPv6 addresses.
MME supports the provisioning of up to 2 remote IPv4 or IPv6 addresses or 2 remote IPv4 + 2 remote
IPv6 addresses.
The MME SCTP stack accepts and uses all the eNodeB addresses after their respective path is
verified (as per IETF RFC 4960).
The CBC initiates the establishment of the SCTP association toward the MME via INIT message.
IANA has defined the SCTP port supporting SBcAP traffic as = 29168. [3GPP TS 29.168]
A CBC at the initialization time sets up an SCTP association with the MME.
The MME listens on the SBc SCTP port = 28168 for SCTP INIT chunk from eNodeB.
SBc SCTP is provisioned through the configuration of; 1 SCTP Profile + 1 SBc Interface Profile.
29168
SBC
This feature adds support for an Access Control list of valid peer IP addresses for the SBc link. The
MME shall accept CMAS alert requests on the transport layer only from the provisioned CBC IP
addresses on the Access Control List. MME shall be provisioned with a global parameter ‘Support
SBc Access Control’ to indicate whether the feature should be turned on or off. The default value
shall be off which indicates that MME shall accept alert requests regardless of provisioned
information.
8.2.11 GTP
A GTP Profile is used to provision the GTP attributes to handle the associated interface type(s) that
use GTP as the transport protocol.
The customer can assign a GTP profile to an interface chosen in the list of provisioned GTP Profiles.
A GTP profile is provisioned per interface in the Interface Profile table. In another word, all GTP
tunnels of an interface type share the same GTP attributes regardless of the remote node it
connects to.
MME uses the GTP echo mechanism for detecting link failure in case of peer GTP node failure or
network failure (e.g., cable cut, router/switch failure).
• Table: Add GTP Profile, Parameter: Echo Response Timer, Value: [1-600] (s), Default: 6s.
This is parameter T3-RESPONSE as per TS 29.274. It specifies the time to wait for an Echo Response
to be received before re-transmitting the Echo Request message.
• Table: Add GTP Profile, Parameter: Echo Requests, Value: [9-20] (s), Default: 9.
This is parameter N3-REQUESTS as per TS 29.274. It specifies the total number of Echo Request
messages to be transmitted without receiving a corresponding Echo Response message.
The periodicity of Echo Request message must be higher than the time to wait an Echo Response:
Inter −Echo Re questTimer ≥ (Echo Response Timer ∗ Echo Requests )
MME sends a GTP Echo Request every “Inter-Echo Request Timer” seconds.
If an Echo Response is not received within “Inter-Echo Request Timer” seconds (it is late or lost)
then the Echo Request is considered a failure.
After “Echo Requests” consecutive Echo Request failures MME notifies OAM with message indicating
a failure.
After a failure is reported, MME resets the failure count and continues sending Echo Requests. On
the first successfully received Echo Response after a failure, MME notifies OAM with a message
indicating a recovery.
With the default recommended setting, the time before GTP echo reports that Sm interface is down
is: 6 + 6 x 9 = 51s
The ability to turn on and off the sending GTP echoes will be a configurable parameter in an
upcoming SAM release.
• Table: Add GTP Profile, Parameter: GTP Message Send Attempts, Value: [1-4], Default: 3.
This parameter is used in conjunction with the Message Response Timer. If MME does not receive an
ACK in response to a request message or a response message that expects an ACK before the timer
expires, the request or response is resent. The message is considered undeliverable after if is sent
the number of times indicated here without receiving an ACK.
Default recommendation for the GTP Acknowledgement timer and re-send are:
GTP Message Response Timer = 2 s
GTP Message Send Attempts = 3
8.2.12 Sm
MBMS is a point-to-multipoint service in which data is transmitted from a single source entity to
multiple recipients.
The MBMS bearer service offers two modes:
- Broadcast
- Multicast
Restriction: <MME> <Sm> <Standard>
In order to support Multimedia Broadcast/Multicast Service (MBMS) MME supports the Sm interface
to the MBMS Gateway (MBMS-GW).
The protocol stack used for the Sm interface is presented in the following figure.
GTPv2-C
UDP
IP
L2
L1
For information, MBMS Bearer traffic for broadcasting routes directly from MBMS-GW to eNodeB over
M1 interface.
Session Start
Session Start Session Start Request/Response
Request Request
RAN resource setup
Session Start
Session Start Response
Response
Session Update
Session Update Session Update Request/Response
Request
RAN resource setup Request
or release
Session Update
Session Update Response
Response
Session Stop
Session Stop
Session Stop Request/Response
Request
Request
RAN resource release Session Stop
Response
Session Stop
Response
Note: MME triggers MBMS service procedures to eNodeB (see M3 interface section).
8.2.12.1 IP
MME supports dual IP stack for IPv4 and IPv6 for the MME Sm interface.
