Download Mobility Management in IP

Mobility Management in IP-Based
Wireless Networks
1. Basic issues in mobility management
2. Mobility management in IP networks
3. Mobility management in 3GPP packet
networks
1. Basic Issues in Mobility Management
1.1 Impact of naming and addressing on mobility
management
1.2 Location management
1.3 Packet delivery to mobile destinations
1.4 Handoffs
1.5 Roaming
Types of Mobility
 Terminal mobility
 the ability for a user terminal to continue to access
the network when the terminal moves
 User mobility
 the ability for a user to continue to access network
services, may be from different terminals, under the
same user identity when the user moves
 Service mobility
 the ability for a user to access the same services
regardless of where the user is
Basic Mobility Management Requirements
 Support all forms of mobility
 Support mobility for all types of applications
 real-time and non-real-time data, voice, and multimedia
applications
 Support mobility across heterogeneous radio systems in the
same or different administrative domains
 Support session (service) continuity
 continue without significant interruptions as the user
moves about
 Global roaming
 the ability for a user to move into and use different
operators’ networks
Basic Functional Components
 Location management
 a process that enables the network to determine a
mobile’s current location
 i.e., the mobile’s current network attachment point
where the mobile can receive traffic from the
network
 Packet delivery to mobiles
 a process whereby a network node, mobile terminal,
or end-user application uses location information to
deliver packets to a mobile terminal
 Handoff and roaming
 handoff (or handover)
 a process in which a mobile terminal changes its
network attachment point
 example: a mobile may be handed off from one
wireless base station (or access point) to another, or
from one router or switch to another
 roaming
 the ability for a user to move into and use different
operators’ networks
 Network access control
 a process used by a network provider to determine
whether a user is permitted to use a network and/or a
specific service provided by the network
 main steps
 authentication: verify the identity of user
 authorization: determine whether a user should be
permitted to use a network or a network service
 accounting: collect information on the resources used
by a user
1.1 Impact of Naming and Addressing
on Mobility Management
 A name identifies a network entity, such as a user, a
user terminal, a network node, or a service
 An address is a special identifier used by the network
to determine where traffic should be routed
 A terminal’s address typically identifies a network
attachment point
 a telephone number in a PSTN network
 identifies a port on a PSTN switch rather than the telephone
set itself
 an IP terminal’s IP address
 identifies an attachment point to an IP network
 Today’s networks, the name of a terminal is often tied
with the terminal’s address, example,
 an IP terminal has traditionally been named by the Internet
Domain Name associated with the terminal’s IP address
 mobile terminals that use multiple network addresses are
becoming increasingly popular, example,
 a mobile terminal may have multiple radio interfaces
 each radio interface may use a different type of radio
technology
 each radio interface may need to have its own IP address
 which domain name should be used as the
terminal’s name in this case?
 solutions
 make the IP terminal names independent of the
terminal’s addresses
 e.g., IETF has defined Network Access Identifier
(NAI) that allows a terminal to be identified by a
single globally unique NAI regardless of how
many IP addresses this terminal may have
 Traditional circuit-switched networks, such as the
PSTN, typically do not support user names
 they assume a static mapping between a terminal and the user
responsible to pay for the services used by the terminal
 Static mapping of users to terminals could lead to a
range of problems in a mobile network
 mobile users often have to, or like to, use different types of
terminals in different locations depending on what types of
terminals are available or best fit their needs
 this suggests that a mobile user’s name should not be
statically tied to a mobile terminal
 Terminal-independent user names have become
increasingly common in mobile networks, example,
 GSM
 each subscriber is identified by a globally unique
International Mobile Subscriber Identity (IMSI) that
is independent of the terminal used by the user
 a Subscriber Identity Module (SIM) carries a
mobile’s IMSI and can be ported from one mobile
terminal to another to allow a user to use different
terminals and still be recognized by the network as
the same user
 Today’s IP Networks, applications provide their own
naming schemes for users, example
 e-mail users are identified by their e-mail addresses
 SIP users are identified by their SIP URIs
 the NAI may serve as a user’s globally unique and
terminal-independent user name
1.2 Location Management
1.2.1 Location update strategies
1.2.2 Location discovery (paging)
1.2.3 Interactions between location update and
paging
1.2.1 Location Update Strategies
 When a mobile should perform location
updates and what location-related information
the mobile should send to the network?
