As seen in earlier posts, the 3GPP release 13 IoT system architecture work done by the SA2 group had 2 key optimizations on the system architecture
- Control plane optimizations
- User plane optimizations
This post is a deep dive on the control plane optimizations.
Why is control plane optimization needed?
Today in LTE when the UE needs to send uplink data while in EMM-IDLE state, it has to send a Service Request to the core network, which then triggers radio bearer establishment and setup of S1U GTPU tunnel between eNB and SGW (which involves a Modify Bearer Request signaling from MME to SGW).
For battery constrained IoT devices that need to send uplink data once in a week or a month and that too a small payload, such elaborate signaling procedures are a waste of unnecessary signaling and energy (battery drain). Instead its much simpler and efficient to send the small data payload over the control plane signaling and let MME that receives the small data over NAS (control plane) send the data to SGW.
Ways of routing data sent over control plane to applications:
For cellular IoT optimizations, 3GPP SA2 introduced a new PDN type - non-IP. Upto release 13 the following PDN types were already supported for LTE
- IPv4
- IPv6
- IPv4v6
From release 13 onwards non-IP PDN type is added as the 4th PDN type. When a UE uses control plane optimization it can establish PDNs with IP PDN types (v4 / v6 or v4v6) or non IP PDN type. An IP PDN can only go through SGW and PGW.
A non IP PDN established when UE uses control plane optimization has 2 possible paths
- via MME —> SGW —> PGW
- via MME —> SCEF
So when data is sent over control plane (NAS), it can either get routed through SGW —> PGW (if its a IP PDN or a non IP PDN which is not an SCEF PDN) or through the SCEF if its a non IP PDN established through SCEF.
How the UE sends uplink data over control plane (NAS) when in EMM-IDLE state?
When the UE is in EMM-IDLE state, the eNodeB has no context about the UE and has no security relationship. For LTE when data is sent over the DRB (user plane), the UE and eNB establish a security context and that security context is used to encrypt the data between the UE and the eNB. Similarly for data sent over NAS, the data has to be encrypted. The UE has an established NAS security context. The UE initiates a new message called CONTROL PLANE SERVICE REQUEST (ref TS 24.301 section 8.2.33) which carries the ESM DATA TRANSPORT inside the ESM Message Container IE and the data is carried inside this ESM DATA TRANSPORT message payload of the CONTROL PLANE SERVICE REQUEST. This data payload is encrypted using the NAS security context that the UE already has.
So why a new CONTROL PLANE SERVICE REQUEST message is required and why not extend the existing SERVICE REQUEST message? The answer lies in how the UE state machine behaves for the normal SERVICE REQUEST message. As per section 5.6.1.1 of TS 24.301, once the UE sends SERVICE REQUEST, it starts T3417 timer and the timer is stopped when RRC indicates successful establishment of radio bearers. So how to indicate the UE that data sent over NAS is successfully received at MME if its sent over the normal SERVICE REQUEST message? 3GPP CT1 debated about using a new SERVICE ACCEPT message in response to SERVICE REQUEST to indicate the UE. However the UE vendors were not in favour of modifying the existing SERVICE REQUEST state machine to accept a new SERVICE ACCEPT message as yet another condition to stop T3417. Instead a new message called CONTROL PLANE SERVICE REQUEST was introduced with SERVICE ACCEPT as the response to indicate successful handling of data over NAS at MME.
Since only the data sent in the ESM DATA TRANSPORT payload of CONTROL PLANE SERVICE REQUEST is ciphered and not the full NAS message, this introduces a new case of partially ciphered NAS message. As CONTROL PLANE SERVICE REQUEST is an initial NAS message it cant be fully ciphered. It can only be integrity protected. Hence only the data part alone can be partially ciphered. It is important to note that for ciphering the keystream length to be given is the length of the ESM-DATA-TRANSPORT message.
Other key aspects of control plane optimization
- UE can attach without PDN. In LTE an attach without PDN is not possible. However with cellular IoT optimization, attach without PDN was introduced (applicable to both control plane and user plane optimization). To handle this case, the UE shall include a ESM DUMMY MESSAGE instead of the PDN CONNECTIVITY REQUEST in the ESM container (which is a mandatory IE) of the Attach Request
- MME to use GTP-U (S11U) tunnel towards SGW to send the data received over control plane for PDNs set up through SGW/PGW.
- Transfer of the S11U GTPU FTEIDs across MMEs during inter MME TAU procedure.
- Robust Header Compression (RoHC) between MME and UE for IP PDNs data sent over control plane.
- APN rate control and Serving PLMN rate control
- Change of PDN from control plane to user plane optimization (for PDNs established through SGW/PGW, all such PDNs of the UE shall either follow control plane optimization or user plane optimization). PDNs established with SCEF shall always use control plane optimization only and that too non IP PDN type only.
Why APN and serving PLMN rate control?
LPWA IoT devices will be sending very minimal data and their bandwidth consumption will be very less. Using consumer PDN tariff (which typically is of the order of few GBs of data per month for X $) will not allow the operators to meaningfully charge for the IoT consumption. For IoT devices the charging should rather be at X number of messages in a week / month. APN rate control is a parameter that enforces this in the form of number of messages per time unit. APN rate control is applicable to both control plane and user plane optimization.
