LTE Signaling Analysis
Objectives
Understanding LTE interfaces and protocols
Understanding RRC protocol states, the concept of bearers, and common signaling of the SM and MM protocols
Understanding the components of broadcast messages and signaling analysis of SIBs
Understanding RRC layer signaling and signaling analysis of the RRC connection establishment flow, RRC connection reestablishment flow, RRC connection reconfiguration flow, and RRC connection release flow
Understanding signaling analysis of common Attach, Detach, Service Request, and bearer establishment flows
Contents
LTE Interfaces and Protocols
Broadcast Message Analysis
RRC Signaling Analysis
Common Signaling Flows and Analysis
© ZTE Corporation. All rights reserved
LTE Protocol Stack Structure
The eNodeB is the only NE on the LTE wireless side. The core network (EPC)
control plane and user plane are divided into two NEs: the MME and SGW. The
protocol interfaces supported by the eNodeB include the control plane and user
plane of the Uu, S1, and X2 interfaces.
[Figure: LTE protocol stack structure across the UE, eNB, MME and SGW, with the signaling flow and the data flow marked. Protocol layers shown: APP, NAS, RRC, PDCP, RLC, MAC, PHY, S1AP, X2AP, SCTP, GTPU, UDP, IP.]
E-UTRAN: Control Plane Protocol Stack
[Figure: control plane protocol stacks of the UE, eNodeB, MME/eNodeB and PDN/S-GW over the LTE-Uu and S1-MME/X2-C interfaces. Protocol layers and the 3GPP specifications labelled in the figure:]
NAS: 24.301
RRC: 36.331
PDCP: 36.323
RLC: 36.322
MAC: 36.321
PHY: 36.211~36.214
S1AP: 36.413
X2AP: 36.423
S1/X2 signaling transport (SCTP over IP, L2, L1): 36.412, 36.422
GTP-C (over UDP/IP, L2, L1, toward the PDN/S-GW): 29.274
RRC Protocol Functions
RRC protocol functions can be divided into three categories:
Providing connection management and messaging for the NAS layer
Sends paging and system information
Establishes, modifies, and releases RRC connection and radio data bearer
Transfers NAS messages between the UE and NAS
Providing parameter configurations for the lower-layer protocol entities
Radio configuration control (physical layer and L2 configurations)
Common cell parameters and user-specific parameters
QoS management (such as semi-persistent scheduling and rate control configurations)
Providing measurement and control related to UE mobility management
IDLE status: cell selection and reselection
CONNECTED status: handover
RRC Status Transition
RRC_IDLE status
Broadcast messages are sent.
Power is saved through Discontinuous Reception (DRX) (related to the paging cycle).
Mobility control is dominated by the UE.
The UE monitors a paging channel, performs cell selection and cell reselection, and
obtains system information.
Neighboring cell measurement is performed.
RRC_CONNECTED status
Broadcast messages are sent, and unicast data is sent and received.
Power is saved by configuring DRX (related to service activity).
Mobility control is dominated by the network.
The UE monitors and shares control channel related to channel allocation, provides
channel quality and feedback information, performs neighboring cell
measurements, and obtains system information.
LTE Bearers
The Signaling Radio Bearer carries air interface RRC and NAS signaling.
The S1 Bearer carries the S1-AP signaling between the eNB and MME.
NAS messages can also be sent as NAS PDU in RRC messages.
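[Figure: LTE bearer architecture across the UE, eNB, S-GW, P-GW and peer entity. The end-to-end service consists of an EPS bearer (UE to P-GW) and an external bearer (P-GW to the peer entity on the Internet, over Gi). The EPS bearer consists of an E-RAB and an S5/S8 bearer. The E-RAB consists of a radio bearer (UE to eNB, over the radio interface) and an S1 bearer (eNB to S-GW, over S1). The UE and eNB belong to the E-UTRAN; the S-GW and P-GW belong to the EPC.]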
Radio Bearer Classification
Bearer content
The data bearer is DRB, carried by the PDSCH assigned by the eNB.
Signaling is carried by SRB. Three types of SRBs exist in the LTE network:
SRB0: carries RRC messages, mapped to the CCCH channel
SRB1: carries RRC messages or NAS messages, mapped to the DCCH channel
SRB2: carries NAS messages, mapped to the DCCH channel
Before the UE's RRC connection is established, RRC signaling is carried by SRB0. Before SRB2 is established, NAS signaling is carried by SRB1.
Bearer methods of NAS messages
Thanks to increased bandwidth and enhanced data transfer performance, the data carrying capacity of LTE RRC messages has been significantly improved. Therefore, all LTE NAS messages can be carried and transmitted in RRC messages, further simplifying the signaling process.
NAS messages are transmitted through the following four RRC messages:
ULInformationTransfer and DLInformationTransfer (carried by SRB2 or SRB1 before SRB2 is established)
RRCConnectionSetupComplete and RRCConnectionReconfiguration (carried by SRB1)
RRCConnectionSetupComplete (carries only the initial direct transfer message of NAS messages)
RRC Signaling Messages
RRC signaling involves the following messages:
System broadcast message
Paging message
RRC connection message (request, establishment, and release)
RRC connection reestablishment message
RRC connection reconfiguration message
Inter-system mobility management message
Measurement message
Refer to the 3GPP 36.331 protocol.
NAS EPS MM Signaling Messages
3GPP 24.301
Common procedures
5.4.1 GUTI reallocation procedure
5.4.2 Authentication procedure
5.4.3 Security mode control procedure
5.4.4 Identification procedure
5.4.5 EMM information procedure
Specific procedures
5.5.1 Attach procedure
5.5.1.2 Attach procedure for EPS services
5.5.1.3 Combined attach procedure for EPS services and non-EPS services
5.5.2 Detach procedure
5.5.2.2 UE initiated detach procedure
5.5.2.3 Network initiated detach procedure
5.5.3 Tracking area updating procedure
5.5.3.2 Normal and periodic tracking area updating procedure
5.5.3.3 Combined tracking area updating procedure
Connection management (ECM) procedures
5.6.1 Service request procedure
5.6.2 Paging procedure
5.6.3 Transport of NAS messages procedure
5.6.4 Generic transport of NAS messages procedure
NAS EPS SM Signaling Messages
3GPP 24.301
Network initiated ESM procedures (procedures related to EPS bearer contexts)
6.4.1 Default EPS bearer context activation procedure
6.4.2 Dedicated EPS bearer context activation procedure
6.4.3 EPS bearer context modification procedure
6.4.4 EPS bearer context deactivation procedure
UE requested ESM procedures (transaction related procedures)
6.5.1 UE requested PDN connectivity procedure
6.5.2 UE requested PDN disconnect procedure
6.5.3 UE requested bearer resource allocation procedure
6.5.4 UE requested bearer resource modification procedure
Miscellaneous procedures
6.6.1.2 ESM information request procedure
6.6.1.3 Exchange of protocol configuration options in other messages
6.6.2 Notification procedure
System Broadcast Message
The UE in either idle or connected status needs to receive system messages. The UE needs to receive broadcast messages in the following cases:
The UE selects or reselects to a cell.
Handover completes.
The UE enters the E-UTRAN from other systems.
The UE returns to the coverage area from outside.
The UE receives system message change instructions.
The UE receives ETWS or CMAS notifications.
The maximum validity period is exceeded.
[Figure labels: Connected to a new cell; System message changes]
System Message Flow
System message acquisition and change
[Figure: acquisition: the E-UTRAN sends MasterInformationBlock, SystemInformationBlockType1 and SystemInformation to the UE. Change: the change notification is sent in BCCH modification period (n), and the updated information is sent in BCCH modification period (n+1).]
LTE System Message Components
A system broadcast message is divided into multiple System Information Blocks (SIBs), one of which is named the Master Information Block (MIB). The system broadcast information therefore consists of an MIB and several SIBs.
[Figure: System Information Broadcast Message, made up of the MIB, SIB 1, and SIB 2 to SIB 11.]
MIB and SIB1
The MIB scheduling period is 40 ms, and the MIB is sent repeatedly on the other frames of the period. In the time domain, the MIB is transmitted in slot 1 of subframe #0. In the frequency domain, the MIB occupies the six RBs in the middle.
The SIB1 scheduling period is 80 ms, and SIB1 is sent repeatedly on frames where SFN % 2 = 0. In the time domain, SIB1 is transmitted in subframe #5.
[Figure: MIB timing over radio frames 4N, 4N+1, 4N+2, 4N+3, 4(N+1), ...: an initial scheduled transmission in the first frame of each period followed by three repeated transmissions, in slot 1 of subframe #0. SIB1 timing over radio frames 8N to 8N+7: an initial scheduled transmission followed by repeated transmissions, in subframe #5.]
SIBn
Other SIBs (except the MIB and SIB1) should be mapped to SIs before they are sent.
The System Information (SI) can be seen as a group consisting of multiple SIBs, which are mapped to an SI for unified scheduling.
The scheduling period of each SI can be configured dynamically, with Tn = 2^n * 4. SIBn messages are therefore scheduled as follows:
SIB1: 80 ms
SIB2: 160 ms
SIB3: 320 ms
SIB4/5: 640 ms
SIB6/7/8: 1280 ms
MIB Message Analysis
The MIB is sent through BCHs, carrying several important SI
parameters:
1. Downlink system bandwidth
2. PHICH configuration information
3. System frame number
SIB1 Message Analysis
The SIB1 contains other necessary information, and is sent through the DL-SCH. The SIB1 carries the information used to evaluate whether a UE is allowed to access a cell, and the scheduling information of other SIs.
• Cell access information
• Cell selection information
• SIB scheduling information
• TDD parameter configuration
• SI window length
• ValueTag
SIB1 Signaling Analysis
SIBn Message Components
SIB2: Radio cell configuration, and other basic configurations
SIB3: Cell reselection information, mainly about the serving cell
SIB4: Intra-frequency neighboring cell list, whitelist/blacklist
SIB5: Inter-frequency neighboring cell list
SIB6: UTRAN neighboring cell list (W+TD)
SIB7: GSM neighboring cell list
SIB8: CDMA2000 neighboring cell list
SIB9: Home eNB identifier
SIB10: ETWS notification
SIB11: ETWS information, voice, and images
SIB2 Signaling Analysis
The SIB2 message contains the configuration information of barring parameters
related to cell selection and access, common parameters related to radio
resources, physical channels, uplink power control, and timers and counters on
the UE side.
• Barring parameters
• Public radio resource configuration parameters
• BCCH channel configuration
• PCCH channel configuration information
• Paging nB configuration information
• PRACH configuration information
• PDSCH channel configuration information
• PUSCH configuration information
• PUCCH channel configuration
• Uplink power control configuration information
• Timers and counters on the UE side
SIB2 Message Analysis
RRC Connection Establishment
Cause for triggering
This process is initiated when the UE transits from idle to connected status, such as
calling, responding to paging, TAU, and Attach, with the purpose of establishing SRB1.
RRC connection establishment succeeded
RRC connection request: The UE sends the request on SRB0 through the UL_CCCH,
carrying the initial NAS identifier and establishment reasons. This message corresponds
to Msg3 in the random access process.
RRC connection establishment: The eNB sends this message on SRB0 through the
DL_CCCH, carrying complete SRB1 configuration information. This message corresponds
to Msg4 in the random access process.
RRC connection establishment completion: The UE sends this message on SRB1 through
the UL-DCCH, carrying uplink NAS messages such as the Attach Request, TAU Request,
Service Request, and Detach Request. The eNB establishes the S1 interface according to
these messages.
RRC connection establishment failed
If the eNB refuses to establish an RRC connection for the UE, it returns an RRC connection rejection message on SRB0 through the DL_CCCH.
RRC Connection Establishment Flow
[Figure: Succeeded: the UE sends RRCConnectionRequest, the EUTRAN returns RRCConnectionSetup, and the UE sends RRCConnectionSetupComplete. Failed: the UE sends RRCConnectionRequest and the EUTRAN returns RRCConnectionReject.]
RRC Connection Request Analysis
The RRC Connection Request message contains ue_Identity and
establishmentCause.
The options for ue_Identity include s-TMSI and randomValue. If a valid S-TMSI exists on the UE side, select S-TMSI. Otherwise, select randomValue.
The options for establishmentCause
include:
emergency
highPriorityAccess
mt-Access
mo-Signalling
mo-Data
RRC Connection Setup Analysis
rrc_TransactionIdentifier
identifies the RRC signaling
sending and receiving processes.
Value range: 0–3.
The dedicated resource configurations carried by radioResourceConfigDedicated are used to establish SRB1.
RRC Connection Setup Analysis
RRC Connection Setup is used to
establish SRB1, and therefore
should carry srb_ToAddModList.
The srb_Identity has two options: 1
indicates SRB1, and 2 indicates
SRB2.
PhysicalConfigDedicated includes
pdsch, pucch, pusch,
uplinkPowerControlDedicated,
tpc_PDCCH_ConfigPUCCH,
tpc_PDCCH_ConfigPUSCH,
cqi_ReportConfig,
soundingRS_UL_ConfigDedicated,
antennaInfo,
schedulingRequestConfig, and
other dedicated configurations.
RRC Connection Setup Analysis
P_a: downlink power allocation parameter.
tddAckNackFeedbackMode: This
parameter indicates the TDD
ACK/NACK feedback mode.
Options: bundling and
multiplexing.
transmissionMode { tm1, tm2,
tm3, tm4, tm5, tm6, tm7, tm8}:
indicates the transmission mode.
For example, tm1 indicates
transmission mode 1, and tm2
indicates transmission mode 2.
RRC Connection Setup Complete Message Analysis
The rrc_TransactionIdentifier field
is the same as that in RRC
Connection Setup.
SelectedPLMN_Identity is the index
of plmn-IdentityList in SIB1
broadcast messages. If
SelectedPLMN_Identity is set to 1,
it indicates the first one in the
plmn-IdentityList of SIB1.
RegisterMME indicates the MME
to which the UE has registered.
The NAS message carried by
dedicatedInfoNAS includes
ATTACH REQUEST, TAU REQUEST,
and SERVICE REQUEST messages.
RRC Connection Reject Message Analysis
WaitTime, in seconds, indicates how long the UE waits before reinitiating access after the connection is rejected.
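The rules given above for RRC connection establishment (which SRB and logical channel each message uses, the ue_Identity and establishmentCause options, the 0-3 transaction identifier that SetupComplete must echo, and SRB1 being added by srb_ToAddModList) can be checked mechanically over a decoded signaling trace. The following is an added example, not part of the original slides; the dictionary layout of a decoded message, the function name check_establishment and the sample traces are assumptions constructed for illustration.

```python
"""Check a decoded RRC connection establishment trace against the slide rules."""

ESTABLISHMENT_CAUSES = {"emergency", "highPriorityAccess", "mt-Access",
                        "mo-Signalling", "mo-Data"}
UE_IDENTITY_CHOICES = {"s-TMSI", "randomValue"}
NAS_IN_SETUP_COMPLETE = {"ATTACH REQUEST", "TAU REQUEST",
                         "SERVICE REQUEST", "DETACH REQUEST"}

# message: (bearer, logical channel, state it is valid in, state it leads to)
RULES = {
    "RRCConnectionRequest":       ("SRB0", "UL-CCCH", "IDLE", "REQUESTED"),
    "RRCConnectionSetup":         ("SRB0", "DL-CCCH", "REQUESTED", "SETUP"),
    "RRCConnectionReject":        ("SRB0", "DL-CCCH", "REQUESTED", "REJECTED"),
    "RRCConnectionSetupComplete": ("SRB1", "UL-DCCH", "SETUP", "CONNECTED"),
}


def check_establishment(trace):
    """Return (final_state, findings) for one UE's establishment attempt."""
    state, setup_txid, findings = "IDLE", None, []
    for n, m in enumerate(trace, 1):
        name = m["msg"]
        if name not in RULES:
            findings.append(f"#{n} {name}: not an establishment message")
            continue
        srb, channel, valid_in, next_state = RULES[name]
        # The slides write channel names with both "_" and "-"; normalise.
        got_channel = m["channel"].replace("_", "-")
        if (m["srb"], got_channel) != (srb, channel):
            findings.append(f"#{n} {name}: sent on {m['srb']}/{got_channel}, "
                            f"expected {srb}/{channel}")
        if state != valid_in:
            findings.append(f"#{n} {name}: unexpected in state {state}")

        if name == "RRCConnectionRequest":
            identity = set(m.get("ue_Identity", {}))
            if len(identity) != 1 or not identity <= UE_IDENTITY_CHOICES:
                findings.append(f"#{n} {name}: ue_Identity must be exactly "
                                "one of s-TMSI or randomValue")
            if m.get("establishmentCause") not in ESTABLISHMENT_CAUSES:
                findings.append(f"#{n} {name}: unknown establishmentCause")
        elif name == "RRCConnectionSetup":
            setup_txid = m.get("rrc_TransactionIdentifier")
            if setup_txid not in range(4):
                findings.append(f"#{n} {name}: rrc_TransactionIdentifier "
                                "outside 0-3")
            added = [s.get("srb_Identity")
                     for s in m.get("srb_ToAddModList", [])]
            if 1 not in added:
                findings.append(f"#{n} {name}: srb_ToAddModList does not "
                                "add SRB1")
        elif name == "RRCConnectionSetupComplete":
            if m.get("rrc_TransactionIdentifier") != setup_txid:
                findings.append(f"#{n} {name}: rrc_TransactionIdentifier "
                                "differs from RRCConnectionSetup")
            if m.get("dedicatedInfoNAS") not in NAS_IN_SETUP_COMPLETE:
                findings.append(f"#{n} {name}: unexpected NAS message")
        state = next_state
    return state, findings


# Constructed sample traces (not captured from a real network).
REQUEST = {"msg": "RRCConnectionRequest", "srb": "SRB0", "channel": "UL_CCCH",
           "ue_Identity": {"randomValue": "0x1a2b3c4d5e"},
           "establishmentCause": "mo-Signalling"}
GOOD_TRACE = [
    REQUEST,
    {"msg": "RRCConnectionSetup", "srb": "SRB0", "channel": "DL_CCCH",
     "rrc_TransactionIdentifier": 1, "srb_ToAddModList": [{"srb_Identity": 1}]},
    {"msg": "RRCConnectionSetupComplete", "srb": "SRB1", "channel": "UL-DCCH",
     "rrc_TransactionIdentifier": 1, "dedicatedInfoNAS": "ATTACH REQUEST"},
]
BAD_TRACE = [
    REQUEST,
    {"msg": "RRCConnectionSetup", "srb": "SRB0", "channel": "DL_CCCH",
     "rrc_TransactionIdentifier": 2, "srb_ToAddModList": [{"srb_Identity": 2}]},
    {"msg": "RRCConnectionSetupComplete", "srb": "SRB0", "channel": "UL_CCCH",
     "rrc_TransactionIdentifier": 3, "dedicatedInfoNAS": "ATTACH REQUEST"},
]
REJECTED_TRACE = [
    REQUEST,
    {"msg": "RRCConnectionReject", "srb": "SRB0", "channel": "DL_CCCH",
     "waitTime": 5},
]

if __name__ == "__main__":
    for label, trace in (("good", GOOD_TRACE), ("bad", BAD_TRACE),
                         ("rejected", REJECTED_TRACE)):
        final_state, notes = check_establishment(trace)
        print(label, final_state)
        for note in notes:
            print("   ", note)
```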
RRC Connection Reestablishment
Cause for triggering
In the RRC connected status, this process is triggered if handover failure, radio link failure, integrity protection failure, or RRC reconfiguration failure occurs.
RRC connection reestablishment succeeded
RRC connection reestablishment request: The UE sends the request on SRB0 through the UL_CCCH, carrying the initial AS-layer identifier and establishment reasons. This message corresponds to Msg3 in the random access process.
RRC connection reestablishment: The eNB sends this message on SRB0 through the DL_CCCH, carrying complete SRB1 configuration information. This message corresponds to Msg4 in the random access process.
RRC connection reestablishment completion: The UE sends this message on SRB1 through the UL-DCCH without carrying any practical information, but provides the function of RRC layer confirmation.
RRC connection reestablishment rejected
If the eNB does not provide context information of the UE, RRC connection establishment for the UE is rejected, and the eNB returns an RRC connection reestablishment rejection message on SRB0 through the DL_CCCH.
RRC Connection Reestablishment Flow
[Figure: Succeeded: the UE sends RRCConnectionReestablishmentRequest, the EUTRAN returns RRCConnectionReestablishment, and the UE sends RRCConnectionReestablishmentComplete. Failed: the UE sends RRCConnectionReestablishmentRequest and the EUTRAN returns RRCConnectionReestablishmentReject.]
RRC Connection Reestablishment Request Analysis
The RRC Connection reestablishment Request message contains
ReestabUe_Identity and ReestablishmentCause.
The options for ReestabUe_Identity include C-RNTI, PCI, and ShortMAC-I.
The options for ReestablishmentCause include:
reconfigurationFailure,
handoverFailure,
otherFailure
RRC Connection Reestablishment Analysis
Similar to the RRC Connection Setup messages, this message
contains the rrc_TransactionIdentifier and
radioResourceConfigDedicated.
NextHopChainingCount is used for updating KeNB. Value range:
0–7.
RRC Connection Reestablishment Complete and RRC Connection Reestablishment Reject Analysis
RRC connection reestablishment completion and the messages
carried by reestablishment rejection
RRC Connection Release
Cause for triggering
This process is triggered when the network releases RRC connection from the
UE.
RRC connection release
RRC connection release: The eNB sends this request on SRB1 through the
DL_DCCH, carrying the redirection information or dedicated priority
allocation information (for controlling UE cell selection and reselection).
In some cases, the RRC layer of the UE releases RRC connection as instructed
by the NAS layer without notifying the network side, and enters idle status.
For example, authentication check fails during the NAS layer authentication
process.
[Figure: the EUTRAN sends RRCConnectionRelease to the UE.]
RRC Connection Release Analysis
RedirectedCarrierInfo carries the
frequency point information for
redirecting to the E-UTRA, UTRA-FDD,
UTRA-TDD, and CDMA networks, and
the frequency point group information
for redirecting to the GSM network.
idleModeMobilityControlInfo carries
the frequency point priority
information for cell reselection. The
frequency point priority information
contained in this message is valid
before T320 expires.
releaseCause carries the causes for
release, including
loadBalancingTAUrequired and other.
RRC Connection Reconfiguration
Cause for triggering
This process is triggered when SRB and DRB management, low-level parameter
configuration, handover execution, and measurement control are initiated.
RRC connection reconfiguration
RRC connection reconfiguration: The eNB sends this message on SRB1 through
the DL_DCCH, carrying different configuration information depending on the
functions. A message may carry the information units for multiple functions.
RRC connection reconfiguration completion: The UE sends this message on SRB1
through the UL_DCCH without carrying any practical information, and provides the
function of RRC layer confirmation.
RRC connection reconfiguration exception
If the UE fails to execute the content carried in the RRC connection reconfiguration
message, the UE rolls back to the previous configuration, and initiates RRC
connection reestablishment.
RRC Signaling Message Simplification
[Figure: RRC signaling simplification. The following messages are merged into RRC Connection Reconfiguration:]
Radio Bearer Setup
Radio Bearer Release
Radio Bearer Reconfiguration
Transport Channel Reconfiguration
Transport Format Combination Control
Physical Channel Reconfiguration
Measurement Control
RRC Connection Reconfiguration Signaling Flow
[Figure: Succeeded: the EUTRAN sends RRCConnectionReconfiguration and the UE returns RRCConnectionReconfigurationComplete. Failed: the EUTRAN sends RRCConnectionReconfiguration and RRC connection re-establishment follows.]
RRC Connection Reconfiguration Analysis
RRC connection reconfiguration
contains the following
configuration items:
measConfig: measurement
configuration
mobilityControlInfo: mobility control
configuration
dedicatedInfoNASList: carries NAS
messages
radioResourceConfigDedicated:
dedicated radio resource
configuration
securityConfigHO: security
parameters configured during
handover (handover within the
E-UTRAN or to the E-UTRAN)
Different configuration items are carried in different cases.
Measurement Overview
In RRC_IDLE status, UE measurement parameters are obtained through E-UTRAN broadcast.
In RRC_CONNECTED status, the E-UTRAN sends the measurement configuration information to the UE through dedicated signaling, for example, carried in the RRCConnectionReconfiguration message.
Measurement types to be executed by the UE:
Intra-frequency measurement: measures the downlink frequency point of a neighboring cell, whose downlink frequency point is the same as that of the current serving cell.
Inter-frequency measurement: measures the downlink frequency point of the local cell or a neighboring cell, whose downlink frequency point is different from that of the current serving cell.
Inter-system measurement with the UTRA
Inter-system measurement with the GERAN
Inter-system measurement with the CDMA2000 HRPD or CDMA2000 1xRTT system
Measurement Configuration
A measurement configuration database is maintained on the UE side, where each measId corresponds to a measObjectId and a reportConfigId. measId is the index of the measurement configuration entries in the database. measObjectId is the measurement object ID, corresponding to a measurement object configuration item. reportConfigId is the measurement report ID, corresponding to a measurement report configuration item. In addition, common configuration items unrelated to measId are also included, such as quantityConfig (measurement quantity configuration) and s-Measure (serving cell quality threshold control).
Measurement objects:
For intra-frequency and inter-frequency measurement, the measurement object is a single E-UTRA carrier frequency.
For inter-RAT UTRA measurement, the measurement object is a cell set on a single UTRA carrier frequency.
For inter-RAT GERAN measurement, the measurement object is a GERAN carrier frequency set.
Measurement Configuration
Reporting configurations:
Reporting criteria: the criteria that trigger the UE to send a measurement report. They describe a single event or periodical reporting.
Reporting format: the quantities that the UE includes in the measurement report and related information (such as the number of cells to report).
mobilityControlInfo
The mobilityControlInfo field is
involved in handover rather than
initial access. It contains the
following parts:
targetphyscellid: target cell ID
carrierFreq: carrier frequency
carrierBandwidth: carrier bandwidth
T304 timer
newUE-Identity: new UE ID, C-RNTI
radioResourceConfigCommon: sets
the radio resource information of
some target cells
NAS and Security Configuration Information Carried in Reconfiguration
dedicatedInfoNASList
The NAS request response of InitialUeMessage is carried in the
reconfiguration message for the initial access process.
securityConfigHO
This field is included for handover rather than the initial access process.
Two options: intraLTE or interRAT.
Major Paging Flow
Initiated by the network to the UE in idle or connected status
Paging messages are sent to all cells with UE registration (in the TA List).
Triggered by the core network: The UE receives paging requests (called, data
push).
Triggered by the eNodeB: The system is notified of message updates, and the
UE is notified to receive ETWS and other information.
In an S1AP Interface message, the MME sends paging messages to
the eNB, with each message carrying the information of a paged UE.
The eNB reads the TA list from a paging message, and pages over the air
interface in the cells in the list.
If the UE has notified the MME of the DRX message through the
NAS, the MME notifies the eNB of the information through the
paging message.
When the air interface transmits the paging message, the eNB maps
the UE paging content on the same paging occasions to a paging
message.
The paging message is mapped to the logical PCCH, and sent
through the PDSCH according to UE DRX period.
Paging Message Analysis
The eNodeB sends paging messages to the terminal through the
Uu interface, carrying pagingRecordList, system information
updates, and ETWS notifications.
The pagingRecordList field indicates the number of paging
records, with a maximum value of 16. The UE identification
information carried can be IMSI or S-TMSI.
Security Mode
The main purpose of security mode is to activate AS security
after an RRC connection is established.
[Figure: Succeeded: the EUTRAN sends SecurityModeCommand and the UE returns SecurityModeComplete. Failed: the EUTRAN sends SecurityModeCommand and the UE returns SecurityModeFailure.]
Security Mode Signaling Analysis
This message is sent by the eNodeB to the
UE, and contains negotiated security
algorithms, including ciphering algorithms
and integrity protection algorithms.
cipheringAlgorithm = 0: ciphering algorithms (0: eea0; 1: eea1; 2: eea2)
integrityProtAlgorithm = 0: integrity protection algorithms (0: reserved; 1: eia1; 2: eia2)
Contents
LTE Interfaces and Protocols
Broadcast Message Analysis
RRC Signaling Analysis
Common Signaling Flows and Analysis
Attach and Detach Signaling Flow Analysis
Service Request Signaling Flow Analysis
Bearer Establishment Signaling Flow Analysis
Attach and Detach
In the Attach process, the UE completes registration in the
network, and the EPC establishes the default bearer for the UE.
In the Detach process, the UE cancels registration on the network
side and deletes all EPS bearers.
Attach descriptions:
In LTE networks, Attach accompanies the establishment of the default bearer
in the core network.
Detach descriptions:
The UE/MME/SGSN/HSS can initiate the detach process.
Here we take the Attach flow and Detach flow in idle status for signaling analysis.
Normal Attach Flow
[Figure: normal Attach signaling flow between the UE, eNB and MME. Messages shown in the figure: MSG1; MSG2-Random Access Response; RRCConnectionRequest; RRCConnectionSetup; RRCConnectionSetupComplete (Attach request); INITIAL UE MESSAGE (Attach request); Identity/Authentication/Security; INITIAL CONTEXT SETUP REQUEST (Attach Accept); UECapabilityEnquiry; UECapabilityInformation; UE CAPABILITY INFO INDICATION; SecurityModeCommand; SecurityModeComplete; RRCConnectionReconfiguration (Attach accept); RRCConnectionReconfigurationComplete; INITIAL CONTEXT SETUP RESPONSE; ULInformationTransfer (Attach Complete); UPLINK NAS TRANSPORT (Attach Complete).]
For RRC layer signaling, refer to the previous slides (such as RRC connection establishment).
Attach Signaling
Initial UE Message Analysis
Analysis of major signaling contents:
eNB_UE_SAP_ID indicates the UE context ID on the S1 interface of the eNodeB.
NAS_PDU indicates the NAS PDU information carried in the RRCConnectionSetupComplete message.
TAI indicates the tracking area information of the UE, including PLMN Identity and TAC:
TAC: tracking area code. Uniquely identifies a tracking area.
EUTRAN_CGI: globally identifies a cell in the EUTRAN, including PLMN Identity and CellID.
CellID: cell ID.
RRC_ESTABLISHMENT_CAUSE: indicates the cause for RRC establishment, including emergency, highPriorityAccess, mt-Access, mo-Signalling, and mo-Data.
Initial Context Setup Request Analysis
UE Aggregate Maximum Bit Rate:
applicable to all non-GBR E-RABs
of the UE.
E-RAB to Be Setup List: E-RAB list
to be established in the initial
context.
Initial Context Setup Request Analysis
E-RAB to Be Setup List: E-RAB list
to be established in the initial
context.
ERAB ID: This element uniquely identifies
a radio access bearer for a UE, and is
unique for the S1 connection. The E-RAB ID
remains the same for the duration of the
E-RAB, even if the logical S1 connection
related to the UE is released or removed
through S1 handover. Value range: 0–15.
The default bearer starts from 5, with the
previous ones reserved.
E-RAB Level QoS Parameters: ERAB QoS
parameters, including QCI, ARP, and GBR
QoS Information.
NAS_PDU: NAS message content
carried in the InitialUeMessage.
Initial Context Setup Request Analysis
UE Security Capabilities: defines
the encryption and integrity
protection algorithms supported
by the UE.
Encryption Algorithms: indicates an
encryption algorithm.
Integrity Protection Algorithms:
indicates an integrity protection
algorithm.
Security Key: security key of the
eNB.
Initial Context Setup Response Analysis
E-RAB Setup List: E-RAB list that
has been established.
TransportLayerAddress: The radio
network layer does not resolve the
address information but transmits it
to the network layer for resolution.
This is the IP address.
GTP_TEID: This is the GTP Tunnel
Endpoint Identifier, which is used for
user plane transmission on the eNB
and service gateway.
Initial Context Setup Failure Analysis
MME_UE_S1AP_ID = 0: UE
context ID of the S1 interface in
the MME.
ENB_UE_SAP_ID = 0: UE context
ID of the S1 interface in the
eNodeB.
Cause.t = 1: release at the
wireless network layer (1:
Wireless network layer; 2:
Transport layer; 3: NAS layer; 4:
protocol)
Cause.u = 32: Security
algorithms are not supported.
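The Security Mode Signaling Analysis, UE Security Capabilities and Initial Context Setup Failure slides fit together as follows: the eNB can only put into SecurityModeCommand an algorithm that the UE lists in its security capabilities, and when none is acceptable the setup fails with the cause shown above. The following is an added example, not part of the original slides and not ZTE code; the capability sets, the operator priority lists, the priority-based selection and the function names are assumptions for illustration, while the value tables and the Cause.t/Cause.u pair are the ones shown in the slides.

```python
"""AS security algorithm selection and SecurityModeCommand audit."""

# Value-to-name tables from the Security Mode Signaling Analysis slide.
CIPHERING = {0: "eea0", 1: "eea1", 2: "eea2"}
INTEGRITY = {0: "reserved", 1: "eia1", 2: "eia2"}

# Cause pair shown in the Initial Context Setup Failure slide for
# "security algorithms are not supported".
CAUSE_ALGS_NOT_SUPPORTED = {"t": 1, "u": 32}


def _first_common(priority, supported):
    """First algorithm in the eNB priority list that the UE also supports."""
    return next((name for name in priority if name in supported), None)


def _value(table, name):
    """Numeric value carried in SecurityModeCommand for an algorithm name."""
    return next(v for v, n in table.items() if n == name)


def select_as_algorithms(ue_caps, cipher_priority, integrity_priority):
    """Model the eNB choice (assumed: operator-configured priority lists).

    Priority lists may only contain names present in the tables above.
    Leaving eea0 out of cipher_priority means a UE that offers nothing
    better is refused instead of being served without ciphering.
    """
    cipher = _first_common(cipher_priority, ue_caps["ciphering"])
    integ = _first_common(integrity_priority, ue_caps["integrity"])
    if cipher is None or integ is None:
        return {"message": "InitialContextSetupFailure",
                "cause": dict(CAUSE_ALGS_NOT_SUPPORTED)}
    return {"message": "SecurityModeCommand",
            "cipheringAlgorithm": _value(CIPHERING, cipher),
            "integrityProtAlgorithm": _value(INTEGRITY, integ)}


def audit_security_mode_command(smc, ue_caps):
    """Return findings for one decoded SecurityModeCommand."""
    findings = []
    cipher = CIPHERING.get(smc["cipheringAlgorithm"])
    integ = INTEGRITY.get(smc["integrityProtAlgorithm"])
    if cipher is None:
        findings.append("cipheringAlgorithm value not in the table")
    elif cipher == "eea0":
        findings.append("eea0 selected: null ciphering, traffic is not encrypted")
    elif cipher not in ue_caps["ciphering"]:
        findings.append(f"{cipher} is not in the UE Security Capabilities")
    if integ is None:
        findings.append("integrityProtAlgorithm value not in the table")
    elif integ == "reserved":
        findings.append("integrityProtAlgorithm 0 is a reserved value")
    elif integ not in ue_caps["integrity"]:
        findings.append(f"{integ} is not in the UE Security Capabilities")
    return findings


# Constructed sample inputs (not taken from a real trace).
UE_MODERN = {"ciphering": {"eea0", "eea1", "eea2"}, "integrity": {"eia1", "eia2"}}
UE_NULL_ONLY = {"ciphering": {"eea0"}, "integrity": {"eia1"}}
ENB_CIPHER_PRIORITY = ["eea2", "eea1"]        # eea0 deliberately excluded
ENB_INTEGRITY_PRIORITY = ["eia2", "eia1"]

if __name__ == "__main__":
    for ue in (UE_MODERN, UE_NULL_ONLY):
        print(select_as_algorithms(ue, ENB_CIPHER_PRIORITY,
                                   ENB_INTEGRITY_PRIORITY))
    # The decode shown in the slide: both fields are 0.
    print(audit_security_mode_command(
        {"cipheringAlgorithm": 0, "integrityProtAlgorithm": 0}, UE_MODERN))
```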
UE Context Release Command
The message is sent by the MME to the
eNodeB to release UE context on the
S1 interface. This message carries
context ID on the S1 interfaces of the
MME and eNodeB, and the cause for
release.
MME_UE_S1AP_ID = 16810618: UE
context ID of the S1 interface in the
MME.
ENB_UE_SAP_ID = 66: UE context ID of
the S1 interface in the eNodeB.
Cause.t = 3: release at the NAS layer (1:
Wireless network layer; 2: Transport
layer; 3: NAS layer; 4: protocol).
Cause.u = 2: The cause for release is
Detach.
UE Context Release Complete
Releases the communication
context of the UE.
MME_UE_S1AP_ID = 16810618:
UE context ID on the S1 interface
of the MME.
ENB_UE_SAP_ID = 66: UE context
ID on the S1 interface of the
eNodeB.
Detach Flow: Idle Status
The initial UE message, UE
context release command, and
UE context release complete
signaling messages are similar to
those in the Attach flow, but the
information carried is about the
Detach process.
The signaling display sequence is not adjusted.
[Figure: Detach signaling flow in idle status between the UE, eNB and MME. Messages shown in the figure: MSG1; MSG2-Random Access Response; RRCConnectionRequest; RRCConnectionSetup; RRCConnectionSetupComplete (Detach request); INITIAL UE MESSAGE (Detach request); UE CONTEXT RELEASE COMMAND; RRCConnectionRelease; UE CONTEXT RELEASE COMPLETE.]
Signaling Analysis
Normal Service Request Flow
This flow is similar to the Attach flow, and the difference lies in the NAS message carried in the initial UE message.
Figure: Normal Service Request signaling flow (UE, eNB, MME). Messages shown:
MSG1
MSG2-Random Access Response
RRCConnectionRequest
RRCConnectionSetup
RRCConnectionSetupComplete (Service request)
INITIAL UE MESSAGE (Service request)
INITIAL CONTEXT SETUP REQUEST
UECapabilityEnquiry
UECapabilityInformation
UE CAPABILITY INFO INDICATION
SecurityModeCommand
SecurityModeComplete
RRCConnectionReconfiguration
RRCConnectionReconfigurationComplete
INITIAL CONTEXT SETUP RESPONSE
Service Request Signaling
It can be seen from the initial UE message that this is the service
request flow.
Second Default Bearer Establishment
Signaling for the second default bearer is carried in direct transfer messages, and the establishment is completed through E-RAB establishment messages.
Figure: Second default bearer establishment flow (UE, eNB, EPC). Steps shown:
1. ULInformationTransfer (PDN CONNECTIVITY REQUEST)
2. UPLINK NAS TRANSPORT (PDN CONNECTIVITY REQUEST)
3. Bearer Allocation request
4. E-RAB SETUP REQUEST (ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST)
5. RRCConnectionReconfiguration (ACTIVATE DEFAULT EPS BEARER CONTEXT REQUEST)
6. RRCConnectionReconfigurationComplete
7. E-RAB SETUP RESPONSE
8. ULInformationTransfer (Activate DEFAULT EPS bearer context accept)
9. UPLINK NAS TRANSPORT (Activate DEFAULT EPS bearer context accept)
10. Bearer Allocation Response
Also shown: Uplink Data, Downlink Data
Resolves the signaling in the red box
Second Default Bearer Establishment Flow
The UE in connected status transfers the PDN Connectivity Request message to the eNB through the ULInformationTransfer message.
The eNB sends the PDN Connectivity Request message to the EPC through the UPLINK NAS TRANSPORT message.
The EPC transfers the Activate default EPS bearer context request message to the eNB through the E-RAB SETUP REQUEST message.
The eNB sends the NAS message Activate default EPS bearer context request to the UE through the reconfiguration message.
The UE establishes the default bearer, and returns the RRCConnectionReconfigurationComplete message.
The eNB sends the E-RAB SETUP RESPONSE message to the EPC, indicating that the radio bearer is established.
After sending the reconfiguration message, the UE sends the Activate default EPS bearer context accept message to the eNB through the ULInformationTransfer message.
E-RAB SETUP REQUEST Message Analysis
E-RAB_ID is the bearer identifier.
QCI indicates the QoS level.
AllocationRetentionPriority is the allocated QoS parameter.
E-RAB SETUP RESPONSE Message Analysis
Dedicated Bearer Establishment and Modification
This flow is similar to the establishment of the second default bearer; the difference is the NAS message carried in the UPLINK NAS TRANSPORT message. For establishment of the second default bearer, the PDN Connectivity Request is carried. For establishment of the dedicated bearer, the Bearer resource allocation request message (or the Bearer resource modification request message) is carried and sent to the eNB.
Figure: Dedicated bearer establishment flow (UE, eNB, EPC). Steps shown:
1. ULInformationTransfer (Bearer resource allocation request)
2. UPLINK NAS TRANSPORT (Including bearer resource allocation request)
3. Bearer resource allocation request
4. E-RAB SETUP REQUEST (Activate dedicated EPS bearer context request)
5. RRCConnectionReconfiguration (Activate dedicated EPS bearer context request)
6. RRCConnectionReconfigurationComplete
7. E-RAB SETUP RESPONSE
8. ULInformationTransfer (Activate dedicated EPS bearer context accept)
9. UPLINK NAS TRANSPORT (Activate dedicated EPS bearer context accept)
10. Bearer resource allocation response
Also shown: Uplink Data, Downlink Data
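The following is an added example, not part of the original slides: a trace checker for the second default bearer flow and the dedicated bearer flow described above. It reports where a trace of (message, NAS payload) pairs departs from the numbered steps, for instance when the NAS message relayed on S1 differs from the one the UE sent. The trace format, function names and sample traces are assumptions; only the allocation-request variant of the dedicated flow is modelled.

```python
# Diagram step numbers that carry a Uu or S1 message name on the slides
# (steps 3 and 10 have none, so they cannot be matched in such a trace).
STEPS = [1, 2, 4, 5, 6, 7, 8, 9]
FLOW = ["ULInformationTransfer", "UPLINK NAS TRANSPORT", "E-RAB SETUP REQUEST",
        "RRCConnectionReconfiguration", "RRCConnectionReconfigurationComplete",
        "E-RAB SETUP RESPONSE", "ULInformationTransfer", "UPLINK NAS TRANSPORT"]
# (NAS request in steps 1-2, bearer context activated in steps 4-5 and 8-9)
VARIANTS = {
    "default": ("PDN connectivity request",
                "Activate default EPS bearer context"),
    "dedicated": ("Bearer resource allocation request",
                  "Activate dedicated EPS bearer context"),
}

def expected(variant):
    """Expand a variant into (step, message, NAS payload or None) tuples."""
    req, ctx = VARIANTS[variant]
    nas = [req, req, ctx + " request", ctx + " request", None, None,
           ctx + " accept", ctx + " accept"]
    return list(zip(STEPS, FLOW, nas))

def check_flow(trace, variant):
    """Compare (message, nas) entries with the slide flow; return findings."""
    want, pos, findings = expected(variant), 0, []
    for msg, nas in trace:
        if pos == len(want) or msg != want[pos][1]:
            continue  # unrelated or out-of-order message: not the next step
        step, _, exp = want[pos]
        # The slides mix upper and lower case, so compare case-insensitively.
        if (nas or "").lower() != (exp or "").lower():
            findings.append("step %d %s: NAS %r, expected %r"
                            % (step, msg, nas, exp))
        pos += 1
    if pos < len(want):
        findings.append("flow stopped before step %d %s" % want[pos][:2])
    return findings

# Constructed traces (not captured data).
GOOD = [(m, n) for _, m, n in expected("default")]
# The eNB relays a different NAS message than the UE sent in step 1,
# and the final accept (step 9) never reaches the EPC.
BAD = list(GOOD)
BAD[1] = ("UPLINK NAS TRANSPORT", "Bearer resource allocation request")
BAD = BAD[:7]

if __name__ == "__main__":
    print(check_flow(GOOD, "default"))
    print(check_flow(BAD, "default"))
```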