1. MIDLANDS STATE UNIVERSITY
Presentation: INFO405-ADVANCED DATA COMMUNICATION AND COMPUTER NETWORKS
Level 4.1
SURNAME NAME REG NO:
BRANDON CHINEMBIRI R186128Y
TAKUDZWA UTETE R188985B
ELIOT GAMA R187714J
KUDAKWASHE MADZEDZE R188671Y
KINGSLEY JERE R188163E
IVAINASHE MATSHANJA R1812566Z
BONGINKOSI MOYO R184048N
BRADLEY T CHIKUMBIRIKE R1811818Y
MUNASHE MATSATE R189175H
2. 3G Networks Architecture, Security and Handover (GSM AND UMTS).
• 3G Network is the third generation of wireless mobile telecommunications technology, it is the upgrade over 2G, 2.5G, GPRS
and 2.75G EDGE networks, offering faster data transfer, and better voice quality. This network was superseded by 4G and later
on 5G.
The 3G Networks Architecture
• The 3G system consists of two main parts: the User Equipment (UE) and the UMTS Terrestrial Radio Access Network
(UTRAN). The UE is the mobile phone and the UTRAN is the base station and the network intelligence. Both the UE and the
UTRAN are composed of different layers.
• The four lowest layers are: the physical layer (PHY), the Medium Access Layer (MAC), the Radio Link Layer (RLC) and the
Radio Resource Layer (RRC). This text will provide a general description of the UE and the function of the different layers with
the focus on the RRC layer since this is the only layer involved in the assignment layer.
• The RRC layer is the highest layer in the protocol stack and it handles most of the decisions and supervisory functions. Below
follows a sample of the functions:
3. Broadcast of information.
Establishment, maintenance and release of an RRC connection between the UE and UTRAN.
Establishment, reconfiguration and release of Radio Bearers.
Assignment, reconfiguration and release of radio resources for the RRC connection.
RRC connection mobility functions.
Control of requested Quality of Service.
UE measurement reporting and control of the reporting.
Outer loop power control
Control of ciphering.
Paging
Initial cell selection and cell re-selection.
RRC message integrity protection. The RRC layer dynamically establishes and releases logical communication channels
(Transport Entities), which is used by the various services in the UMTS network. It controls the parameters available, for
example: bit rate, level of retransmission and coding scheme. It can give commands to each of the other layer through separate
communication channels.
4. The RLC layer is the layer below the RRC in the protocol stack and it is focused on the actual data transfers. Below follows a
sample of the functions:
• Segmentation and reassembly.
• Padding.
• Error correction.
• In-sequence delivery of upper layer Packet Data Units (PDU:s).
• Duplicate detection.
• Flow control.
• Sequence number check.
• Protocol error detection and recovery.
• Ciphering.
The RLC is responsible for retransmission, segmentation and reassembly. This layer contains the transport entities, which are
created and deleted dynamically in pairs as services are established or released. One transport entity handles the incoming traffic
and the other handles the outgoing traffic.
5. The MAC layer is responsible for the handling of the logic channels and most of the priority and multiplexing issues. The
functions of MAC include:
Mapping between logical channels and transport channels.
Selection of appropriate Transport Format for each Transport Channel.
Priority handling between data flows of one UE.
Multiplexing/demultiplexing of upper layer PDU:s into/from transport blocks delivered to/from the physical layer on common
transport channels.
Traffic volume measurement.
Transport Channel type switching.
Ciphering for transparent mode RLC. The MAC layer handles the timing of the packet releases and the adding of transport
entity addresses on the outgoing traffic. The received traffic is sent to the corresponding transport entity via the MAC layer,
which reads the address and removes it.
6. The physical layer takes care of coding, interleaving and the adding of CRC to the packets. Some of the features of the physical
layers are:
Error detection on transport channels and indication to higher layers.
Encoding/decoding of transport channels. • Modulation and spreading/demodulation and dispreading of physical channels.
Frequency and time (chip, bit, slot, frame) synchronisation.
Radio characteristics measurements and indication to higher layers.
Inner - loop power control.
Radio frequency processing. The Physical layer administrates all radio communication. It handles power control, modulation
and measurements. The UMTS protocol stack is an enormous project with specifications involving thousands of pages.
Therefore, the stack used in this project is a much smaller version with a limited number of features. However, even it is
reduced with the ambition to be true to the original standard, the system is more likely to give a picture of the principle behind
the standard than an accurate description of it.
