Design of Call Control and Authentication for UMTS
Design of Call Control and Authentication for UMTS

Student: Lin-Yi Wu
Advisor: Dr. Yi-Bing Lin

Doctoral dissertation, Institute of Computer Science and Engineering, National Chiao Tung University

A Dissertation Submitted to Department of Computer Science, College of Computer Science, National Chiao Tung University, in partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy in Computer Science.

July 2006
Hsinchu, Taiwan, Republic of China
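Design of Call Control and Authentication for UMTS

Student: Lin-Yi Wu. Advisor: Dr. Yi-Bing Lin.
Institute of Computer Science and Information Engineering, National Chiao Tung University

Abstract (translated from the Chinese)

Universal Mobile Telecommunication System (UMTS) is one of the mainstream third-generation mobile communication standards. The system integrates data services and multimedia services, and features high service capacity, high-speed transmission, guaranteed quality of service, and customized services. The UMTS network can be divided into four layers: the radio transmission layer, the UMTS core network, the multimedia subsystem, and the application service layer. In this dissertation, we discuss design issues for each layer. In the radio transmission layer, integrating wireless networks with UMTS extends UMTS services to the coverage of the wireless network, so users can access services through the wireless network and obtain higher service quality. In this dissertation, we propose an integrated architecture called WLAN-based GPRS Support Node (WGSN). WGSN conforms to the Scenario 3 interworking features in the 3GPP specification TS 22.934. In WGSN, to save power, the VoIP program on a handset may be turned off, so calls to that handset cannot be connected. To solve this problem, we propose a push mechanism that uses a short message to start the program on the called handset so that the call can be connected.

In the UMTS network, the Authentication Vector (AV) usage mechanism can reduce the signaling exchanged between the SGSN and the HSS/AuC; however, the mechanism also increases the memory required at the SGSN. This dissertation uses mathematical analysis and computer simulation to study the performance of the AV usage mechanism. Our results can be used by mobile operators to set the parameters of the AV usage mechanism.

For user authentication, 3GPP specifies a two-pass authentication procedure, which authenticates the user in the General Packet Radio Service (GPRS) network and in the multimedia subsystem respectively. We found that many steps in two-pass authentication are duplicated, so in this dissertation we propose a one-pass authentication method. In this method, the GPRS network performs the same authentication procedure, but the multimedia subsystem completes authentication in a simplified way during user registration. We prove that one-pass authentication correctly authenticates the user while saving 50% of the message exchanges.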
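The application service layer of UMTS can use Open Service Access (OSA) as the platform for service development. On this platform, we implemented the Push to Talk over Cellular (PoC) service. We describe the design architecture of the client program and explain the operating flow of the service in detail.

These research results give readers a foundation to refer to when studying UMTS call control and authentication.

Keywords: third-generation mobile communication, Universal Mobile Telecommunications System (UMTS), General Packet Radio Service (GPRS), multimedia subsystem, wireless network, Push to Talk over Cellular (PoC), authentication, Session Initiation Protocol (SIP), call control.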
Design of Call Control and Authentication for UMTS

Student: Lin-Yi Wu. Advisor: Dr. Yi-Bing Lin.
Department of Computer Science and Information Engineering, National Chiao Tung University

ABSTRACT

Universal Mobile Telecommunication System (UMTS) is an integrated solution for multimedia and data services with wide area coverage. UMTS is developed towards large system capacity, high data transmission, and customized services with quality of services. The UMTS all-IP architecture can be horizontally partitioned into four layers: radio network layer, UMTS core network, IP Multimedia Subsystem (IMS), and application layer. In this dissertation, we discuss design issues of each layer.

In the radio network layer, UMTS and WLAN interworking extends the UMTS services to the WLAN coverage, and the UMTS subscribers can acquire services with better quality through WLAN. We propose WLAN-based GPRS Support Node (WGSN), which is a loosely-coupled architecture satisfying Scenario 3 features in 3GPP TS 22.934. A push mechanism is implemented in WGSN to connect the MS-terminated call where the Voice over IP (VoIP) client in the callee is not activated.

In the UMTS authentication, the Authentication Vector (AV) usage mechanism is used to reduce the signaling traffic between the SGSN and the HSS/AuC. However, the AV usage mechanism also consumes extra storage at the SGSN. Therefore, we propose analytic and simulation models to investigate the performance of the AV usage mechanism.

In UMTS two-pass authentication, many steps in the GPRS authentication and IMS authentication are duplicated. Therefore, we propose a one-pass authentication procedure, in which only the GPRS authentication procedure is performed. In the IMS network, the authentication is implicitly executed in the IMS registration. We formally prove that the IMS user is correctly authenticated, and the one-pass authentication saves up to 50% of the IMS registration/authentication traffic.

In the application layer, we implement the Push to Talk over Cellular (PoC) on the Open Service Access (OSA) platform. We focus on the design and implementation of the PoC client. The detailed architecture and message flows are described.

The research results presented in this dissertation can be viewed as a useful foundation for further study in UMTS call control and authentication.

Key Words: Third Generation (3G), Universal Mobile Telecommunications System (UMTS), General Packet Radio Service (GPRS), IP Multimedia Subsystem (IMS), Call Session Control Function (CSCF), Wireless LAN (WLAN), Push to Talk over Cellular (PoC), floor control, cellular network, authentication, security function, Session Initiation Protocol (SIP).
Acknowledgement

I would like to express my deep and sincere gratitude to my advisor Prof. Yi-Bing Lin for his continuous support, encouragement, and guidance throughout my graduate study. His extensive knowledge and creative thinking have been an invaluable help for me. Without his perspicacious advice, I cannot complete this dissertation. Also, I would like to deliver a special gratitude to Prof. Ming-Feng Chang for his stimulating suggestions and guidance, which helped me to accomplish several researches. Special thanks to my committee members, Prof. Ming-Feng Chang, Prof. Han-Chieh Chao, Dr. Sheng-Lin Chou, Dr. Herman Chunng-Hwa Rao, Prof. Wen-Nung Tsai, Prof. Chu-Sing Yang for their valuable comments and suggestions. Moreover, I am grateful to the colleagues in the Laboratory 117 for their friendship and many helpful discussions.

Especially, I am indebted to my dear father, mother, sister, and brother. This dissertation is dedicated to them. It is their love, dedication, and encouragement that made everything I have possible. Last but not least, I would like to express my deepest love and gratitude to my boyfriend and soul mate, Fu-Yuan, for his company over the past ten years. His patient love, warm support, and sharing of successful academic experience help me to overcome all kinds of difficulties and challenges. I also thank my little pet Dolly for his absolute trust and selfless company that make my life full of joy and happiness.
Contents

Abstract (Chinese)
ABSTRACT
Acknowledgement
Contents
List of Figures
List of Tables

Chapter 1. Introduction
  1.1. UMTS All-IP Architecture
  1.2. UMTS and WLAN Interworking
  1.3. Two-Pass Authentication
  1.4. Open Service Access
  1.5. Design and Performance Issues

Chapter 2. WGSN: WLAN-based GPRS Support Node with Push Mechanism
  2.1. The WGSN Approach
    2.1.1. WGSN Network Architecture
    2.1.2. WGSN Features
  2.2. Implementation of WGSN
  2.3. Attach and Detach Procedures
  2.4. WGSN Push Mechanism
    2.4.1. Performance Analysis
    2.4.2. Analytic Model
    2.4.3. Simulation Model
    2.4.4. Numerical Results
  2.5. Summary

Chapter 3. Authentication Vector Management for UMTS
  3.1. UMTS Authentication Vector Management
    3.1.1. Sequence Number Mechanism
    3.1.2. Array Mechanism
    3.1.3. Motivation
  3.2. The AV Usage Mechanism
  3.3. Analytic Model
    3.3.1. Derivation of Probability α
    3.3.2. Derivation for β
    3.3.3. Derivation for δ
  3.4. Simulation Model
  3.5. Numerical Examples
  3.6. Summary

Chapter 4. One-Pass Authentication Procedure for UMTS and IMS
  4.1. Fraudulent IMS Usage
  4.2. One-Pass Authentication Procedure
    4.2.1. SIP Message Flow
    4.2.2. Cost Analysis
  4.3. Correctness of The One-Pass Procedure
  4.4. Summary

Chapter 5. A Client-Side Design for PoC Service
  5.1. Introduction to PoC Service
  5.2. Implementation of PoC Client
    5.2.1. User Interface Module
    5.2.2. Call Control Module
    5.2.3. Floor Control Module
    5.2.4. Other PoC Client Modules
  5.3. PoC Message Flow
    5.3.1. Outgoing Call Setup Procedure
    5.3.2. Incoming Call Setup Procedure
    5.3.3. Floor Reservation Procedure
    5.3.4. Floor Release Procedure
    5.3.5. Call Disconnection Procedure
  5.4. Summary

Chapter 6. Conclusions and Future Works
  6.1. Conclusions
  6.2. Future Works

Appendix A. Notation
  A.1 Notation for Chapter 2
  A.2 Notation for Chapter 3

Reference
Curriculum Vita
Publication Lists
List of Figures

Figure 1-1. Horizontal Structure of UMTS All-IP Network
Figure 1-2. UMTS All-IP Architecture
Figure 1-3. Two Approaches for Interconnection of UMTS and WLAN
Figure 1-4. Message Flow for 3GPP GPRS Authentication
Figure 1-5. Message Flow for 3GPP IMS Authentication
Figure 1-6. Open Service Access Platform
Figure 2-1. WGSN Architecture
Figure 2-2. WGSN Protocol Stack
Figure 2-3. WGSN MS Architecture
Figure 2-4. WGSN User Interface
Figure 2-5. WGSN Node Architecture
Figure 2-6. Message Flow for the Attach Procedure
Figure 2-7. Message Flow for the MS-Initiated Detach Procedure
Figure 2-8. Message Flow of the SPC in WGSN
Figure 2-9. The FSM State Transition Diagram for the SPC Status Record
Figure 2-10. The Timing Diagram
Figure 2-11. The Simulation Flowchart of Performance
Figure 2-12. Effects of µ and λ on the Expected Number of Lost Calls
Figure 2-13. Effects of Variances Vµ and Vγ
Figure 3-1. MS Authentication Activities at an SGSN
Figure 3-2. Two-dimensional SGSN Layout for the Random Walk Model
Figure 3-3. The State Transition Diagram for the AVs Size at SGSN L0
Figure 3-4. The Simulation Flowchart
Figure 3-5. Effects of T on α
Figure 3-6. Effects of T and K on β (λ=20µ)
Figure 3-7. Effects of T and K on δ (λ=20µ)
Figure 3-8. Effects of Vs (λ=20µ, T=27/µ, and K=10)
Figure 4-1. Illegal IMS Registration
Figure 4-2. IMS Registration (One-Pass Authentication)
Figure 4-3. Improvement of the One-Pass Procedure over the Two-Pass Procedure
Figure 5-1. PoC Architecture
Figure 5-2. PoC Client Architecture
Figure 5-3. Functionalities of the User Interface
Figure 5-4. The User Interface
Figure 5-5. State Diagram of the Call Control FSM
Figure 5-6. State Diagram of the Floor Control FSM
Figure 5-7. Outgoing Call Setup Procedure
Figure 5-8. Incoming Call Setup Procedure
Figure 5-9. Floor Reservation Procedure (the requesting PoC client)
Figure 5-10. Floor Reservation Procedure (a listening PoC client)
Figure 5-11. Floor Release Procedure (the releasing PoC client)
Figure 5-12. Floor Release Procedure (a listening PoC client)
Figure 5-13. Floor Revoking Procedure
Figure 5-14. Call Disconnection Procedure
List of Tables

Table 1-1. Interworking Scenarios and Service Capabilities
Table 2-1. The E[N] Values (Analytic vs. Simulation)
Table 4-1. Identical Steps in GPRS and IMS Authentications
Table 4-2. Comparing the One-Pass and the Two-Pass Authentication Procedures in IMS Registration
Chapter 1 Introduction

Universal Mobile Telecommunication System (UMTS) [37] is a Third-Generation (3G) mobile telecommunication system evolved from Global System for Mobile Communication (GSM) and General Packet Radio Service (GPRS) [5]. UMTS provides an integrated solution for multimedia and data services with wide area coverage. Compared to GSM and GPRS, UMTS is developed towards larger system capacity, higher data transmission (384 kbps for high mobility situations, and 2 Mbps for stationary user environments), and customized services with quality of services. Currently, the UMTS service is commercially available in 47 countries, supported by more than 100 mobile operators. The UMTS all-IP network can be horizontally partitioned into four layers, as illustrated in Figure 1-1.

Figure 1-1. Horizontal Structure of UMTS All-IP Network

Radio Network Layer provides wireless access for the subscribers to obtain the UMTS services. Two radio networks are defined in the Third Generation Partnership Project (3GPP) specifications: GSM Enhanced Data Rates for Global Evolution (EDGE) Radio Access Network (GERAN) and UMTS Terrestrial Radio Access Network (UTRAN).
UMTS Core Network provides switching, routing, and transit for data and multimedia services. The UMTS core network is also responsible for mobility management and session management. The core network is divided into circuit switch (CS) and packet switch (PS) domains. In the PS domain, IP technology is utilized as the transport protocol.

IP Multimedia Subsystem (IMS) is responsible for delivering signaling and voice data for IP multimedia services. The IMS is connected to the UMTS core network, the IP multimedia network, and the Public Switched Telephone Network (PSTN). The IMS routes the signaling between different networks and maps the Session Initiation Protocol (SIP) signaling used in Voice over IP (VoIP) service from/to the SS7 signaling used in the PSTN.

Application Layer supports flexible services through a common service platform. Third parties can implement application servers following the Application Programming Interfaces (APIs) provided by the mobile operators, and run the application servers on the common service platform.

Many research studies have been conducted to investigate various aspects of the UMTS design in each of the layers. In the radio network layer, integration of UMTS with Wireless LAN (WLAN) has been intensively studied. UMTS and WLAN interworking extends the 3G services and functionality to the WLAN environment. Since WLAN provides a higher data transmission rate and bandwidth, the subscribers can acquire 3G service with better service quality through the WLAN environment.

Authentication is an important issue in the core network layer. Before a subscriber accesses the UMTS services or IMS services, the authentication function is performed to identify and authenticate the subscriber, and then to validate the service request type to ensure that the subscriber is authorized to access the service. The 3GPP specifications define mutual authentication mechanisms in both the UMTS core network and the IMS. In this dissertation, we will investigate the performance of the authentication function, and provide suggestions for setting up the related configuration.
In the application layer, the design of a flexible common service platform speeds up the development of various 3G services. Open Service Access (OSA) is a common service platform specified in the 3GPP specification. OSA provides a service creation and execution environment that is independent of the underlying communication technologies.

In the following sections, we first briefly present the UMTS all-IP architecture, and then elaborate more on the UMTS design issues.

1.1. UMTS All-IP Architecture

Figure 1-2 illustrates the UMTS all-IP network architecture. The UMTS network includes five parts:

Mobile Station (MS; Figure 1-2 (1)) is the equipment through which a user accesses UMTS services.

Core Network (Figure 1-2 (3)) provides mobility management, session management and transport for IP-based services.

UMTS Terrestrial Radio Access Network (UTRAN; Figure 1-2 (2)) provides wireless connectivity between the MS and the core network.

IP Multimedia Subsystem (IMS; Figure 1-2 (4)) supports multimedia services such as voice telephony, video, real-time interactive games, messaging, and multimedia conferencing [7].

Application and Service Network (Figure 1-2 (5)) supports flexible services through a common service platform.

UTRAN consists of Radio Network Controllers (RNCs; Figure 1-2 (10)) and Node Bs (Figure 1-2 (9)). In the core network, Serving GPRS Support Node (SGSN; Figure 1-2 (11)) and Gateway GPRS Support Node (GGSN; Figure 1-2 (12)) provide mobility and session services to mobile users. One SGSN connects to several RNCs, and one RNC connects to one or more Node Bs. The coverage of the Node Bs connected to the same SGSN is called an SGSN area. In Figure 1-2, SGSN area 1 (Figure 1-2 (13)) corresponds to SGSN1, and SGSN area 2 (Figure 1-2 (14)) corresponds to SGSN2. The GGSN connects to the external Packet Data Network (PDN; Figure 1-2 (6)) by an IP-based interface. The MS obtains the PS services by connecting to the SGSN via UTRAN, and then accesses the external data network through the GGSN. Both SGSN and GGSN communicate with the Home Subscriber Server/Authentication Center (HSS/AuC; Figure 1-2 (15)) through Mobile Application Part (MAP) [21] to retrieve subscriber data and authentication information of an MS. The HSS/AuC is the master database containing all user-related subscription and location information.

Figure 1-2. UMTS All-IP Architecture

The IMS, which provides the SIP-based multimedia service, is located between the GGSN and the PDN. In IMS, the Call Session Control Function (CSCF; Figure 1-2 (16)) is the SIP server handling the call setup procedures. If the calling party is in the PDN, the CSCF transports the signaling to a VoIP call control server or a terminal in the PDN. After the call is connected, the voice data is transferred from the GGSN to the PDN directly. If the calling party resides in the Public Switched Telephone Network (PSTN; Figure 1-2 (8)), the signaling is transferred from the GGSN to the Media Gateway Control Function (MGCF; Figure 1-2 (17)), and then is forwarded to the Transport Signaling Gateway (T-SGW; Figure 1-2 (19)). The T-SGW maps the SIP signaling to the SS7 signaling, and transfers the SS7 signaling to the PSTN. If the signaling requests to set up, modify, or disconnect the media channels, the MGCF controls the Media Gateway Function (MGW; Figure 1-2 (18)) to provide the voice data transportation between the UMTS and the PSTN. When a call is successfully set up, the voice data is transferred from the GGSN to the MGW, and then is delivered to the PSTN.

In order to provide flexible and global services, the 3GPP defines three possible alternatives to construct the Application and Service Network:

SIP application server (Figure 1-2 (20)) is either developed by the mobile operator or purchased from trusted third parties.

Customized Application Mobile Enhanced Logic (CAMEL) Service Environment (CSE; Figure 1-2 (21)), which has already been built in the UMTS CS domain, is reused by the mobile operator to provide CAMEL services to IMS users.

Open Service Access (OSA; Figure 1-2 (22)) is constructed by the mobile operator, and provides third parties a platform to run their own applications without concerning the underlying network environment.

1.2. UMTS and WLAN Interworking

Two approaches for interconnection of UMTS and WLAN are proposed in HiperLan/2, which is developed by the European Telecommunication Standard Institute (ETSI) Broadband Radio Access Network (BRAN) project [20]. The first approach is a tightly-coupled architecture shown in Figure 1-3 (a). In this architecture, the WLAN is treated as another radio access network of the UMTS. The RNC emulator acts as the gateway in the WLAN, which hides the details of the WLAN network from the UMTS network.
The RNC emulator is responsible for all the functionalities required in a UMTS radio access network, and provides the Iu interface connected to the SGSN. The WLAN uses the same. 5.
(21) authentication, signaling, transport, and billing infrastructures as those in UMTS network. Figure 1-3 (b) illustrates the loosely-coupled architecture, in which the WLAN is an independent and parallel network to the UMTS network. In the WLAN, the GSN emulator integrates both SGSN and GGSN functionalities, and connects to the UMTS core network through Internet. The interconnection between the WLAN and the UMTS network relies on IP-based protocols. For example, the Authentication, Authorization, and Accounting (AAA) mechanism [19] is used to perform the authentication and accounting procedure, and Mobile IP [44] is used for managing the mobility and roaming between the UMTS access network and WLAN.. (a) Tightly-Coupled Architecture. (b) Loosely-Coupled Architecture Figure 1-3. Two Approaches for Interconnection of UMTS and WLAN 3GPP Technical Report 22.934 [3] conducts a feasibility study on Third Generation (3G) system and Wireless LAN (WLAN) interworking that extends 3G services to the WLAN environment. In this interworking, WLAN serves as an access technology to the 3G system, which scales up the coverage of 3G services. Six scenarios were proposed for incremental development of 3G and WLAN interworking. Each scenario enhances interworking. 6.
(22) functionalities over the previous scenarios as illustrated in Table 1-1. The service and operational capabilities of each scenario are described as follows. Table 1-1. Interworking Scenarios and Service Capabilities Scenario1. Scenario2. Scenario3. Scenario4. Scenario5. Scenario6. Common Billing. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. Common Customer Care. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. 3G-based Access Control. ˇ. ˇ. ˇ. ˇ. ˇ. 3G-based Access Charging. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. ˇ. Service Capabilities. Access to 3G PS Services Service Continuity Seamless Service Continuity Access to 3G CS Services with Seamless Mobility. ˇ. Scenario 1 provides common billing and customer care for both WLAN and 3G mobile operators. That is, a customer receives single monthly billing statements combining both 3G and WLAN services. The customer also consults the same customer care center about the problems for both services. Scenario 2 reuses 3G-access control and charging mechanisms for WLAN services. The WLAN customers are authenticated by the 3G core network without introducing a separate procedure. In addition, the roaming mechanism between 3G system and WLAN is supported. In this scenario, users can access traditional Internet services but cannot access 3G services (such as Circuit-Switched (CS) voice and GPRS data services) through WLAN. Scenario 3 allows a customer to access 3G Packet-Switched (PS) services over WLAN. The PS services include Short Message Service (SMS) [4], Multimedia Message Service (MMS) [1], and IP Multimedia Subsystem Service (IMS) [2]. Customers equipped with both WLAN card and 3G module can simultaneously but independently access WLAN and 3G networks. Scenario 4 allows a customer to change access between 3G and WLAN networks during a. 7.
(23) service session. The system is responsible for re-establishing the session without user involvement. Service interruption during system switching is allowed in this scenario. Scenario 5 provides seamless service switching (i.e., handover) between 3G system and WLAN. Techniques must be developed to minimize data lost rate and delay time during switching so that the customer would not experience significant interruption during handover. Scenario 6 supports 3G CS services in the WLAN environment. The seamless continuity feature described in Scenario 5 is also required to support CS services when customers roam between different networks.. 1.3. Two-Pass Authentication. This section describes the 3GPP two-pass authentication procedure. We first describe the GPRS authentication, and then we elaborate more on the IMS authentication. When an MS invokes the GPRS access (e.g., turns on its power), the MS sends an attach request to the SGSN. This message will trigger the GPRS authentication [5], which is implemented by GPRS Mobility Management (GMM) between the MS and the SGSN, and Signaling System Number 7 (SS7) Mobile Application Part (MAP) between the SGSN and the HSS/AuC [35]. This procedure consists of the following steps (see Figure 1-4). Step G.1. Consider an MS with the IMSI value imsi and the IMPI value impi. To access the GPRS services, the MS sends a GMM Attach Request (with the parameter IMSI = imsi) to the SGSN. Step G.2. If the SGSN has the AVs of the MS, then Steps G.2 and G.3 are skipped. Otherwise, the SGSN must obtain the AV’s from the HSS/AuC. That is, the SGSN invokes. the. authentication. vector. distribution. procedure. by. sending. a. MAP_SEND_AUTHENTICATION_INFO Request message to the HSS/AuC (with. 8.
the parameter IMSI = imsi).

Figure 1-4. Message Flow for 3GPP GPRS Authentication

Step G.3. The HSS/AuC uses imsi to retrieve the record of the MS, and generates an ordered array of AVs (based on the preshared secret key K in the MS record). The generated AV array is sent to the SGSN through a MAP_SEND_AUTHENTICATION_INFO Response message.

Step G.4. The SGSN selects the next unused authentication vector in the ordered AV array and sends the parameters RAND and AUTN (from the selected authentication vector) to the MS through a GMM Authentication and Ciphering Request message.

Step G.5. The MS checks whether the received AUTN can be accepted. If so, it produces a response RES that is sent back to the SGSN through a GMM Authentication and Ciphering Response message. The SGSN compares the received RES with the XRES. If they match, then the authentication and key agreement exchange is successfully completed.

Step G.6. The SGSN sends a GMM Attach Accept message to the MS, and the attach procedure is completed.

After GPRS authentication, GPRS registration follows (details of GPRS registration can
be found in [36]). Then, the MS performs Packet Data Protocol (PDP) context activation to obtain access to the GPRS network. The PDP context specifies the application-layer packet data protocol and the routing information used for the GPRS communication session (see [37] for the details). After PDP context activation, the MS can request the IMS services through the registration procedure illustrated in Figure 1-5. In this procedure, the MS interacts with the S-CSCF, possibly through the P-CSCF and the I-CSCF. To simplify our discussion, Figure 1-5 uses the term “CSCF” to represent the proxy, interrogating, and service functions of CSCF. Details of message exchanges among these CSCFs are given in [37]. IMS authentication/registration is implemented by the SIP and Cx protocols [8][9][11], and consists of the following steps.

Figure 1-5. Message Flow for 3GPP IMS Authentication

Step I.1. The MS sends a SIP Register message to the CSCF (with the parameter IMPI = impi) through the SGSN.

Step I.2. Assume that the CSCF does not have the AVs for the MS. The CSCF invokes the authentication vector distribution procedure by sending a Cx Multimedia Authentication Request message to the HSS/AuC (with the parameter IMPI = impi).
Step I.3. The HSS/AuC uses impi to retrieve the record of the MS, and generates an ordered array of AVs. The HSS/AuC sends the AV array to the CSCF through a Cx Multimedia Authentication Answer message.

Step I.4. The CSCF selects the next unused authentication vector from the ordered AV array and sends the parameters RAND and AUTN (from the selected authentication vector) to the MS through a SIP 401 Unauthorized message.

Step I.5. The MS checks whether the received AUTN can be accepted. If so, it produces a response RES. The MS sends this response back to the CSCF through a SIP Register message. The CSCF compares the received RES with the XRES. If they match, then the authentication and key agreement exchange is successfully completed.

Step I.6. The CSCF sends a Cx Server Assignment Request message to the HSS/AuC.

Step I.7. Upon receipt of the Server Assignment Request, the HSS/AuC stores the CSCF name and replies with a Cx Server Assignment Answer message to the CSCF.

Step I.8. The CSCF sends a 200 OK message to the MS through the SGSN, and the IMS registration procedure is completed.

In the above procedure, Steps I.1–I.5 exercise authentication, and Steps I.6–I.8 perform registration.

1.4. Open Service Access

3GPP Technical Report 23.127 [6] specifies the OSA architecture deployed in the UMTS application and service network, which is illustrated in Figure 1-6. The OSA consists of three parts:

• Applications (Figure 1-6 (1)) implemented in one or more application servers.

• Service Capability Servers (SCSs; Figure 1-6 (2)) provide the applications the access
to the underlying UMTS network functionalities. The network functionalities offered by the SCSs (e.g., call control, user location, etc.) are defined as a set of Service Capability Features (SCFs; Figure 1-6 (4)) in the OSA API (Figure 1-6 (5)).

• Framework (FW; Figure 1-6 (3)) authorizes the requests from the applications to access the SCFs.

Figure 1-6. Open Service Access Platform

The SCSs implement all kinds of interfaces to communicate with the entities in the IMS and UMTS core networks. For example, the SCSs communicate with the HSS through MAP, and also act as a SIP server to connect to the S-CSCF through the SIP protocol. Before an SCS provides services, the SCFs offered by the SCS have to be registered at the FW through the OSA internal API (Figure 1-6 (6)). The FW is considered as one of the SCSs, and exactly one FW exists in an OSA environment.

Before an application accesses the OSA API, the FW authenticates the application and determines if the application is authorized to access certain SCFs. After successful authentication, the application obtains the information of the authorized SCFs through the discovery function provided by the FW. Then the application accesses the network functionalities through the SCFs. Following the OSA APIs, the third party can implement their own applications on the
UMTS network, and the applications can also run on other networks which provide the same OSA APIs. If the mobile operator wants to remove the operating system and programming language restrictions on implementing applications, the object-oriented techniques, such as CORBA, SOAP, etc., can be used to build the OSA environment.

1.5. Design and Performance Issues

In this dissertation, we discuss the four design issues in the UMTS protocol layers.

In the radio network layer, we propose a UMTS and WLAN interworking solution called WLAN-based GPRS Support Node (WGSN). WGSN is a loosely-coupled architecture that satisfies the Scenario 3 features in 3GPP TS 22.934. Our survey with several mobile service providers indicates that the Scenario 3 features are essential for commercial operation of 3G/WLAN interworking in the first stage of deployment. Depending on the business strategies, the Scenario 4 features may or may not be deployed in the long-term commercial operation. Scenarios 5 and 6 are typically ignored because the benefits of the extra features might not justify the deployment costs.

In the UMTS core network, the GPRS authentication function provides mutual authentication between the MS and the UMTS core network. When an MS enters an SGSN area, the SGSN obtains an array of AVs from the HSS, and utilizes one AV for each authentication procedure. After the MS leaves the SGSN area, the SGSN may store the unused AVs for a time period called the Reservation Timeout (RT) period. If the MS returns to the SGSN area within the RT period, the SGSN uses the stored AVs for authentication instead of obtaining new AVs from the HSS. Because the AV usage mechanism consumes extra storage in the SGSN, it is desirable to select an appropriate RT period that reduces the access to the HSS while consuming an acceptable amount of storage in the SGSN. In this dissertation, we propose an analytic model to investigate the performance of the AV usage mechanism.
The results provide mobile operators with suggestions for configuring their systems.

In addition to GPRS authentication, it is necessary to authenticate the MS before it can
access IMS services. Without IMS authentication, a mobile user who passes the GPRS authentication can easily fake being another IMS user. Although both GPRS and IMS authentications are necessary, most steps in these two “authentication passes” are duplicated. Therefore, we propose a one-pass authentication procedure to reduce the IMS authentication traffic. We also formally prove that the one-pass procedure correctly authenticates the IMS users.

In the application layer, a CORBA-based OSA platform has been implemented in the Industrial Technology Research Institute (ITRI) and National Chiao Tung University (NCTU) Joint Research Center [17]. Based on the service platform, we implement the Push to Talk over Cellular (PoC) service, which provides a walkie-talkie-like service in the cellular communication infrastructure. In this dissertation, we focus on the design and implementation of the PoC client. In the proposed PoC client architecture, most standard VoIP modules are reused for the PoC service, and the VoIP software can be easily extended to support the PoC service.

The dissertation is organized as follows. Chapter 2 proposes the WGSN solution. A push mechanism is specified in the WGSN to forward the VoIP calls to the MS on which the VoIP client or WLAN module is not activated. Chapter 3 presents the analytic model for the AV usage mechanism. Chapter 4 proposes the one-pass authentication procedure for UMTS. Chapter 5 describes the design of the OSA-based PoC client. Finally, we conclude this dissertation by discussing our contribution and future work.
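The following Python example is added here and is not code from the dissertation: it models Steps G.2 to G.5 of Section 1.3 together with the Reservation Timeout (RT) period of Section 1.5, counting how often the SGSN has to access the HSS/AuC. HMAC-SHA256 stands in for the operator's f1/f2 functions, AUTN is simplified to SQN plus MAC, and the class names, the IMSI, the key and the integer clock are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumption: HMAC-SHA256 stands in for the operator's AKA functions f1 (MAC)
# and f2 (RES), and AUTN is simplified to SQN || MAC (no AK masking, no AMF).
def f1_mac(k, sqn, rand):
    return hmac.new(k, b"f1" + sqn.to_bytes(6, "big") + rand, hashlib.sha256).digest()[:8]

def f2_res(k, rand):
    return hmac.new(k, b"f2" + rand, hashlib.sha256).digest()[:8]


class HssAuc:
    """Holds the preshared key K per IMSI and generates ordered AV arrays (Step G.3)."""
    def __init__(self, subscribers):
        self.keys = dict(subscribers)
        self.sqn = {imsi: 0 for imsi in self.keys}
        self.accesses = 0        # MAP_SEND_AUTHENTICATION_INFO requests served

    def send_authentication_info(self, imsi, n):
        self.accesses += 1
        k, avs = self.keys[imsi], []
        for _ in range(n):
            self.sqn[imsi] += 1
            sqn, rand = self.sqn[imsi], os.urandom(16)
            autn = sqn.to_bytes(6, "big") + f1_mac(k, sqn, rand)
            avs.append({"rand": rand, "autn": autn, "xres": f2_res(k, rand)})
        return avs


class MobileStation:
    def __init__(self, imsi, k):
        self.imsi, self.k, self.last_sqn = imsi, k, 0

    def respond(self, rand, autn):
        """Step G.5, MS side: accept AUTN only if its MAC verifies and SQN is fresh."""
        sqn, mac = int.from_bytes(autn[:6], "big"), autn[6:]
        if not hmac.compare_digest(mac, f1_mac(self.k, sqn, rand)):
            return None          # AUTN was not produced with this MS's key
        if sqn <= self.last_sqn:
            return None          # stale or replayed challenge
        self.last_sqn = sqn
        return f2_res(self.k, rand)


class Sgsn:
    def __init__(self, hss, array_size, rt_period):
        self.hss, self.n, self.rt = hss, array_size, rt_period
        self.avs = {}            # imsi -> unused AVs, in order
        self.left_at = {}        # imsi -> time the MS left the SGSN area

    def ms_leaves(self, imsi, now):
        self.left_at[imsi] = now

    def authenticate(self, ms, now):
        imsi = ms.imsi
        left = self.left_at.pop(imsi, None)
        if left is not None and now - left > self.rt:
            self.avs.pop(imsi, None)             # RT expired: stored AVs are released
        if not self.avs.get(imsi):               # Steps G.2-G.3 only when no AV is left
            self.avs[imsi] = self.hss.send_authentication_info(imsi, self.n)
        av = self.avs[imsi].pop(0)               # Step G.4: next unused AV, used once
        res = ms.respond(av["rand"], av["autn"])
        # Step G.5, SGSN side: constant-time comparison of RES with XRES
        return res is not None and hmac.compare_digest(res, av["xres"])


def demo():
    """Constructed scenario: AV array size 3, RT period 60 time units."""
    k = bytes(range(16))                         # constructed key, not a real K
    imsi = "001010000000001"                     # constructed test IMSI
    hss = HssAuc({imsi: k})
    sgsn = Sgsn(hss, array_size=3, rt_period=60)
    ms = MobileStation(imsi, k)
    results = [sgsn.authenticate(ms, now=t) for t in (0, 1, 2, 3)]  # 4th needs a new array
    sgsn.ms_leaves(imsi, now=10)
    results.append(sgsn.authenticate(ms, now=50))    # back within RT: stored AV reused
    sgsn.ms_leaves(imsi, now=100)
    results.append(sgsn.authenticate(ms, now=500))   # RT expired: new array fetched
    return results, hss.accesses


if __name__ == "__main__":
    print(demo())
```

A larger array size or a longer RT period lowers `hss.accesses` at the cost of more AVs held in `Sgsn.avs`, which is the trade-off the analytic model of Chapter 3 studies.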
Chapter 2
WGSN: WLAN-based GPRS Support Node with Push Mechanism

This chapter proposes WLAN-based GPRS Support Node (WGSN), a solution for integrating 3G and WLAN services. We show that the 3G mechanisms can be re-used for WLAN user authentication and network access without introducing new procedures and without modifying the existing 3G network components. We describe the WGSN features and show how they are designed and implemented. To reduce the power consumption and computation complexity of a Mobile Station (MS), the WGSN applications may not be activated in the MS if they are not used. For an MS terminated application, a push mechanism is implemented in WGSN, which automatically activates the application at the MS side. An analytic model is proposed to investigate the requirements on the WGSN transmission delay of the push operation. Our approach has similar development goals as the approaches described in [27][48]. We focus more on SIP applications (i.e., SIP Application Level Gateway (ALG) and the SIP push mechanism) in the WGSN system. A WGSN prototype has been implemented in the Industrial Technology Research Institute (ITRI) and National Chiao-Tung University (NCTU) Joint Research Center.
2.1. The WGSN Approach

This section describes the architecture and the features of the WLAN-based GPRS Support Node (WGSN). WGSN interworks UMTS with WLAN to support the Scenario 3 features described in Section 1.2.

2.1.1. WGSN Network Architecture

Figure 2-1 illustrates the inter-connection between a UMTS network and a WLAN network through WGSN. The UMTS network (Figure 2-1 (1)) provides 3G PS services. The WLAN network (Figure 2-1 (2)) provides access to the Internet. The customers are allowed to roam between the two networks as long as the MS is equipped with both a 3G module and a WLAN card.

Figure 2-1. WGSN Architecture (dashed lines: signaling; solid lines: data and signaling)

The UMTS network includes two sub-networks. The UMTS Terrestrial Radio Access
Network (UTRAN; Figure 2-1 (3)) consists of Radio Network Controllers (RNCs) and Node Bs (i.e., base stations). The radio interface between a Node B and an MS is based on WCDMA radio technology [28]. The UMTS core network (i.e., GPRS network; Figure 2-1 (4)) consists of the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN), which provide mobility management and session management services to mobile users. An SGSN connects to the UTRAN by Asynchronous Transfer Mode (ATM) links, and communicates with the GGSN through an IP-based backbone network. The GGSN connects to the external Packet Data Network (PDN) by an IP-based interface Gi. The SGSN and the GGSN communicate with the Home Subscriber Server (HSS) through the Gr and Gc interfaces, respectively. These two interfaces are based on the Mobile Application Part (MAP) [21]. The HSS is the master database containing all user-related subscription and location information.

The WLAN radio network includes 802.11-based Access Points (APs) that provide radio access for the MSs. The WGSN acts as a gateway between the PDN and the WLAN node, which obtains the IP address for an MS from a Dynamic Host Configuration Protocol (DHCP) [18] server and routes the packets between the MS and the external PDN. The WGSN node communicates with the HSS to support GPRS/UMTS mobility management following 3GPP Technical Specification 23.060 [5]. Therefore, the WLAN authentication and network access procedures are exactly the same as those for GPRS/UMTS. The WGSN node integrates both SGSN and GGSN functionalities. Like an SGSN, the WGSN communicates with the HSS through the Gr interface. On the other hand, like a GGSN, the WGSN communicates with the external PDN via the Gi interface. Therefore, for other GPRS/UMTS networks, the WGSN node and the corresponding WLAN network are considered as a separate GPRS network. The WGSN node can be plugged into any 3G core network without modifying the existing 3G nodes.
To integrate the billing system for both UMTS and WLAN, WGSN communicates with the Charging Gateway using the same UMTS protocols (the GPRS Tunneling Protocol (GTP’) implemented in the Ga interface [5] or by FTP). To access the WGSN services, the MS must be either a 3G-WLAN dual mode handset or a
laptop/Personal Data Assistant (PDA) that is equipped with both a WLAN Network Interface Card (NIC) and a 3G module.

2.1.2. WGSN Features

Based on the seven interworking aspects listed in 3GPP Technical Report 22.934 [3], we describe the features implemented in WGSN [23].

Service aspects: WGSN provides general Internet access and VoIP services based on the SIP protocol [46]. Since a Network Address Translator (NAT) is built into the WGSN node, the VoIP voice packets delivered by the Real Time Protocol (RTP) [49] connection cannot pass through the WGSN node. This issue is resolved by implementing a SIP Application Level Gateway (ALG) [13] in the WGSN node, which interprets SIP messages and modifies the source IP address contained in these SIP messages. In UMTS, an MS must activate the PDP [5] context for VoIP service before a caller from the external PDN can initiate a phone call to this MS. Also, for both UMTS and WLAN, a SIP User Agent (UA) must be activated in an MS before it can receive any incoming VoIP call. Therefore, a SIP-based Push Center (SPC) is implemented in the WGSN node to provide MS terminated SIP services. The SPC is implemented on an SMS-based IP service platform called iSMS [45], where none of the UMTS/GPRS components is modified. The SPC also provides a push mechanism through WLAN for a WGSN user who does not bring up the SIP UA. Therefore, the SIP terminated services (e.g., incoming VoIP calls) can be supported in WGSN.

Access control aspects: WGSN utilizes the standard UMTS access control for users to access WLAN services. Our mechanism reuses the existing UMTS Subscriber Identity Module (SIM) card and the subscriber data records in the HSS. Therefore, the WGSN customers do not need a separate WLAN access procedure, and the maintenance of customer information is simplified. User profiles for both UMTS and WLAN are combined in the same database (i.e., the HSS).

Security aspects: WGSN utilizes the existing UMTS authentication mechanism [34]. That
is, the WLAN authentication is performed through the interaction between an MS (using a 3G SIM card) and the 3G Authentication Center. Therefore, WGSN is as secure as existing 3G networks. We do not attempt to address the WLAN encryption issue [35]. It is well known that WLAN based on IEEE 802.11b is not secure. Wired Equivalent Privacy (WEP) is not safe against a determined attack; it only makes a WLAN network more difficult for an attacker to intrude. The IEEE 802.11 Task Group I is investigating the current 802.11 Media Access Control Address (MAC) security. WGSN will follow the resulting solution.

Roaming aspects: WGSN provides roaming between UMTS and WLAN. We utilize the standard UMTS mobility management mechanism without introducing any new roaming procedures.

Terminal aspects: A terminal for accessing WGSN is installed with a Universal IC Card (UICC) reader (a smart card reader implemented as a standard device on the Microsoft Windows platform). The UICC reader interacts with the UMTS SIM card (i.e., the UICC containing the SIM application) to obtain authentication information for the WGSN attach procedure.

Naming and addressing aspects: The WGSN user identification is based on the Network Access Identification (NAI) format [12] following the 3GPP recommendation. Specifically, the International Mobile Subscriber Identity (IMSI) is used as the WGSN user identification.

Charging and billing aspects: The WGSN acts as a router, which can monitor and control all traffic for the MSs. The WGSN node provides both offline charging and online charging (for pre-paid services) based on the Call Detail Records (CDRs) delivered to the charging gateway.

Besides the seven aspects listed above, WGSN also provides automatic WLAN network configuration recovery. A WGSN MS can be a notebook, which is used at home or office with different network configurations.
The network configuration information includes IP address, subnet mask, default gateway, WLAN Service Set Identifier (SSID), etc. When the MS enters the WGSN service area, its network configuration is automatically reset to the
WGSN WLAN configuration if the MS is successfully authenticated. The original network configuration is automatically recovered when the MS detaches from the WGSN. This WGSN functionality is especially useful for those users who are unfamiliar with network configuration setup.

2.2. Implementation of WGSN

This section describes the implementation of WGSN. We first introduce the protocol stack among MS, AP, WGSN, and HSS. Then we elaborate on the WGSN components for the WGSN network node and the MS.

Figure 2-2 illustrates the WGSN protocol stack. In the current implementation, the lower-layer protocol between the MS and the WGSN node is IP over 802.11 radio (through the WLAN AP). In the control plane, standard GPRS Mobility Management (GMM) defined in 3GPP Technical Specification 23.060 [5] is implemented on top of TCP/IP between the MS and the WGSN node. The standard UMTS Gr interface is implemented between the WGSN node and the HSS through the Signaling System Number 7 (SS7)-based MAP protocol [35]. The layers of the SS7 protocol include Message Transfer Part (MTP), Signaling Connection Control Part (SCCP), and Transaction Capabilities Application Part (TCAP). Details of SS7 can be found in [35]. The WGSN node communicates with the charging gateway through the IP-based GTP’ protocol, which is not shown in Figure 2-2.

In the future, the TCP/IP layers in the control plane will be replaced by Extensible Authentication Protocol / EAP Over LAN (EAP/EAPOL) [14][31]. EAP/EAPOL operates over the 802.11 MAC layer, which allows authentication of an MS before it is assigned an IP address. Therefore, the IP resource of the WGSN system can be managed with better security. Also, between the WGSN node and the HSS, the lower-layer SS7 protocols (i.e., MTP and SCCP) will be replaced by the IP-based Stream Control Transmission Protocol (SCTP) [50] to support the all-IP architecture.

The WGSN user plane follows the standard IP approach.
That is, the MS and the WGSN node interact through the Internet protocol. The MS communicates with the CN in the external PDN using the transport layer over IP. In the user plane, the WGSN node serves as a
gateway between the WLAN network and the external PDN.

Figure 2-2. WGSN Protocol Stack

The WGSN MS must be either a 3G-WLAN dual mode handset or a laptop/PDA that is equipped with both a WLAN NIC and a 3G module. The UICC reader (which can be contained in the 3G module or a separate smart card reader) communicates with the standard SIM card to obtain the authentication information required in both the 3G network and WLAN. In the current WGSN implementation, we use a GPRS module instead of a 3G module. The WGSN UICC reader is implemented as a standard device on the Microsoft Windows platform. The WGSN software modules are implemented on the Windows 2000 and XP OS platforms for notebooks and WinCE for PDAs. A WGSN client is implemented to carry out tasks in the control plane. Several SIP user agents are implemented for SIP-based applications in the user plane. The modules for the WGSN client are described as follows.
Figure 2-3. WGSN MS Architecture

SIM Module (Figure 2-3 (1)): As in UMTS, a WGSN user is authenticated using the UMTS SIM card (or GPRS SIM card in the current implementation) before the user can access the WLAN network. Through the UICC smart card reader, the SIM module retrieves the SIM information (including IMSI, SRES and Kc) [34] and forwards the information to the GMM module.

GMM Module (Figure 2-3 (2)): Based on the SIM information obtained from the SIM module, the GMM module communicates with the WGSN node to perform MS attach and detach. The authentication action is included in the attach procedure.

NIC Module (Figure 2-3 (3)): The network configurations of different WLANs may be different. With the Operating System (OS) support, the NIC module dynamically sets up appropriate network configurations when a WGSN user moves across different WLAN networks. WGSN utilizes DHCP for IP address management. The WGSN MS must obtain a legal IP address and the corresponding network configuration through the DHCP lease request. On the other hand, when the MS terminates a WGSN connection, it should send the IP release message to the WGSN node, and the IP address is reclaimed for the next WGSN user. The NIC module
then recovers the original network configuration for the MS. If the MS is abnormally terminated, the NIC module cannot immediately recover the network configuration. Instead, the NIC module offers a Windows OS program called WGSN Service. When the MS is re-started, this service will check if the network configuration has been recovered. If not, the configuration previously recorded by the NIC module is used.

User Interface (Figure 2-3 (4)): A user interacts with the WGSN system through the MS user interface. As illustrated in Figure 2-4, the user types the Global System for Mobile communications (GSM) / General Packet Radio Service (GPRS) PIN number to initiate the WGSN connection. Like the usage of a GPRS handset, the PIN number can be disabled. Based on the received command, the corresponding modules are instructed to carry out the desired tasks. During a WGSN session, the user interface indicates the status of the execution and displays the elapsed time of the WGSN connection.

Figure 2-4. WGSN User Interface

On the network side, the WGSN node is implemented on the Advantech Industrial Computer platform S-ISXTV-141-W3. The black boxes in Figure 2-5 illustrate the WGSN communication modules, which include
Figure 2-5. WGSN Node Architecture

• An SS7 module for communications with the HSS (through the SS7 network). In this module, the MTP, SCCP and TCAP layers (see Figure 2-2 (a)) are based on Connect7 2.4.0-Beta version software developed by SS8 Networks Cooperation.

• An internal Ethernet module for communications with the WLAN APs.

• An external Ethernet module for communications with the external PDN.

• A GPRS module for communications with the MS (through the GPRS network).

The software architecture of the WGSN node includes four major components:

Authentication Center (Figure 2-5 (1)) consists of the GMM and the Gr handlers. Through the internal Ethernet module, the GMM handler receives the GMM messages from the WGSN MS, and dispatches the corresponding tasks to the other WGSN modules (the details are described in Step 4 and Step 8 of the attach procedure in Section 2.3). The Gr handler implements the standard GMM primitives for the Gr interface [5]. Through the SS7 module, the Gr handler interacts with the HSS for MS network access and authentication. Specifically, it obtains an array of authentication
vectors (including a random number Rand, a signed result SRES, and an encryption key Kc) from the GPRS authentication center (which may or may not be co-located with the HSS). The size of the authentication array can be dynamically adjusted (see [34] for the details). Each time the WGSN MS requests authentication, the Gr handler uses an authentication vector to carry out the task as specified in 3GPP Technical Specification 33.102 [10]. Furthermore, when an MS detaches, the Gr handler should inform the HSS to update the MS status. The current WGSN version has implemented two MAP service primitives: the MAP_SEND_AUTHENTICATION_INFO and MAP_PURGE_MS services. These primitives are implemented on MAP version 1.4 software developed by Trillium Digital Systems Inc.

Network Controller (Figure 2-5 (2)) provides the following functions for Internet access:

• IP address management: A DHCP server is implemented in the WGSN node to distribute private IP addresses to the MSs. A NAT server performs address translation when the IP packets are delivered between the private (WLAN) and the public (external PDN) IP address spaces.

• Internet access control: The WGSN node only allows the authenticated users to access Internet services. Unauthorized packets will be filtered out by the firewall.

• SIP application support: To support SIP-based applications under the NAT environment, the WGSN node implements a SIP ALG that modifies the formats of SIP packets so that these packets can be delivered to the WGSN MSs through the WGSN node.

Operation, Administration and Maintenance (OA&M; see Figure 2-5 (3)) controls and monitors individual WGSN user traffic. WGSN utilizes Simple Network Monitoring Protocol (SNMP) as the network management protocol. With the Management Information Base (MIB), every managed network element is represented by an object with an identity and several attributes.
An SNMP agent is implemented in the WGSN node, which interacts with the managed network element through SNMP. For
example, the traffic statistics of an AP can be accessed by the OA&M (through the corresponding MIB object) and displayed in a web page using Multi Router Traffic Grapher (MRTG 2.9.22) [41]. The SNMP agent can also detach an MS through the MIB object of the MS. A log handler is implemented in the OA&M to record all events occurring in the WGSN node. A billing handler generates CDRs and communicates with the billing gateway through the GTP’ protocol or File Transfer Protocol (FTP).

SIP-based Push Center (SPC; see Figure 2-5 (4)) provides a push mechanism for GPRS networks [39] that support private IP addresses. Since GPRS significantly consumes the MS power, a mobile user typically turns on GSM but turns off GPRS unless he/she wants to originate a GPRS session. In this case, services cannot be pushed to the users from the network side. For an MS that is GSM attached but GPRS detached, the SPC can push a SIP request to the MS through an SMS application server called iSMS AS [45]. The SPC also provides a push mechanism through WLAN for a WGSN user who does not bring up the SIP UA. Therefore, the SIP terminated services (e.g., incoming VoIP calls) can be supported in WGSN. We will elaborate more on the SPC in Section 2.4.

2.3. Attach and Detach Procedures

In the WGSN attach and detach procedures, the message flows between the WGSN node and the HSS are the same as those between the SGSN and the HSS in UMTS. The message flows between the MS and the WGSN node are specific to the WGSN network, and are not found in UMTS. The attach procedure is illustrated in Figure 2-6, and consists of the following steps:

Step 1: When the WGSN user brings up the MS user interface, the SIM module is invoked to configure the smart card reader and (optionally) requests the user to input the Personal Identification Number (PIN). The card reader
authenticates the user through the PIN number just like a GPRS mobile phone.

Figure 2-6. Message Flow for the Attach Procedure

Step 2: The MS NIC module is invoked to store the current WLAN network configuration. To obtain the network configuration of WGSN, the MS broadcasts a DHCP DISCOVER message on its subnet and looks for a DHCP server. The DHCP server in the WGSN node replies to the MS with a DHCP OFFER message, which includes an available IP address. Then, the MS sends a DHCP REQUEST message to the DHCP server
and asks for the usage of the available IP address contained in the DHCP OFFER message. If the DHCP server accepts the request, it reports the IP lease event to the Log handler and sends the MS a DHCP ACK message with network configuration parameters. Finally, the MS NIC module sets up the new network configuration.

Step 3: The MS GMM module is invoked to perform the attach operation. The GMM module first obtains the IMSI from the SIM module. Then it sends the GMM Attach Request (with the parameter IMSI) to the WGSN node.

Step 4: When the GMM handler of the WGSN node receives the attach request, it reports this event to the Log handler, and sends the authentication information request to the Gr handler.

Step 5: The GMM handler sends the MAP_SEND_AUTHENTICATION_INFO Request (with the argument IMSI) to the HSS. The HSS returns the authentication vector (Rand, SRES, Kc) through the MAP_SEND_AUTHENTICATION_INFO Response message.

Step 6: The WGSN Gr handler issues the SS7 Alarm message to the Log handler, and the event is logged. The Gr handler returns the authentication vector to the GMM handler.

Step 7: The GMM handler sends the GMM Authentication and Ciphering Request (with the parameters IMSI and Rand) to the GMM module of the MS. The GMM module passes the random number Rand to the SIM module, and the SIM module computes the signed result SRES* and the encryption key Kc based on the received Rand and the authentication key Ki stored in the SIM card. These results are returned to the GMM module. The GMM module returns the computed SRES* to the GMM handler of the WGSN node using the GMM Authentication and Ciphering Response (with the parameters IMSI and SRES*). The GMM handler compares SRES with SRES*. If they match, the authentication is successful.

Step 8: The GMM handler sends the Attach IP message to the firewall, which will allow the packets of this IP address to pass the WGSN node. Then the GMM handler
reports to the Log handler that the attach is successful (with the corresponding IMSI and IP address).

Step 9: The GMM handler sends the GMM Attach Accept message to the GMM module of the MS, and the GMM module passes the Attach Response message to the user interface. At this point, the attach procedure is completed.

The WGSN connection can be detached by the MS or by the network (the WGSN OA&M). The message flow for MS initiated detach is illustrated in Figure 2-7, and the steps are described as follows.

Figure 2-7. Message Flow for the MS-Initiated Detach Procedure

Step 1: When the user presses the detach button in the user interface, the GMM module is invoked to send the GMM Mobile Originated Detach Request (with parameters IMSI and IP address) to the GMM handler of the WGSN node. The GMM handler reports this detach event to the Log handler.

Step 2: The GMM handler sends the detach IP request to the firewall. From now on, the
packets of this IP address will be filtered out by the firewall of the WGSN node.

Step 3: The GMM handler invokes the Gr handler to send the MAP_PURGE_MS Request (with the parameters IMSI and the SSN address of the WGSN node) to the HSS. The HSS updates the MS status in the database and replies with the MAP_PURGE_MS Response to the Gr handler. The Gr handler reports this event to the Log handler.

Step 4: Through the Mobile Originated Detach Response, the GMM handler informs the MS GMM module that the detach operation is complete.

Step 5: The MS NIC module is instructed to recover the original network configuration. It sends the DHCP RELEASE message to the DHCP server in the WGSN node. The DHCP server reclaims the IP address and reports this event to the Log handler. The NIC module then recovers the original network configuration (which was saved in Step 2 of the attach procedure).

The message flow for the network-initiated detach procedure is similar to that illustrated in Figure 2-7, and the details can be found in [23].

2.4. WGSN Push Mechanism

To reduce the power consumption and computation complexity of a WGSN MS, most WGSN applications are not activated at the MS until the user actually accesses them. This approach does not support “always-on” or MS terminated services such as incoming VoIP calls. To address this issue, a push mechanism called Session Initiation Protocol (SIP)-based Push Center (SPC) has been implemented in the WGSN node. In this approach, the mobile Short Message Service (SMS) mechanism, which consumes much less power than the WLAN modules, is always on.

Figure 2-8 illustrates the message flow of the push mechanism performed in WGSN. Suppose that a SIP VoIP caller in the external PDN issues a call request to a WGSN MS through SIP [46]. The request is first sent to the WGSN node (path (a) in Figure 2-8). The
SPC checks if the SIP User Agent (UA) of the called MS is activated. If so, the request is directly forwarded to the called MS (path (d) in Figure 2-8). Otherwise, the request is suspended, and the SPC sends a GSM short message to the MS to activate the corresponding SIP UA (path (b) in Figure 2-8). After the SIP UA is activated, the MS informs the SPC (path (c) in Figure 2-8), and the call request from the caller is then delivered to the SIP UA following the standard SIP call setup procedure.

Figure 2-8. Message Flow of the SPC in WGSN

We note that the VoIP call model is typically handled by the SIP UAs or a call server (or softswitch) that control the call setup process and indicate whether the called party is busy or idle [24]. The WGSN SPC is only responsible for pushing the SIP requests to the MSs where the SIP UAs are not activated. For every SIP UA (an MS may have several SIP UAs for different applications), a status record is maintained in the SPC. A four-state Finite State Machine (FSM) is associated with the record. These states are

State 0: The SPC has not initiated the activation process.

State 1: The SPC has initiated the activation process, and one incoming call is waiting for setup.
State 2: The SPC has initiated the activation process. No incoming call is waiting for setup.

State 3: The SIP UA is active.

The incoming call waiting for setup at State 1 is referred to as the outstanding call. There is at most one outstanding call during the SIP UA activation process. The state transition diagram for the FSM of a status record is illustrated in Figure 2-9 and the details are given below:

Figure 2-9. The FSM State Transition Diagram for the SPC Status Record

Transition 1: An incoming call request arrives at State 0. The SPC sends a message to activate the SIP UA. The SPC sets a timer T1 and changes the state to “1”.

Transition 2: The timer T1 expires at State 1. The SPC drops the current incoming call request by sending a timeout message to the caller. The state changes to “2”.

Transition 3: An incoming call arrives at State 1. The SPC drops this call request (because the called MS is already engaged in an outgoing call setup). The state remains in “1”.

Transition 4: An incoming call request arrives at State 2. This call becomes the outstanding call. The SPC sets the timer T1 and changes the state to “1”.

Transition 5: When the SPC receives the activation complete message from the called MS at State 1, the SPC forwards the outstanding call request to the SIP UA of the called MS following the standard SIP protocol. The state is changed to “3”.

Transition 6: When the SPC receives the activation complete message from the called MS
at State 2, the SPC changes the state to “3”.

Transition 7: When the SPC receives a call request at State 3, it directly forwards the call request to the SIP UA of the called MS following the standard SIP protocol.

It is clear that for every SIP UA, the FSM eventually moves to State 3. There is exactly one outstanding call at State 1, and there is no outstanding call at State 2. During the state transition, an incoming call is “lost” if either Transition 2 or 3 occurs.

2.4.1. Performance Analysis

Figure 2-10. The Timing Diagram (A dot “.” represents dropping of an incoming call immediately after it arrives at the SPC)

Figure 2-10 illustrates the timing diagram for the execution of the SIP UA activation procedure in the SPC mechanism. This procedure is initiated by the first incoming call arriving at time τ0 (Figure 2-10 (1)). Suppose that the SPC detects that the SIP UA of the destination MS is not activated. This incoming call is suspended at the SPC. The SPC sends a GSM short message to activate the destination MS (see Figure 2-8 (b)) and sets a timer T1 for this outstanding call. If the activation procedure is not complete before T1 expires, the call is dropped. In Figure 2-10, the timer T1 for the first outstanding call expires at time τ2 (Figure 2-10 (4)), and the SPC receives the activation complete message from the called MS at time τ6 (Figure 2-10 (9)), where τ6 > τ2. During SIP UA activation, new incoming calls for the destination MS may arrive. If the outstanding call has not been dropped when a
new incoming call arrives, then this new incoming call is dropped (see Figure 2-10 (2), (3), and (8)). Otherwise, this incoming call becomes the next outstanding call (see Figure 2-10 (5) and (7)). In the following sub-sections, we investigate the performance of the SIP push mechanism, where the expected number of lost calls during SIP UA activation is computed. The lost calls include the dropped outstanding calls due to T1 expiration (see Figure 2-10 (4) and (6)) and the incoming calls arriving when an outstanding call exists (see Figure 2-10 (2), (3), and (8)).

2.4.2. Analytic Model

In this section, we present an analytic model to investigate the performance of the push mechanism. We make the following assumptions:

1. The incoming call arrivals are a Poisson process with rate λ; therefore, the inter call arrival time t0 is Exponentially distributed with the density function $f_{t_0}(t_0) = \lambda e^{-\lambda t_0}$. In Figure 2-10, t0 = τ1 - τ0.

2. The T1 timeout period (denoted as t1) has the density function $f_{t_1}(t_1)$. In Figure 2-10, t1 = τ2 - τ0. We consider T1 with fixed interval 1/µ.

3. The SIP UA activation time is denoted as t2 = τ6 - τ0. In this section, we assume t2 to be Exponentially distributed with the mean 1/γ, and the density function $f_{t_2}(t_2) = \gamma e^{-\gamma t_2}$. We will also consider Gamma distributed t2 in the simulation model.

In our study, the output measure is the expected number E[N] of the lost calls during the activation period. Consider the following two cases.

Case 1) The first outstanding call is successfully set up; i.e., the activation time t2 of SIP UA is shorter than 1/µ.
Case 2) The first outstanding call is dropped; i.e., the activation time t2 of SIP UA is longer than 1/µ.

Let Pi be the probability that Case i occurs, and Ni be the expected number of lost calls in Case i. Pi can be expressed as

$$P_1 = \Pr[t_2 < 1/\mu] = \int_{t_2=0}^{1/\mu} f_{t_2}(t_2)\,dt_2 = 1 - e^{-\left(\frac{\gamma}{\mu}\right)} \quad\text{and}\quad P_2 = 1 - P_1 = e^{-\left(\frac{\gamma}{\mu}\right)} \tag{2.1}$$

In Case 1, all incoming calls that arrive during the SIP UA activation period t2 are lost. Since the incoming calls are a Poisson stream, the expected number of lost calls during t2 is λt2. Therefore

$$P_1 \cdot N_1 = \int_{t_2=0}^{1/\mu} \lambda t_2 \times f_{t_2}(t_2)\,dt_2 = \frac{\lambda}{\gamma} - \left(\frac{\lambda}{\gamma}\right) e^{-\left(\frac{\gamma}{\mu}\right)} - \left(\frac{\lambda}{\mu}\right) e^{-\left(\frac{\gamma}{\mu}\right)} \tag{2.2}$$

In Case 2, the first outstanding call and all incoming calls during the waiting time of the first outstanding call are dropped. That is, the expected number of lost calls before T1 expires is $1 + \frac{\lambda}{\mu}$. We further analyze Case 2 by two sub-cases in terms of the next event after T1 expires.

Case 2-1) The next event after the T1 expiration is the completion of SIP UA activation (i.e., t4 < t3 in Figure 2-10). The expected number of lost calls after the drop of the first outstanding call is 0.

Case 2-2) The next event after the T1 expiration is an incoming call request (i.e., t3 < t4 in Figure 2-10), and this incoming call becomes the second outstanding call.

From the residual life theorem and the memoryless property of the Exponential distribution
[47], t3 has the same distribution as that for the inter call arrival time t0. That is, $f_{t_3}(t) = f_{t_0}(t) = \lambda e^{-\lambda t}$. Similarly, we have $f_{t_4}(t) = f_{t_2}(t) = \gamma e^{-\gamma t}$. Since t3 and t4 have the same distributions as those for t0 and t2, respectively, the situation seen by this outstanding call is the same as that seen by the first outstanding call. Therefore, the expected number of lost calls after the arrival of this new outstanding call is E[N]. Let P2-i denote the probability that Case 2-i occurs, we have

$$N_2 = \left(1 + \frac{\lambda}{\mu}\right) + \left(P_{2\text{-}1} \times 0 + P_{2\text{-}2} \times E[N]\right) = \left(1 + \frac{\lambda}{\mu}\right) + \frac{\lambda E[N]}{\lambda + \gamma} \tag{2.3}$$

From Equations (2.1), (2.2), and (2.3)

$$E[N] = \sum_{i=1}^{2} P_i \times N_i = \left[\frac{\lambda}{\gamma} - \left(\frac{\lambda}{\gamma}\right) e^{-\left(\frac{\gamma}{\mu}\right)} - \left(\frac{\lambda}{\mu}\right) e^{-\left(\frac{\gamma}{\mu}\right)}\right] + e^{-\left(\frac{\gamma}{\mu}\right)} \times \left[\left(1 + \frac{\lambda}{\mu}\right) + \frac{\lambda E[N]}{\lambda + \gamma}\right] \tag{2.4}$$

By re-arranging Equation (2.4), we have

$$E[N] = \frac{\dfrac{\lambda}{\gamma} + \left(1 - \dfrac{\lambda}{\gamma}\right) \times e^{-\left(\frac{\gamma}{\mu}\right)}}{1 - \left(\dfrac{\lambda}{\lambda + \gamma}\right) \times e^{-\left(\frac{\gamma}{\mu}\right)}} \tag{2.5}$$

2.4.3. Simulation Model

We utilize discrete event simulation experiments to validate the analytic model described in Section 2.4.2. In the simulation, three types of events are defined: CallArrival event represents the arrival of incoming call to an MS, TimerExpiration event represents that T1 of an outstanding call expires, and ActivationComplete event indicates that the SIP UA of the called MS is successfully activated. Every event is associated with a timestamp.
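The following is an added example, not the dissertation's simulator: a small event-driven run of the SPC status-record FSM (States 1 to 3, Transitions 2 to 6) using the three event types above, compared against Equation (2.5). It assumes exponential t2 and fixed T1 = 1/µ as in Section 2.4.2; the function names and sample parameters are hypothetical.

```python
import math
import random

def analytic_expected_lost(lam, mu, gamma):
    """Equation (2.5): E[N] for fixed T1 = 1/mu and exponential t2 (mean 1/gamma)."""
    e = math.exp(-gamma / mu)
    return (lam / gamma + (1 - lam / gamma) * e) / (1 - lam / (lam + gamma) * e)

def simulate_activation(lam, mu, gamma, rng):
    """Run the status-record FSM for one activation period; return lost calls."""
    state, lost = 1, 0                      # Transition 1 taken at time tau0 = 0
    t_complete = rng.expovariate(gamma)     # ActivationComplete timestamp (t2)
    t_timer = 1.0 / mu                      # TimerExpiration timestamp for T1
    t_arrival = rng.expovariate(lam)        # next CallArrival timestamp
    while state != 3:
        events = [(t_complete, "ActivationComplete"), (t_arrival, "CallArrival")]
        if state == 1:                      # T1 only runs while a call is outstanding
            events.append((t_timer, "TimerExpiration"))
        now, kind = min(events)             # process the earliest timestamp
        if kind == "ActivationComplete":    # Transition 5 (from 1) or 6 (from 2)
            state = 3
        elif kind == "TimerExpiration":     # Transition 2: outstanding call dropped
            lost += 1
            state = 2
        else:
            if state == 1:                  # Transition 3: new call dropped
                lost += 1
            else:                           # Transition 4: new outstanding call
                state = 1
                t_timer = now + 1.0 / mu
            t_arrival = now + rng.expovariate(lam)
    return lost

def estimate_expected_lost(lam, mu, gamma, runs=100_000, seed=1):
    """Average lost calls over many independent activation periods."""
    rng = random.Random(seed)               # fixed seed: reproducible estimate
    return sum(simulate_activation(lam, mu, gamma, rng) for _ in range(runs)) / runs

if __name__ == "__main__":
    lam, mu, gamma = 1.0, 1.0, 2.0          # constructed sample parameters
    print("analytic  E[N] =", round(analytic_expected_lost(lam, mu, gamma), 4))
    print("simulated E[N] =", round(estimate_expected_lost(lam, mu, gamma), 4))
```

Shortening T1 (raising µ) or slowing activation (lowering γ) raises both figures, which gives a quick way to see how many call requests the SPC discards for a given timer setting.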