 update the mobile’s precise location every time the
mobile changes its network attachment points,
example, Mobile IP
 knowing a mobile’s precise location allows the
network to deliver traffic to the mobile via unicast
 when mobiles change their network attachment points
frequently, maintaining precise locations of all mobiles could
lead to heavy location update traffic, which wastes limited
radio bandwidth
 to save scarce resources on the mobile and in the wireless
network, a network can group network attachment points into
location areas
 only keeps track of which location area each mobile is likely
in when the user and the network have no traffic to send to
each other
 the network tries to determine a mobile’s precise location
only when it needs to deliver user traffic to the mobile
Location Update
 Time-based update
 update periodically at a constant interval (called update
interval)
 Movement-based update
 update whenever it traverses a predefined number of
location areas, called movement threshold
 most existing wireless networks (e.g., GSM, GPRS,
3GPP, 3GPP2) use movement-based location update
strategy in which the movement threshold is one
 Distance-based update
 update whenever it has traveled a predefined distance
threshold from the location area in which it performed
its last location update
 distance may be measured in many different ways, such
as physical distance, or cell distance (i.e., distance
measured in number of radio cells or location areas)
 the physical distance-based strategy is used, for example,
as an option in 3GPP2
 Parameter-based update
 update whenever the value of any preselected parameter
changes
 these strategies are sometimes referred to as profilebased strategies
 this strategy is used, for example, as an option in 3GPP2
 Implicit update
 a mobile does not send any message explicitly for the
purpose of location update
 instead, the network derives the mobile’s location when
the network receives other signaling or user data from
the mobile
 Probabilistic update
 update based on a probability distribution function
 a probabilistic version of time-based, movement-based,
or distance-based location update strategies may be
created
 example: a time-based location update
 the new update time interval after each update may
be dynamically adjusted based on the probability
distribution of call arrival times
Movement-Based vs. Distance-Based
Location Update Strategies
 Assumptions
 the mobile last performed a location update
in the center location area
 the number on each arrowed line indicates
the number of times the mobile has crossed
a cell boundary
 the movement threshold used by a
movement-based update strategy is three
cell boundary crossings
 the distance threshold used by the distancebased update strategy is three cells
 Movement-based update strategy
 update at the third, sixth, and the ninth times it
crosses a cell boundary
 Distance-based update strategy
 only update once, i.e., at the ninth time it crosses a
cell boundary
1.2.2 Location Discovery
(Paging)
 Network performs paging
 send one or multiple paging messages to a paging
area where the mobile is likely to be located
 Upon receiving a paging message
 a mobile needs to update its precise current location
with the network
Issues with Paging
 Paging should be done within a reasonable time
constraint
 if paging takes too long, the call setup latency could
become intolerable to end users and call attempts
may be dropped
 How to construct paging areas?
 paging areas do not have to be identical to location
areas
 How to search a paging area to locate a mobile?
Paging Strategies




Blanket paging
Sequential paging
Geographic paging
Group paging
Blanket Paging
 Blanket paging is deployed in most of today’s wireless
networks
 A paging message is broadcast simultaneously to all radio
cells inside the paging area where the mobile is located
 Advantages
 simplicity
 low paging latency
 Drawback
 broadcasting paging messages to a large number of
radio cells could consume a significant amount of scarce
resources, including radio bandwidth and power on all
the mobiles in the paging area
Blanket Paging
Page
every
cells
within the
LA
Sequential Paging
 A large paging area is divided into small paging sub-areas
(e.g., radio cells)
 Procedure
 paging messages are first sent to a subset of the paging
areas where the network believes the mobile is most
likely to be located
 if the mobile is not in this sub-area, subsequent paging
messages will be sent to another paging sub-area
 the process continues until either the mobile is found or
the entire paging area is searched
Sequential Paging
Page the cells
sequentially
until the user
is found
1
4
2
3
5
8
7
6
9
10
 Issues
 how to divide a large paging area into smaller paging
sub-areas
 which sub-areas should be searched first
Blanket Paging vs. Sequential Paging
Blanket
Sequential
paging cost
large
small
paging delay
small
large
sequential group paging may be used if
there is a constraint on paging cost
Geographic & Group Paging Strategies
 Geographic paging
 network uses geographical position of a mobile to
determine where a paging message should be sent
 Group paging
 to locate a mobile, the network pages a group of mobiles
together instead of paging only the mobile to be located
1.2.3 Interactions between Location
Update and Paging
 Design of location update and paging strategies should
