On the (In)Security of 4G - Part III: 4G Entities - A First Look

In the previous article we gained a broad understanding of the evolution of mobile phone networks and the general characteristics of wireless communication systems. Now let’s dig deeper into 4G, starting with the relevant entities.

4G Entities

When talking about 4G, we should start with the basics: the communicating entities.

The Evolved Packet System (EPS) consists of three (four) entities:

  • User Equipment - Cellphone
  • Radio Access Network (enhanced - Universal Mobile Terrestrial Radio Access Network (e-UTRAN))
  • Evolved Packet Core (EPC)
  • Networks that it connects to (Internet, IP Multimedia Subsystem (IMS) Network, Packet Data Network (PDN) etc.)

A good overview of the EPC and its interconnections with legacy systems can be found in 3GPP TS 23.002, which gives an overview of the architecture of the 3GPP system. In particular, it describes all the network elements used in the EPC and also in legacy core networks.
3GPP TS 23.401 is also important for us, as it defines the architecture of the EPC for E-UTRAN access.

This example shows the EPS architecture for the non-roaming case from TS 23.401 v16.6.0. Source

To get a better understanding of the UMTS Mobile Terrestrial Radio Access Network (UTRAN), we look into the document 3GPP TS 25.401 V15.0.0. In general, the User Equipment (UE) is connected to the UTRAN via the Uu (a radio interface between the UTRAN and the User Equipment), and the UTRAN connects to the Core Network (CN) via the Iu (the interface between a Radio Network Controller (RNC) and a Mobile-services Switching Centre (MSC), Serving GPRS Support Node (SGSN) or Cell Broadcast Centre (CBC), providing an interconnection point between the RNS and the Core Network). Thus the e-UTRAN consists of:

  • evolved Node B (eNB) (base station), which is responsible for scheduling, handovers and security

For legacy reasons, figure 1 also points out the GSM/EDGE Radio Access Network (GERAN), specified in the document 3GPP TS 43.501 v15.0.0.
For now we will focus on the e-UTRAN.
This page here has a nice visualization of the network solutions from GSM, GPRS and UMTS to EPS, thus from GSM to LTE. It also depicts the evolution from GERAN via UTRAN to E-UTRAN.
Let’s now continue with the Evolved Packet Core (EPC) as specified in 3GPP TS 23.401. The EPC consists of:

  • Home Subscriber Service (HSS), which is a central repository of subscriber information
  • Mobility Management Entity (MME), which maintains mobility and session management/mobility and data bearer control
  • Serving Gateway (SGW), which is for serving mobility between e-UTRAN and EPC and exchanging user data traffic
  • 3GPP AAA, which is responsible for Authentication, Authorization and Accounting
  • Policy and Charging Rules Function (PCRF), which controls charging and the amount of data a user is entitled to
  • Packet Data Network Gateway (PDN GW), which exchanges data between EPC and Packet Data Network
  • Public Data Network Gateway (P-GW), which is responsible for routing the user data through to the public network (e.g. Internet)

Finally, with all the abbreviations in place, let’s paint a picture of all the relevant entities:

This example shows the EPS architecture with entities and interfaces. Source

4G Entity Functionality

Here we dive deeper into the functionalities of each component within the EPC. The functionalities mentioned are by no means complete, but they help in understanding the role of each entity. To gain a good overview, I browsed through some of the specific documents, as well as through this presentation by Huawei about LTE in 2010.

UE

  • Consists of the Mobile Equipment (ME) and the Universal Subscriber Identity Module (USIM)
  • Providing the user access to the System Architecture Evolution (SAE)
  • Providing long- and short identities for the Mobile Equipment (ME) and the subscriber
  • Authentication with the network
  • Non Access Stratum (NAS) signalling
  • NAS signalling security
  • Access Stratum (AS) security
  • Requesting handovers into new cells when signal becomes weak

eNB

  • Radio Resource Management functions
    • Radio Bearer Control, Radio Admission Control, Connection Mobility Control, Scheduling of UEs in both uplink and downlink
  • Measurement and measurement reporting configuration for mobility and scheduling
  • Access Stratum (AS) security
  • IP header compression and encryption of user data stream
  • Selection of an MME at UE attachment when no routing to an MME can be determined from the information provided by the UE
  • Routing of User Plane data towards Serving Gateway
  • Scheduling and transmission of paging messages (originated from the MME)
  • Scheduling and transmission of broadcast information (originated from the MME)
  • Scheduling and transmission of PWS messages (originated from the MME)

MME

  • Non Access Stratum (NAS) signalling
  • NAS signalling security
  • Access Stratum (AS) security control
  • Inter CN node signalling for mobility between 3GPP access networks
  • Tracking Area list management
  • PDN GW and Serving GW selection
  • MME selection for handovers with MME change
  • SGSN selection for handovers to 2G or 3G 3GPP access networks
  • Roaming
  • Authentication
  • Bearer management functions including dedicated bearer establishment
  • Support for Public Warning System (PWS) message transmission
  • UE reachability in idle state (including control and execution of paging retransmission)

S-GW

  • The local Mobility Anchor point for inter-eNB handover
  • Mobility anchoring for inter-3GPP mobility
  • E-UTRAN idle mode downlink packet buffering and initiation of network triggered service request procedure
  • Lawful Interception
  • Packet routing and forwarding
  • Transport level packet marking in the uplink and the downlink
  • Accounting on user and QCI granularity for inter-operator charging
  • UpLink (UL) and DownLink (DL) charging per UE and Packet Data Network (PDN)

PDN-GW

  • Per-user based packet filtering (by e.g. deep packet inspection)
  • Lawful Interception
  • UE IP address allocation
  • Transport level packet marking in the downlink
  • UL and DL service level charging, gating and rate enforcement
  • DL rate enforcement based on Access Point Name Aggregate Maximum Bit Rate (APN AMBR)
  • Credit control for online charging

HSS

  • Database with user-related and subscriber-related information
  • Support functions in mobility management
  • Call and session setup
  • User authentication
  • Access authorization
  • Based on pre 3GPP Release 4: Home Location Register (HLR) and Authentication Center (AuC)
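
To make the security-relevant split in these lists concrete, the following added example (not part of the original article) models the entities as a graph and reports, hop by hop, which of the two security layers named above applies on the user-plane route to the PDN and on the control-plane route to the HSS. The reference-point names (LTE-Uu, S1-MME, S1-U, S11, S6a, S5/S8, SGi) and the plane tags are assumptions taken from the usual TS 23.401 architecture figure, not from the text above.

```python
from collections import deque

# Links: (node, node, reference point, planes). Reference-point names are
# assumed from TS 23.401; "c" = control plane, "u" = user plane.
LINKS = [
    ("UE", "eNB", "LTE-Uu", "cu"),
    ("eNB", "MME", "S1-MME", "c"),
    ("eNB", "S-GW", "S1-U", "u"),
    ("MME", "S-GW", "S11", "c"),
    ("MME", "HSS", "S6a", "c"),
    ("S-GW", "PDN-GW", "S5/S8", "cu"),
    ("PDN-GW", "PDN", "SGi", "u"),
]

# Layer endpoints from the function lists: AS security under UE and eNB,
# NAS signalling security under UE and MME (signalling only, so plane "c").
LAYERS = {"AS": ("UE", "eNB", "cu"), "NAS": ("UE", "MME", "c")}

def path(src, dst, plane):
    """Shortest route from src to dst over links that carry `plane`."""
    adj = {}
    for a, b, _ref, planes in LINKS:
        if plane in planes:
            adj.setdefault(a, []).append(b)
            adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    route, node = [], dst if dst in prev else None
    while node is not None:
        route.append(node)
        node = prev[node]
    return route[::-1]

def coverage(route, plane):
    """Per hop, the layers whose two endpoints enclose that hop."""
    hops = []
    for i in range(len(route) - 1):
        active = [name for name, (a, b, planes) in LAYERS.items()
                  if plane in planes and a in route and b in route
                  and route.index(a) <= i < route.index(b)]
        hops.append((route[i], route[i + 1], active))
    return hops

for plane, dst in (("u", "PDN"), ("c", "HSS")):
    print(plane, coverage(path("UE", dst, plane), plane))
```

An empty layer list means only that neither AS nor NAS security covers that hop; any protection there has to come from a separate mechanism.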

Summary

Phew, that is a lot to take in. We have looked at various 4G entities and their functionality. The UE (i.e. the user’s smartphone) is the moving node in the network and should bring joy to the user. The eNBs are essentially antennae and signal processing stations bridging the air gap to the mobile phone. In the EPS we have the MME, which is super important for authentication and mobility; the HSS, a database with all user-related and subscriber-related information; the S-GW, a mobility anchor in between eNBs during handover; and the PDN-GW, providing the user final access to the Internet.

Here you can read Part II and Part IV.

See you soon! :)

Abbreviations

  • Access Point Name Aggregate Maximum Bit Rate (APN AMBR)
  • Access Stratum (AS)
  • Authentication Center (AuC)
  • Cell Broadcast Centre (CBC)
  • Core Network (CN)
  • DownLink (DL)
  • evolved Node B (eNB)
  • Evolved Packet Core (EPC)
  • GSM/EDGE Radio Access Network (GERAN)
  • Home Location Register (HLR)
  • Home Subscriber Service (HSS)
  • IP Multimedia Subsystem (IMS)
  • Mobile Equipment (ME)
  • Mobile-services Switching Centre (MSC)
  • Mobility Management Entity (MME)
  • Non Access Stratum (NAS)
  • Packet Data Network (PDN)
  • Packet Data Network Gateway (PDN GW)
  • Policy and Charging Rules Function (PCRF)
  • Public Data Network Gateway (P-GW)
  • Public Warning System (PWS)
  • Radio Network Controller (RNC)
  • Serving Gateway (SGW)
  • System Architecture Evolution (SAE)
  • UMTS Mobile Terrestrial Radio Access Network (UTRAN)
  • Universal Subscriber Identity Module (USIM)
  • UpLink (UL)
  • User Equipment (UE)
Nils Mäurer
Group Head - Cybersecurity Architectures

My research interests include security of wireless communications systems, digital aeronautical communications systems, digital avionics and cybersecurity.