• 3G UMTS Radio Network Subsystem This is the section of the 3G UMTS / WCDMA network that interfaces to both the UE
and the core network. The overall radio access network, that is collectively all the Radio Network Subsystem is known as the
UTRAN UMTS Radio Access Network. The radio network subsystem is also known as the UMTS Radio Access Network or
UTRAN.
7. • 3G UMTS Core Network The 3G UMTS core network architecture is a migration of that used for GSM with further elements
overlaid to enable the additional functionality demanded by UMTS. In view of the different ways in which data may be carried,
the UMTS core network may be split into two different areas: Circuit switched elements: These elements are primarily based on
the GSM network entities and carry data in a circuit switched manner, that is a permanent channel for the duration of the call.
Packet switched elements: These network entities are designed to carry packet data.
• This enables much higher network usage as the capacity can be shared and data is carried as packets which are routed according
to their destination. Some network elements, particularly those that are associated with registration are shared by both domains
and operate in the same way that they did with GSM. UMTS Network Architecture Overview Circuit switched elements The
circuit switched elements of the UMTS core network architecture include the following network entities: Mobile switching
centre (MSC): This is essentially the same as that within GSM, and it manages the circuit switched calls under way. Gateway
MSC (GMSC): This is effectively the interface to the external networks.
• Packet switched elements The packet switched elements of the 3G UMTS core network architecture includes the following
network entities: Serving GPRS Support Node (SGSN): As the name implies, this entity was first developed when GPRS was
introduced, and its use has been carried over into the UMTS network architecture. The SGSN provides a number of functions
within the UMTS network architecture. Mobility management When a UE attaches to the Packet Switched domain of the UMTS
Core Network, the SGSN generates MM information based on the mobile's current location. Session management: The SGSN
manages the data sessions providing the required quality of service and also managing what are termed the PDP (Packet data
Protocol) contexts, for example the pipes over which the data is sent. Interaction with other areas of the network: The SGSN is
able to manage its elements within the network only by communicating with other areas of the network, for example. MSC and
other circuit switched areas. Billing: The SGSN is also responsible billing. It achieves this by monitoring the flow of user data
across the GPRS network. CDRs (Call Detail Records) are generated by the SGSN before being transferred to the charging
entities (Charging Gateway Function, CGF).
8. • Gateway GPRS Support Node (GGSN): Like the SGSN, this entity was also first introduced into the GPRS network. The
Gateway GPRS Support Node (GGSN) is the central element within the UMTS packet switched network. It handles inter-
working between the UMTS packet switched network and external packet switched networks, and can be considered as a very
sophisticated router. In operation, when the GGSN receives data addressed to a specific user, it checks if the user is active and
then forwards the data to the SGSN serving the particular UE. Shared elements.
• The shared elements of the 3G UMTS core network architecture include the following network entities: Home location register
(HLR): This database contains all the administrative information about each subscriber along with their last known location. In
this way, the UMTS network is able to route calls to the relevant RNC / Node B.
• When a user switches on their UE, it registers with the network and from this it is possible to determine which Node B it
communicates with so that incoming calls can be routed appropriately. Even when the UE is not active (but switched on) it re-
registers periodically to ensure that the network (HLR) is aware of its latest position with their current or last known location on
the network.
• Equipment identity register (EIR): The EIR is the entity that decides whether a given UE equipment may be allowed onto the
network. Each UE equipment has a number known as the International Mobile Equipment Identity. This number, as mentioned
above, is installed in the equipment and is checked by the network during registration. Authentication centre (AuC) : The AuC is
a protected database that contains the secret key also contained in the user's USIM card
9. The 3G Networks Security
In UMTS that is Universal Telecommunication Mobile System, security mechanism is developed to take care of all the GSM
(Global System Mobile) security shortfalls. UMTS security is also referred as 3G security.
• Five security groups exist in 3G networks as shown below.
Network Access Security
Network domain security
User domain security
Application domain security
visibility, configurability of security
10. Below is a diagram that shows the five security groups in 3G networks.
• Network Access Security helps protect air interface and also provide 3g subscribers to access the 3g network securely. In UMTS
authentication, key 'K' is shared between network and UE. The network transmits random generated number 'RAND' and
'AUTN' in the message authentication challenge to the UE. AUTN makes it possible for UE to authenticate the 3g network.