consider a proper balance among the following
 overhead
 network resources consumed by location updates and
paging
 performance, e.g., paging latency
 complexity
 complexities of location update and paging as well as
protocols needed to support these strategies
 high complexity results in high network costs and
high level of difficulty in operating the network
1.3 Packet Delivery Strategies
to Mobile Destinations
 Direct delivery strategy
 a packet originator first obtains the destination
mobile’s current location (from location servers)
 then addresses and sends packets directly to that
location
 Relayed delivery strategy
 a packet is sent first to a mobility anchor point
 the packet is then relayed toward its final
destination
 the packet originator does not need to know
 the destination mobile’s current location
 whether a destination is a mobile or a fixed node
 Limitations of relayed delivery strategy
 may cause packets to take longer paths than direct
delivery strategies
 the mobility anchor points could become traffic and
performance bottlenecks
 Integrated relayed delivery and direct delivery strategies
 packets destined to the destination will be routed first toward
a mobility anchor point
 mobility anchor point relays these packets to mobile’s current
location
 the mobility anchor point or the destination then inform the
packet originator of the destination’s current location
 the packet originator then address the packets directly to the
mobile’s current location
1.4 Handoffs
 Handoffs in an IP-based wireless network may occur at
different protocol layers
 Handoffs at each protocol layer may occur in different
scopes
 Handoffs can be hard or soft
Layers of Handoff
 Physical layer
 a mobile changes its network attachment point at the
physical layer
 example: the mobile may change from one radio
channel to another, from one wireless base station to
another
 Logical link layer
 a mobile changes its logical link layer over which the
mobile exchanges user IP packets with the network
 IP layer
 the mobile changes its IP address or moves to a different
IP access router
Scopes of Handoff
 Handoffs at each protocol layer may occur in different
scopes
 Handoffs at the IP layer
 intra-subnet handoff
 a mobile remains on the same IP subnet after it
changes its IP address or moves from one base
station to another
 inter-subnet handoff
 a mobile moves into a new IP subnet and
changes its IP address
 inter-router handoff
 a mobile moves to a new IP access router
Types of Handoff Processes
 Hard handoff
 a mobile can receive user data from only one base
station at any time
 handoff implementations
 make-before-break
 mobile sets up new network attachment before it
tears down old network attachment
 break-before-make
 mobile tears down old network attachment point
and then sets up new network attachment
 Soft handoff
 a mobile receives copies of the same user data from two
or more base stations simultaneously
 the mobile uses signal processing techniques to
determine the most likely correct value of the data from
its multiple copies
 soft handoff has been proven to be an effective way for
increasing the capacity, reliability, and coverage range
 requires the following capabilities
 data distribution and selection
 data content synchronization
Data Distribution and Selection
 BS → Mobile
 separate copies of the same data sent via multiple base
stations to the same mobile
 the mobile should construct a single copy and only pass the
copy to upper layer protocols or applications
 Mobile → BS
 multiple copies of the same user data originated from a
mobile sent to network via different base stations
 the edge devices connecting the radio access networks to the
core network should select one copy of the data to send to the
destination
Data Content Synchronization
 Mobile’s radio system should combine copies of the
same data arriving from multiple base stations
Selection and Distribution Unit (SDU)
 Responsible for data distribution from network to
mobile
 May be located on a base station or a MSC
 Create and distribute multiple streams of the same data
over layer-2 circuits to multiple base stations that relay
the data to the mobile
1.5 Roaming
 Home domain
 the domain where the mobile maintains a service
subscription account
 uses user’s accounts and service profiles to
determine
 how to provide services to a mobile
 how to charge the services used by the mobile
 user’s account
 subscriber’s identity
 billing address
 service profile
 security information (for authentication)
 user’s service profile
 the network services subscribed by the user
 the networks the user is allowed to use
 Visited domain
 when a user moves into a domain with which it
does not have an account
Extra Capabilities Needed to
Support Roaming
 Network access control for visiting mobiles
 Roaming agreement between mobile’s home domain
and visited domains
 Session continuity while a user crosses domain
boundaries
Network Access Control for
Visiting Mobiles
 Decision on allowing a user to use a visited domain is
based on
 who this user is
 whether the user or its home domain agrees to pay
for its use of the visited domain
 where to send the bill of this user
Roaming Agreement between Mobile’s
Home Domain and Visited Domains
 A roaming agreement should decide
 how a visiting mobile should be authenticated,
authorized, and billed
