Posts Tagged ‘PCRF’

This is a continuation of the 4G – IMS topic I’ve started a while back.

Still, before continuing the IMS registration started in

I would like to show a preview of the Specs describing this fancy IMS thinggie.

[This information is not structured by me, but it was on tech-invite, before they decided to put a price on all that information.]

The General aspects:

3GPP TS 22.228 Service Requirements for the IP Multimedia Core Network (IM CN) Subsystem – Stage 1
3GPP TS 23.228 IP Multimedia Subsystem (IMS) – Stage 2
RFC 3327SIP “Path” Extension Header Field for Registering Non-Adjacent Contacts
RFC 3608SIP Extension Header Field for Service Route Discovery during Registration
3GPP TS 29.109GAA – Zh and Zn Interfaces based on the Diameter protocol – Stage 3
3GPP TS 29.229Cx and Dx interfaces based on the Diameter protocol – Protocol Details
3GPP TS 29.230Diameter Applications – 3GPP Specific Codes and Identifiers
3GPP TS 29.329Sh Interface based on the Diameter protocol – Protocol Details
3GPP TS 32.299 Charging Management – Diameter Charging Applications
RFC 3588Diameter Base Protocol
RFC 3589Diameter Command Codes for 3GPP Release 5
RFC 4740 Diameter Session Initiation Protocol (SIP) Application
3GPP TS 23.228 IP Multimedia Subsystem (IMS) – Stage 2
3GPP TS 29.229 Cx and Dx interfaces based on the Diameter protocol – Protocol Details
RFC 4282 The Network Access Identifier
3GPP TS 23.203 Policy and Charging Control Architecture
3GPP TS 29.207Policy Control over Go Interface
3GPP TS 29.208End-to-end Quality of Service (QoS) Signalling Flows
3GPP TS 29.209Policy control over Gq Interface
3GPP TS 22.115Service Aspects – Charging and Billing
3GPP TS 32.240Charging Architecture and Principles
3GPP TS 32.260 IP Multimedia Subsystem (IMS) Charging
3GPP TS 23.125 Overall high level functionality and architecture impacts of flow based charging – Stage 2
3GPP TS 23.203 Policy and Charging Control Architecture
3GPP TS 29.210Charging Rule Provisioning over Gx Interface
3GPP TS 29.211Rx Interface and Rx/Gx Signalling Flows
3GPP TS 23.203Policy and Charging Control Architecture
3GPP TS 32.295Charging Data Record (CDR) Transfer
3GPP TS 32.296Online Charging System (OCS): Applications and Interfaces
3GPP TS 32.297Charging Data Record (CDR) File Format and Transfer
3GPP TS 32.298Charging Data Record (CDR) Parameter Description
3GPP TS 32.299Diameter Charging Applications
3GPP 33-series3GPP Specifications related to Security
3GPP TS 23.107Quality of Service (QoS) Concept and Architecture
3GPP TS 23.207End-to-end Quality of Service (QoS) Concept and Architecture
3GPP TS 29.208End-to-end Quality of Service (QoS) Signalling Flows
3GPP TS 22.127 Service Requirement for the Open Service Access (OSA) – Stage 1
3GPP TS 23.198Open Service Access (OSA) – Stage 2
3GPP TS 29.19829.198 series: Open Service Access (OSA) API
3GPP TS 29.19929.199 series: OSA Parlay X Web Services
3GPP TS 22.078 CAMEL – Service description – Stage 1
3GPP TS 23.078CAMEL Phase 4 – Stage 2
3GPP TS 23.278CAMEL Phase 4 – Stage 2 – IM CN Interworking
3GPP TS 29.078CAMEL Phase X – CAMEL Application Part (CAP) specification
3GPP TS 29.278CAMEL Phase 4 – CAP specification for IP Multimedia Subsystems (IMS)
3GPP TS 29.002Mobile Application Part (MAP) specification
WLAN Access:
3GPP TS 22.234 Requirements on 3GPP system to Wireless Local Area Network (WLAN) interworking
3GPP TS 23.2343GPP System to WLAN Interworking – System Description
3GPP TS 24.234 WLAN User Equipment (WLAN UE) to Network Protocols – Stage 3
3GPP TS 29.161Interworking between the PLMN supporting Packet based Services with WLAN Access and PDNs
3GPP TS 29.2343GPP System to WLAN Interworking – Stage 3
3GPP TS 32.252WLAN Charging
3GPP TS 33.234WLAN Interworking Security
CSICS: Circuit Switched IMS Combinational Services:
3GPP TS 22.279 Combined CS and IMS Sessions – Stage 1
3GPP TS 23.279 Combining Circuit Switched (CS) and IMS Services – Stage 2
3GPP TS 24.279 Combining Circuit Switched (CS) and IMS Services – Stage 3
3GPP TS 22.141Presence Service – Stage 1 – Requirements
3GPP TS 23.141Presence Service – Stage 2 – Architecture and functional description
3GPP TS 24.141Presence service using the IP Multimedia (IM) Core Network (CN) subsystem – Stage 3
3GPP TS 26.141IMS Messaging and Presence – Media formats and codecs
3GPP TS 33.141 Presence service – Security OMA Presence Simple OMA Presence Simple V1.0.1 Approved Enabler
PoC: Push-to-talk over Cellular:
3GPP TR 23.979Push-to-talk over Cellular (PoC) Services – Stage 2
3GPP TS 32.272 Push-to-talk over Cellular (PoC) charging
And now, let’s get down to business.

As I was describing in the previous episode – 4G to IMS call flow – Register to IMS – part 1 – the IP-CAN Session Establishment is scheduled for today.

The procedure of IP-CAN (Connectivity Access Network) establishment is described in TS 23.203.

Basically, the IP-CAN is the IP address that the User Equipment gets:

– either during Initial Attach

– or at a Dedicated Bearer creation

that connects that UE to the IMS APN. There are multiple ways of getting this IP address, ways varying from DHCP/DHCPv6, PPP and so on. With regards to IMS, the IP-CAN is given by the PGW, following the PCC rules from its local PCRF.

But, before displaying the actual IP-CAN Session Establishment, let’s take a look at the functional entities and the architectures involved.