USIM generates response back to the network with ciphering and integrity keys. This helps network authenticate the UE.
Provides secure access to 3G services and protects against attacks on the radio interface link.
11. • The major difference between GSM security and 3g security is that network authentication was not possible with GSM
compliant UE. This is possible in UMTS compliant UE. cipher key (Kc) in 3g security is of length 128 bits which was 64 bits in
GSM. In GSM, ciphering was provided to air interface only and ciphering between MS and BTS is not provided. In UMTS,
security is provided between UTRAN and RNC. Hence 3G security is extended between UE and RNC.
• Network domain security: Allows nodes in the operator’s network to securely exchange signalling data and protects against
attacks on the wireline network.
• User domain security (III): Secures access to mobile stations.
• Application domain security: Enables applications in the user and in the provider domain to securely exchange messages.
• Visibility and configurability of security: Allows the user to get information about what security features are in operation or
not and whether provision of a service depends on the activation or not of a security feature.
The 3G Networks Handover.
• In cellular telecommunication handover is a process of transferring an ongoing call or data session from one channel connected
to the core network to another channel. For example there is a mobile device which is connected to node b1 and it is in
communication based on node b1 but it is moving o node b2.In that case the power it is receiving from node b2 is p2 and from
node b1 is p1 so with time the power it is receiving from node b2 increases while the power it is receiving from node b1
decreeases.so when the difference between those powers p1 and p2 increases with a certain threshold value eg 8DBM the
device connected to node b2 and disconnect from node b1.
12. Handover types
• Soft handover means that radio links are added and removed in such a way that UE is always have at least one radio link to the
network. Normally soft handover can be used, when cells are operated on same frequency but different sites cells. For example,
the mobile device is connected to node b1 and it is moving to node b2. The information about the received power is send to
radio network controller. This measurement of power received from nodes is send to RNC and the process is called
measurement report.
• When node b2 increases the power with a certain threshold value the RNC instruct the mobile device to connect to node B2 and
this is called active set update. Then when it disconnects with node be it inform the RNC which is set update complete, refer to
above diagram
13. Hard handover
• The name hard handover indicates that there is a "hard" change during the handover process. For hard handover the radio links are
broken and then re-established. Although hard handover should appear seamless to the user, there is always the possibility that a short
break in the connection may be noticed by the user.
• The basic methodology behind a hard handover is relatively straightforward. There are a number of basic stages of a hard handover:
• The network decides a handover is required dependent upon the signal strengths of the existing link, and the strengths of broadcast
channels of adjacent cells.
• The link between the existing NodeB and the UE is broken. A new link is established between the new NodeB and the UE.
• Although this is a simplification of the process, it is basically what happens. The major problem is that any difficulties in re-establishing
the link will cause the handover to fail and the call or connection to be dropped.
• UMTS hard handovers may be used in a number of instances:
• When moving from one cell to an adjacent cell that may be on a different frequency.
• When implementing a mode change, e.g. from FDD to TDD mode, for example.
• When moving from one cell to another where there is no capacity on the existing channel, and a change to a new frequency is required.
14. • One of the issues facing UMTS hard handovers was also experienced in GSM. When usage levels are high, the capacity of a
particular cell that a UE is trying to enter may be insufficient to support a new user. To overcome this, it may be necessary to
reserve some capacity for new users. This may be achieved by spreading the loading wherever possible - for example UEs that
can receive a sufficiently strong signal from a neighbouring cell may be transferred out as the original cell nears its capacity
level.
3G UMTS softer handover
• A form of handover referred to as softer handover is really a special form of soft handover. It is a form of soft handover that
occurs when the new radio links that are added are from the same NodeB. This occurs when several sectors may be served from
the same NodeB, thereby simplifying the combining as it can be achieved within the NodeB and not require linking further back
into the network.
• UMTS softer handover is only possible when a UE can hear the signals from two sectors served by the same NodeB. This may
occur as a result of the sectors overlapping, or more commonly as a result of multipath propagation resulting from reflections
from buildings, etc.