 The visited domain may ask the user’s home domain to
 authenticate the user
 confirm how to charge for the user’s use of the
visited domain
 The home domain may send information regarding the
user’s service profile to the visited domain
 to help the visited domain to determine how to
provide services to the user, for example, the user’s
QoS requirements
Roaming Broker
 Problem
 users may roam outside the countries into different network
providers in other countries
 it is difficult for a network provider to establish a roaming
agreement with every other network provider
 One alternative solution is to use a Roaming Broker
 Roaming broker
 each network provider only needs to establish a roaming
agreement with the roaming broker
 when a user roams into a new visited network
 this visited network will ask the roaming broker to
authenticate and authorize the user
 the roaming broker
 relay the authentication and authorization requests
from the mobile’s home network provider
 relay the responses to the mobile’s current visited
network
2. Mobility Management in
IP Networks
2.1 Naming and addressing of IP terminals
2.2 Mobile IPv4
2.3 MIPv4 regional registration
2.4 Paging extensions to Mobile IPv4
2.5 Mobile IPv6
2.6 SIP-based mobility management
2.7 Cellular IP
2.8 HAWAII
 Mobile IPv4 (or MIPv4)
 standard protocol defined by IETF for mobility
management in IPv4 networks
 enables an IP terminal to maintain a permanent IP
address and receive packets addressed to this
permanent address regardless of the mobile’s
current attachment point to the Internet
 Mobile IPv6 (MIPv6)
 the IETF is leveraging MIPv4 to define an IP-layer
mobility management protocol for IPv6 networks
 Micromobility management protocols
 IP-layer mobility protocols that provide enhanced
mobility support (e.g., reduced handoff delay)
within a limited geographical region
 E.g., a building, campus, or a metropolitan area
network
 Examples of micromobility management protocols
 MIPv4 Regional Registration
 Cellular IP
 HAWAII
 SIP-based mobility management
 the most widely accepted application-layer mobility
protocol as the session management protocol for
wireline and wireless IP networks
2.1 Naming and Addressing of
IP Terminals
 Issues
 with regular IP routing protocols, when a terminal
moves to a new IP network or IP subnet (visited or
foreign network)
 the terminal have to use an new IP address of
the new IP network in order to receive packets
from the visited network
 if the mobile terminal uses its IP address as its
identifier, the identifier will change as the
mobile moves from one IP network to another
 a mobile may have multiple radio interfaces, each
with a different IP address
 a mobile’s radio interfaces may not all be
reachable by the network at any given time
 depending on which radio systems are available at
the mobile’s current location or which radio
system the mobile user wishes to use if multiple
radio systems are available
 this makes it difficult to determine which IP
address configured on the mobile should be used
as the mobile’s identifier
 Resolution：Network Access Identifier (NAI)
 IETF defined NAI that can identify a mobile
terminal (or user) regardless of either the terminal’s
current location or how many IP addresses the
terminal may have
 NAI form
 username@realm
 username：identifies the terminal
 realm：identifies the Internet domain name of a
Network Access Server (NAS)
Note: Network Access Server (NAS)
 A single point of access to a remote resource
 Act as a gateway to guard access to a protected
resource
 this can be anything from a telephone network, to printers, to
the Internet
 Operations
 the client connects to the NAS
 the NAS then connects to another resource asking whether
the client's supplied credentials are valid
 based on that answer the NAS then allows or disallows
access to the protected resource
 NAS contains no information about what clients can connect
or what credentials are valid
 all the NAS does is send the credentials the client supplied to
a resource which does know how to process the credentials
 Associated protocols
 although not required, NAS are almost exclusively used with
AAA servers
 RADIUS tends to be the most widely used
 DIAMETER base protocol extends RADIUS services by
providing error handling and inter-domain communications
 this protocol is used in networks like IP Multimedia
Subsystem (IMS)
2.2 Mobile IPv4
 Mobility issues in IP Networks
 once a mobile terminal moves to a new subnet, a
correspondent node needs to use the mobile’s new
IP address
 it is difficult to force every possible
correspondent node to keep track when a mobile
terminal may change its IP address and what the
mobile’s new address will be
 changing IP address will cause on-going TCP
sessions to break
 Mobility management should
 ensure on-going TCP connection does not break
 restore quickly if TCP connection breaks
Home Network
 Home address
 a globally unique and routable IP address
 preconfigured or dynamically assigned
 Home network
 the network whose network address prefix matches that of the
mobile terminal’s home address
 Home agent (HA)
 maintain up-to-date location information for the mobile
 intercept packets addressed to the mobile’s home address
 tunnel packets to the mobile’s current location
Note: Network Prefix
7
A:
0
24
Network
Host
14
B:
1
0
16
Network
Host
21
C:
1
1
0
Network
8
