Transcript week8-ee522x

Structure of Primary and Secondary Synchronization
Channels (SCH)
Slot #0
Primary
SCH
acp
Secondary
SCH
acs
i,0
Slot #1
acp
Slot #14
acp
i,1
i,14
acs
acs
256 chips
2560 chips
One 10 ms SCH radio frame
cp
𝑐𝑠𝑖,𝑘
Primary Synchronisation Code ( It is the same for every cell in the system)
Secondary Synchronisation Codes ( Where i=0,1….63 is the number of the scrambling
code group, and k= 0,1,…14 is the slot number. Each code is chosen from a set of
16 different codes of length 256).
1
Fast Cell Search
Downlink primary scrambling codes
PSC0
PSC1
Secondary synchronisation codes
associated
0,k
Group 1
Cs
Group 2
Cs
Group 64
Cs
PSC7
PSC8
PSC9
1,k
PSC15
PSC504
PSC505
63,k
PSC511
2
SSC Sequences
3
Cell Search
 Downlink scrambling code and common channel frame synchronization of that
cell will be determined during cell search
 All common physical channel timings are related to the timing of P-CCPCH, so only
the timing of P-CCPCH need to be found out
 Step 1, Slot synchronization:
 SCH’s primary synchronization code is used to acquire slot synchronization to a
cell
 primary synchronization code is common to all cells, so slot timing of the cell can
be obtained by detecting peaks in a single matched filter output
 Step 2, Frame synchronization and code-group identification:
 now secondary SCH is used to find frame synchronization and identify the codegroup of the cells found in the first step. This is done by correlating the received
signal with all possible secondary synchronization code sequences and identifying
the max correlation value.
 Step 3, Scrambling code identification:
 Mobile station determines the exact primary scrambling code used by the found
cell. The primary scrambling code is identified through symbol-to-symbol
correlation over the CPICH with all codes within the group identified in step 2.
 After the primary scrambling code has been detected, the primary CCPCH can be
detected, and the system and cell specific BCH information can be read.
5
Slotted Downlink Transmission
 MS Single-receiver
 Measurements on other frequencies without affecting normal
data flow.
 The information is compressed in time
 An idle time period of 5ms is created within each frame.
6
Idle period available for
interfrequency measurement
Instantaneous
Rate/Power
Tf
Normal transmission
Slotted transmission
Downlink slotted transmission
7
Handover [1/7]
1. Intra-mode handover
 Include soft handover, softer handover and hard handover.
 Rely on the Ec/Io measurement performed from the CPICH.
2. Inter-mode handover
 Handover to the UTRAN TDD mode.
3. Inter-system handover
 Handover to other system, such as GSM.
 Make measurement on the frequency during compressed
mode (Slotted transmission).
8
Handovers [2/7]
Intra-frequency HO
1.1
Softer Handover
• Between two adjacent sectors of a base station
• Communication take place concurrently via two air interface channels, one
for each sector separately.
• The two signals combined at BS
• Only one power control loop per connection
1.
UE1
BS 1
BS 2
9
Handovers [3/7]
1.2
Soft Handover
 Between cell coverage area of two different base stations
 The main difference between softer and soft HO is in the uplink direction
 Data at different BS from the MS is combined at RNC
 Frame reliability indicator is used to select the best frame
 Two power control loops per connection are active, one per BS
UE1
BS 1
BS 2
10
Soft Handover
11
MS
Serving NB
DCCH
Measurement report
RNC
Target NB
Measurement reports
DTCH
Traffic
1 MS monitors the pilots
level from neighbouring
NBs and compares them
to a set of thresholds and
reports them
2 MS acquires the Target
NB and adds it to its active
list
1 MS monitors the pilot
levels of the serving NBs
and compares it with a
Threshold and reports them
2 MS removes one of the
serving NBs, from its active
list
DCCH
Handover "add" request
Handover "add" request
DCCH
Handover "add" request
Handover "add" request
DCCH
Handover "add" completion
Handover "add" completion
DCCH
Handover "add" completion
Handover "add" completion
DTCH
Traffic
DCCH
Measurement report
Measurement report
DCCH
Measurement report
Measurement report
DCCH
Handover "drop" request
Handover "drop" request
DCCH
Handover "drop" request
DCCH
Handover "drop" completion
DCCH
Handover "drop" completion
Handover "drop" request
Add
Phase
Soft
handover
phase
Drop
Phase
Handover "drop" completion
Handover "drop" completion
Backward Soft Handover Procedure Example
12
Handovers [4/7]
Inter-frequency HO
• Hard handover
• The handover between two base stations operating at two different
frequencies
• e.g. HO between two different UMTS operators
2.
Inter System HO
• Hard handover
• take place between the WCDMA FDD system and another system
• e.g. such as HO between UMTS to GSM
3.
13
WCDMA Handovers [5/7]
 Terminology:
 Active set (AS), represents the number of links that UE is
connected to.
 Neighbor set (NS), represents the links that UE monitors
which are not already in active set.
WCDMA Handovers [6/7]
 Handover parameters:
 Add window