Using the LCP platform SCDT tool, the MME is configured with a fixed or floating IP address for use
in Sm communications
MME uses floating IP addresses for all the MME external interfaces except for the MH-SCTP
MBMS-GW starts the communication with the MME. MME learns the MBMS-GW Sm IP address and IP
format from the source IP address field in the IP packets at the time the GTP tunnel between the
MBMS-GW and the MME is set up.
MME does not need to be provisioned with the MBMS-GW IPv4 or IPv6 Sm address(es)
An Sm Interface Managed Object (MO) is created when an MBMS-GW establishes a GTP-C tunnel with
the MME at the Sm local IP address(es) and an MO instance does not yet exist to represent that
eNodeB Sm interface.
When an Interface MO is created at the MME, the MME saves the local IP address(es) type and value
plus the remote IP address(es) type and value of the interface instance in the Interface MO. Because
the SAM can read the MO values over the SNMPv3 interface, the SAM will be able to obtain the local
IP address(es) used at the MME as well as the remote IP address(es) used at the eNodeB.
8.2.12.2 UDP
IANA has defined the UDP port supporting GTP-C traffic as = 2123.
8.2.12.3 GTP-C
In order to process GTP Echo Requests, MME listens on a UDP socket bound to the MME’s Sm IP
address for traffic destined for the GTP-C UDP port (port # 2123, as specified by TS 29.274).
In response to GTP Echo Requests received MME builds a GTP Echo Response and sends it to the
source IP and UDP port that it came from.
Sm SCTP is provisioned through the configuration of; 1 GTP-C Profile + 1 Sm Interface Profile.
SM
8.2.13 S102
The S102 interface allows CS fallback to 1xRTT to establish voice call in the Cicuit Switch domain through
support of registration over EPS procedures.
The S102 application is based on UDP/IP transport medium and utilizes a registered UDP destionation port
23272, for signalling interconnection between an MME and a 1x Circuit Swiched Inter-Working Solution for the
S102 application.
3 Configure the S102 Services Allowed parameter in UE PLMN and served PLMN service agreement
profiles, as required.
1. In the WMM Instance (Edit) form, navigate to the UE PLMN and Served PLMN Service
Agreement Profile tab. The path is Profiles UE PLMN and Served PLMN Service Agreement
Profile.
2. Select a profile from the list and click on the Properties button. The UE PLMN and Served
PLMN Service Agreement Profile (Edit) form opens with the General tab displayed.
3. Configure the S102 Services Allowed parameter.
4. Click on the OK button. The form closes.
5. Click on the Apply button in the WMM Instance (Edit) form. A dialog box appears.
6. Click on the Yes button. The changes are saved.
5 Associate UE PLMN and served PLMN service agreement profiles with the UE PLMN Services IMSI
range services objects, as required.
[See (Procedure 8-112 in the SAM guide) for information about configuring IMSI range services
objects.]
In the WMM Instance (Edit) form navigation tree, expand the UE PLMN Services object to display
the child objects.
Click on a child object. The WMM Instance (Edit) form displays the object data.
Click on the IMSI Range Services tab to configure the assosiation.
6 Configure other optional parameters such as S102 Paging policy, (If do not provision S102 Paging
Policy for S102 Page Attempts, S102 A21 Signaling message would defer to default Paging Policy.),
S102 Call Priority Paging Profile (this table maps A21 message Priority Level to the Paging Priority IE
in the S1AP Paging message), UE PLMN Services (also has S102 Paging Profile ID), S102 Paging
Priority Profile (Includes S102 Pagning Profile ID, services or S102 Call Priority Pagning Profile), Call
Trace Global Setting(S102 for Call Trace) and Message retransmissions (NS102 parameter).
8.2.14 Gn
The Gn interface is the reference point between the MME and the SGSN.. In the 9471
WMM combined MME-SGSN, the interface is internal.
The Gn interface allows the MME to affect a handover for a user who transitions between
LTE and UTRAN, and also supports reselection between LTE and GERAN (GSM).
The Gn interface allows the MME to affect a handover for a user who transitions between
LTE and UTRAN, and also supports reselection between LTE and GERAN (GSM). The
Gn interface transports both signaling and bearer information. The signaling is directed to
the MME and the bearer is directed to the PGW/GGSN.
IPv4v6 SGSN
R99 QoS Mapping Method
TEID to SGSN
SGSN IPv4 Addrss for user traffic
Include R7 QoS Extensions Gn
o Timer – Configure values for the following timers as required
HO2G3Deletion
SRNS Completion
S3Gn Indirect Forwarding
S3 Gn HO Complete
TAU After Ho
• Apply the changes in the WMM Instance (Edit) form, if required
MME BFD implementation requires a single network connection between the MME and the primary
and secondary first hop router. A layer 2 failover redundant connectivity network can not be
implemented if BFD is used.
