

Figure 6.114 Security procedure (messages shown: Security Mode Command, Security Mode Complete)

6.19.7 Broadband SS7
For the Iu and Iur interfaces, a broadband SS7 stack is introduced to support the control
transport, as shown in Figure 6.115. The components of this are explained briefly.

• Message transfer part level 3 broadband (MTP3b): this layer allows signalling messages
to be transported over a complex network, i.e. there does not need to be any
direct connection between signalling points (network elements). This layer deals with
message routing, re-routing when a link fails and congestion control. It has many
similarities with the IP layer on the Internet. Inserting this SS7 stack decouples
the ATM layer from the UMTS protocols, which provides the flexibility that the
ATM can be removed and replaced with any transport network that can support the
same functionality.

Figure 6.115 Use of broadband SS7 (labels shown: application part (e.g. RANAP), SCCP, Q.2150.1)

• Signalling connection control part (SCCP): this sits on top of the message transfer part
and provides both connectionless and connection-oriented network services. In UMTS,
the connectionless mode is used, since it sits on top of the SAAL, which already
provides the connection-oriented service (see Chapter 7). General control and notification
messages use connectionless, and dedicated control uses connection-oriented. The
application part (AP) sitting on top of SCCP could be RANAP or RNSAP. Together
with MTP it is referred to as the network service part (NSP). For dedicated messages,
SCCP is used to support transfer of signalling messages between the CN and the RNC,
providing the service of establishing a unique RANAP or RNSAP signalling connection
per active user.

Signalling points can have a number of attached applications operating simultaneously,
so SCCP introduces the subsystem number (SSN) to ensure that the correct application is
accessed. In this case, the SSN will identify RANAP or RNSAP. This layer can be seen
as analogous to TCP in the Internet suite of protocols. For RANAP, SCCP can also be
used to provide address translation capabilities, known as global title translation (GTT).
However, use of this is implementation dependent.
Consider the initial establishment of a signalling connection with the RANAP initial
UE message. The SCCP message used to transport this is the connection request (CR)
message (Figure 6.116). The CR contains a local reference which uniquely identifies
the signalling connection being created. The CN will cite this number as a destination
local reference in subsequent messages relating to this connection. The CR also contains
calling and called party addresses, which identify the RANAP subsystem. The CN
replies with a connection confirm (CC) message, which provides another reference number
for associated messages in the opposite direction. Should the connection have failed
or been refused, the connection refused (CREF) would have been sent. Now the connection
is established, and the following RANAP signalling messages sent will contain
the connection reference at the SCCP layer to link the message to a specific UE. These
RANAP/RNSAP signalling messages are transported in the data form 1 format, which is
an unacknowledged connectionless service used to transparently transport the user data
between two nodes.

SCCP: Connection Request / RANAP: Initial UE Message
  Source Local Reference
    - 084045h
  Protocol Class
    - 2h, connection oriented
  Called Party Address
    - subsystem: RANAP
  Calling Party Address
    - point code : 48 (30h)
    - subsystem: RANAP
  SCCP User Data
    - data : <RANAP Initial UE Message>

SCCP: Connection Confirm
  Destination Local Reference
    - 084045h
  Source Local Reference
    - C4F154h
  Protocol Class
    - 2h, connection oriented

SCCP: Data Form 1 / RANAP
  Destination Local Reference
    - 084045h
  Segmenting/Reassembling
    - no more data
  SCCP User Data
    - length: 31 (1Fh)
    - data : <RANAP Message>

Figure 6.116 SCCP connection establishment. Reproduced by permission of NetHawk Oyj

Once the CN has completed a signalling transaction, it will issue an Iu release message.
Once the RNC has acknowledged this, SCCP will then release the SCCP connection
(Figure 6.117). The released message specifies the reference in both directions
to identify which connection to release, which is in turn acknowledged by the release
complete message.

SCCP: Data Form 1 / RANAP: Iu Release Command

SCCP: Data Form 1 / RANAP: Iu Release Complete

SCCP: Released
  Destination Local Reference
    - 084045h
  Source Local Reference
    - C4F154h
  Release Cause
    - SCCP user originated

SCCP: Release Complete (RLC - RELEASE COMPLETE)
  Destination Local Reference
    - C4F154h
  Source Local Reference
    - 084045h

Figure 6.117 SCCP connection release. Reproduced by permission of NetHawk Oyj

• Q.2150.1: this is a signalling converter, which adapts the AAL2 signalling messages
to be transported by MTP3b. For the Iub interface, Q.2150.2 is used, which is designed
for a UNI interface.
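
The SCCP connection establishment and release described above can be followed in a monitoring tool by indexing each connection under both local references. The sketch below is an added example, not taken from the book or from any vendor's analyser. It works on already-decoded messages, assumes local references are unique on the monitored link, and uses the references from Figures 6.116 and 6.117 with constructed DT1 directions and a constructed late message.

```python
# Added example: correlate decoded SCCP messages to signalling connections
# by local reference. Field names (type/slr/dlr/data) are hypothetical.

def replay(trace):
    """Return (user data per released connection, anomalies)."""
    by_ref = {}                  # local reference -> connection record
    done, anomalies = [], []
    for i, m in enumerate(trace):
        kind = m["type"]
        if kind == "CR":         # the opener chooses its own reference
            by_ref[m["slr"]] = {"state": "pending", "data": [m.get("data")]}
            continue
        conn = by_ref.get(m["dlr"])   # all other messages cite a known reference
        peer_ok = by_ref.get(m.get("slr")) is conn
        if conn is None:
            anomalies.append((i, kind, "unknown destination reference %06Xh" % m["dlr"]))
        elif kind == "CC" and conn["state"] == "pending":
            conn["state"] = "open"
            by_ref[m["slr"]] = conn   # reference for the opposite direction
        elif kind == "CREF" and conn["state"] == "pending":
            by_ref.pop(m["dlr"])
        elif kind == "DT1" and conn["state"] == "open":
            conn["data"].append(m.get("data"))
        elif kind == "RLSD" and conn["state"] == "open" and peer_ok:
            conn["state"] = "releasing"   # both references must match
        elif kind == "RLC" and conn["state"] == "releasing" and peer_ok:
            by_ref.pop(m["dlr"])
            by_ref.pop(m["slr"], None)
            done.append(conn["data"])
        else:
            anomalies.append((i, kind, "not valid in state " + conn["state"]))
    return done, anomalies

TRACE = [  # references from Figures 6.116/6.117; the rest is constructed
    {"type": "CR", "slr": 0x084045, "data": "Initial UE Message"},
    {"type": "CC", "dlr": 0x084045, "slr": 0xC4F154},
    {"type": "DT1", "dlr": 0x084045, "data": "RANAP Message"},
    {"type": "DT1", "dlr": 0x084045, "data": "Iu Release Command"},
    {"type": "DT1", "dlr": 0xC4F154, "data": "Iu Release Complete"},
    {"type": "RLSD", "dlr": 0x084045, "slr": 0xC4F154},
    {"type": "RLC", "dlr": 0xC4F154, "slr": 0x084045},
    {"type": "DT1", "dlr": 0x084045, "data": "late message"},  # after release
]

if __name__ == "__main__":
    print(replay(TRACE))
```

A message that cites a reference with no open connection, such as the last entry, is reported rather than attached to a UE.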

For the Iu-PS domain, in R99, the specifications allow for the use of IP to transport
signalling in addition to data. This is covered in more detail in Section 8.9.

The UTRAN connection to the packet core network domain uses the Iu-PS interface for
operation. The operation of the packet core consists of three states, referred to as the packet
mobility management (PMM) states. These Iu states are PMM-detached, PMM-idle and
PMM-connected, as described below.

6.20.1 PMM-detached
In the detached state there is no communication between the mobile device and the
SGSN, and the SGSN does not hold a valid location for the device. In order to establish an
MM context, the mobile device has to perform a GPRS attach procedure. This is usually
executed by the subscriber switching on the mobile device. The packet switched signalling
connection consists of two separate parts, the RRC connection and the Iu connection.

6.20.2 PMM-idle
In PMM-idle state, the location of the mobile device is known in the SGSN to the
accuracy of a routing area. Paging is required from the network if the mobile device is
to be reached. The mobile device will monitor its routing area and will perform a routing
area update if its routing area changes.

6.20.3 PMM-connected
In the PMM-connected state, the location of the mobile device is known in the SGSN
to the serving RNC. This is different to the 2G GPRS system, where the SGSN keeps
track of the location of the mobile device to the precise cell. It is the responsibility of
the serving RNC to keep track of the location of the mobile device to the cell or URA.
The mobile device will, however, inform the SGSN if its routing area changes. While
the mobile device is in PMM-connected state, a packet switched signalling connection is
established between the mobile device and the SGSN. If this connection is lost then the
mobile device will revert to the PMM-idle mode.
Figure 6.118 shows how the mobile device may change between the three different
states. The mobile device may have a packet data protocol (PDP) connection in either
PMM-idle or PMM-connected states. The mobile device can move directly from the
PMM-detached state to the PMM-connected state by issuing the GPRS attach request
message. The mobile device may move from PMM-connected to PMM-detached when
the GPRS detach command has been issued, when an RA update is rejected by the SGSN
or if a GPRS attach request has been rejected by the SGSN. The mobile device will
move from PMM-idle to PMM-detached by an implicit GPRS detach. This would occur
if the battery expires or the SIM card is removed from the device. The mobile device will
move from PMM-idle to PMM-connected when a signalling connection is established.
This would occur, for example, if the mobile device wished to transfer some data. After
a certain period of inactivity the mobile device would revert back to PMM-idle from the
PMM-connected state.

Figure 6.118 Mobility management (state diagram; labels shown: PMM-Idle, PMM-Connected, Signalling Connection)
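
The PMM transitions listed above can be used to check a signalling event log for state changes the text does not allow. This is an added example, not from the book. The event names, UE labels and log are constructed, and any event outside the listed transitions is only flagged, not interpreted.

```python
# Added example: replay signalling events against the PMM transitions of 6.20.
# Event names and UE labels are hypothetical; the log below is constructed.
DETACHED, IDLE, CONNECTED = "PMM-detached", "PMM-idle", "PMM-connected"

TRANSITIONS = {
    (DETACHED, "gprs_attach"): CONNECTED,
    (CONNECTED, "gprs_detach"): DETACHED,
    (CONNECTED, "ra_update_reject"): DETACHED,
    (CONNECTED, "gprs_attach_reject"): DETACHED,
    (CONNECTED, "signalling_released"): IDLE,   # connection lost or inactivity
    (IDLE, "signalling_established"): CONNECTED,
    (IDLE, "implicit_detach"): DETACHED,
}
# Accuracy to which the SGSN knows the device's location in each state.
SGSN_LOCATION = {DETACHED: None, IDLE: "routing area", CONNECTED: "serving RNC"}

def audit(log):
    """Replay (ue, event) pairs; return (final view per UE, rejected events)."""
    state, rejected = {}, []
    for n, (ue, event) in enumerate(log):
        cur = state.get(ue, DETACHED)           # unseen devices start detached
        nxt = TRANSITIONS.get((cur, event))
        if nxt is None:
            rejected.append((n, ue, event, cur))  # keep state, flag for review
        else:
            state[ue] = nxt
    # view per UE: (state, SGSN location accuracy, paging needed to reach it)
    view = {ue: (s, SGSN_LOCATION[s], s == IDLE) for ue, s in state.items()}
    return view, rejected

LOG = [
    ("ue-A", "gprs_attach"),
    ("ue-A", "signalling_released"),
    ("ue-B", "signalling_established"),   # no attach yet: flagged
    ("ue-A", "signalling_established"),
    ("ue-B", "gprs_attach"),
    ("ue-B", "ra_update_reject"),
    ("ue-A", "signalling_released"),
    ("ue-A", "gprs_detach"),              # not a listed transition from idle
]

if __name__ == "__main__":
    print(audit(LOG))
```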


Security is an integral part of UMTS to provide a robust, secure framework on which
a subscriber can rely. UMTS security has evolved from principles first used in GSM.
However, there have been a number of key enhancements compared with GSM security,
to address perceived weaknesses in the GSM security architecture. Also, UMTS integrates
security mechanisms to reflect the nature of traffic that the network is intended to transport,
and here borrows heavily from the experience with security on the Internet. The
UMTS system has a major advantage over other networks such as the Internet since the
issue of key exchange is solved through the issuing of a user services identity module
(USIM) card containing the key, which is also stored in the home environment HLR/AuC.
However, the keys used in the system all use a standard key length of 128 bits, which
is assumed to be currently unbreakable by brute force. A brute force attack is where the
attacker exhaustively tries all the possible keys for a match. Statistically, the probabil-