15. 4G NETWORK
LTE (LONG TERM EVOLUTION) ARCHITECTURE
• 4G networks are expected to consist of a collection of wireless networks. These
would include the Personal Area Networks using, for example, Bluetooth, the
local area networks using WLAN, the satellite-based mobile networks, and
enhanced 3G cellular networks, besides others. The vision of 4G mobile networks
is to bind these different wireless technologies together in such a manner so as to
provision broadband access and global roaming using the most appropriate of
these technologies. Features of 4G Networks While it is not clearly defined as to
what networks can be categorized as 4G networks, there are some features that are
expected to be supported by most 4G networks. These features include: Higher
Bandwidths: It is expected that 4G networks would provide higher bandwidths to
support multimedia services.
16. • Bandwidths up to 100 Mbps will be possible to achieve in 4G networks. Packet-switched Network: While 3G networks
consisted of both circuit switched and packet-switched domains, 4G networks are expected to be entirely based on packet-
switched networks. IP is expected to be used as the packet-switched network in 4G. Stringent Network Security: Network
security in 4G networks is expected to be further improvised. Security mechanisms in 3G networks may be enhanced to provide
better and tighter security.
• Overall architecture is called the Evolved Packet System (EPS) 3GPP standards divide the network into – Radio access network
(RAN) – Core network (CN) (they each evolved independently)
• Long Term Evolution (LTE) is the RAN – Called Evolved UMTS Terrestrial Radio Access (E-UTRA) – Enhancement of
3GPP’s 3G RAN Called the Evolved UMTS Terrestrial Radio Access Network (EUTRAN) – eNodeB is the only logical node in
the E-UTRAN – No RN
4G Network Architecture
• Packet Core (EPC)
• Operator or carrier core network
• It is important to understand the EPC to know the full functionality of the architecture
• Some of the design principles of the EPS
• Clean slate design
17. • Traditionally circuit switched but now entirely packet switched – Based on IP – Voice supported using voice over IP (VoIP).
Core network was first called the System Architecture Evolution (SAE). Packet-switched transport for traffic belonging to all
QoS classes including conversational, streaming, real-time, non-real-time, and background –
• Radio resource management for the following: end-to-end QoS, transport for higher layers, load sharing/balancing, policy
management/enforcement across different radio access technologies – Integration with existing 3GPP 2G and 3G networks –
Scalable bandwidth from 1.4 MHz to 20 MHz – Carrier aggregation for overall bandwidths up to 100 MHz.
Functions of the EPS
Network access control, including network selection, authentication, authorization, admission control, policy and charging
enforcement, and lawful interception
Packet routing and transfer
Security, including ciphering, integrity protection, and network interface physical link protection Mobility management to keep
track of the current location of the UE
Radio resource management to assign, reassign, and release radio resources taking into account single and multi-cell aspects
Network management to support operation and maintenance
IP networking functions, connections of eNodeBs, EUTRAN sharing, emergency session support, among others
18. LTE ARCHITECTURE
• evolved NodeB (eNodeB) – Most devices connect into the network through the eNodeB
• Evolution of the previous 3GPP NodeB – Now based on OFDMA instead of CDMA – Has its own control functionality, rather
than using the Radio Network Controller (RNC)
• eNodeB supports radio resource control, admission control, and mobility management
• Originally the responsibility of the RNC.
Driving factors for LTE
19. 4G NETWORK SECURITY
• Security Features Security features of 4G cellular networks are the different types of security measures a 4G network possesses.
• These security features are explained below
• Configuration of security: It is the most beautiful feature of the 4g network that a user can check that the security operations
are functional or not. If the user finds it's not working that user can report and save him/her self.
• User Security: In this security measure, we check that the access to the mobile stations by the user should be secure. This
makes the 4G network more secure as the transmission is secured.
• Application Security: It is responsible for establishing a secure connection at the application layer where the security is at its
high risk. This feature makes it possible to be secured always
• Network domain security: It is responsible for the secure transmission of data over the network. It also prevents signals and
many elements of the network.
• Network Access security: It is responsible for the secure access of the user to the service.
• These are some security features of 4G cellular networks that make the 4G network a secured network to use but it is also true
that nothing is perfect so 4G cellular network also has some limitations so let's talk about security risks of the 4G cellular
network.
20. Security risk
• Security risk We shall talk about the risk one by one as explained below
• As the speed increases in the 4G network, it simply means that the bandwidth increases so when you use 2G and 3G connection,
you use 26 kb to 256 kb but now in 4G, we use up to 150 Mbit 4G networks. This increases the area of attack for
cybercriminals. They consume your new bandwidth which you pay to use 4G but instead, they are using your bandwidth and
you still get the 3G speed.