The possible scenarios when talking about PCC (Policy and Charging Control) functionality, presented in TS 23.203. I have just copied the architecture pictures. The functional entities are described separately in the same TS 23.203 spec – section 6.2. Functional Entities. I will just underline, where the case requires, which entity from this “PCC Reference Architecture” matches which entity on the 4G architecture.

Before, let’s clarify a few things about these 3 funky pictures:

The acronyms:

HPLMN == Home Public Land Mobile Network

VPLMN == Visited Public Land Mobile Network (the user is in roaming)

SPR == Subscription Profile Repository

TS 23.203 – section 6.2.4 – SPR :

The SPR logical entity contains all subscriber/subscription related information needed for subscription-based policies and IP‑CAN bearer level PCC rules by the PCRF. The SPR may be combined with or distributed across other databases in the operator’s network, but those functional elements and their requirements for the SPR are out of scope of this document.

** The SPR is connected to the PCRF via the Sp interface.

AF == Application Function

TS 23.203 – section 6.2.3 – AF:

The Application Function (AF) is an element offering applications that require dynamic policy and/or charging control over the IP‑CAN user plane behaviour. The AF shall communicate with the PCRF to transfer dynamic session information, required for PCRF decisions as well as to receive IP‑CAN specific information and notifications about IP‑CAN bearer level events. One example of an AF is the P‑CSCF of the IM CN subsystem.

** The AF is connected to the PCRF via the Rx interface.

OCS == Online Charging System

– The OCS is described in TS 32.240. In the PCC architecture we are only interested in its component called Service Data Flow Based Credit Control – its main purpose being to perform online credit control functions.

** The OCS is connected to the PCEF via the Gy interface.

PCRF == Policy Control and Charging Rules Function

TS 23.203 – section 6.2.1 PCRF:

The PCRF encompasses policy control decision and flow based charging control functionalities.

The PCRF provides network control regarding the service data flow detection, gating, QoS and flow based charging (except credit management) towards the PCEF.

The PCRF shall apply the security procedures, as required by the operator, before accepting service information from the AF.


Here we are talking about 2 PCRF entities:

a) there is only one PCRF involved in the first case, when the UE is NOT in roaming; this is the local/home PCRF

b) in the home routed access and local breakout scenarios there is on one hand the V-PCRF (visited) – the PCRF entity from the visited network and on the other hand the H-PCRF (home) – the PCRF entity from the home network

** The PCRF is connected to the:

– AF via the Rx interface

– SPR via the Sp interface

– BBERF via the Gxx interface

– PCEF via the Gx interface

– H-PCRF and V-PCRF are connected via the S9 interface

BBERF == Bearer Binding and Even Reporting Function

TS 23.203 – section 6.2.7 BBERF:

The BBERF includes the following functionalities:

–     Bearer binding.

–     Uplink bearer binding verification.

–     Event reporting to the PCRF.

–     Sending or receiving IP‑CAN-specific parameters, to or from the PCRF.

* Note: As far as I understand, and in order to somehow “map” the names of the “PCC” entities to the names of the “EPC” entities I’ve first learned about, I believe this BBERF role is actually played by the SGW as we know it from the EPC terminology. Please correct me if I’ve got this wrong.

CORRECTION (further reading on TS 23.203): In the GTP-based 3GPP access network the BBERF entity does NOT apply.

** The BBERF is connected to the PCRF via the Gxx interface.

PCEF == Policy and Charging Enforcement Function

TS 23.203 – section 6.2.2 PCEF:

The PCEF encompasses service data flow detection, policy enforcement and flow based charging functionalities.

This functional entity is located at the Gateway (e.g. GGSN in the GPRS case, and PDG in the WLAN case). It provides service data flow detection, user plane traffic handling, triggering control plane session management (where the IP‑CAN permits), QoS handling, and service data flow measurement as well as online and offline charging interactions.


*Note: The EPC entity assuming the role of the PCEF in the PCC Architecture is the PGW.

** The PCEF is connected to the:

– PCRF via the Gx interface

– OCS via the Gy interface

– OFCS via the Gz interface

OFCS == Offline Charging System

TS 23.203 – section 6.2.6 OFCS:

The Offline Charging System is specified in TS 32.240 [3].

There may be several OFCSs in a PLMN. The default OFCS addresses (i.e. the primary address and secondary address) shall be locally pre-configured within the PCEF. OFCS addresses may also be passed once per IP‑CAN session from the PCRF to the PCEF. The addresses provided by the PCRF shall have a higher priority than the pre-configured ones.

** The OFCS is connected to the PCEF via the Gz interface.

[I’ll keep the pictures numbering for future referencing.]


Figure 5.1.1 Overall PCC logical architecture (non-roaming)

This architecture describes the simplest case where the User Equipment is located in his home network – in the network of the operator he subscribed to.


Figure 5.1.2 Overl PCC architecture (roaming with home routed access)

As the picture shows, here only the BBERF (which can be an SGW or a SGSN) is located in the visited network. This implies that the local (visited) PCRF is also to be used when locating the UE. The visited PCRF will contact the home PCRF via the S9 interface.


Figure 5.1.3 Overall PCC architecture for roaming with PCEF in visited network (local breakout)

This is the case where basically the entire access network is a visited network as the UE is concerned about. The BBERF (SGW or SGSN) and the PCEF (GGSN or SGW) [at least as far as the 3GPP implementations go…WiMAX guys, please help me out complete this article] are in the visited network. This implies: the use of (at least) the local (visited) PCRF, possibly the use of a local AF and the existence of a local OFCS.

This being said, let’s see how the IP-CAN Session Establishment process takes place – shamelessly copy-pasted from TS 23.203 – section 7.2 IP-CAN Session Establishment – with the consideration that, at least this spec is concise enough when describing these procedures so that I won’t feel the need to add anything else (afaik):

** Careful with the local notes, as in this single picture there are represented the IP-CAN procedures for all the 3 roaming/non-roaming scenarios described above:


This procedure concerns both roaming and non-roaming scenarios. In the roaming case when a Gateway Control Session is used, the V-PCRF should proxy the Gateway Control Session Establishment information between the BBERF in the VPLMN and the H-PCRF over S9 based on PDN-Id and roaming agreements.