Represents a value of how much worse a new signal can be compared
to the best one in the current active set in order to be added into the
set
Adding link to combining set can be done only if maximum number of
links is not full yet (defined with parameter).
Moreover a new link is added to the active set only if the difference
between the best and the new is still at least as good after the ‘add
timer’ is expired. Timer is started when the signal first reaches the
desired level.
 Drop window
 Represents a value of how much poorer the worst signal can be when
compared to the best one in the active set before it is dropped out
 Similarly to adding, signal which is to be dropped needs to fulfill the
drop condition after the corresponding drop timer is expired.
WCDMA Handovers [7/7]
 Replace window



Represents a value for how much better a new signal has to be
compared to the poorest one in the current active set in order
to replace its place
Replace event takes place only if active set is full as otherwise
add event would be applied
Similarly to add and drop events, also with replace event there
exist a replace timer
Active set management
17
Power Control in WCDMA [1/4]
 The purpose of power control (PC) is to ensure
that each user receives and transmits just enough
energy to prevent:
Blocking of distant users (near-far-effect)
 Exceeding reasonable interference levels
Without PC received
power levels would
be unequal

UE1
UE2
UE3
UE1
UE2
UE1 UE2 UE3
In theory with PC
received power levels
would be equal
UE3
18
Power Control in WCDMA [2/4]
 Power control can be divided into two parts:
 Open loop power control (slow power control)


Used to compensate e.g. free-space loss in the beginning of the
call
Based on distance attenuation estimation from the downlink
pilot signal
 Closed loop power control (fast power control)


Used to eliminate the effect of fast fading
Applied 1500 times per second
19
Power Control in WCDMA [3/4]
 Closed loop power control can also be divided into two
parts:
 Innerloop power control

Measures the signal levels and compares this to the target
value and if the value is higher than target then power is
lowered otherwise power is increased
 Outerloop power control


Adjusts the target value for innerloop power control
Can be used to control e.g. the Quality of Service (QoS)
20
Power Control in WCDMA [4/4]
 Example of inner loop
power control
behavior:
 With higher velocities
channel fading is more
rapid and 1500 Hz
power control may not
be sufficient
21
Application protocols in UTRAN
• Iub interface (between RNC and base station)
NBAP (Node B Application Part)
• Iur interface (between Serving RNC and Drift RNC)
RNSAP (Radio Network Subsystem Application Part)
- Link management for inter-RNC soft handover
• Iu interface (between RNC and core network)
RANAP (Radio Access Network Application Part)
- Radio Access Bearer (RAB) management
- SRNS Relocation
- Transfer of higher-level signalling messages
22
Serving RNC and Drift RNC in UTRAN
SRNC
BS
Iub
RNC
Iu
UE
Iur
BS
Iub
Core network
RNC
DRNC
Concept needed for:
Soft handover between base stations belonging to different RNCs
23
Serving RNS (SRNS) Relocation
RNS = Radio Network Sub-system =
RNC + all base stations controlled by this RNC
• SRNS Relocation means that the Serving RNC
functionality is transferred from one RNC (the
“old” SRNC) to another (the “new” SRNC,
previously a DRNC) without changing the radio
resources and without interrupting the user data
flow.
• RANAP provides the signalling facilities over the
two Iu interfaces involved (Iu interfaces to “old”
and “new” SNRC) for performing SRNC
Relocation in a co-ordinated manner.
24
SRNS Relocation (cont.)
SRNC
BS
Iub
RNC
Iu
UE
Core network
Iur
BS
Iub
RNC
Iu
DRNC
SRNC
SRNC provides: 1) connection to core network
2) macrodiversity combining point
25
Soft handover concept
SRNC
Leg 1
UE
BS
BS
Iub
RNC
Leg 2
Iur
Leg 3
BS
Iub
RNC
Iu
Core network
Signal combining
point is in SRNC
(downlink: in UE)
DRNC
Legs 1 and 2: Iur interface is not needed
Leg 3 is added: Iur interface is needed!
26
Radio propagation, fading and receivers
 When transmitted radio signal
travels in the air interface it is
altered in many ways before it
reaches the receiver
 reflections, diffractions,
attenuation of the signal energy,
etc.
 These different multipath
components of the transmitted
signal arrive at different times to
the receiver and can cause either
destructive or constructive
addition to the arriving plane
waves
Destructive
Constructive
27
Radio propagation, fading and receivers
 Fast changes of the radio channel
conditions caused by the fading
channel conditions (destructive
and constructive addition) is
called fast fading
 Example of the fast fading
channel in the function of time is
in the right hand figure
 Illustrates, for instance, deep
fades in the channel that power
control would need to react to
28
RAKE receiver building block
 The most commonly used receiver is so called RAKE receiver
 Especially designed to compensate the effects of fading
 Every multipath component arriving at the receiver more than one chip time
(0.26 μs) apart can be distinguished by the RAKE receiver
 Compensating is done by using several ’sub-receivers’ referred as fingers
 Each of those fingers can receive individual multipath components
 Each component is then decoded independently and after that combined in
order to make the most use of the different multipath components and thus
reduce the effect of fading
 This kind of combining method is so called Maximum Ratio Combining (MRC)
29
Radio propagation, fading and receivers
Transmitted
symbol
Received
symbol at
each time
slot
Phase
modified
using the
channel
estimate
Combined
symbol
Finger #1
Finger #2
Finger #3
30
Diversity [1/2]
 Different components of the transmitted signal can be used to enhance the end
quality of the received signal
 Components differ from each other by their amplitudes and delays
 There exists different types diversity which can be used to improve the quality,
e.g.:
 Multipath