• This is also known as Architectural private network (APN) flooding which is responsible for connecting mobile with 4G
network. So, when you use 3G, all the traffic goes into Core IP address but in 4G is an IP based network and it can travel from
one mobile to another with the help of APN. Thus, this makes 4G less secure as one mobile can leak the information of other
mobiles. Therefore, this is also a very high risk in 4G.
• The VoLTE service in the 4G network which means that voice over LTE that we can now use the call feature with the internet.
This is a good feature but it also comes with can danger as many attackers use the VOIP for the attacks on Volte that makes
Volte vulnerable. So, these are some main security risks with the 4G cellular network which makes sense that nothing can be
perfect.
21. Handover in 4G
• it is when a device (UE) moves from cell coverage serving it towards another. It is a process where the user established session
must not be interrupted due to this change in location. There are two types of handovers available in the 4G namely X1 based
and S1.
X2 Based handover
• It is performed without evolved packet Core (EPC) involved that is preparation of messages are directly exchanged between the
S-eNB and T-eNB. The eNB is responsible for this type of handover. Functions of the eNB include (functions include radio
resource management, radio bearer control, radio admission control, connection mobility control, connection mobility control,
dynamic allocation of resources).
• The following two diagrams shows the S1 interface based handover in 4G network.
22.
23.
24. X2 handover protocol
• A connection has to be established among eNBs in order to signal with each other’s for handovering. This is managed through
X2 interface, using X2 Application Protocol (X2-AP).
• The initialization of X2 interface starts with the neighbor identification, i.e., based on configuration or Automatic Neighbor
Relation Function (ANRF) process.
• Subsequently, the Transport Network Layer (TNL) is set using the TNL address of the neighbor. Once the TNL is established,
the X2 setup procedure is ready to run to exchange application-level data needed for two eNBs in order to operate correctly via
X2 interface.
• Specifically, the source eNB (i.e., the initiating eNB in which the UE is attached) sends the X2 Setup Request to the target
eNodeB (i.e., the candidate eNB in which the UE intends to handover). The target eNB replies with the X2 Setup Response.
X2 handover features
• The whole procedure is directly performed between the two eNBs. MME is involved only after the handover procedure is
completed for the path switch procedure contrary to the S1 handover that is MME assisted decreasing the delay and the network
signaling overhead. The release of source eNB resources is triggered via the target eNB at the end of the path switch procedure.
25. The X2 Procedure
Before Handover
• UE is attached to the source eNB. The Dedicated Radio Bearers (DRBs) and Signaling Radio Bearers (SRBs) are established
and UL/DL traffic is transmitted between the source eNB and the UE. The UE remains in the Radio Resource Control (RRC)-
Connected, EMM-Registered, and ECM-connected states with respect to the source eNB, and keeps all the resources allocated
by E-UTRAN and EPC
• Handover execution
• UE receives the RRC Connection Reconfiguration message and transits to the RRC idle state triggering the detachment from the
source eNB. The source eNB sends the Sequence Number (SN) status transfer message that contains the Packet Data
Convergence Protocol (PDCP) sequence numbers to the target eNB through X2 interface.
• For UL the first missing data unit is included and for DL the next sequence number to be allocated. Then, UE is synchronized
with the target based on the given parameters and send the HO Confirm message that encloses the RRC Connection
Reconfiguration Complete to acknowledge the successful handover to the target eNB.
• As a result, the UE transits to the RRC connected state with respect to the target eNB. Concerning the UE synchronization, if a
dedicated random-access preamble has been received in the RRC Connection Reconfiguration message, the UE does not need to
perform the random-access procedure, i.e., contention free Random-Access Channel (RACH) process. If this is not the case, the
UE performs the normal random-access procedure described in [9] (contention-based RACH).
26. Handover Completion
• The target eNB receives the RRC Connection Reconfiguration Complete message and the path switch procedure is initiated
between the target eNB and the MME/S-GW. The target eNB starts to forward all the packets received from the X2 interface to
the UE before any new ones coming from the Serving Gateway (S-GW) (i.e., target eNB receives the end-marker from the old
path switch and starts transmitting packets from the new path switch).
• Afterwards, the source eNB UE context is released via receiving UE release context message from the target eNB. Finally, the
S1 bearer that was initially established between source eNB and UE is also released.
After Handover
• UE is attached to the target eNB. The DRB and SRB are established and UL/DL traffic is transmitted as in the initial step.