For the Local Breakout scenario (Figure 5.1.3) the V-PCRF shall proxy the Indication and Acknowledge of IP‑CAN Session Establishment over S9 between the PCEF in the VPLMN and the H-PCRF

In the non-roaming case (Figure 5.1.1) the V-PCRF is not involved.

1.   The BBERF initiates a Gateway Control Session Establishment procedure as defined in clause 7.7.1 (applicable for cases 2a during initial attach and 2b, as defined in clause 7.1).

2.   The GW(PCEF) receives a request for IP‑CAN Bearer establishment. A PDN Connection Identifier may be included in the request. The GW(PCEF) accepts the request and assigns an IP address for the user.

3.  The PCEF determines that the PCC authorization is required, requests the authorization of allowed service(s) and PCC Rules information. The PCEF includes the following information: UE Identity (e.g. MN NAI), a PDN identifier (e.g. APN), the IP‑CAN type and the IP address(es), if available, the PDN Connection Identifier received for IP‑CAN Bearer establishment and, if available, the default charging method and the IP‑CAN bearer establishment modes supported. The PDN identifier, IP address(es) and UE identity enables identification of the IP‑CAN session. The IP‑CAN Type identifies the type of access from which the IP‑CAN session is established. If the service data flow is tunnelled at the BBERF, the PCEF shall provide information about the mobility protocol tunnelling encapsulation header. The PCEF may also include the Default Bearer QoS and APN-AMBR (applicable for case 1, as defined in clause 7.1). In case 2a the PCEF may also include charging ID information.

4.   If the PCRF does not have the subscriber’s subscription related information, it sends a request to the SPR in order to receive the information related to the IP‑CAN session. The PCRF provides the subscriber ID and, if applicable, the PDN identifier to the SPR. The PCRF may request notifications from the SPR on changes in the subscription information.

5.   The PCRF stores the subscription related information containing the information about the allowed service(s) and PCC Rules information.

6.   The PCRF makes the authorization and policy decision.

7.  The PCRF sends the decision(s) , including the chosen IP‑CAN bearer establishment mode, to the PCEF. The GW(PCEF) enforces the decision. The PCRF may provide the default charging method and may include the following information: the PCC Rules to activate and the Event Triggers to report. The Policy and Charging Rules allow the enforcement of policy associated with the IP‑CAN session. The Event Triggers indicate to the PCEF what events must be reported to the PCRF.

8.   If online charging is applicable, and at least one PCC rule was activated, the PCEF shall activate the online charging session, and provide relevant input information for the OCS decision. Depending on operator configuration PCEF may request credit from OCS for each charging key of the activated PCC rules.

9.   If online charging is applicable the OCS provides the possible credit information to the PCEF and may provide re-authorisation triggers for each of the credits.

In cases 2a and 2b if the OCS provides any re-authorisation trigger, which can not be monitored at the PCEF, the PCEF shall request PCRF to arrange those to be reported by the BBERF via the PCRF.

10. If at least one PCC rule was successfully activated and if online charging is applicable, and credit was not denied by the OCS, the GW(PCEF) acknowledges the IP‑CAN Bearer Establishment Request.

11. If network control applies the GW may initiate the establishment of additional IP-‑CAN bearers. See Annex A and Annex D for details.

12.  If the PCRF in step 7 requested an acknowledgement based on PCC rule operations, the GW(PCEF) sends the IP‑CAN Session  Establishment Acknowledgement to the PCRF in order to inform the PCRF of the activated PCC rules result.

Many more information on this on TS 23.203. Insist on the QoS parameter interaction.

Specially: Annex 4. 3GPP Accesses (GERAN/UTRAN/E-UTRAN) GTP-based EPC

So, let’s talk about 4G and IMS. This will describe the registration to the IMS core, when the IMS equipment is located in a Visited Network, in roaming.

The normal lines (and arrows) represent the main protocol:

– while in the 4G environment (UE, eNodeB, MME, SGW, PGW): it is eGTP (GTPv2-C) protocol

– while in the IMS environment(P-CSCF, I-CSCF, S-CSCF, HSS): it is plain IP or Diameter protocol

The dotted lines (and arrows) represent the inner IP protocol messages, which are encapsulated in GTPv1-U header.

The specs impacted by this are:

TS 23.401 : for the 4G UE equipment Initial Attach to the network

TS 23.203 : description of the IP-CAN Session Establishment procedures

TS 23.228 : description of the P-CSCF Discovery procedures

TS 21.905 : vocabulary for 3GPP Specifications

TS 29.061 : interworking of 4G and IMS

TS 29.212 : PCC (Policy and Charging Control) over Gx interface

TS 29.213 : PPC signaling flows and QoS parameters

TS 24.229 : IP multimedia call control over SIP and SDP

RFC 3261 : SIP – Session Initiation Protocol

The IMS protocols are just too many and diverse to list here all the TSs and RFCs related to them.


Let’s describe – shortly, very shortly – the messages exchanged here:

[Some of the message descriptions are simply and shamelessly copy-pasted from the spec :p  ]

