Get started !
online LTE test
online C test

Updated or New
Site traffic (Oct-13)
GMSK modulation
Case of frequency correction burst
Solving modulation equations
One bit change
Normal duration burst

Information Theory
Multiple Access
OSI Model
Data Link layer
Word about ATM
Standard Reference
Reference books
Resources on Web
Mind Map
Perl resources
Magic MSC tool
Bar graph tool
C programming
ASCII table
Project Management
Simple Google box
HTML characters
Site traffic
Page view counter
4 1 1 , 8 4 1
another knowledge site

LTE - end-to-end UE initial attach

LTE - end-to-end UE initial attach [Under LTE]
» E-UTRA and E-UTRAN overall description - 36.300, Rel 8 «
» E-UTRAN access - 23.401, Rel 8 «
» EMM and ESM - 24.301, Rel 8 «
» GTPv2-C - 29.274, Rel 8 «
» S1AP - 36.413, Rel 8 «
» NAS overall - 24.007/8, Rel 8 «
» RRC - 36.331, Rel 8 «
» Numbering - 23.003, Rel 8 «
» SAE Security architecture - 33.401, Rel 8 «
» 3G Security - 33.102, Rel 8 «
» USIM Application - 31.102, Rel 8 «

In SAE/EPS article, we looked at LTE network architecture; in this article, we will look at end-to-end initial UE attach signaling.

What is different with LTE UE initial attach ? In LTE, initial attach is combined with (default) PDN (IP) connectivity. You can call this default PDN (IP) connectivity as default (or basic or initial) PDP context activation. This default connectivity is always of non-guaranted bit rate type (basically something which handles mostly bursty internet traffic). This default connectivity is called "default bearer". LTE no more use NAS terminology of "PDP Context" for "Sessions". By the way, LTE NAS consists only of Mobility Management (EMM) and Session Management (ESM). Additional PDP Contexts or Sessions (with different QoSs than default bearers) are called "dedicated bearers". Yes, it is misleading to call it "dedicated" !

Just like "Secondary PDP Context" in GPRS/UMTS, dedicated bearer has same PDN (IP) address as default bearer and specific QoS. Yes, TFT (Traffic Flow Template) is utilised here (UE and PGW) too ! QoS is defined differently in LTE (check out 3GPP TS 36.300 section 13 and 23.401, section 4.7.3).

Below is a end-to-end signaling diagram for UE initial attach. I have included lot of specification references to dig in further.









UE powers on.

Synchronisation and cell selection procedures initiated. MM/RR/PLMN data taken from USIM application.

To start attach procedure, EMM request RRC Connection.
Initial attach 23.401:
RRC initiation 36.331:

RRC Connection Request (Cause, Identity - S-TMSI or random).
eNB invokes RRM and RRC procedures.

RRC Connection Setup (Radio configs - RLC/PDCP/MAC/PHY related to SRB1)
RRC initiation 36.331:
RRC Connection Setup Complete
(PLMN identity, NAS PDU) NAS PDU contain EMM Attach Request (old GUTI or IMSI, ESM PDN Connectivity Request).
RRC initiation 36.331:
EMM Attach 24.301:
ESM PDN Connectivity 24.301:
GUTI 23.003:2.8
S1AP - Initial UE Message
(UE S1AP ID, NAS PDU, RRC cause)
36.413 Initial UE:
MME may trigger authentication, security & ciphering procedures.
23.401 Overall:

