Netmanias.2012.09.03 [en] emm_procedure_1._initial_attach_(part_1) Presentation Transcript

  • Netmanias Technical Document: Initial Attach for Unknown UE (Part 1)
    Case of Initial Attach
    August 27, 2012 (Last Updated: September 3, 2012)
    NMC Consulting Group
    www.netmanias.com www.nmcgroups.com
    About NMC Consulting Group: NMC Consulting Group was founded in 2002 and is an advanced, professional network consulting company specializing in the IP network area (FTTH, Metro Ethernet and IP/MPLS), the service area (IPTV, IMS and CDN) and the wireless network area (Mobile WiMAX, LTE and Wi-Fi).
    Copyright © 2002-2012 NMC Consulting Group. All rights reserved.
  • Preliminary: Criteria for Classification of Initial Attach
    Operation Steps for Initial Attach
    § Step 1, UE ID Acquisition: The network needs a UE ID (IMSI or GUTI) to identify and authenticate the subscriber.
      • The IMSI is acquired from the UE; the GUTI is acquired from the UE or the old MME.
      Mandatory.
    § Step 2, Authentication: Once an IMSI has been acquired, the EPS-AKA procedure is performed to authenticate the user [1].
      • The HSS creates authentication vector(s) and delivers the AV(s) to the MME.
      • The MME, on behalf of the HSS, performs mutual authentication with the UE.
      Mandatory:
      • If the UE ID is an IMSI
      • If the UE ID is an Old GUTI and the integrity check fails
    § Step 3, NAS Security Setup: The UE and the MME derive NAS Security Keys (KNASint, KNASenc) to safely deliver NAS messages [2].
    § Step 4, Location Update: The HSS updates the MME at which the user is registered, and the MME downloads the user's subscription information from the HSS.
      Mandatory:
      • If the MME has changed since the last detach
      • If the MME has no valid subscription context
      • If the UE provides an IMSI
      • If the MME has no valid UE context
    § Step 5, EPS Session Establishment: An EPS Session and a Default EPS Bearer are established.
      Mandatory.
    Criteria for Classification of Initial Attach
    (i) UE: With which UE ID? IMSI or Old GUTI.
    (ii) UE: To which MME? New MME = Old MME or New MME ≠ Old MME.
    (iii) Network (MMEs): Does a UE Context exist anywhere in the network (MMEs)? Yes (Known UE from the MME viewpoint) or No (Unknown UE from the MME viewpoint).
    [Figure: a detached UE sends an Attach Request (UE ID) toward the network. Labels: Old MME (the MME from which the UE last detached), New MME (the MME to which the UE is trying to attach since the last detach), MME1, MME2, HSS, "UE Context?" at each MME.]
  • Case of Initial Attach: Unknown UE (1/2)
    [Figure: message flows for an Unknown UE (MME viewpoint). Attach Case 1: attach with IMSI, Unknown UE (IMSI). Attach Case 2: attach with GUTI, MME unchanged (New MME = Old MME), Unknown UE (Old GUTI). Attach Case 3: attach with GUTI, MME changed (New MME ≠ Old MME), Unknown UE (Old GUTI). Messages shown: Attach Request (IMSI, or Old GUTI with KSIASME, NAS-MAC and NAS seq. no), Identification Request (Old GUTI, complete Attach Request message), Identification Response (error cause), Identity Request, Identity Response (IMSI). In each case the MME performs Authentication (IMSI), NAS Security Setup and Location Update (IMSI, New MME).]
  • Case of Initial Attach: Unknown UE (2/2)
    Unknown UE: No UE Context Exists Anywhere in Network (MMEs)
    § Attach Case 1: UE with IMSI
      1) The UE sends an Attach Request message to an MME, identifying itself with its IMSI (UE ID = IMSI). The message is not integrity protected.
      2) The MME has acquired the IMSI, so it performs Authentication and NAS Security Setup.
      3) The MME performs a location update with the HSS, i.e. the MME informs the HSS of the registration of the UE and downloads the user's subscription information from the HSS.
    § Attach Case 2: UE with GUTI, MME Unchanged (New MME = Old MME)
      1) The UE sends an Attach Request message to an MME, identifying itself with the Old GUTI (UE ID = Old GUTI). The message is integrity protected using the NAS integrity key, KNASint (i.e. with NAS-MAC).
      2) The MME (New MME) checks the Old GUTI, which includes an MME ID, and recognizes that the Old GUTI was allocated by itself (Old MME). But the MME fails to find the UE Context of the Old GUTI.
      3) The MME sends an Identity Request message to the UE to request the IMSI.
      4) The UE sends its IMSI to the MME by responding with an Identity Response (IMSI) message.
      5) The MME now performs Authentication, NAS Security Setup and Location Update as in steps 2) and 3) of Attach Case 1.
    § Attach Case 3: UE with GUTI, MME Changed (New MME ≠ Old MME)
      1) The UE sends an Attach Request message to an MME, identifying itself with the Old GUTI (UE ID = Old GUTI). The message is integrity protected using the NAS integrity key, KNASint (i.e. with NAS-MAC).
      2) The MME (New MME) recognizes that the Old GUTI was allocated by another MME (Old MME).
      3) The New MME requests the UE Context from the Old MME by sending an Identification Request (Old GUTI, complete Attach Request message) message.
      4) The Old MME fails to find the UE Context of the Old GUTI.
      5) The Old MME notifies the New MME that there is no UE Context by sending an Identification Response (error cause) message.
      6) The New MME gets the IMSI of the UE by sending an Identity Request message to the UE, and then performs Authentication, NAS Security Setup and Location Update as in steps 3) to 5) of Attach Case 2.
  • Case of Initial Attach: Known UE (1/2)
    [Figure: message flows for a Known UE (MME viewpoint), attach with GUTI. The Attach Request in each flow carries Old GUTI, KSIASME, NAS-MAC and NAS seq. no; the stored UE Context is shown as IMSI, Old GUTI, KASME, KSIASME, UE-AMBR, ... Attach Case 4: MME unchanged (New MME = Old MME), Known UE (Old GUTI); in case of NAS Integrity Check Failure, the MME performs Authentication (IMSI) and NAS Security Setup. Attach Case 5: MME changed (New MME ≠ Old MME), Known UE (Old GUTI), UE Context held by the Old MME. i) Case of NAS Integrity Check Failure: Identification Request (Old GUTI, complete Attach Request message), Identification Response (error cause), Identity Request, Identity Response (IMSI); the MME performs Authentication (IMSI), NAS Security Setup and Location Update (IMSI, New MME). ii) Case of NAS Integrity Check Success: Identification Request (Old GUTI, complete Attach Request message), Identification Response (IMSI, UE MM Context); the MME performs Location Update (IMSI, New MME).]
  • Case of Initial Attach: Known UE (2/2)
    Known UE: UE Context Exists Anywhere in Network (MMEs)
    § Attach Case 4: UE with GUTI, MME Unchanged (New MME = Old MME)
      1) The UE sends an Attach Request message to an MME, identifying itself with the Old GUTI (UE ID = Old GUTI). The message is integrity protected using the NAS integrity key, KNASint (i.e. with NAS-MAC).
      2) The MME (New MME) checks the Old GUTI, which includes an MME ID, and recognizes that the Old GUTI was allocated by itself (Old MME). The MME finds the UE Context (IMSI, Old GUTI, NAS Security Context, UE-AMBR) of the Old GUTI.
      3) The MME verifies the integrity of the Attach Request message using the NAS-MAC.
        i) If the integrity verification fails, the MME should perform Authentication and NAS Security Setup.
        ii) If the integrity verification succeeds, the MME can omit Authentication and NAS Security Setup.
    § Attach Case 5: UE with GUTI, MME Changed (New MME ≠ Old MME)
      1) The UE sends an Attach Request message to an MME, identifying itself with the Old GUTI (UE ID = Old GUTI). The message is integrity protected using the NAS integrity key, KNASint (i.e. with NAS-MAC).
      2) The MME (New MME) recognizes that the Old GUTI was allocated by another MME (Old MME).
      3) The New MME requests the UE Context from the Old MME by sending an Identification Request (Old GUTI, complete Attach Request) message.
      4) The Old MME finds the UE Context (IMSI, Old GUTI, NAS Security Context, UE-AMBR) of the Old GUTI.
      5) The Old MME verifies the integrity of the received Attach Request message using the NAS-MAC.
      6) The Old MME transfers the result of the integrity verification to the New MME by sending an Identification Response message.
        i) If the integrity check fails, the Old MME responds with an error cause.
        ii) If the integrity check succeeds, the Old MME responds with the UE Context (IMSI, Old GUTI, NAS Security Context, UE-AMBR).
  • Simplified Call Flows of Initial Attach Cases (1/3)
    [Figure: summary table of Attach Cases 1 to 5. Columns: Attach with IMSI (Attach Case 1, Unknown UE); Attach with GUTI, Unknown UE (Attach Case 2, MME unchanged; Attach Case 3, MME changed); Attach with GUTI, Known UE (Attach Case 4, MME unchanged; Attach Case 5, MME changed). Rows: UE ID Acquisition, Authentication, NAS Security Setup, Location Update, EPS Session Establishment. Cell entries recoverable from the transcript: Attach Request (IMSI), Attach Request (GUTI), Identification Request to Old MME (GUTI), Identity Request to UE (IMSI), Authentication (IMSI), NAS Security Setup, Location Update (New MME), Location Update (New MME) & Cancel Location (Old MME), EPS Session Establishment. The per-case message flow diagrams of the preceding slides are repeated beside the table.]
  • Simplified Call Flows of Initial Attach Cases (2/3)
    Initial Attach with IMSI
    § Attach Case 1: Unknown UE
      The UE sends an Attach Request (IMSI) message to an MME.
      1) The MME acquires the IMSI from the UE (Attach Request message).
      2) Then the MME performs Authentication, NAS Security Setup, Location Update and EPS Session/Default EPS Bearer Establishment.
      Procedure for UE ID Acquisition, by EPS entity:
        [UE → MME] Attach Request (IMSI)
    Initial Attach with GUTI
    § Attach Case 2: Unknown UE, MME Unchanged
      The UE sends an Attach Request (Old GUTI) message to an MME. The MME does not have the GUTI, so it requests the IMSI from the UE.
      1) The MME acquires the IMSI from the UE (Identity Response message).
      2) Then the MME performs Authentication, NAS Security Setup, Location Update and EPS Session/Default EPS Bearer Establishment.
      Procedure for UE ID Acquisition, by EPS entity:
        [UE → MME] Attach Request (Old GUTI)
        [MME] No UE Context
        [UE ← MME] Identity Request (UE ID = IMSI)
        [UE → MME] Identity Response (IMSI)
    § Attach Case 3: Unknown UE, MME Changed
      The UE sends an Attach Request (Old GUTI) message to an MME. The MME (New MME) did not allocate the GUTI; it requests the UE Context from the Old MME but fails, so it requests the IMSI from the UE.
      1) The MME acquires the IMSI from the UE (Identity Response message).
      2) Then the MME performs Authentication, NAS Security Setup, Location Update and EPS Session/Default EPS Bearer Establishment.
      Procedure for UE ID Acquisition, by EPS entity:
        [UE → New MME] Attach Request (Old GUTI)
        [New MME → Old MME] Identification Request (Old GUTI)
        [Old MME] No UE Context
        [New MME ← Old MME] Identification Response (error cause)
        [UE ← New MME] Identity Request (UE ID = IMSI)
        [UE → New MME] Identity Response (IMSI)
  • Simplified Call Flows of Initial Attach Cases (3/3)
    § Attach Case 4: Known UE, MME Unchanged
      The UE sends an Attach Request (Old GUTI) message to an MME. The MME has the GUTI and the UE Context.
      1) The MME acquires a valid Old GUTI and UE Context from the UE (Attach Request message).
      2) Then the MME performs EPS Session/Default EPS Bearer Establishment.
      Procedure for UE ID Acquisition, by EPS entity:
        [UE → MME] Attach Request (Old GUTI)
        [MME] UE Context (IMSI, Old GUTI, NAS Security Context, UE-AMBR)
    § Attach Case 5: Known UE, MME Changed
      The UE sends an Attach Request (Old GUTI) message to an MME. The MME (New MME) did not allocate the GUTI; it requests the UE Context from the Old MME and receives it.
      1) The MME acquires a valid Old GUTI from the Old MME (Identification Response message).
      2) Then the MME performs Location Update and EPS Session/Default EPS Bearer Establishment.
      Procedure for UE ID Acquisition, by EPS entity:
        [UE → New MME] Attach Request (Old GUTI)
        [New MME → Old MME] Identification Request (Old GUTI)
        [Old MME] UE Context (IMSI, Old GUTI, NAS Security Context, UE-AMBR)
        [New MME ← Old MME] Identification Response (UE Context)
  • References and Abbreviations
    References
    [1] Netmanias Technical Document, “LTE Security I: LTE Security Concept and LTE Authentication”, August 2012, http://www.netmanias.com/bbs/zboard.php?id=1x_TechdocsForum_4G
    [2] Netmanias Technical Document, “LTE Security II: NAS and AS Security LTE Security Concept and LTE Authentication”, August 2012, http://www.netmanias.com/bbs/zboard.php?id=1x_TechdocsForum_4G
    [3] 3GPP TS 23.401, “GPRS Enhancements for E-UTRAN Access”.
    [4] NMC Consulting Group Report, “E2E LTE Network Design”, August 2010.
    Abbreviations
    AKA: Authentication and Key Agreement
    ASME: Access Security Management Entity
    AV: Authentication Vector
    EPS: Evolved Packet System
    GUTI: Globally Unique Temporary Identifier
    HSS: Home Subscriber Server
    IMSI: International Mobile Subscriber Identity
    LTE: Long Term Evolution
    MME: Mobility Management Entity
    NAS: Non Access Stratum
    NAS-MAC: Message Authentication Code for NAS for Integrity
    UE: User Equipment
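
The decision the slides describe for Attach Cases 1 to 5, written out as an added example (not code from Netmanias or from any MME implementation): given the UE ID in the Attach Request, the MME that allocated the Old GUTI, and the outcome of the NAS-MAC check, it returns the attach case and the procedures the MME still has to run. Assumptions: the MME IDs, GUTI strings, IMSIs and key are constructed sample values, the UE Context store is a plain dict, and HMAC-SHA256 truncated to 32 bits stands in for the NAS integrity algorithm, which the slides do not name.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

SELF_MME = "MME2"  # hypothetical ID of the MME that receives the Attach Request (New MME)
AUTH = ["Authentication", "NAS Security Setup"]
LOC, SESSION, IDENTITY = "Location Update", "EPS Session Establishment", "Identity Request"

@dataclass
class AttachRequest:
    body: bytes                      # constructed stand-in for the encoded NAS message
    imsi: Optional[str] = None       # set when UE ID = IMSI (Attach Case 1)
    guti_mme: Optional[str] = None   # MME ID carried inside the Old GUTI
    guti: Optional[str] = None       # Old GUTI value
    nas_mac: bytes = b""             # empty when the message is not integrity protected

def compute_mac(k_nas_int: bytes, body: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to 32 bits replaces the real NAS integrity algorithm.
    return hmac.new(k_nas_int, body, hashlib.sha256).digest()[:4]

def handle_attach(req: AttachRequest, contexts: dict) -> tuple:
    """contexts: MME ID -> {Old GUTI: (IMSI, K_NASint)}. Returns (case, integrity_ok, steps)."""
    if req.imsi is not None:                        # Case 1: IMSI supplied directly
        return 1, None, AUTH + [LOC, SESSION]
    changed = req.guti_mme != SELF_MME              # was the Old GUTI allocated by another MME?
    ctx = contexts.get(req.guti_mme, {}).get(req.guti)  # lookup at the allocating (Old) MME
    if ctx is None:                                 # Cases 2 and 3: no UE Context anywhere
        return (3 if changed else 2), None, [IDENTITY] + AUTH + [LOC, SESSION]
    # Known UE: the MME holding the context verifies the NAS-MAC (constant-time compare).
    ok = hmac.compare_digest(compute_mac(ctx[1], req.body), req.nas_mac)
    if changed:                                     # Case 5: the Old MME reports the result
        return 5, ok, ([LOC] if ok else [IDENTITY] + AUTH + [LOC]) + [SESSION]
    return 4, ok, ([] if ok else AUTH) + [SESSION]  # Case 4: context held locally

# Constructed sample data: test IMSIs and an all-zero key, not taken from the slides.
KEY = bytes(16)
CONTEXTS = {"MME1": {"guti-A": ("001010000000001", KEY)},
            "MME2": {"guti-B": ("001010000000002", KEY)}}

if __name__ == "__main__":
    body = b"attach-request"
    for r in (AttachRequest(body, imsi="001010000000003"),
              AttachRequest(body, guti_mme="MME2", guti="guti-B", nas_mac=compute_mac(KEY, body)),
              AttachRequest(body, guti_mme="MME1", guti="guti-A", nas_mac=b"\x00" * 4)):
        print(handle_attach(r, CONTEXTS))
```

Authentication and NAS Security Setup are skipped only on the branch where a stored UE Context exists and the NAS-MAC verifies against its key; every other path falls back to the IMSI and a full EPS-AKA run.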