1. Attach Request [TS 23.401]

The UE initiates the Attach procedure by the transmission, to the eNodeB, of an Attach Request (IMSI or old GUTI, last visited TAI (if available), UE Core Network Capability, UE Specific DRX parameters, PDN Type, Protocol Configuration Options, Ciphered Options Transfer Flag, Attach Type, KSIASME, NAS sequence number, NAS-MAC, additional GUTI, P-TMSI signature) message together with RRC parameters indicating the Selected Network and the old GUMMEI. The old GUTI may be derived from a P TMSI and RAI. IMSI shall be included if the UE does not have a valid GUTI or a valid P TMSI available. The UE stores the TIN in detached state. If the UE’s TIN indicates “GUTI” or “RAT-related TMSI” and the UE holds a valid GUTI then the old GUTI indicates this valid GUTI. If the UE’s TIN indicates “P TMSI” and the UE holds a valid P TMSI and related RAI then these two elements are indicated as the old GUTI. Mapping a P TMSI and RAI to a GUTI is specified in TS 23.003 [9]. If the UE holds a valid GUTI and the old GUTI indicates a GUTI mapped from a P-TMSI and RAI, then the UE indicates the GUTI as additional GUTI. If the old GUTI indicates a GUTI mapped from a P-TMSI and RAI and the UE has a valid P-TMSI signature associated to it, the P-TMSI signature shall be included.
If available, the last visited TAI shall be included in order to help the MME produce a good list of TAIs for any subsequent Attach Accept message. Selected Network indicates the PLMN that is selected for network sharing purposes. The RRC parameter “old GUMMEI” takes its value from the “old GUTI” contained in the Attach Request. UE Network Capability is described in UE capabilities, see clause 5.11.
If the UE has valid security parameters, the Attach Request message shall be integrity protected by the NAS-MAC in order to allow validation of the UE by the MME. KSIASME, NAS sequence number and NAS-MAC are included if the UE has valid EPS security parameters. NAS sequence number indicates the sequential number of the NAS message. If the UE does not have a valid EPS security association, then the Attach Request message is not integrity protected. In this case the security association is established in step 5a. The UE network capabilities indicate also the supported NAS and AS security algorithms. PDN type indicates the requested IP version (IPv4, IPv4/IPv6, IPv6). Protocol Configuration Options (PCO) are used to transfer parameters between the UE and the PDN GW, and are sent transparently through the MME and the Serving GW. The Protocol Configuration Options may include the Address Allocation Preference indicating that the UE prefers to obtain an IPv4 address only after the default bearer activation by means of DHCPv4. If the UE intends to send PCO which require ciphering (e.g., PAP/CHAP usernames and passwords) or send an APN, or both, the UE shall set the Ciphered Options Transfer Flag and send PCO or APN or both only after authentication and NAS security setup have been completed (see below). If the UE has UTRAN or GERAN capabilities, it should send the NRSU in the PCO to indicate the support of the network requested bearer control in UTRAN/GERAN. Attach Type indicates “Handover” when the UE has already an activated PDN GW/HA due to mobility with non-3GPP accesses.

2. Attach Request [TS 23.401]

The eNodeB derives the MME from the RRC parameters carrying the old GUMMEI and the indicated Selected Network. If that MME is not associated with the eNodeB or the old GUMMEI is not available, the eNodeB selects an MME as described in clause on “MME selection function”. The eNodeB forwards the Attach Request message to the new MME contained in a S1-MME control message (Initial UE message) together with the Selected Network and TAI+ECGI of the cell from where it received the message to the new MME.

3. Create Session Request [TS 23.401]

If a subscribed PDN address is allocated for the UE for this APN, the PDN subscription context contains the UE’s IPv4 address and/or the IPv6 prefix and optionally the PDN GW identity. In case the PDN subscription context contains a subscribed IPv4 address and/or IPv6 prefix, the MME indicates it in the PDN address. For Attach Type indicating “Initial Attach”, if the UE does not provide an APN, the MME shall use the PDN GW corresponding to the default APN for default bearer activation. If the UE provides an APN, this APN shall be employed for default bearer activation. For Attach type indicating “Handover”, if the UE provides an APN, the MME shall use the PDN GW corresponding to the provided APN for default bearer activation, If the UE does not provide an APN, and the subscription context from HSS contains a PDN GW identity corresponding to the default APN, the MME shall use the PDN GW corresponding to the default APN for default bearer activation. The case where the Attach type indicates “Handover” and the UE does not provide an APN, and the subscription context from HSS does not contain a PDN GW identity corresponding to the default APN constitutes an error case. If the attach type indicates “Initial Attach” and the selected PDN subscription context contains no PDN GW identity the new MME selects a PDN GW as described in clause on PDN GW selection function (3GPP accesses). If the PDN subscription context contains a dynamically allocated PDN GW identity and the Attach Type does not indicate “Handover” the MME may select a new PDN GW as described in clause PDN GW selection function, e.g. to allocate a PDN GW that allows for more efficient routing. The new MME selects a Serving GW as described in clause on Serving GW selection function and allocates an EPS Bearer Identity for the Default Bearer associated with the UE. Then it sends a Create Session Request (IMSI, MSISDN, MME TEID for control plane, PDN GW address, PDN Address, APN, RAT type, Default EPS Bearer QoS, PDN Type, APN-AMBR, EPS Bearer Identity, Protocol Configuration Options, Handover Indication, ME Identity, User Location Information (ECGI), MS Info Change Reporting support indication, Selection Mode, Charging Characteristics, Trace Reference, Trace Type, Trigger Id, OMC Identity, Maximum APN Restriction, Dual Address Bearer Flag, the Protocol Type over S5/S8) message to the selected Serving GW.

The RAT type is provided in this message for the later PCC decision. The subscribed APN AMBR for the APN is also provided in this message. The MSISDN is included if provided in the subscription data from the HSS. Handover Indication is included if the Attach type indicates handover. Selection Mode indicates whether a subscribed APN was selected, or a non-subscribed APN sent by the UE was selected.. Charging Characteristics indicates which kind of charging the bearer context is liable for. The MME may change the requested PDN type according to the subscription data for this APN as described in clause The MME shall set the Dual Address Bearer Flag when the PDN type is set to IPv4v6 and all SGSNs which the UE may be handed over to are Release 8 or above supporting dual addressing, which is determined based on node pre-configuration by the operator. The Protocol Type over S5/S8 is provided to Serving GW which protocol should be used over S5/S8 interface.


The charging characteristics for the PS subscription and individually subscribed APNs as well as the way of handling Charging Characteristics and whether to send them or not to the P GW is defined in TS 32.251 [44]. The MME shall include Trace Reference, Trace Type, Trigger Id, and OMC Identity if S GW and/or P GW trace is activated. The MME shall copy Trace Reference, Trace Type, and OMC Identity from the trace information received from the HLR or OMC.

The Maximum APN Restriction denotes the most stringent restriction as required by any already active bearer context. If there are no already active bearer contexts, this value is set to the least restrictive type (see clause 15.4 of TS 23.060 [7]). If the P GW receives the Maximum APN Restriction, then the P GW shall check if the Maximum APN Restriction value does not conflict with the APN Restriction value associated with this bearer context request. If there is no conflict the request shall be allowed, otherwise the request shall be rejected with sending an appropriate error cause to the UE.

NOTE 7:The Dual Address Bearer Flag is not used when the Protocol Type over S5/S8 is PMIP.