Diameter - Authentication Info Request
S6a interface/Diameter authentication 29.272:5.2.3
Diameter - Authentication Info Answer
S1AP - DL NAS Transport
(NAS PDU - EMM Authentication Request {RAND, AUTN} )
36.413 Initial UE:
UE-EPC authentication 33.401:6.1
EMM authentication 24.301:5.4.2
RRC DL Information Transfer
RRC DL Info:5.6.1
UICC - Authenticate
UE would execute AUTHENTICATE command in USIM application to get SRES and CK (Cihpering Key).
USIM Authenticate 31.102:5.2.1
RRC UL Information Transfer
(NAS PDU - EMM Authentication Response {SRES} )
RRC UL Info:5.6.2
S1AP - UL NAS Transport
36.413 Initial UE:
MME compares SRES (received from UE and HSS).
33.102 Authentication:6.3
MME triggers NAS security procedure. NAS encryption and integriry keys (KNASenc and KNASint respectively) will be derived from KASME received from HSS.
33.401 Security keys:6.2
UE NAS would start ciphering and integrity protection (starting from next Security Mode Complete messsage). UE would derive KASME from CK received from USIM (as part of Authenticate command. UE would then derive NAS encryption and integriry keys (i.e. KNASenc and KNASint respectively).
EMM - Security Mode Command over RRC/S1AP transport
(UE Security capabilities, Ciphering algorithm, Integrity algorithm)
33.401 NAS security:
24.301 EMM Security:
EMM - Security Mode Complete over RRC/S1AP transport
Diameter - Update Location Request
(IMSI, Visited PLMN ID, RAT type)
S6a interface/Diameter authentication 29.272:
MME does the SGW (and PGW ?) selection.
23.401 SGW selection:
Diameter - Update Location Answer
(Subscription data)
GTP-C - Create Session Request
(IMSI, APN, PGW S5/S8 address/F-TEID, PDN type, EPS Bearer ID, Default EPS QoS, Aggregate Maximum Bit Rate, PDN address (fixed?), PCO)
29.274 Create Session:7.2.1
GTP-C - Create Session Request
(IMSI, APN, SGW User plane TEID, PDN type, EPS Bearer ID, Default EPS QoS, Aggregate Maximum Bit Rate, PDN address (fixed?), PCO)
29.274 Create Session:7.2.1
PGW uses QoS policy (local or received from PCRF) to come out with a list of bearers (default + optional dedicated beares).
GTP-C - Create Session Response
(PDN address, Aggregate Maximum Bit Rate, PCO, Default/Dedicated bearer contexts {EPS bearer ID, PGW User plane TEID, QoS} )
29.274 Create Session:7.2.2
User DL data (if any) thru GTP tunnel (over S5/S8 interface).
MME has now everything in place to instruct eNB to start Initial Context Setup procedures. S1 UE context {S1AP ID, Bearer ID, TEIDs} would be created. KeNB is derived from KASME.
33.401 Security keys:6.2
GTP-C - Create Session Response
(PDN address, Aggregate Maximum Bit Rate, PCO, Default/Dedicated bearer contexts, SGW User plane TEID)
29.274 Create Session:7.2.2
RRM procedures would "admit" EPS bearer, create S1 UE context {S1AP ID, Bearer ID, TEIDs}, inform GTP-U about Bearer ID-Tunnel ID mapping and initiate further RRC procedures. First procedure would be AS Security procedure to start Ciphering and Integrity protection. eNB would derive User data encryption and RRC encryption & integrity keys from KeNB. These keys resepectively are KUPenc, KRRCint, and KRRCenc.
33.401 Security keys:6.2
Along with Security, RRC Reconfig procedure can be started.
S1AP - Initial Context Setup Request
(UE S1AP ID, Aggregate Maximum Bit Rate, default/dedicated bearer {E-RAB IDs, QoS, SGW GTP TEID, NAS PDU, EPC Transport address}, UE Security Capabilities, Security key KeNB)
36.413 Initial Context Setup:8.3.1
Transport address is EPC IP address to which user (UL) IP packets are to be forwarded.
36.414 Transport address:5.3
NAS PDU contain EMM Attach Accept (GUTI, ESM message). ESM message would be Activate Default EPS Bearer Context Request (EPS bearer ID, QoS no ARP, PDN Address, APN)
24.301 EMM Attach Accept:
24.301 ESM Default Bearer request:
RRC AS Security Mode Command
(Ciphering algorithm, Integrity algorithm)
33.401 AS Security:
36.331 RRC Security:5.3.4
Similar to eNB, UE derives KUPenc, KRRCint, and KRRCenc from KeNB to start Ciphering and Integrity protection. This would be acknowledged to network.
RRC Connection Reconfiguraion
[EPS bearer ID, DRB ID, Radio configs - RLC/PDCP/MAC/PHY, NAS pdu]
RRC 36.331:5.3.5
RRC Security Mode Complete
RRC 36.331: RRC/L2/PHY would be configured for SRB2 and DRB. RRC would acknowledge this is to eNB and pass on NAS PDU to EMM.
RRC Connection Reconfiguration Complete
RRC 36.331:5.3.5
UE NAS would construct EMM Attach Complete message which would contain ESM reply as well.
S1AP - Initial Conext Setup Response
(UE S1AP IDs, E-RABs setup {E-RAB ID, eNB GTP-U TEID, eNB Transport address})
36.413 Initial Conext Setup:
EMM - Attach Complete over RRC/S1AP transport
ESM PDU would contain ESM Activate default EPS bearer Context Accept message (PCO).
24.301 EMM Attach:
24.301 ESM Default bearer activation:
MME would trigger GTP-C procedure towards SGW to inform eNB related details to SGW.
GTP-C - Modify Bearer Request
(EPS bearer IDs, eNB F-TEID)
29.274 Modify Bearer Request:7.2.7
For handover scenarios, SGW will have to trigger GTP modify bearer procedure towards PGW over S8 interface.
GTP-C - Modify Bearer Response
29.274 Modify Bearer Response:7.2.8
User UL data through DRB
User UL data through GTP tunnel (S11 interface)
User UL data through GTP tunnel (S5/S8 interface)
User DL data (if any buffered earlier) through GTP tunnel (S11 interface)

User DL data through DRB
This complete LTE initial attach procedure. UE is attached, default bearer active. RRC-Connected, EMM-Registered, ECM-Connected state.

In next article, we will look at end-to-end signaling for dedicated bearer setup.

References: 3G Evolution: HSPA and LTE by Dahlman, Parkvall, Sköld, and Beming, LTE - From Theory to Practice, Edited by Sesia, Toufik, and Baker, and SAE and the Evolved Packet Core: Driving the Mobile Broadband Revolution by Olsson, Sultana, Rommer, Frid, and Mulligan.

Copyright © Samir Amberkar 2010-11§

LTE - QoS « LTE Index » LTE - dedicated bearer setup