On the (In)Security of 4G - Part V: Logical Channels

4G Logical Channels

Following our general description of a wireless communication system in Part I, we now go on the MAC layer to look for the LTE logical channels and can compare them with the L-band Digital Aeronautical Communications System LDACS. The document TS 36.321 defines the MAC layer for the E-UTRA.

In general, LTE has two types of channels: (1) Control channels for transferring control plane information and (2) Traffic channels for transferring user plane information.
Control Channels offered by the MAC layer are [TS 36.321]:

• Broadcast Control Channel (BCCH) A downlink channel for broadcasting system control information.
• Paging Control Channel (PCCH) A downlink channel that transfers paging information and system information change notifications. This channel is used for paging when the network does not know the location cell of the UE.
• Common Control Channel (CCCH) Channel for transmitting control information between UEs and network. This channel is used for UEs having no RRC connection with the network.
• Dedicated Control Channel (DCCH) A point-to-point bi-directional channel that transmits dedicated control information between a UE and the network. Used by UEs having an RRC connection.

Traffic Channels offered by the MAC layer are [TS 36.321]:

• Dedicated Traffic Channel (DTCH) A point-to-point channel, dedicated to one UE, for the transfer of user information. A DTCH can exist in both uplink and downlink.
• Multicast Traffic Channel (MTCH) (from Release 9) A point-to-multipoint downlink channel for transmitting traffic data from the network to the UE. This channel is only used by UEs that receive Multimedia Broadcast Multicast Service (MBMS).

4G Channel Mapping

In this part we want to have a look at the question how logical channels translate to transport and physical channels on the layers below.

4G Downlink Channel Mapping

To break figure down, let’s have a look at the downlink first:

4G Downlink Channel Mapping - PHY

On the physical channel level, we see several not aforementioned channels. Let’s go through each and check their functionality:

• Physical Downlink Control Channel (PDCCH): carries scheduling assignments and other control information [Source].
• Physical Broadcast Channel (PBCH): carries the information about the antenna configuration [Source]
• Physical Downlink Shared Channel (PDSCH): carries user data [Source]
• Physical Control Format Indicator Channel (PCFICH): carries the number of symbols that can be used for control channels (PDCCH and PHICH) [Source]
• Physical channel HybridARQ Indicator Channel (PHICH): secially designed downlink only channel which carries ACK or NACK for the Physical Uplink Shared Channel (PUSCH) received by the network [Source]
• Physical Multicast Channel (PMCH): contains Multimedia Broadcast Multicast Service (MBMS) traffic and control information and is transmitted with Multicast/Broadcast Single Frequency Network Reference Signal (MBSFN-RS). [Source]

4G Downlink Channel Mapping - Between PHY and Transport Channels

Connected to PDCCH is the Downlink Control Indicator (DCI), which “carries those detailed information like “which resource block carries your data ?” and “what kind of demodulation scheme you have to use to decode data ?” and some other additional information. It means you (the reciever) first have to decode DCI and based on the information you got from the DCI you can decode the real data. It means without DCI, decoding the data delivered to you is impossible.” [Source]
Connected to the PCFICH is the Control Format Indicator (CFI), which “is a indicator telling how many OFDM symbols are used for carrying control channel (e.g, PDCCH and PHICH) at each subframe. If CFI is set to be 1 for a subframe, it means one symbol (the first symbol) at the subframe is used for PDCCH allocation. If CFI is 2, it means two symbols (the first and the second symbol) are used for PDCCH. [And so on.]” [Source]
Connected to the PHICH is the HybridARQ Indicator (HI).

4G Downlink Channel Mapping - Transport Channels

Now we have finally reached the transport channel layer.

• Paging Channel (PCH): used to convey the PCCH [Source]
• Broadcast Channel (BCH): The LTE transport channel maps to Broadcast Control Channel (BCCH) [Source]
• Downlink Shared Channel (DL-SCH): This transport channel is the main channel for downlink data transfer. It is used by many logical channels. [Source]
• Multicast Channel (MCH): This transport channel is used to transmit MCCH information to set up multicast transmissions. [Source]

4G Downlink Channel Mapping - Logical Channels

Like in the chapter about logical channels, we find some of our previously discussed channels here again. The logical Paging Control Channel (PCCH) is connected to the transport PCH and then physical PDSCH channel. The logical Broadcast Control Channel (BCCH) is connected to the transport BCH and DL-SCH channel, which are connected to the physical PBCH and PDSCH channel. The logical Common Control Channel (CCCH), Dedicated Control Channel (DCCH), Dedicated Traffic Channel (DTCH), Multicast Control Channel (MCCH) (new with release 9 - provides necessary control information to receive MBMS services, including subframe allocation and used Modulation Coding Scheme (MCS) [Source]) and Multicast Traffic Channel (MTCH) are all connected to the transport DL SCH channel, which in turn is connected to the physical PDSCH channel. The logical MTCH is also connected to the transport MCH channel and the phyical PMCH channel.
MCCH, MTCH, MCH and PMCH were added in release 9.