4. Create Session Request [TS 23.401]
The Serving GW creates a new entry in its EPS Bearer table and sends a Create Session Request (IMSI, MSISDN, APN, Serving GW Address for the user plane, Serving GW TEID of the user plane, Serving GW TEID of the control plane, RAT type, Default EPS Bearer QoS, PDN Type, PDN Address, subscribed APN-AMBR, EPS Bearer Identity, Protocol Configuration Options, Handover Indication, ME Identity, User Location Information (ECGI), MS Info Change Reporting support indication, Selection Mode, Charging Characteristics, Trace Reference, Trace Type, Trigger Id, OMC Identity, Maximum APN Restriction, Dual Address Bearer Flag) message to the PDN GW indicated by the PDN GW address received in the previous step. After this step, the Serving GW buffers any downlink packets it may receive from the PDN GW without sending a Downlink Data Notification message to the MME until it receives the Modify Bearer Request message in step 23 below. The MSISDN is included if received from the MME.
5. IP-CAN Session Establishment [TS 23.203] – next episode
6. Create Session Response [TS 23.401]
The P GW creates a new entry in its EPS bearer context table and generates a Charging Id. The new entry allows the P GW to route user plane PDUs between the S GW and the packet data network, and to start charging. The way the P GW handles Charging Characteristics that it may have received is defined in TS 32.251 [44].
The PDN GW returns a Create Session Response (PDN GW Address for the user plane, PDN GW TEID of the user plane, PDN GW TEID of the control plane, PDN Type, PDN Address, EPS Bearer Identity, EPS Bearer QoS, Protocol Configuration Options, Charging Id, Prohibit Payload Compression, APN Restriction, Cause, MS Info Change Reporting Action (Start) (if the PDN GW decides to receive UE’s location information during the session), APN-AMBR) message to the Serving GW. The PDN GW takes into account the received PDN type, the Dual Address Bearer Flag and the policies of operator when the PDN GW selects the PDN type to be used as follows. If th received PDN type is IPv4v6 and both IPv4 and IPv6 addressing is possible in the PDN but the Dual Address Bearer Flag is not set, or only single IP version addressing for this APN is possible in the PDN, the PDN GW selects a single IP version (either IPv4 or IPv6). If the received PDN type is IPv4 or IPv6, the PDN GW uses the received PDN type if it is supported in the PDN, otherwise an appropriate error cause will be returned. The PDN GW allocates a PDN Address according to the selected PDN type. If the PDN GW has selected a PDN type different from the received PDN Type, the PDN GW indicates together with the PDN type IE a reason cause to the UE why the PDN type has been modified, as described in clause PDN Address may contain an IPv4 address for IPv4 and/or an IPv6 prefix and an Interface Identifier. If the PDN has been configured by the operator so that the PDN addresses for the requested APN shall be allocated by usage of DHCPv4 only, or if the PDN GW allows the UE to use DHCPv4 for address allocation according to the Address Allocation Preference received from the UE, the PDN Address shall be set to, indicating that the IPv4 PDN address shall be negotiated by the UE with DHCPv4 after completion of the Default Bearer Activation procedure. In case of external PDN addressing for IPv6, the PDN GW obtains the IPv6 prefix from the external PDN using either RADIUS or Diameter client function. In the PDN Address field of the Create Session Response, the PDN GW includes the Interface Identifier and IPv6 prefix. The PDN GW sends Router Advertisement to the UE after default bearer establishment with the IPv6 prefix information for all cases.
If the PDN address is contained in the Create Session Request, the PDN GW shall allocate the IPv4 address and/or IPv6 prefix contained in the PDN address to the UE. The IP address allocation details are described in clause 5.3.1 on “IP Address Allocation”. The PDN GW derives the BCM based on the NRSU and operator policy. Protocol Configuration Options contains the BCM as well as optional PDN parameters that the P GW may transfer to the UE. These optional PDN parameters may be requested by the UE, or may be sent unsolicited by the P GW. Protocol Configuration Options are sent transparently through the MME.

7. Create Session Response
[TS 23.401]
If the MS Info Change Reporting Action (Start) is received for this bearer context, then the S GW shall store this for the bearer context and the S GW shall report to that P GW whenever a UE’s location change occurs that meets the P GW request, as described in clause 15.1.1a of TS 23.060 [7].
The Serving GW returns a Create Session Response (PDN Type, PDN Address, Serving GW address for User Plane, Serving GW TEID for User Plane, Serving GW TEID for control plane, EPS Bearer Identity, EPS Bearer QoS, PDN GW addresses and TEIDs (GTP-based S5/S8) or GRE keys (PMIP-based S5/S8) at the PDN GW(s) for uplink traffic, Protocol Configuration Options, Charging Id, Prohibit Payload Compression, APN Restriction, Cause, MS Info Change Reporting Action (Start), APN-AMBR) message to the new MME.