Reflections, diffractions, attenuation of the signal energy, etc.
 Macro

Different base stations or Node Bs send the same information
 Site Selection Diversity Transmission (SSTD)

Maintain a list of available base stations and choose the best one, from which the transmission
is received and tell the others not to transmit
31
Diversity [2/2]
 Time:

Same information is transmitted in different times
 Receiver:

Transmission is received with multiple antennas
 Transmit:

Transmission is sent with multiple antennas
Micro- / macrodiversity combining
(uplink)
SRNC
BS
Iub
RNC
Iu
Core network
Iur
Rake
receiver
UE
Multipath
propagation
RNC
Iub
DRNC
Macrodiversity
combining point in
SRNC
BS
Microdiversity combining point in base station
33
Micro- / macrodiversity combining
(uplink)
Microdiversity combining: multipath signal
components are processed in RAKE “fingers” and
combined (= summed) using MRC
(MRC = Maximum Ratio Combining)
Macrodiversity combining: the same bit sequences
(with different bit error positions) are combined at the
SRNC (usually: selection combining).
Hard handover: slow (a lot of signalling)
Soft handover: fast selection in SRNC
34
Macrodiversity - active set
Cell A
Cell B
Ec/No
Signal
Time margin
margin
ADD threshold
DROP threshold
Cell C
Soft handover
region
Time
35
Security in UMTS
GSM
UMTS
SIM authentication
(PIN code)
USIM authentication
(PIN code)
User authentication
User authentication
Network authentication
Ciphering (air interface)
Ciphering (air interface)
KASUMI algorithm (known)
Signalling data integrity
UMTS: larger key lengths than
in GSM
IP security (e.g. IPSEC)
36
Security in digital networks: terminology
Authentication:
• SIM authentication (PIN code)
• user authentication (GSM, UMTS)
• network authentication (UMTS)
Integrity:
• signalling data integrity (UMTS)
Confidentiality ( privacy):
• ciphering of signals over radio interface
• hiding of user identifiers over radio interface
• end-to-end encryption (offered by service provider)
37
Authentication
Authentication: Procedure of verifying the authenticity of
an entity (user, terminal, network, network element). In
other words, is the entity the one it claims to be?
• SIM authentication is local (network is not involved)
• In GSM, only user is authenticated
• In UMTS, both user and network are authenticated
• User/network is authenticated at the beginning of
each user-network transaction (e.g. location updating
or connection set-up) and always before ciphering
starts.
See Security in GSM for
more details
38
Integrity
Data integrity: The property that data has not been altered
in an unauthorised manner.
• “Man-in-the-middle” security attack, e.g. false BS
• Data integrity checking is not done in GSM
• In UMTS, signalling messages are appended with a
32 bit security field (MAC-I) at the terminal or RNC
before transmission and checked at the receiving end
• In UMTS, also volume of user data (not the user data
itself) is integrity protected
39
Signalling integrity protection in UMTS
Both in
terminal
and RNC
Algorithm f 9
Signalling message MAC-I
MAC-I generation
UE
MAC-I checking
Integrity Key (IK)
and other
keys/parameters
MAC-I checking
RNC
MAC-I generation
Confidentiality
Confidentiality: The property that information is not
made available to unauthorised individuals, entities or
processes.
Example 1: Ciphering (encryption) over the air interface
Example 2: Preventing unencrypted transmission of user
ID information such as IMSI number over the air interface
=> Temporary Mobile Subscriber Identity (TMSI) is
generated (at the end of each MM or CM transaction) and
is used at the beginning of the next transaction instead of
IMSI.
Example 1: ciphering (encryption)
GSM
MS
BTS
BSC
Core Network
GPR
SMS
BTS
BSC
SGSN
Signalling integrity protection
UMT
S UE
BS
Air interface
RNC
Core Network
Both CS and PS information
Network domain security
Circuit switched network => quite good
IP-based network (Internet) => rather poor at present
(security mechanisms are developed by IETF, 3GPP...)
Some security threats in IP-based network:
Confidentiality
Sniffing (electronic eavesdropping)
Integrity
Spoofing, session hijacking
Denial of service (DoS), ”spamming”
WCDMA: More Information?
 http://www.3gpp.org
 21.101  guide to all other documents
 25.XXX series  radio access network (RAN)
 25.211  frame structure etc.
 25.212  channel coding etc.
 25.213  spreading and modulation
 25.214  physical layer procedures (tx diversity, etc.)
 25.321  medium access control (MAC)
 25.322  radio link control (RLC)
 26.XXX series  voice coding
44