Serving PLMN rate control is a rate of message per 6 minute interval allowed by the serving PLMN and signaled to the HPLMN in case of roaming UEs so that the HPLMN will not bombard the VPLMN with too many messages. Serving PLMN rate control is applicable only for PDNs pinned to control plane (i.e SCEF PDNs). Its not applicable to user plane optimization.
A deep dive into user plane optimization changes in the core network will follow in subsequent posts.
When the ciot user is in idle state and sends a control plane service request, will the state change from idle to connected?
ReplyDeleteIt will only change once you get establishment confirm from rrc
DeleteThanks for asking this question. After the completion of Control Plane Service Request, the core network can tear down the S1 connection if no longer needed. In that case UE will go to EMM-IDLE state. If core network keeps the S1 connection, the UE will move to EMM-CONNECTED state.
ReplyDeleteWhat is the difference between NON IP PDN control plane data transfer and IP PDN control plane Data transfer.. and advantages ?
ReplyDeleteThanks for asking this question and apologies for the late reply.
DeleteNon IP control plane data transfer implies transfer of data over NAS with the payload being not a IP packet. It could be any protocol like OMA LWM2M or MQTT-SN (with framing directly over NAS instead of TCP or UDP)
IP data over control plane means the data payload over NAS is a IP packet (IPv4 or IPv6).
While non IP data over control plane can be carried from MME onwards in two different paths (1. MME --> SCEF --> SCS/AS 2. MME --> SGW --> PGW --> Application Function), the IP data over control plane can only go via SGW-->PGW path.
Can APN rate control feature some how also be helpful for the IOT device can do attach without PDN for charging purpose?
ReplyDeleteThanks for asking this question.
DeleteAPN rate control is applicable only when PDN is used. For attach without PDN case - the only communication mechanism with UE is SMS over NAS. For SMS - the regular SMS charging architecture applies. However operators could deploy special SMSC for M2M SMS data and could charge differentially for M2M SMS.
Just to add.
DeleteUE which has done attach without pdn can activate PDN later after attach.
At that time, APN rate control will come into picture for this APN.
But can this be use for charging purpose ? I have some doubts, since this feature is to limit UE sending data in given time. So it should not matter, as UE cannot send data more that APN rate control.
@Anonymous Hollow - Yes the APN rate control is applicable only when PDN connection is setup. It is used for "rate control" to cap message usage at a defined limit. The limit could be derived based on the agreed monthly message limit for example. In that aspect its bit related to the tariff plan - but rather as a derivative of it - and not directly linked to charging.
DeleteHello,
ReplyDeleteI have 4 questions:
1. The apn rate controle is enforced in UL by the UE as specified in the PCO sent from the PGW ... how serving plmn rate control could be enforced in UL?
2. For Data buffering HL Com there is any difference between TCP and UDP protocols? All are buffered ?
3. for SMS delivery this could be sent either via SGd or SGs assuming that this interface is existing how would the MME take such as decision ? Any spec to read ?
4. for Legal interception do you have any elements to start looking into ?
Thank you
Regards
1. Uplink serving PLMN rate control is enforced at MME and not at UE. You may refer to clause 4.7.7.2 of TS 23.401
Delete2. 3GPP just transports IP packet. Irrespective of transport protocol used above IP, the buffering treatment at 3GPP nodes is the same - from a standards perspective. But various gateway products can implement transport specific optimizations. These are implementation specific.
3. Use of SGd / SGs depends on deployment configuration + requiring subscription for SMS at HSS. SMS over SGd is typically used in networks that do not have SMS over CS network as a legacy baggage. You may refer Annex C of TS 23.272.
4. So far I have not seen LI requirements for non IP data and data over control plane defined for MME / SCEF in TS 33.107 / 33.108.
4.
Is serving PLMN rate control only applicable for NON-IP PDNs?
ReplyDeletefor attach without PDN, in case of MO/MT SMS via NAS towards MME and further towards SGd the SMS will come to MTC-IWF via T4.But there is no UE session at MTC-IWF.So how it will process it towards SCS.Please help me to understand
ReplyDeletefor serving plmn rate control, UE can send x messages of ESM_DATA_TRANSPORT in 6 minutes (10 < x < 65535).
ReplyDeleteSending most of allowed messages in the end of 6 minutes interval and most of allowed messages in the beginning of next 6 minutes interval make a possible situation that the UE can send almost double amount of messages compared to value configured by the NW.
from the other hand- implementation using "moving window" actually can waste a large amount of memory (need to save the time received each x last messages per APN) Seems this is not the meaning of this feature..because these devices intend to send messages infrequently, this feature is useful in case of roaming UEs so that the HPLMN will not bombard the VPLMN with too many messages.
Do you have any idea what the standard meant?
in APN Rate control, what is the maximum packet we can allow per unit of time?
ReplyDeleteYour article has piqued a lot of positive interest. I can see why since you have done such a good job of making it interesting.
ReplyDeleteWebdesign