Figure 177: BFD Network Architecture
Engineering: <MME> <BFD>
• Fault Detection is established to the first hop router (only). Multi-hop BFD is not supported.
• Only Asynchronous BFD mode is supported. (Demand Mode is not supported).
– The MME will operate in the Active mode. The First hop router can operate in
either in Active or Passive mode.
• BFD Poll sequence is supported for parameter change.
• BFD Echo functionality is not supported.
• IETF RFC 5880 optional support of Authentication is not required.
• BFD Version 1 support is required.
• BFD over UDP/IP is supported.
• BFD support over IPv4 and IPv6
• Only one fault detection mechanism should be enabled on an external interface. Either
EIPM-BFD, EIPM-ACM or Multi-Homing SCTP (MH-SCTP) can be provisioned mutually
exclusive.
a. It is recommended that MH-SCTP be used whenever possible.
• IETF RFC 5881 recommendation for distinguishing BFD traffic is used in the MME
implementation. The UDP destination port is 3784. The UDP source port can be within the
range of 49152 through 65535.
As discussed in the BFD general section, the Asynchronous (non echo) mode expiration time is
calculated with the following formula.
After which the link is declared down and traffic is failed over to the redundant link.
This failure decision is based on each BFD session independent of any other BFD session. If a physical
link has several BFD sessions, each BFD session is treated independently. If a physical link has for
example a IPv4 BFD session and a IPv6 BFD session, and the IPv4 BFD session fails, the IPv4 traffic
will be the only traffic switched. The IPv6 traffic will remain on the primary first hop router.
BFD traffic switchover from current outbound path to the alternate path with 500 milliseconds
after detecting a BFD failure.
BFD configuration is a multiphase step. The BFD subnet and static route configuration will be
performed on the Field install phase. The BFD session configuration can be performed after the FI
phase via CLI commands.
BFD session parameters are defined for all BFD sessions in the MME.
• BFD subnets allow for /31 and /32 prefix lengths for IPv4 and /128 for IPv6.
• If BFD is used in conjunction with external VLAN tagging, the BFD subnet and the service
subnet that BFD is pretecting will have to be in the same VLAN. This is required to ensure
that the BFD traffic will follow the same path as the protected service.
A BFD session alarm (major) will be raised when a BFD session is down. The Alarm is cleared when
the session is in the up state.
• The router is a customer piece of equipment that interfaces to the MME for traffic routing.
MME BFD only supports static routes. Therefore the proper weighting should be used to allow for
using BFD primary and secondary routes before using the default routes for the subnets. The order
of preference would be to:
In WM7.0.0 and later releases, external routing of messages is based on the source, or
local WMM, address. In earlier releases, the WMM did routing based on the remote, or
far end, IP address. The WMM routes to the outgoing RTM port based on the source address in the IP
packet. That is, the WMM will route to the port for S1 based on the S1–MME local IP address,
not the destination IP address of the eNodeB for which the message is destined.
Source Based routes are provided as a benefit for minimizing configuration changes when a new
network component is added to the core network. Source based routes are only available for GTP
interfaces on the MPH as well as SCTP based interfaces. The interfaces include, S11, S10, S3, Gn, Sv
MPH interfaces and SLs, SBc, SLg SCTP interfaces.
The configuration of the source based route is automatic. The source based route is added by using
the CE gateway address that was provisioned in the field install or IP configuration procedures. The
source based route is the only available route for the specified interfaces after release LM4.0.2. All
preexisting routes related to the specified interfaces are deleted in the process (destination and
default routes pertaining to the GTP MPH interfaces and SLs, SBc, SLg SCTP interfaces.
2 GIGE LAG configuration. The following diagram depicts a 2 GIGE LAG configuration. If a 1+1
configuration is used, Link 3 and 4 do not exist.
• The MME will revert traffic from the secondary oRTM back to the primary oRTM when the
primary oRTM connection is available.
• The 1+1 GIGE configuration will perform physical link switch over based on faults detected
via the EIPM-ACM or EIPM-BFD.
BFD.
8.6 SECURITY
8.6.1 IPsec
This section assumes the reader has prior knowledge of IPsec functionality. A Generic IPsec
Description section has been included in this document for the reader’s reference.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The MME IPsec implementation for the CALEA X1_1 and X2 interfaces support a flexible Network
Architecture where the MME can connect to either a Security Gateway for directly to the CALEA
devices via IPsec. The configuration options for IPsec are flexible to accommodate various Security
Gateways and CALEA devices. The following picture depicts the hub and Spoke IPsec architecture
for Security Gateway configuration. The Security Gateway is the HUB and terminates all IPsec
communications from the MME. All traffic to/from the MME to the CALEA entities are via the
Security Gateway.
The following picture depicts the IPsec architecture to support IPsec Point to Point ccommunications
ommunications
between the MME and CALEA devices.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The following diagram depicts the redundant IPsec architect utilizing the Security Gateway.