Host
Class A Network (/8 Prefixes)
Class B Networks (/16 Prefixes)
Class C Networks (/24 Prefixes)
 IP addresses are divided into three different
classes
 each of the following figure defines different-sized
network and host parts
 there are also class D addresses specify a multicast
group, and class E addresses that are currently
unused
 in all cases, the address is 32 bits long
78
7
A:
0
24
Network
Host
14
B:
1
0
16
Network
Host
21
C:
1
1
0
Network
8
Host
IP addresses: (a) class A; (b) class B; (c) class C
79
 the class of an IP address is identified in the most
significant few bits
 if the first bit is 0, it is a class A address
 if the first bit is 1 and the second is 0, it is a class B
 if the first two bits are 1 and the third is 0, it is a class
C address
 of the approximately 4 billion (= 232) possible IP
addresses
 one-half are class A
 one-quarter are class B
 one-eighth are class C
80
 Class A addresses
 7 bits for the network part and 24 bits for the host
part
 126 (= 27-2) class A networks (0 and 127 are
reserved)
 each network can accommodate up to 224-2 (about 16
million) hosts (again, two are reserved values)
 Class B addresses
 14 bits for the network part and 16 bits for the host
part
 65,534 (= 216-2) hosts
81
 Class C addresses
 21 bits for the network part and 8 bits for the
host part
 2,097,152 (= 22l) class C networks
 254 hosts (host identifier 255 is reserved for
broadcast, and 0 is not a valid host number)
82
 IP addresses are written as four decimal integers
separated by dots
 each integer represents the decimal value contained in
1 byte (= 0~255) of the address, starting at the most
significant
 Example, 171.69.210.245
 Internet domain names (DNS)
 also hierarchical
 domain names tend to be ASCII strings separated by
dots, e.g., cs.nccu.edu.tw
83
Foreign Network
 Care-of Address (CoA)
 assigned to the mobile by the foreign network
 a mobile uses its CoA to receive IP packets in the
foreign network
 Foreign agent (FA)
 provides CoAs and other necessary configuration
information (e.g., address of default IP router) to
visiting mobiles
 de-tunnels packets from the tunnel sent from a visiting
mobile’s HA and then delivers the packets to the
visiting mobile
 acts as the IP default router for packets sent by visiting
mobile terminals
 helps visiting mobiles to determine whether they have
moved into a different network
Two Types of CoAs in MIPv4
 Foreign Agent CoA
 an IP address of a FA
 each FA is responsible for providing FA CoAs to
visiting mobiles
 when FA CoA is used, the mobile’s HA tunnels the
packets to the mobile’s current FA that addressed to
the mobile’s home address
 the FA will then de-tunnel the packets and deliver
them to the mobile
 Co-located CoA
 a CoA acquired by a mobile terminal through any
method external to Mobile IP
 example, a mobile may use the Dynamic Host
Configuration Protocol (DHCP) to obtain a
temporary address dynamically
 the mobile terminal’s HA tunnels the packets
addressed to the mobile’s home address directly to
the mobile itself; these packets do not have to go
through any FA
Main Phases of MIPv4 Operation





Agent discovery
Movement detection
Leaving the home network
Entering and staying in a visited network
Returning to the home network
2.2.1 Agent discovery
2.2.2 Movement detection
2.2.3 Leaving the home network
2.2.4 Entering and staying in a visited network
2.2.5 Returning to the home network
2.2.6 Mobile-home authentication extension
2.2.7 Vendor/organization specific extensions to Mobile IP
messages
2.2.8 Reverse tunneling
2.2.9 Limitations of MIPv4
2.2.10 MIPv4 route optimization
2.2.1 Agent Discovery
 Goal
 for a mobile terminal to discover mobility agents (home
agent and foreign agent)
 Approach
 mobility agents advertise services and system information to
mobiles via Agent Advertisement messages
 a mobile may solicit an Agent Advertisement message from
any mobility agents by sending an Agent Solicitation
message to the Mobile-Agents Multicast Group address
224.0.0.11
 all mobility agents should respond to any received Agent
Solicitation message
 Agent discovery using Internet Control Message
Protocol (ICMP) Router Discovery Messages
 ICMP Router Advertisement Message
 sent by router to terminals to inform its IP
address
 ICMP Router Solicitation Message
 sent by a terminal to ask router to send ICMP
Router Advertisement Messages
Agent Advertisement Message
 ICMP Router Advertisement message with extensions
to carry MIPv4 specific information
 Mobility Agent Advertisement Extension
 indicate this is a MIPv4 Agent Advertisement message
 carry information specific to MIPv4 mobility agent
 Prefix-Lengths Extension (optional)
 indicate the network prefix length (in bits) of each
advertised Router Address
 mobile may use this prefix lengths to determine whether
it has moved into a new IP network
Structure of Mobile IP Agent
Advertisement Message
MIPv4 Mobility Agent Advertisement
Extension to ICMP Router Advertisement Message
Fields and Flags
 Type
 16, indicates a Mobility Agent Advertisement Extension
 Length
 length in octets of the extension from the beginning of
Sequence Number field to the end
 Sequence Number
 number of Agent Advertisement messages sent since the
agent was initiated
 Registration Lifetime
 longest lifetime in seconds the agent is willing to accept
any Registration Request
 R (Registration required)