4G Uplink Channel Mapping

As we have now seen all channels in the downlink, let’s continue with the uplink:

4G Uplink Channel Mapping - PHY

The first channel that we see here is the Physical Random Access Channel (PRACH). As this is an important channel, we go briefly through the random access procedure.
The random access procedure is a four step procedure to (re-)establish an RRC connection or perform a handover or acquire uplink synchronization or obtain UpLink (UL)-Shared Channel (SCH) resources. A good resource about the overall process is this page. In general works as follows:

• Preamble transmission on PRACH
  • Timing estimation at eNB
• Random access response
  • Timing Advance command
  • UL-SCH resource assignment for step 3
  • Temporary Cell-Radio Network Temporary Identifier (C-RNTI) C-RNTI3.
• First UL-SCH transmission
  • Payload depends on use-case 1-4 above
  • Used for Contention resolution
• Contention resolution on DL-SCH
  • Echo terminal identity from step 3
  • also other signaling/data
    The next channel we see is the Physical Uplink Shared Channel (PUSCH). This channel carries user data. It supports QPSK and 16 QAM modulation with 64QAM being optional [Source].
    Finally we have the Physical Uplink Control Channel (PUCCH). “This LTE channel is used to carry Uplink Control Information (UCI). UCI can also be transported using PUSCH channel. An LTE UE can never transmits both PUCCH and PUSCH during the same subframe.” []

4G Uplink Channel Mapping - Between PHY and Transport Channels

The aforementioned Uplink Control Information (UCI) carries mainly three different information: (1) Scheduling Request (SR), (2) HARQ ACK/NACK, (3) Channel Quality Indicator (CQI). [Source1, Source2]

4G Uplink Channel Mapping - Transport Channels

The Random Access Channel (RACH) is located on the transport layer, and plays an important role for gaining access to a radio cell, as “[it] is the first message from UE to eNB when you power it on” [Source].
The Uplink Shared Channel (UL-SCH) is a transport channel and the main channel for uplink data transfer. It is used by many logical channels like CCCH, DCCH DTCH. [Source]

4G Uplink Channel Mapping - Logical Channels

Like in the chapter about logical channels, we find all of our previously discussed channels here again. The logical CCCH, DCCH and DTCH channnels are all connected to the transport UL-SCH channel and then to the physical PUSCH channel.

Summary

Phew, that is a lot to take in. We have looked at logical channels and the mapping from logical to transport and physical channels and their respective inner workings. We got a good first look at 4G now. I think it is time to start with security related stuff. We will do that in the next post.

Here you can read Part IV and Part VI.

See you soon! :)

Abbreviations

• Broadcast Channel (BCH)
• Broadcast Control Channel (BCCH)
• Cell-Radio Network Temporary Identifier (C-RNTI)
• Channel Quality Indicator (CQI)
• Common Control Channel (CCCH)
• Control Format Indicator (CFI)
• Dedicated Control Channel (DCCH)
• Dedicated Traffic Channel (DTCH)
• Downlink Control Indicator (DCI)
• Downlink Shared Channel (DL-SCH)
• HybridARQ Indicator (HI)
• L-band Digital Aeronautical Communications System (LDACS)
• Modulation Coding Scheme (MCS)
• Multicast Channel (MCH)
• Multicast Control Channel (MCCH)
• Multicast Traffic Channel (MTCH)
• Multicast/Broadcast Single Frequency Network Reference Signal (MBSFN-RS)
• Multimedia Broadcast Multicast Service (MBMS)
• Paging Channel (PCH)
• Paging Control Channel (PCCH)
• Physical Broadcast Channel (PBCH)
• Physical Control Format Indicator Channel (PCFICH)
• Physical Downlink Control Channel (PDCCH)
• Physical Downlink Shared Channel (PDSCH)
• Physical Multicast Channel (PMCH)
• Physical Random Access Channel (PRACH)
• Physical Uplink Control Channel (PUCCH)
• Physical Uplink Shared Channel (PUSCH)
• Physical channel HybridARQ Indicator Channel (PHICH)
• Random Access Channel (RACH)
• Scheduling Reques (SR)
• UpLink (UL)
• Uplink Control Information (UCI)
• Uplink Shared Channel (UL-SCH)
• Shared Channel (SCH)