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The picture depicts the CALEA X1_1 and X2 interfaces on separate IPsec tunnels. The MME is capable
of supporting
ing X1_1 and X2 traffic over the same IPsec tunnel. The table below further displays the
possible configuration.
Configuration X1_1 X2
1 IP
IPsec T1
2 IPsec T1
3 IP
IPsec T1 IPsec T2
Alcatel-Lucent
Lucent - Proprietary - Use pursuant to applicable agreements
The following table represents the IPsec parameters supported by the MME X1_1 and X2 interfaces.
Description Specification
IKE IKEv1 (Main Mode only) or IKEv2
Encryption AES CBC 128 (IETF RFC 3602)
AES
AES 256
3DES
Authentication Diffie-Hellman exchange group 2 with
1024 MODP (IETF RFC 2409, IETF RFC 4307 and IETF RFC 3526),
MODP1536
MODP2048
MODP3072
MODP4096
Integrity NULL
HMAC-MD5-96
HMAC-SHA-1-96
Key Distribution IKE shared secret with PFS support
Encapsulation ESP
AH
NULL
Mode Tunnel
Transport
Key Generation Diffie-Hellman
Resiliency and High IPsec Failover
Availability Dead Peer Detection (DPD)
IP Version IPv4 Support (only)
The MME IPsec tunnel configuration will consist of two separate steps. An IPsec profile must be
configured to setup the IKE Parameters. Secondly an IPsec connection must be configured with the
ipsec tunnel specific paramters. An MME IPsec connection is associated with an MME IPsec profile to
define an IPsec Tunnel.
Please refer to CALEA/LI Administration document (418-111-213) for the commands to configure the IPsec
Profile and IPsec Connections.
IKE Algorithm: This option specifies the encryption alogorithm used (i.e. AES128). This is valid for
the IKE session only, not the IPsec session.
IKE Hash: This is an optional alogorithm used to authenticate the remote end (i.e. md5, SHA1). This
is valid for the IKE session only, not the IPsec session.
IKE PFS Group: This option specifies the Perfect Forwarding Secrecy settings that allow the
renegotiation of keys in the IKE phase two negotiation (i.e. modp1024).
IKE Lifetime: This option specifies the time before IKE re-negotiates new keys.
Phase 2 Algorithm: This option specifies the encryption alogorithm used (i.e. AES128). This is the
encryption method used in the IPsec tunnel.
Phase 2 Hash: is an optional alogorithm used to authenticate the remote end (i.e. md5, SHA1). This
is the encryption method used in the IPsec tunnel.
SA Lifetime: This is the optional Security Association timer that specifies the time before the phase
2 algorithm and phase 2 hash become invalid and require a re-nogotiation.
IPsec Interface: This parameter specifies the interface associated with this IPsec tunnel (i.e. X1_1
or X2).
IPsec Address: This is the remote Security Gateway address. (Note: IPv4 address only, IPv6 not
supported).
IPsec Profile: The number identifier associated with the IPsec connection.
IPsec Subnet: The network Mask associated with the remote IP network.
IPsec Subnet Length: The remote subnet length for the IPsec Connection.
IPsec Type: The IPsec mode (i.e Tunnel or Transport). Additional information provided in the
general IPsec section of this document.
9.1 ABBREVIATION
9.2 DEFINITION
eNodeB parameters are grouped into 3 distinct categories depending on the impact to support
online change:
• Class A (or Class 0) = Full impact: these parameters need a global eNodeB reset to be taken into
account. This means a full service impact.
• Class B (or Class 2) = Partial impact: these parameters change is managed on-line but will impact
the service. This change will not trigger any OAM interface outage, meaning that the eNodeB is kept
under supervision. Transport Layers impact: Reset of the eNodeB's transport network layers.
It implies reset of the SCTP, S1 and X2 layer instance(s) that are mapped to the transport layers.
• Class C (or Class 3) = No impact: these parameters are changed on-line, without any impact on
the service, and without any outage from an OAM supervision point of view (the eNodeB is kept
under supervision during the parameters change).
eNB parameter "Service impact" specifies the temporary impact upon eNB services of an update of
the parameter value.
• partial: specifying that there will be a temporary interruption to some eNB services.
• critical: specifying that there will be a temporary interruption to all eNB services.
eNB parameter "Update transient impacts details" qualifies the "Service impact", providing further
detail as to the temporary impact upon eNB services of an update of the parameter value.
The possible values of the property are given below, together with brief explanations.
- Transport-Layers: Reset of the eNB's transport network layers. Implies reset of the SCTP, S1
and X2 layer instance(s) that are mapped to the transport layers.
- New-set-ups: No temporary service impact. However, the new parameter value will take effect
for new established activities that are supervised by the eNB.
End of DOCUMENT