 set, if Mobile IP registration through this FA is required
 B (Busy)
 set, if this FA will not accept registrations from
additional mobile terminals
 H (Home agent)
 set, if this agent offers service as a HA
 F (Foreign agent)
 set, if this agent offers service as a FA
 M (Minimal encapsulation - RFC 2004)
 set, if this agent can accept tunneled messages that use
Minimal Encapsulation
 G (GRE encapsulation - RFC 3095)
 set, if this agent accepts tunneled packets that use
Generic Routing Encapsulation (GRE)
 r (Reserved)
 this field is not used
 must be set to zero and ignored on reception
 T (Reverse tunneling)
 set, if this FA supports reverse tunneling
 Reserved
 not currently used and shall be ignored by the mobiles
 Foreign Agent Care-of Addresses
 addresses, if any, provided by this FA
MIPv4 Prefix-Length Extension
to ICMP Router Advertisement message
Fields
 Type
 19, indicates a Prefix-Length Extension
 Length
 the value of the “Num Addrs” field in the ICMP Router
Advertisement portion of the Agent Advertisement
 indicating the number of Router Addresses advertised in this
message
 Prefix Lengths
 the number of leading bits that define the network prefix of
the corresponding Router Address
 encoded as a separate byte, in the order that the Router
Addresses are listed in the ICMP Router Advertisement
portion
Agent Solicitation Message
 The format is identical to ICMP Router Solicitation
message, except
 its IP Time-to-Live (TTL) must be set to 1, means that
Agent Solicitation message will not propagate beyond
local IP subnet
2.2.2 Movement Detection
 For a mobile to detect whether it enters a new IP
subnet (changes its care-of address)
 Approach 1
 use the Lifetime field in Agent Advertisement
messages
 Lifetime indicates the length of time that this
Advertisement is valid
 Algorithm
 if the mobile does not receive any new Agent
Advertisement from the same mobility agent within the
remaining Lifetime
 it will assume that it has lost contact with that
mobility agent
 if, by this time, the mobile has already received Agent
Advertisement from other mobility agents
 it may use one of these mobility agents
 otherwise, the mobile should start searching for a new
mobility agent by issuing Agent Solicitation messages
 Approach 2
 a mobile may compare the network prefix of old
network with that of new IP subnet
 if the two network prefixes differ then it means the
mobile has just entered a new IP subnet
2.2.3 Leaving the Home Network
 As a mobile leaves its home network
 the HA captures the packets addressed to the mobile’s
home address
 ARP (Address Resolution Protocol)
 used to determine the hardware address associated with
a target IP address
 hardware address
 identify a node at the link layer
 used by link layer protocol to forward link-layer
frames or packets
 ex：Medium Access Control (MAC) address
 ARP protocol
 when a node wants to send an IP packet to a target node
and does not know it’s hardware address
 it broadcasts an ARP REQUEST message (include
sender IP address, target IP address, sender hardware
address) to ask all the nodes on the local IP network for
the target node’s hardware address that matches target
IP address
 the node that matches the target IP address will reply
with ARP REPLY message including its IP address and
hardware address
 once a node learns the mapping from an IP address to a
hardware address, the node caches the mapping in its
ARP cache for later use
Issues & Resolutions
 Issue-1
 after a mobile leaves its home network, other nodes
on the home network may still have cached the
mapping of the mobile’s IP address to its hardware
address
 those nodes will continue to send packets to the
mobile’s hardware address rather than to the HA,
and thus these packets will be lost
 Resolution-1 (Gratuitous ARP)
 a Gratuitous ARP packet, can be an ARP
REQUEST packet, is sent by a node to trigger other
nodes to update their ARP caches
 before a mobile leaves its home network
 it broadcasts a Gratuitous ARP packet to all
other nodes (including mobility agents) on the
local IP subnet
 those nodes that receives such a Gratuitous ARP
packet will
 update its ARP cache to map the sending
mobile’s home address to the HA’s hardware
address
 these nodes will forward future packets
addressed to the mobile’s home address to the
mobile’s HA
 Issue-2
 if a node on a mobile’s home network does not
have the mobile’s hardware address in its ARP
cache
 when it wants to send a packet to the mobile, this node
will use ARP to find the mobile’s hardware address
 however, when the mobile is away from the home
network, the mobile will not be able to reply to the
ARP REQUESTs sent by nodes on the home network
 Resolution-2 (Proxy ARP)
 a Proxy ARP packet is an ARP REPLY message sent by
one node on behalf of another node in response to an
ARP REQUEST
 when the HA receives an ARP REQUEST asking for
hardware address of the mobile that is away from the
home network, the HA will reply to this ARP
REQUEST on behalf of the mobile
 the HA will set the Sender Protocol Address (IP address)
and the Sender Hardware Address of this ARP REPLY
message to the HA’s own IP and hardware addresses,
respectively
 those nodes that receive the ARP REPLY message will
forward packets addressed to the mobile’s home address
to the HA
2.2.4 Entering and Staying in a
Visited Network
 Upon entering a visited network