8. Initial Context Setup Request/ Attach Accept[TS 23.401]
If an APN Restriction is received, then the MME shall store this value for the Bearer Context and the MME shall check this received value with the stored value for the Maximum APN Restriction to ensure there are no conflicts between values. If the Bearer Context is accepted, the MME shall determine a (new) value for the Maximum APN Restriction. If there is no previously stored value for Maximum APN Restriction, then the Maximum APN Restriction shall be set to the value of the received APN Restriction.
If the MS Info Change Reporting Action (Start) is received for this bearer context, then the MME shall store this for the bearer context and the MME shall report whenever a UE’s location change occurs that meets the request, as described in clause 15.1.1a of TS 23.060 [7].
The MME determines the UE AMBR to be used by the eNB based on the subscribed UE-AMBR and the APN AMBR for the default APN, see clause 4.7.3.
The new MME sends an Attach Accept (APN, GUTI, PDN Type, PDN Address, TAI List, EPS Bearer Identity, Session Management Request, Protocol Configuration Options, KSIASME, NAS sequence number, NAS-MAC, IMS Voice over PS session supported Indication) message to the eNodeB. GUTI is included if the new MME allocates a new GUTI. This message is contained in an S1_MME control message Initial Context Setup Request. This S1 control message also includes the AS security context information for the UE, the Handover Restriction List, the EPS Bearer QoS, the UE-AMBR, EPS Bearer Identity, as well as the TEID at the Serving GW used for user plane and the address of the Serving GW for user plane. In the Attach Accept message, the MME does not include the IPv6 prefix within the PDN Address. The MME includes the EPS Bearer QoS parameter QCI and APN-AMBR into the Session Management Request. Furthermore, if the UE has UTRAN or GERAN capabilities, the MME uses the EPS bearer QoS information to derive the corresponding PDP context parameters QoS Negotiated (R99 QoS profile), Radio Priority, Packet Flow Id and TI and includes them in the Session Management Request. If the UE indicated in the UE Network Capability it does not support BSS packet flow procedures, then the MME shall not include the Packet Flow Id. Handover Restriction List is described in clause “Mobility Restrictions”. The MME sets the IMS Voice over PS session supported Indication as described in clause
If the MME or PDN GW has changed the PDN Type, an appropriate reason cause shall be returned to the UE as described in clause
9. RRC Connection Reconfiguration[TS 23.401]
The eNodeB sends the RRC Connection Reconfiguration message including the EPS Radio Bearer Identity to the UE, and the Attach Accept message will be sent along to the UE. The UE shall store the QoS Negotiated, Radio Priority, Packet Flow Id and TI, which it received in the Session Management Request, for use when accessing via GERAN or UTRAN. The APN is provided to the UE to notify it of the APN for which the activated default bearer is associated. For further details, see TS 36.331 [37]. The UE may provide EPS Bearer QoS parameters to the application handling the traffic flow(s). The application usage of the EPS Bearer QoS is implementation dependent. The UE shall not reject the RRC Connection Reconfiguration on the basis of the EPS Bearer QoS parameters contained in the Session Management Request.
When receiving the Attach Accept message the UE shall set its TIN to “GUTI” as no ISR Activated is indicated.
If the UE receives an IPv4 address set to, it may negotiate the IPv4 address with DHCPv4 as specified in TS 29.061 [38]. If the UE receives an IPv6 interface identifier, it may wait for the Router Advertisement from the network with the IPv6 prefix information or it may send a Router Solicitation if necessary.
NOTE 10:The IP address allocation details are described in clause 5.3.1 on “IP Address Allocation”.
10. RRC Connection Reconfiguration Complete[TS 23.401]
The UE sends the RRC Connection Reconfiguration Complete message to the eNodeB. For further details, see TS 36.331 [37].
11. Initial Context Setup Response[TS 23.401]
The eNodeB sends the Initial Context Response message to the new MME. This Initial Context Response message includes the TEID of the eNodeB and the address of the eNodeB used for downlink traffic on the S1_U reference point.
12. Direct Transfer[TS 23.401]
The UE sends a Direct Transfer message to the eNodeB, which includes the Attach Complete (EPS Bearer Identity, NAS sequence number, NAS-MAC) message.
13. Attach Complete[TS 23.401]
The eNodeB forwards the Attach Complete message to the new MME in an Uplink NAS Transport message.
After the Attach Accept message and once the UE has obtained a PDN Address, the UE can then send uplink packets towards the eNodeB which will then be tunnelled to the Serving GW and PDN GW. If the UE requested for a dual address PDN type (IPv4v6) to a given APN and was granted a single address PDN type (IPv4 or IPv6) by the network with a reason cause indicating that only single IP version per PDN connection is allowed sent together with the PDN type, the UE may request for the activation of a parallel PDN connection to the same APN with a single address PDN type (IPv4 or IPv6) other than the one already activated. If the UE receives no reason cause in step 18 in response to an IPv4v6 PDN type and it receives an IPv6 Interface Identifier apart from the IPv4 address or in the PDN Address field, it considers that the request for a dual address PDN was successful. It can wait for the Router Advertisement from the network with the IPv6 prefix information or it may send Router Solicitation if necessary.
14. Modify Bearer Request[TS 23.401]
Upon reception of both, the Initial Context Response message in step 21 and the Attach Complete message in step 22, the new MME sends a Modify Bearer Request (EPS Bearer Identity, eNodeB address, eNodeB TEID, Handover Indication) message to the Serving GW.
15. Modify Bearer Response[TS 23.401]
The Serving GW acknowledges by sending Modify Bearer Response (EPS Bearer Identity) message to the new MME. The Serving GW can then send its buffered downlink packets.
—— in the next episode —–
16. P-CSCF Discovery
17. Register
18. DNS Query
19. Register
20. Diameter UAR
21. Diameter UAA
22. Register
23. Diameter MAR
24. Diameter MAA
25. 401 Unauthorized
26. 401 Unauthorized
27. 401 Unauthorized
28. Register
29. Register
30. Diameter UAR
31. Diameter UAA
32. Register
33. Diameter SAR
34. Diameter SAA
35. 200OK
36. 200OK
37. 200OK

4G – IMS

Posted: August 13, 2010 in technical
Tags: , , , , , , , , , , , , ,

I’ve been looking, as one of this blog’s readers asked for, a 3GPP spec to describe the functionality of the PGW (or SGW)..or, for the matter of fact, the 4G network element that deals with the IMS interaction. The common sense advised me the “culprit” in this matter should be the PGW.

[The reader is Jason Miller – RCS Engineer at Verizon Wireless :d ]

And TS 29.061 confirmed my idea 🙂

First let’s take a short look at the 4G – IMS picture.

