VoLTE Call Flow and Procedures

VoLTE call flow and procedures is very big area to cover because of the
many scenarios to consider from both UE and network perspective.

In this article I will try to put some examples of VoLTE call flow from UE
point of view. These procedures are the most important for VOLTE calls.

From the UE’s point of view the initial step is to camp on the network and
read system information in the form of Master Information Blocks (MIBs)
and System Information Blocks (SIBs). Once that information has been
processed the UE can initiate its own processes.
EPS Attach for VoIP and Defa

ult Bearer Setup

Let’s discuss how UE attach to network after camping on and how default
bearer is created for IMS services. We are discussing the whole procedure
from UE point of view. This process consists of some important sub-
procedures as follows:

 PDN Connectivity
 Authentication
 Bearer Setup and EPS Attach
 P-SCCF Discovery

PDN Connectivity

UE starts connection by sending RRC Connection Request message.

This is similar to UMTS registration. This is a UE originated message and it
contains important information as what the UE wants.

For example the cause value in RRC Connection Request can be “Mobile
Originated Signalling” or “Emergency”. If there is no problem in the network
then network or eNodeB will respond with RRC Connection Setup
message. This message contains signalling radio bearer information and is
transmitted over downlink DCCH (Dedicated Control Channel) channel.

After receiving the RRC Connection Setup message UE responds with

RRC Connection Complete message. At this point Attach Request is
already sent to the network which is an exception from old UMTS system.

Authentication

To protect UE and network from security and man in the middle attacks all
UEs in the network need to be checked and secured before they can use
any network resources. To begin this process network sendAuthentication
Request message or a challenge to make sure the UE is a valid entity. In
response UE sends Authentication Response.
After that network sends Security Mode Command to UE. IT is also good to
know that Security Mode Command is integrity protected. This message
carries vital information on ciphering. In response UE sends Security Mode
Complete message.

In order to protect EPS Session Management (ESM) information, the

network now sends an ESM Information Request; the UE reacts with an
ESM Information response describing the now-protected protocol
configuration options.

Bearer Setup

At this point network must set up additional bearers to carry out IMS VoLTE
call. To establish EPS bearer network sends Radio Bearer
Reconfigurationmessage. UE responds with Radio Bearer
Reconfiguration Completemessage.

P-CSCF Discovery

Before sending any Session Initiation Protocol (SIP) requests, the UE must
perform “P-CSCF Discovery”, the process of identifying (by address) the
correct Proxy-Call Session Control Function (P-CSCF). The P-CSCF
address may be discovered in one of three different ways:

 It may be stored in the IP Multimedia Services Identity Module (ISIM).

 The UE may request it as part of the PDN connectivity request during
the Attach process.
 The UE may request an IP address and Fully Qualified Domain Name
(FQDN) from a DHCP server and then perform a DNS query on the
returned IP address and FQDN.
SIP IMS Call Flow

SIP Registration
After UE finishes radio procedures and it establishes radio bearers UE can
start SIP registration towards the IMS for VoLTE call.

Here is a typical IMS SIP registration call flow.

1. The IMS client attempts to register by sending a REGISTER request

to the P-CSCF.
2. The P-CSCF forwards the REGISTER request to the I-CSCF.
3. The I-CSCF polls the HSS for data used to decide which S-CSCF
should manage the REGISTER request. The I-CSCF then makes that
decision.
4. The I-CSCF forwards the REGISTER request to the appropriate S-
CSCF.
5. The S-CSCF typically sends the P-CSCF a 401 (UNAUTHORIZED)
response as well as a challenge string in the form of a “number used
once” or “nonce”.
6. The P-CSCF forwards the 401 – UNAUTHORIZED response to the
UE.
7. Both the UE and the network have stored some Shared Secret Data
(SSD), the UE in its ISIM or USIM and the network on the HSS. The
UE uses an algorithm per RFC 33101 (e.g. AKAv2-MD5) to hash the
SSD and the nonce.”
8. The UE sends a REGISTER request to the P-CSCF. This time the
request includes the result of the hashed nonce and SSD.
9. The P-CSCF forwards the new REGISTER request to the I-CSCF.
10. The I-CSCF forwards the new REGISTER request to the S-
CSCF.
11. The S-CSCF polls the HSS (via the I-CSCF) for the SSD,
hashes it against the nonce and determines whether the UE should
 be allowed to register. Assuming the hashed values match, the S-
CSCF sends 200 – OK response to the P-CSCF. At this point an
IPSec security association is established by the P-CSCF.
12. The P-CSCF forwards the 200 – OK response to the UE.

NOTE: It is typical that UE makes a deliberate unauthenticated registration

attempt. It waits for the expected 401 response, extracts the nonce from
the response and hashes it with the SSD before including the result in a
second REGISTER request.

QoS Class Identifier (QCI)

QCI parameter generally targets a specific service type based on delay and
packet loss requirements. For VoLTE call the bearer is associated with QCI
value from row 1 as described in the following table.

Chapter #5 – IMS SIP Requests and Codes