 a mobile must acquire a temporary CoA from the
visited network to receive packets from the visited
network
 the mobile will then register its new CoA with its
HA
 this registration serves as a location update and will
cause the HA to tunnel packets addressed to the
mobile’s home address to this new CoA
 Two messages for registration
 Registration Request
 Registration Reply
 Registration Request and Registration Reply
messages are transported over UDP to a port
number 434
 Registration request & reply
 a mobile sends a Registration Request message to
its HA to register its current CoA
 upon receiving a Registration Request message, the
HA authenticates the mobile
 if the authentication is positive, the HA will use this
CoA to update the mobile’s CoA
 the HA will then return a Registration Reply
message to the mobile
 A mobile may register its current CoA
 with its HA directly
 send Registration Request messages directly to
the HA without having to go through a FA
 through a FA
 send Registration Request messages first to a FA
and then forward them to the mobile’s HA
 Mutual authentication
 HA authenticates all Registration Requests it
receives
 mobile authenticates all Registration Reply
messages it receives
 protections against a range of security attacks
 redirection attack
 protect against malicious users from sending
Registration Requests to a HA to cause
packets to another redirected mobile user
 denial of service (DOS)
 protect a malicious user from pretending to be
a HA to conduct “denial of service” attacks
by rejecting its Registration Requests
MIPv4 Registration Request
Message Format
Fields and Flags
 Type
 1, indicate whether this is a MIPv4 Registration
Request
 S (Simultaneous bindings)
 set, if a mobile requests its HA to maintain multiple
care-of addresses for the mobile at the same time
 when the HA intercepts a packet addressed to the
mobile’s home address, it will tunnel a copy of the
packet to each currently registered care-of address
 B (Broadcast datagrams)
 set, if the mobile requests that the HA tunnel to it
any broadcast datagrams that it receives on the
home network
 D (Decapsulation by mobile terminal)
 set, if the mobile will itself decapsulate datagrams
that are sent to the co-located care-of address
 M (Minimal encapsulation)
 set, if the mobile requests that its HA use Minimal
Encapsulation for datagrams tunneled to the mobile
 G (GRE encapsulation)
 set, if the mobile requests that its HA use GRE
encapsulation for datagrams tunneled to the mobile
node
 r
 set to zero and ignored on reception
 not used for any other purpose
 T
 reverse tunneling requested
 x
 set to zero and ignored on reception
 not used for any other purpose
 Lifetime
 number of seconds remained before registration is
expired
 a zero lifetime indicates a request for deregistration
 Home Address
 if a mobile has a preconfigured home address
 it may put its home address in the Home Address
field
 if the mobile does not have a preconfigured home
address
 the mobile sets the Home Address field to
0.0.0.0
 the mobile should specify its NAI (Network
Access Identifier) in the Registration Request
message
 Home Agent
 if the mobile knows the address of its HA
 the Home Agent field contains the IP address of
the mobile’s HA
 if the mobile does not know the address of its HA
 use Dynamic Home Agent Address Resolution
to discover the HA’s address
 Care-of Address
 the mobile’s CoA
 Identification
 a 64-bit number
 used for protecting against replay attacks of
registration messages by matching Registration
Requests (mobile) with Registration Replies (HA)
 Extension
 one or more extension fields
 used to support future enhancement
 Mobile-Home Authentication Extension
 a mandatory extension in every Registration
Request message
 used by HA to authenticate Registration Request
MIPv4 Registration Reply Message Format
Fields
 Type
 3, indicate whether this is a MIPv4 Registration
Reply message
 Code
 indicate the result of the corresponding Registration
Request
 Lifetime
 for successful registration
 contain the number of seconds remained before
registration is expired
 for failed registration
 should be ignored
 0
 indicate that the mobile has been deregistered
 Home Address
 the mobile’s home address
 Home Agent
 the IP address of the mobile’s HA
 Identification
 a 64-bit number
 used for protecting against replay attacks of
registration messages by matching Registration
Requests (mobile) with Registration Replies (HA)
 Extension
 Mobile-Home Authentication Extension
 a mandatory extensions field to be carried in
every Registration Reply message
 used by a mobile to authenticate the Registration
Reply message
2.2.5 Returning to the Home Network
 When a mobile returns to its home network
 packets addressed to its home address will now be
forwarded to itself directly, rather than to its HA
 Two steps to take
 those nodes on the home network, which cache IPto-hardware address binding, will start to send
packets directly to the mobile rather than to the HA
 the mobile should inform its HA to remove the
obsolete states for the mobile
2.2.6 Mobile-Home Authentication
Extension
 Used to authenticate Registration Request and
Registration Reply messages
Mobile-Home Authentication
Extensions to Mobile IP Messages
Fields
 Type
 32, indicate a Mobile-Home Authentication Extension
 Length
 length in octets of the extension from the beginning of