[nggallery id=44]

As you should know by now:

1. MME, unlike SGSN, only does control-plane traffic, only GTPv2-C signaling

2. SGW does both signaling and user-plane traffic

3. all user-plane traffic that flows from the eNB via the SGW to the PGW is encapsulated in GTPv1-U tunnels

4. there is a “default” bearer structure that represents the connection of the UE to the PGW (PGW being the one that allocates the IP for the UE and it is also the main anchor point for mobility purposes) – this bearer is only used for fallback and the specs don’t recommend sending user-data over it; the QoS and attributes of the default bearer reside in the local 4G HSS database, connected via S6a to the MME

5. in order to be able to better shape the user-plane traffic, there are “dedicated” bearer structures that have a QoS class associated; the PCRF contains the information about these bearers, classifying traffic according to its importance; the PGW is the one responsible to communicate with PCRF, gather these rules and trigger the dedicated bearers creation to sustain this traffic

6. the PGW deals with encapsulation of the downlink data into the correct GTPv1-U tunnels according to the appropriate QoS settings – which results in specific user-plane bearer identifiers being used to identify these tunnels; also, the PGW deals with the decapsulation of the uplink data traffic and routing it to the appropriate destination in the Internet/IMS networks/intranet…etc. As the enforcer of the QoS patterns, the PGW acts as border MPLS router, translating the bearer QoS structures into plain IP QoS structures

In the TS 29.061 – section 13.a, the 3GPP guys shortly define the roles of the PGW:

Interworking with the IP Multimedia Core Network Subsystem (IMS) puts additional requirements on the GGSN/P-GW. When the MS/UE connects to the IP Multimedia Core Network Subsystem (IMS), specific parameters in Session Management messages may be handled. The IMS specific parameters are: IMS signalling flag, P-CSCF address request, returned P-CSCF address(es) and flow identifier(s).

For interworking with the IMS, the Gx interface (see 3GPP TS 29.212 [75]) is used to correlate the session (SIP/SDP) and the bearer (PDP Contexts).

The mechanisms in GGSN/P-GW to support IMS shall be:

–     P-CSCF discovery.

–     Dedicated signalling bearer (e.g. PDP contexts) (with or without enhanced QoS) for IMS signalling; with associated packet filters to permit signalling to/from designated servers.

–     Gx interface for policy and charging control of bearer (e.g. PDP contexts) for IMS media flows.

These mechanisms are however not restricted to the IMS and could be used for other services that could benefit from these mechanisms.

* the details can be read from the TS

4G – IMS

Posted: July 16, 2010 in technical
Tags: , , , , , , , , , , , , , , , ,

The 3GPP project consists of major telecommunications organizations worldwide and one of the latest architectures described by this organization is 4G – SAE – System Architecture Evolution. SAE consists of a radio network, named LTE – Long Term Evolution and a core network, named EPC – Evolved Packet Core, a network architecture based only on IP addressing. The radio network is

out of the scope of this paper, the focus being on the components located in EPC. Another architectural design created by 3GPP is IMS – IP Multimedia Subsystem, dealing initially with VoIP signaling, and later on with multiple types of services and applications, like push-to-talk, presence and MBMS.

The figure below describes the components most commonly found in EPC, along with their IMS interaction.


EPC – IMS Architecture

As described in Figure 1, one of the main components of the EPC is the eNodeB, which has the functionality of the antenna and the controller. This component has the role of UE – User Equipment radio management, it is the first point of contact for the UE when connecting to a 4G network, it deals with the signaling for the UE management and also with the forwarding of the user-plane traffic to and from the UE. The signaling protocol specific to 4G is called GTPv2 or eGTP – evolved GTP. This protocol is present on the following EPC interfaces: S1-MME, S11 and S5/S8 and S4 (not presented in the picture, it appears between the SGSN and SGW). The user-plane protocol present in EPC is GTPv1 – user plane, and it appears on the following interfaces: S1-U and S5/S8. One or more eNodeBs (a pool of eNBs) is managed by an entity called MME – Mobility Management Entity. This device has the role of authenticating the UE to the HSS, it manages the UE sessions and controls its mobility over the network, and, unlike its homologous SGSN (Serving GPRS Support Node) device from 3G, only has role in the signaling path of the EPC, no user-plane traffic flowing through it. The MME is the entity responsible with the selection of the following entity, SGW – Serving Gateway (it’s homologous in 3G being the GGSN – Gateway GPRS Support Node). The SGW is the local mobility anchor for the UE: it manages the UE sessions and mobility, whether the UE is in active or in idle state, does QoS enforcement and forwards the control-plane and user-plane messages to the next entity, the PGW – PDN (Packet Data Network) Gateway. This entity has the role of allocating IP addresses to the UE, to route the traffic between the EPC and the PDN, to filter the traffic and assign it to different QoS classes, as well as to enforce this QoS for certain traffic. It is as well the mobility anchor for inter-working with non-3GPP technologies.

Another important aspect of the EPC is the QoS and the way it is enforced by the EPC elements. The traffic is assigned to different QoS classes based on the rules present in the PCRF. The HSS – Home Subscriber Server is a database system used to keep the SAE – related information about a certain UE, like the authentication information or the APN – Access Point Name it can connect to. Unlike HSS, the PCRF – Policy Control and Rules Function contains the charging information about a certain user subscription, information based on which the PCEF – Policy Control Enforcement Function component of the PGW provides QoS authorization (class identifiers and bitrates) and enforces this on the traffic routed through this device. In order to signal the creation of a QoS pattern for the traffic, the EPC uses the concept of bearers. A bearer is a data structure reserved on all the EPC components, it refers to the connection between a certain UE and an APN, for a certain traffic (identified by a TFT – Traffic Flow Template – a set of TCP/IP port numbers and a QoS: QCI – QoS Class Identifier and a set of uplink and downlink bit rates). The role of the bearer is to have independent classes of traffic granularly identified on the EPC components, situation useful when doing traffic shaping and for charging. One other important situation where these bearers are very useful is the handover process; the handover process is the process when an UE moves from the coverage area of an eNB to another eNB’s area. The target antenna and the connected EPC components may or may not support the bitrates and bandwidth supported before the mobility took place. In the case where the target components no longer support the services the UE had before mobility, the EPC drops some of the bearers; the decision of what bearers to drop, meaning what services will no longer be available for that user is taken based on the bearers classification, created from a field called ARP – Allocation and Retention Priority: the bearers with the poorest ARP will be the ones dropped in a situation like the one described.

