Evolved Packet Core (EPC) – 4G
LTE is a 3GPP Trademark
Course Goals
By the end of this course you will have a deep understanding about the following topics in LTE
• Introduction
• Motivation for LTE (4G)
• How is LTE different from other technologies ?
• Evolution in LTE.
• Network Architecture – Introduction
• E-UTRAN Architecture
• EPC Architecture
• LTE Architecture Summary
• Identifiers in LTE – (IMSI, GUTI, TAC, APN, MNC, MCC)
• Interfaces in LTE EPC
• LTE Protocol Stack
• LTE QoS
• Bearers in LTE
• Traffic Flow Templates
Course Goals Contd.
By the end of this course you will have a deep understanding about the following topics in LTE
• EPC Core Elements – Deep Dive
• MME
• HSS
• SGW
• PGW
• PCRF
• Security in LTE
• Authentication
• Encryption
• Integrity
• Wireshark Logs from real network – Analysis and call/message flow
• LTE UE Attach Call flow
• Review message flow.
• Wireshark logs from real network – Analysis
• LTE Roaming
• Review of 3GPP and GSMA based architectures
Further Your Learning with These courses
After Completing this course if you want to further your learning of 4G you can
check out the course below (referral Code Included) -
https://www.udemy.com/course/4g-lte-epc-advanced-troubleshooting-using-wireshark/?referralCode=2BA5F6FDE6C76FC74EA5
For becoming an expert on 5G I also recommend checking out this course (referral
Code Included) -
https://www.udemy.com/course/5g-core-architectures-concepts-and-call-flows/?referralCode=399C46706125617AA682
Introduction:
Motivation for 4G LTE
Time For The Next Generation of Mobility?
• 1G (1980s): Analog; AMPS; Voice
• 2G (1990s): Digital; GSM, IS-95, IS-136; Voice capacity
• 3G (2000s): WCDMA, CDMA2000; Voice & data
• 4G (2010s): LTE/LTE-A, 802.16m; Broadband data & video
• 5G (2020s)
Market Disruptors
• Open Source Software
• Hyper Connectivity
• Internet of Everything
Business Models
• Consumption based
• Agile & On Demand
• Software Innovations
Technology Landscape
• Virtualization
• Cloud Workloads
• Programmability
Source: Cisco
Global Mobile Speed Growth
Average Mobile Speed Will More Than Triple from 2.0 Mbps (2015) to 6.5 Mbps (2020)
• North America: 2.6-fold Growth, 5.9 to 15.3 Mbps
• Western Europe: 3.5-fold Growth, 4.1 to 14.1 Mbps
• Central & Eastern Europe: 4.7-fold Growth, 2.3 to 10.6 Mbps
• Latin America: 3.3-fold Growth, 1.5 to 4.9 Mbps
• Middle East & Africa: 6.3-fold Growth, 0.8 to 4.8 Mbps
• Asia Pacific: 3.6-fold Growth, 2.4 to 8.6 Mbps
Source: Cisco VNI Global Mobile Data Traffic Forecast, 2015–2020
Comparison of Wireless technologies
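• 1G – Deployment: 1970-84; Throughput: 2 Kbps; Services: Analog Voice; Underlying Technology std.: AMPS, TACS
• 2G – Deployment: 1980-89; Throughput: 14-64 Kbps; Services: Digital Voice, SMS, MMS; Underlying Technology std.: D-AMPS, CDMA (IS-95)
• 3G – Deployment: 1990-2002; Throughput: 2 Mbps; Services: Integrated HD Video and data; Underlying Technology std.: CDMA2000, EVDO, W-CDMA, HSPA+
• 4G – Deployment: 2000-18; Throughput: 200 Mbps; Services: High Speed Data, Voice over LTE (VoLTE); Underlying Technology std.: LTE, VoLTE, LTE Advanced, LTE Advanced Pro
• 5G – Deployment: 2018-2020+; Throughput: 1 Gbps+; Services: Ultra-low Latency, massive IoT, V2V; Underlying Technology std.: 5G-NR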
Introduction:
How is LTE different from the previous
technologies ?
How is LTE different ?
LTE benefits (Compared to 3G) include :
• High Data rates
• Reduced Latency for user applications.
• Improved end-user throughputs for applications such as Voice and Video
• Flexibility of radio frequency deployment since LTE can be deployed in
various bandwidth configurations (1.4, 3, 5, 10, 15, 20 MHz)
• Multiple Input Multiple Output (MIMO)
• Flat all-IP network with fewer network elements which leads to lower
latency.
• Offers a TDD solution (LTE-TDD) in addition to FDD (LTE-FDD)
4G, LTE and LTE-A Drivers
Introduction:
Evolution in LTE
Evolution in LTE
3GPP Rel. 13, 14
*Source – 3GPP
*Source – Qualcomm
Network Architecture – Introduction:
Network Architecture in LTE:
LTE architecture is composed of 2 parts –
• Radio Access Network: Evolved UTRA Network (E-UTRAN)
• Core Network Architecture: Evolved Packet Core (EPC)
[Figure labels: Evolved Packet Core (EPC); Radio Access Network (RAN a.k.a. E-UTRAN)]
Network Architecture in LTE contd:
Evolution of Network Services
Evolution of network architecture through cellular generations.
Evolution of 3GPP Architecture.
Network Architecture – Introduction:
E-UTRAN- Evolved UTRA Network
Network Architecture in LTE contd.
EUTRAN:
Evolved NodeB (eNodeB)
• Unlike 3G there is no central
controller for unicast data traffic.
EUTRAN is referred to as a
distributed architecture.
• eNodeBs are connected to the MME
via the S1-C/S1-MME interface.
• eNodeBs can be connected to each
other logically over X2 interface.
Network Architecture in LTE contd.
EUTRAN:
Evolved NodeB (eNodeB) Functions -
• Radio Resource management
• Synchronization and Interference
control
• MME Selection among MME Pool
• Routing of User Plane data from/to S-
GW
• Encryption/Integrity protection of
user data
• IP Header Compression
Network Architecture in LTE contd.
EUTRAN:
User Equipment (UE)
• Represents the mobile/fixed device
used to connect to the network.
• Specifications are defined by 3GPP
• 3GPP has defined various categories in accordance with capabilities. Below are some categories as defined by 3GPP
UE Categories
Network Architecture in LTE contd.
EUTRAN:
User Equipment (UE)
• Each Category has a given set of capabilities.
• RAN keeps track of each of the
connected UE’s capabilities in order
to optimize experience.
• IoT – example
UE Categories
Network Architecture – Introduction:
EPC – Evolved Packet Core
Network Architecture in LTE contd.
EPC:
Mobility Management Entity (MME)
• NAS (non-access stratum) signaling
and its security
• Tracking Areas List management
• PDN GW and SGW selection.
• Roaming and Authentication
• EPS bearer management
• Signaling for mobility management
between 3GPP RANs
Network Architecture in LTE contd.
EPC Contd.:
Home Subscriber Server (HSS)
• User Authentication
• Subscription/Profile management –
• Roaming
• Speed/throughput limits
Network Architecture in LTE contd.
EPC Contd.:
Serving Gateway (S-GW)
• Packet routing and forwarding
• EUTRAN Idle mode DL packet
buffering
• EUTRAN and inter-3GPP mobility
anchoring
• UL and DL charging per UE, PDN and
QCI
Network Architecture in LTE contd.
EPC Contd:
Packet Data Network Gateway (P-GW)
• IP Address allocation
• Packet filtering and Policy
enforcement
• Transport Level QoS mapping and
marking.
• User Info anchoring for 3GPP and
non-3GPP handovers.
Network Architecture – Introduction:
LTE-Architecture- Summary
Network Architecture in LTE contd:
Identifiers in LTE - EPC
IMSI
• International Mobile Subscriber Identity
The IMSI allows unambiguous identification of a particular SIM or USIM card. The IMSI is composed of three parts -
• The Mobile Country Code (MCC), consisting of three digits. The MCC uniquely identifies the
country of domicile of the mobile subscriber. MCC values are administrated and allocated by an
international numbering plan.
• The Mobile Network Code (MNC), consisting of two or three digits for GSM/UMTS applications.
The MNC identifies the home PLMN of the mobile subscriber. The length of the MNC (two or
three digits) depends on the value of the MCC. A mixture of two- and three-digit MNC codes
within a single MCC area is not recommended and is beyond the scope of this specification.
• The Mobile Subscriber Identification Number (MSIN), identifying the mobile subscriber within a
PLMN. As a rule the first two or three digits of the MSIN reveal the identity of the Home Location
Register (HLR) or HSS that is used for Signaling Connection Control Part (SCCP) Global Title
translation procedures when roaming subscribers register in foreign networks
GUTI
• Globally Unique Temporary Identifier.
• The GUTI is assigned only by the MME during initial attach of a UE to the E-UTRAN
• The purpose of GUTI is to provide an unambiguous identification of the UE that does not reveal the UE
or the user’s permanent identity in the E-UTRAN. It also allows identification of the MME and network to
which the UE attaches. The GUTI can be used by the network to identify each UE unambiguously during
signaling connections.
• The GUTI has two main components: the Globally Unique Mobility Management Entity Identifier
(GUMMEI) that uniquely identifies the MME which allocated the GUTI; and the M-TMSI that uniquely
identifies the UE within the MME that allocated the GUTI. The GUMMEI is constructed from the MCC,
MNC, and Mobility Management Entity Identifier (MMEI).
• The MMEI should be constructed from a Mobility Management Entity Group ID (MMEGI) and a MMEC.
Tracking Area
• The Tracking Area Identity (TAI) is the identity used to identify tracking areas. The TAI is constructed from
the MCC, MNC, and TAC (Tracking Area Code).
• A Tracking Area (TA) includes one or several E-UTRAN cells.
• Tracking Areas are used for Paging Idle mode Subscribers.
• UE informs MME every time it changes its TA via the TAU (tracking area
Update) procedure, or at expiration of a timer (T3412).
Access Point Name (APN)
• APN represents a PDN (packet data network).
• UE during attach presents an APN to the network as part of attach. There also exist provisions in LTE
where the NW can provide UE an APN as part of attach.
• APNs often look like Internet domain names and have two parts:
• Network identifier—This defines the PDN the user connects to through a P-GW. This part of the
APN is mandatory. It can be as simple as internet or have a more complicated structure such
as juniper.net.
• Operator identifier—This defines the operator whose PDN the user connects to through a P-
GW. This part of the APN is optional and is often omitted. If present, it consists of the
operator’s Mobile Country Code (MCC) and Mobile Network Code (MNC). A more complex APN
would be something like internet.mnc012.mcc345.gprs or, more realistically, Web.omnitel.it.
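The identifiers above can be decoded as follows (an added example, not part of the original course material). It goes slightly beyond the text by using the on-the-wire field sizes from the 3GPP specifications (BCD-coded PLMN, 16-bit MMEGI, 8-bit MMEC, 32-bit M-TMSI, 16-bit TAC); the function names and the sample bytes are constructed for illustration, using the MCC 345 / MNC 12 values from the APN example.

```python
"""Added example: decode the identifiers described above (sample values are constructed)."""
from dataclasses import dataclass


def decode_plmn(b: bytes) -> tuple[str, str]:
    """Decode a 3-octet BCD PLMN field into (MCC, MNC).

    Nibble layout (3GPP TS 24.008): MCC2|MCC1, MNC3|MCC3, MNC2|MNC1.
    MNC digit 3 is the filler 0xF when the MNC has two digits.
    """
    if len(b) != 3:
        raise ValueError("PLMN field must be 3 octets")
    d = [b[0] & 0xF, b[0] >> 4, b[1] & 0xF, b[2] & 0xF, b[2] >> 4, b[1] >> 4]
    if any(x > 9 for x in d[:5]) or (d[5] > 9 and d[5] != 0xF):
        raise ValueError("non-decimal digit in PLMN field")
    mcc = "".join(map(str, d[:3]))
    mnc = "".join(map(str, d[3:5])) + ("" if d[5] == 0xF else str(d[5]))
    return mcc, mnc


@dataclass(frozen=True)
class Guti:
    mcc: str
    mnc: str
    mmegi: int   # MME Group ID (16 bits)
    mmec: int    # MME Code (8 bits)
    m_tmsi: int  # identifies the UE within that MME (32 bits)

    @property
    def gummei(self) -> str:
        """GUMMEI = MCC + MNC + MMEI, where MMEI = MMEGI + MMEC."""
        return f"{self.mcc}-{self.mnc}-{self.mmegi:04x}-{self.mmec:02x}"


def decode_guti(value: bytes) -> Guti:
    """Decode the value part of a NAS EPS mobile identity IE carrying a GUTI."""
    if len(value) != 11:
        raise ValueError("a GUTI identity value is 11 octets")
    if value[0] & 0x07 != 0b110:
        raise ValueError("type of identity is not GUTI")
    mcc, mnc = decode_plmn(value[1:4])
    return Guti(mcc, mnc, int.from_bytes(value[4:6], "big"), value[6],
                int.from_bytes(value[7:11], "big"))


def decode_tai(value: bytes) -> tuple[str, str, int]:
    """TAI = MCC + MNC + TAC (16-bit Tracking Area Code)."""
    if len(value) != 5:
        raise ValueError("a TAI is 5 octets")
    return (*decode_plmn(value[:3]), int.from_bytes(value[3:], "big"))


def split_imsi(imsi: str, mnc_len: int) -> tuple[str, str, str]:
    """Split an IMSI into (MCC, MNC, MSIN); mnc_len (2 or 3) depends on the MCC."""
    if not (imsi.isascii() and imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("an IMSI is at most 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:]


def apn_operator_id(mcc: str, mnc: str) -> str:
    """Operator identifier part of an APN, e.g. mnc012.mcc345.gprs."""
    return f"mnc{int(mnc):03d}.mcc{int(mcc):03d}.gprs"


# Constructed sample: GUTI for MCC 345 / MNC 12 (the PLMN of the APN example above).
SAMPLE_GUTI = bytes.fromhex("f643f52180010ac0ffee01")
```

When reviewing a capture, a GUTI in the Attach Request keeps the IMSI off the air; an Attach Request that carries the IMSI itself exposes the permanent identity that the GUTI is meant to hide.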
Interfaces in LTE Network
Interfaces in LTE
• What is an interface ?
Interface represents a channel on which 2 network entities exchange information.
• Why do we need interfaces ?
Interfaces are needed in LTE to deliver information (signaling or user data) for a subscriber or network
element.
• Who defines these interfaces ?
The various network interfaces are defined by 3GPP. All network vendors or manufacturers are required to comply with these standards.
• Do these interfaces remain static ?
No. Depending on new capabilities and requirements 3GPP continues to make changes to the interface
standards. However in most cases they are backward compatible.
Interfaces in LTE contd: 3GPP References:
• EUTRAN
TS 36.401,36.300,23.002
• S1 Interface
TS 36.41x series, TS 29.274, 24.301
• X2 Interface
TS 36.42x series
• MME functions and interfaces
TS 23.401, 23.402, 23.002
• S10/S11
TS 29.274
• S6a
TS 29.272
• SGW and PGW functions
TS 23.401, 23.402, 23.002
• S5/S8 interface
TS 29.274, 29.275
• SGi Interface
TS 29.061
http://www.3gpp.org/specifications/specifications
LTE-Protocol Stack
Protocol Stack in LTE:
Protocol Stack in LTE:
- Protocol Data Units (PDU)
- Service Data Unit (SDU)
On the transmit side packets are transferred from layer N to layer N-1. At a given layer N-1, data received from layer N is treated as an SDU. That layer adds its header information to the SDU. The new packet is then referred to as a PDU.
Protocol Stack in LTE:
QoS in LTE:
Bearers in LTE
Bearers in LTE
• In LTE data-plane traffic is carried via virtual connections known as service data
flows (SDF). The SDFs are carried over bearers that are virtual connections.
Each bearer has a QoS requirement.
Bearers in LTE
Each Bearer can have specific QoS requirements.
EPS QoS Parameters: QCI, ARP
• GBR Bearer: GBR, MBR
• Non-GBR Bearer: AMBR
QoS in LTE:
TFTs in LTE
Traffic Flow Templates (TFT)
• IP Packets belong to different service data flows
• TFTs define how IP packets are mapped to EPS Bearers.
• TFTs are applied at 2 places in the network –
• Uplink – at the UE
• Downlink – at the PGW
Traffic Flow Templates (TFT)
IP Packets (UE) -> Service Data Flow -> EPS Bearer
• GBR SDF: QCI, ARP, MBR, GBR
• Non-GBR SDF: QCI, ARP, MBR
• GBR EPS Bearer: QCI, ARP, GBR, MBR
• Non-GBR EPS Bearer: QCI, ARP, MBR
Summary of QoS parameters in LTE
EPC Core Elements – Deep Dive
MME
Mobility Management Entity (MME):
● Responsible for NAS connection with the UE. All NAS messages are exchanged between the UE
and MME to trigger further procedures in the Core network if necessary.
● NAS security – Integrity and Encryption
● Paging for Idle mode UEs.
● SGW and PGW selection
● Perform management of S1 based and inter-RAT handovers.
● Sets up, modifies and releases default and dedicated bearers for UEs
Mobility Management Entity (MME):
● Managing and storing UE contexts
● Generating temporary UE Identifiers
● S1-MME is the standard reference point between the enodeb and MME.
○ S1-MME has 2 components – S1-C (enb <-> MME) and S1-U (enb <-> SGW)
○ SCTP is used for reliable transport of messages on the S1-C.
Mobility Management Entity (MME):
States in MME -
• The EPS Mobility Management (EMM) states describe the Mobility Management.
• The EPS Connection Management (ECM) states describe the signaling connectivity
between the UE and the EPC.
State of a UE in MME
Definition of main EPS Mobility Management states
• EMM-DEREGISTERED
– The UE is not reachable by an MME.
– UE context can still be stored in the UE and MME
• EMM-REGISTERED
– UE enters EMM-REGISTERED with the Attach or Tracking Area Update procedure.
– The UE location is known with an accuracy of the tracking area list.
– UE has at least one active PDN connection;
– After Detach procedure the state is changed to EMM-DEREGISTERED
[Figure: EMM states Reg / De-Reg; ECM states Connected / Idle]
Mobility Management Entity (MME):
SCTP (Stream control transmission protocol) is a tunneling protocol used between eNodeB and
MME. S1-AP uses SCTP.
Mobility Management Entity (MME):
[Figure: EUTRAN eNodeBs, EPC MMEs and S-GTWs, with the “S1-MME” and “S1-U” links between them]
One to Many relationship
HSS
Home Subscriber Server (HSS):
HSS is responsible for the following functions in EPC –
● Master database that stores subscription related information to support call control and session management entities
● Storehouse for subscription profiles and user Identities
● Involved in User authentication
● Works with MME to authenticate user
Serving Gateway (S-GW)
Serving Gateway (S-GW):
SGW is responsible for the following functions in EPC –
● Terminates interface to the EUTRAN. A particular LTE subscriber will be connected to one SGW
● In case of an inter-eNodeB handover, the S-GW acts as a mobility anchor of the connection and remains the same while the path for the transport of signaling and user plane will be switched onto the S1 interface.
● Mobility anchoring of the S-GW is also defined for inter-3GPP mobility. Here the S-GW acts as the terminating point of the S4 interface and routes traffic between the 2G/3G SGSN and the P-GW of the EPC.
● If the UE is in idle mode the S-GW will buffer packets until the UE is paged and the bearers are setup.
● Provides interface for lawful intercept.
● S-GW is responsible for marking packets based on QoS. It marks packets with appropriate DSCP values.
Serving Gateway (S-GW):
GTP-U is used on top of UDP/IP to carry the user plane PDUs between the
enodeb and SGW
Packet Gateway (P-GW)
Packet Gateway (P-GW):
PGW is responsible for the following functions in EPC –
● Acts as router for the UE traffic
● Allocates IP address to the UE/bearer
● Performs DSCP/QoS marking for UE packets
● P-GW can be connected to a PCRF (Policy control and charging function) via the Gx interface. PCRF provides subscriber level QoS parameters.
Protocols for Control and User Plane
LTE Security
LTE Security – key Pillars
● Valid Subscriber/Valid Network
● Privacy!
● No man-in-the-middle attacks
● To understand how the overall LTE security concept works, it is crucial to understand the hierarchy of LTE
security keys first. This LTE security key hierarchy, shown in Figure below, includes the following keys: KeNB,
KNASint, KNASenc, KUPenc, KRRCint, and KRRCenc:
● K = This is the master Key and is stored in the SIM and the HSS/AuC
● All Keys are derived from K Key.
● K Key is never transmitted
● K Key is used to derive the Cipher Key CK and Integrity Key IK.
● With CK and IK, the HSS and UE are able to derive the KASME.
● With KASME, the MME is able to derive the NAS and AS keys.
KeNB is a key derived by the UE and MME from KASME or by the UE and target eNB from KeNB* during eNB handover. KeNB should only be used for the derivation of keys for RRC traffic and the derivation of keys for UP (User Plane) traffic, or to derive a transition key KeNB* during an eNB handover.
Keys for NAS traffic:
• KNASint is a key which should only be used for the protection of NAS traffic with a particular
integrity algorithm. This key is derived by the UE and MME from KASME, as well as an identifier
for the integrity algorithm.
• KNASenc is a key which should only be used for the protection of NAS traffic with a particular
encryption algorithm. This key is derived by the UE and MME from KASME, as well as an identifier
for the encryption algorithm.
Keys for UP traffic:
• KUPenc is a key which should only be used for the protection of UP traffic with a particular
encryption algorithm. This key is derived by the UE and eNB from KeNB, as well as an identifier
for the encryption algorithm.
Keys for RRC traffic:
• KRRCint is a key which should only be used for the protection of RRC traffic with a particular integrity algorithm. KRRCint is derived by the UE and eNB from KeNB, as well as an identifier for the integrity algorithm.
• KRRCenc is a key which should only be used for the protection of RRC traffic with a particular encryption algorithm. KRRCenc is derived by the UE and eNB from KeNB as well as an identifier for the encryption algorithm.
* Keys in LTE/EPC is a pretty vast topic. Refer to 3GPP TS 33.401 for more details.
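The hierarchy described above, carried through in code (an added example, not part of the original course material). It uses the key derivation function and FC values from 3GPP TS 33.401 Annex A, which the slides reference but do not reproduce; the function names and all input values (CK, IK, PLMN octets, SQN xor AK, NAS COUNT) are constructed for illustration.

```python
"""Added example: LTE key hierarchy with the KDF of 3GPP TS 33.401 Annex A."""
import hashlib
import hmac

# Algorithm type distinguishers (TS 33.401 Annex A.7).
NAS_ENC, NAS_INT, RRC_ENC, RRC_INT, UP_ENC = 1, 2, 3, 4, 5


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """3GPP KDF: HMAC-SHA-256(key, S) with S = FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")  # each parameter, then its 2-octet length
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_kasme(ck: bytes, ik: bytes, plmn: bytes, sqn_xor_ak: bytes) -> bytes:
    """K_ASME: derived by HSS and UE from CK || IK, bound to the serving network."""
    if (len(ck), len(ik), len(plmn), len(sqn_xor_ak)) != (16, 16, 3, 6):
        raise ValueError("unexpected input length")
    return kdf(ck + ik, 0x10, plmn, sqn_xor_ak)


def derive_kenb(kasme: bytes, uplink_nas_count: int) -> bytes:
    """K_eNB: derived by MME and UE from K_ASME and the uplink NAS COUNT."""
    return kdf(kasme, 0x11, uplink_nas_count.to_bytes(4, "big"))


def derive_alg_key(parent: bytes, alg_type: int, alg_id: int) -> bytes:
    """Per-purpose key bound to one algorithm; the 128 least significant bits are used."""
    return kdf(parent, 0x15, bytes([alg_type]), bytes([alg_id]))[-16:]


def derive_hierarchy(ck, ik, plmn, sqn_xor_ak, uplink_nas_count, eea, eia):
    """Derive every key named in the hierarchy for the chosen EEA/EIA identifiers."""
    kasme = derive_kasme(ck, ik, plmn, sqn_xor_ak)
    kenb = derive_kenb(kasme, uplink_nas_count)
    return {
        "K_ASME": kasme,
        "K_NASenc": derive_alg_key(kasme, NAS_ENC, eea),   # UE and MME
        "K_NASint": derive_alg_key(kasme, NAS_INT, eia),   # UE and MME
        "K_eNB": kenb,                                     # MME hands this to the eNB
        "K_RRCenc": derive_alg_key(kenb, RRC_ENC, eea),    # UE and eNB
        "K_RRCint": derive_alg_key(kenb, RRC_INT, eia),    # UE and eNB
        "K_UPenc": derive_alg_key(kenb, UP_ENC, eea),      # UE and eNB
    }


# Constructed inputs: CK/IK would come out of AKA; PLMN octets encode MCC 345 / MNC 12.
CK, IK = bytes(range(16)), bytes(range(16, 32))
PLMN, SQN_XOR_AK = bytes.fromhex("43f521"), bytes(6)

if __name__ == "__main__":
    # eea=2 / eia=2 select the AES-based algorithms 128-EEA2 / 128-EIA2.
    for name, key in derive_hierarchy(CK, IK, PLMN, SQN_XOR_AK, 0, eea=2, eia=2).items():
        print(f"{name:9s} {key.hex()}")
```

Because the algorithm type and identity are inputs to the derivation, a key derived for one purpose or algorithm cannot be reused for another, which is the separation the "should only be used for" wording above describes.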
LTE Security – Big picture
Subscriber Database (HSS)
● HSS delivers the Auth Vectors to the MME. KASME is also sent to the MME.
● MME sends AUTN and RAND to UE.
● Since UE has K in its SIM, it uses RAND to come up with RES.
● If RES == XRES the UE is Authenticated.
● MME uses KASME to derive the other Keys for NAS and KeNB.
● Upon Auth Succ the MME sends a security mode command to UE with all the information re Enc and Int algos.
● UE uses the previous information and derives the NAS Keys.
● MME sends eNB the KeNB. eNB derives the RRC and UP enc Keys.
LTE Security – Real Logs
Authentication Information Request. Sent by MME -> HSS on S6a using Diameter protocol.
● User is identified by IMSI
● Details about the visited network are passed onto the HSS
Authentication Vectors are delivered to MME from HSS over S6a (Diameter) interface.
MME sends an Authentication Request to UE on NAS Layer.
● RAND, AUTN and some other values are sent to UE to assist in calculation of RES
Based on the information received in AIR UE sends the response.
● UE sends RES to MME on NAS Layer
● If RES == XRES then IMSI is authenticated.
● If AUTN (UE) == AUTN (Network) the network is authenticated
MME sends information re Enc and Integrity algos to UE.
MME can request IMEI for HW check (optional).
UE sends a Security Mode Complete using Keys.
UE responds with IMEI.
RRC: Security Mode Command
● Message sent from eNB -> UE over RRC Layer.
● Objective of the message is to tell UE about the ciphering and integrity algorithms.
RRC: Security Mode Command Complete
● Message sent from UE -> eNB over RRC Layer.
● Objective of the message is to tell eNB that Ciphering and Integrity Algos. have been negotiated and are in use.
All the following RRC signaling will be protected using the algorithms as negotiated during this process.
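The two checks in the exchange above (the MME comparing RES with XRES, and the UE verifying AUTN before it answers) are shown here as an added example that is not part of the original course material. HMAC-SHA-256 is used as a stand-in for the operator's f1, f2 and f5 functions (real networks use e.g. MILENAGE), the sequence-number check is simplified to "must be higher than the last one seen", and all names and key values are constructed.

```python
"""Added example: EPS-AKA checks, with HMAC-SHA-256 stand-ins for f1/f2/f5."""
import hashlib
import hmac
import os

AMF = b"\x80\x00"  # Authentication Management Field, separation bit set for EPS


def _f(k: bytes, label: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for the keyed functions f1 (MAC), f2 (RES) and f5 (AK)."""
    return hmac.new(k, label + b"".join(parts), hashlib.sha256).digest()[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hss_make_vector(k: bytes, sqn: int, rand: bytes = None) -> dict:
    """HSS/AuC: build RAND, AUTN and XRES for the subscriber whose key is k."""
    rand = rand or os.urandom(16)
    sqn_b = sqn.to_bytes(6, "big")
    ak = _f(k, b"f5", rand, n=6)                 # anonymity key hides SQN
    mac = _f(k, b"f1", sqn_b, rand, AMF, n=8)    # proves the network knows K
    return {"RAND": rand, "AUTN": _xor(sqn_b, ak) + AMF + mac,
            "XRES": _f(k, b"f2", rand, n=8)}


def ue_respond(k: bytes, rand: bytes, autn: bytes, last_sqn: int) -> tuple:
    """UE/USIM: authenticate the network from AUTN, then compute RES."""
    if len(autn) != 16:
        return ("AUTH_FAILURE", "MAC failure")
    ak = _f(k, b"f5", rand, n=6)
    sqn_b, amf, mac = _xor(autn[:6], ak), autn[6:8], autn[8:]
    if not hmac.compare_digest(mac, _f(k, b"f1", sqn_b, rand, amf, n=8)):
        return ("AUTH_FAILURE", "MAC failure")    # AUTN not made with this K
    if int.from_bytes(sqn_b, "big") <= last_sqn:
        return ("AUTH_FAILURE", "Synch failure")  # stale or replayed vector
    return ("AUTH_RESPONSE", _f(k, b"f2", rand, n=8))


def mme_check(res: bytes, xres: bytes) -> bool:
    """MME: the subscriber is authenticated only if RES == XRES."""
    return hmac.compare_digest(res, xres)


def authenticate(k_network: bytes, k_ue: bytes, sqn: int, ue_last_sqn: int) -> str:
    """Run HSS -> MME -> UE -> MME once and return the outcome."""
    av = hss_make_vector(k_network, sqn)
    kind, value = ue_respond(k_ue, av["RAND"], av["AUTN"], ue_last_sqn)
    if kind == "AUTH_FAILURE":
        return value
    return "authenticated" if mme_check(value, av["XRES"]) else "RES mismatch"


if __name__ == "__main__":
    k = bytes(range(16))                                          # constructed K
    print(authenticate(k, k, sqn=5, ue_last_sqn=4))               # genuine network
    print(authenticate(bytes(16), k, sqn=5, ue_last_sqn=4))       # network without K
    print(authenticate(k, k, sqn=5, ue_last_sqn=5))               # replayed vector
```

In a capture, the failure branches appear as a NAS Authentication Failure from the UE instead of an Authentication Response, with the cause indicating MAC failure or synch failure.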
Mind Map – Showing LTE Authentication/Security
LTE Attach Call Flow
Life Cycle of a UE
1. Network Acquisition
2. Signaling connection
3. Attach
4. Authentication
5. Security
6. ESM Information Request/Response
7. Bearer Setup
8. IP connectivity/Data Transfer
9. Handover
10. Release
LTE Attach – Complete Picture
UE eNB MME HSS SGW PGW
1. Initial UE Message – Attach Request: Type of Attach, temp/permanent UE identity, PDP connection request message (IPv4/6 etc.)
2. Diameter: Authentication Information Request: RAT type, VPLMN, IMSI
3. Diameter: Authentication Information Answer: AUTN, XRES, MAC, RAND
4. NAS: Auth Request: AUTN, RAND
5. NAS: Auth Answer: RES
6. NAS: Security Mode Command
7. NAS: Security Mode Complete
8. NAS: ESM Information Request
9. NAS: ESM Information Answer
10. Diameter – Update Location Request
11. Diameter – Update Location Answer
12. GTP – Create Session Request
13. GTP – Create Session Request
14. GTP – Create Session Response
15. GTP – Create Session Response
16. S1AP: Initial Context Setup Request
17. S1AP: Initial Context Setup Response
18. NAS Attach Accept & Activate default bearer accept
19. GTP – Modify bearer Request
20. GTP – Modify bearer Response
Signaling and user plane connection after successful attach
LTE Roaming Architecture
LTE Roaming
Roaming is an important functionality, where operators share their networks with each other’s subscribers. Typically roaming happens between operators serving different areas, such as different countries, since this does not cause conflicts in the competition between the operators, and the combined larger service area benefits them as well as the subscribers.
The words home and visited are used as prefixes to many other architectural terms to describe where the subscriber originates from and where it roams to respectively.
3GPP SAE specifications define which interfaces can be used between operators, and what additional considerations are needed if an operator boundary is crossed. In addition to the connectivity between the networks, roaming requires that the operators agree on many things at the service level, e.g. what services are available, how they are realized, and how accounting and charging is handled. This agreement is called the Roaming Agreement, and it can be made directly between the operators, or through a broker. The 3GPP specifications do not cover these items, and operators using 3GPP technologies discuss roaming related general questions in a private forum called the GSM Association, which has published recommendations to cover these additional requirements.
LTE Roaming
https://www.gsma.com/newsroom/wp-content/uploads//IR.88-v18.0.pdf
LTE Roaming: Home Routed
LTE Roaming: Local breakout
Interworking between 5G and 4G Core
4G - 5G Interworking
● To ensure successful interworking with appropriate EPS functionality, only one PGW-C + SMF is allocated per APN to the UE, and this is enforced by the HSS+UDM. HSS+UDM sends the PGW-C + SMF FQDN per APN to the MME.
● As discussed before when the UE has been registered in one system and moves to the other, the UE has no native UE ID for the target system. Therefore UE maps the temp ID of the source system to the target system. 4G GUTI <-> 5G-GUTI
● When moving from 5GS -> EPS, UE includes GUMMEI in RRC as a native GUMMEI. In addition UE states that 4G-GUTI has been mapped from 5G-GUTI.
● When moving from EPS -> 5G, UE includes GUAMI in RRC as a native GUAMI. Also it mentions 5G-GUTI has been mapped from 4G-GUTI.