The PGW connects the UE to an APN via the Gi interface. This interface is a simple IP addressing network, but the APN can be an intranet, the Internet or an IMS – IP Multimedia Subsystem network. In case this is an IMS network, the PGW will most probably be connected to the P-CSCF entity of IMS. The center of the IMS is the CSCF – Call Session Control Function, functionality divided into three components: a Proxy – P-CSCF, an Interrogating unit – I-CSCF and a Serving unit – S-CSCF. The P is the first point of contact in the IMS network, whether the user is in the home network or in roaming; it is also the entity sitting in the signaling path, being able to do message inspection, can do compression of the SIP header (SigComp) and it is the one establishing IPSec sessions to the UE. If it includes a PDF – Policy Decision Function component, it can also do media-plane QoS enforcement and bandwidth management. The S is the central SIP server of the architecture, doing registrations, inspection of the messages (as it sits in the message path) and it decides the SIP AS – Application Server which serves a certain service request. In its turn, the S is assigned to the UE by the HSS. Being in the path of the messages, the S is also responsible for charging records generation. The I is another component located at the edge of the administration domain, where the other servers locate it by doing DNS interrogations (as it uses NAPTR, DNS and SRV records). It has the role of interrogating the HSS and finding out which S that HSS is allocating for that specific user. Just as the EPC, the IMS also relies on the existence of an HSS database, as well as a PCRF system. In case there are multiple IMS networks working together, and therefore multiple HSS databases present, a new element appears – SLF – Subscriber Location Function, which has the purpose of delivering a view from all the databases in order to find information about a user. The protocol dominant in IMS is SIP – Session Initiation Protocol, standardized by IETF, having multiple extensions and improvements added to it. The protocol used to access the HSS is called Diameter, the more secure and more flexible follower of RADIUS protocol. The interfaces to HSS are all running Diameter, as well as the P interface to PCRF, Rx.

Everybody knows about this Quality of Service thinggie that helps admins to classify traffic and better allocate network and system resources to accommodate traffic needs and also to enforce the policies that exist for each user/groups of users – basically according to the amount of money they pay for this service 😛

In order to enforce a QoS on SAE entities, there are a few things to keep in mind:

A. PCRF – Policy Charging Rules Function device, which basically is a database that holds specific service QoS associations for each UE – this device is interrogated by the PGW in order to find out which QoS is applied on which traffic for each UE that requests a dedicated bearer

B. HSS – Home Subscriber Server, which has _nothing_ to do with QoS; this is a static database that holds information about the UE as is, and no information about any SLA of that UE with the provider

C. Only dedicated bearers hold a QoS level as part of their TFT association

D. The QoS on SAE has multiple variants, dividing the bearers into 2 groups:

GBR bearers (Guaranteed Bit Rate)

non-GBR bearers

E. The TFT (Traffic Flow Template – containing the filtering components for the traffic) that is associated with a bearer is not per flow, but per direction:

TFT-UL (TFT uplink)

TFT -DL (TFT downlink)

Also, the TFT can be:


SDF-level (service data flow level)

Now, we are interested in the GBR bearers. The GBR profile includes the following parameters:

1. QCI – QoS Class Identifier


a. 1 QCI corresponds to 1 bearer only

b. 2 services having different QCI values can NOT be on the same bearer (TFT)

c. 2 services having the different QCI values can NOT have the same ARP (see below) value

d. QCI values must belong to [1..255]

2. ARP – Allocation & Retention Priority


a. this value has NO influence on QoS

b. this value is set per eNB, following the PGW’s decision

c. it is established by PCRF according to a tuple of —activity type — subscription information — admission policies—

3. GBR – Guaranteed Bit Rate

4. MBR – Maximum Bit Rate

** There are also aggregated GBR bearers: AMBR (this is per APN) and UE-AMBR (the per-non-GBR, per UE rate) — [note to myself] to study more on this!

***Things to consider:

Thinking about the Mobility/Handover scenarios, keep in mind that, when a UE moves from one eNB to another, or from one MME to another, or from one SGW to another, the QoS is enforced on ALL the EPS components. This means that the QCI, ARP, GBR, MBR rates will all be verified on the resources of the destination (destination eNB, destination MME and so on). This means further on that, should at least one of the components not have enough resources to sustain all the QoS of a specific UE, some bearers will be dropped – this, again, is a decision of the SGW, taking into consideration, of course, the signaling came from the rest of the components.

[courtesy of my LTE guru colleagues]

What about those LTE bearers? What exactly is a bearer?

Well, if we are to believe the 3GPP guys (3GPP TS 23.401 version 8.6.0 Release 8), an EPS bearer is a data structure (that appears on the UE, MME, SGW and PGW), a way of uniquely identifying a traffic flow between the UE and the PGW. We need to _uniquely_ identify these flows because of the QoS we want to use for that UE traffic.

When are these bearers created?

First of all, there are at most 11 bearers that can be created for a specific UE. 11 bearers TOPS – per UE. Why is this so important?


1. the first time an UE connects to an anchor point (PGW) – procedure called Initial Attach, simply by allowing that UE access on the PGW – a new (default) bearer is created – and, yes, those 11 bearers tops decrease once this happens!!!

2. an UE can be “attached” to more than 1 anchor point (PGW) – which means, an UE can have more than 1 “default”/”initial” bearers (of course, created via multiple Initial Attach procedures) – which means those 11 bearers tops decrease again

Leaving us with the rest of the bearers, those NOT created “by default” at the Initial Attach procedure, those which we call dedicated bearers.

***Note: there are not necessarily 11 bearers up and running all the time. The “11” is just the max number that can be active at a certain moment.

How do I use the bearers for QoS?

Each bearer, once created, has assigned a certain TFT set. “TFT” stands for Traffic Flow Template, the set of all packet filters associated with that certain bearer (we’ll look later on soon at the wireshark capture to see exactly how these “bearer” and “tft” look like).

How do I use the TFT for QoS?

TFT, being a set of packet filters, resides as a database tuple in the PCRF – Policy Control and charging Rules Function, a separate cute device that tells the PGW how to route, where to route, and what QoS to use for traffic flowing to and from a certain UE.

! Moment of thinking 1:

HSS – Home Subscriber Server

PCRF – Policy Control and charging Rules Function

The HSS is a database that holds only information regarding the default bearer (which basically identifies the UE as belonging to this network), while the PCRF has the role of “traffic shaping”.

! Moment of thinking 2:

Although the default bearer is more or less automatically created when the UE attaches to this network, as a network confirmation that this UE belongs to it, the dedicated bearer is NEVER initiated by the MME/UE (even if it is, the PGW will gracefully ignore it 😛 ) – the dedicated bearer will ALWAYS be initiated by the PGW, in response to a certain traffic pattern matching a rule in PCRF, though triggering the creation a new and shiny TFT.