the SPI field to the end
 Security Parameter Index (SPI)
 a four-octet identifier used to identify a security context
between a mobile and its HA
 SPI identifies the authentication algorithm and the secret
used by the mobile and its HA to compute the
Authenticator
 Authenticator
 a number calculated by applying an authentication
algorithm on the message that needs to be protected
 protect the following fields of a Registration Request or
a Registration Reply message
 the data of the Registration Request or the
Registration Reply
 all other Extensions to the Registration Request or
the Registration Reply message prior to the MobileHome Authentication Extension
 the Type, Length, and SPI fields of this MobileHome Authentication Extension
Fields Protected by MIP
Mobile-Home Authentication Extension
2.2.7 Vendor/Organization Specific
Extensions to Mobile IP Messages
 Allow network equipment vendors and other
organizations (e.g., network operators) to
 add their specific information to the Mobile IP
signaling messages (i.e., Registration Request,
Registration Reply, Agent Advertisement messages)
 implement creative mobility control capabilities in
addition to the basic mobility control capabilities
 Two Vendor/Organization Specific Extensions have
been defined in IETF RFC 3115
 Critical Vendor/Organization Specific Extensions
(CVSE)
 Normal Vendor/Organization Specific Extensions
(NVSE)
Critical Vendor/Organization Specific
Extensions (CVSE)
CVSE Fields
 Type
 37, the CVSE-TYPE-NUMBER
 Reserved
 reserved for future use
 set to 0 by the sender and must be ignored on
reception
 Length
 length in bytes of this extension, not including the
Type and Length bytes
 Vendor/Org-ID
 the identifier of the vendor or organization that is
using this extension
 Vendor-CVSE-Type
 the particular type of this CVSE
 a vendor may assign and use different types of
CVSEs
 Vendor-CVSE-Value
 vendor/organization-specific data
 it may contain zero or more octets
Normal Vendor/Organization Specific
Extensions (NVSE)
NVSE Fields
 Type
 133, the NVSE-TYPE-NUMBER
 Length
 length in bytes of this extension, not including the
Type and Length bytes
 Reserved
 reserved for future use
 set to 0 by the sender and must be ignored on
reception
 Vendor/Org-ID
 the identifier of the vendor or organization that is
using this extension
 Vendor-NVSE-Type
 the particular type of this NVSE
 a vendor may assign and use different types of
NVSEs
 Vendor-NVSE-Value
 vendor/organization-specific data
 it may contain zero or more octets
2.2.8 Reverse Tunneling
 Reverse tunneling
 tunnel a mobile’s outgoing packets from the
mobile’s CoA back to the mobile’s HA
 the HA will then decapsulate the packets and route
the original packets to their final destinations
 IETF RFC 3024
 specifies how reverse tunneling works when a
mobile uses Foreign Agent CoA
 a mobile arrives at a visited network
 listen for Agent Advertisement messages
 select a FA that supports reverse tunnels
 a FA informs visiting mobiles that it supports
reverse tunneling by
 setting the “T” flag in the Agent Advertisement
messages it sends to the mobiles
 the mobile requests the reverse tunneling service
when it registers through the selected FA
 by setting the “T” flag in the MIPv4 Registration
Request
 Two ways for a visiting mobile to deliver packets to
FA
 direct delivery style
 the mobile
 designate the FA as its default router
 send packets directly to the FA without
encapsulation
 the FA
 intercept these packets
 tunnel them over the reverse tunnel to the
mobile’s HA
 encapsulate delivery style
 the mobile
 encapsulate all its outgoing packets
 send the encapsulated packets to the FA
 the FA
 decapsulate these packets
 tunnel them over the reverse tunnel to the
mobile’s HA
Mobile IPv4 Reverse Tunneling
2.2.9 Limitations of MIPv4
 [Limitation-1] Triangular routing
 packets addressed to a mobile’s home address
→ routed to the mobile’s HA first
→ forwarded to the mobile’s current care-of
address
 could introduce long end-to-end packet delays and
lead to inefficient use of network resource
 solution：route optimization
 [Limitation-2] HA may become a traffic and
performance bottleneck
 all user traffic destined to a mobile outside its home
network have to go through the mobile’s HA
 this makes a HA a potential traffic and performance
bottleneck as the number of mobiles and/or the
traffic volume grow
 [Limitation-3] Potential long handoff delay
 when a mobile changes its CoA (e.g., handoffs to
another IP subnet), it has to register its new CoA
with its HA
 if the foreign network is far away from the mobile’s
home network
 could introduce a long delay registration process
 may be unacceptable to on-going real-time
sessions of voice or multimedia applications
 solution：micromobility management protocols
 [Limitation-4] Potential insufficient deregistration
capability
 after a mobile is registered through a FA, the
mobile may move into a new network
 in basic MIPv4, the mobile does not explicitly
deregister with the FA in the old network
 this registration expires only when its lifetime
expires
 it’s difficult for a visited network to determine
when a mobile left the network
 [Limitation-5] Insufficient capabilities to support other
mobility management requirements
 example, current MIPv4 does not support dormant
mobiles
 a dormant mobile exchanges limited information
infrequently with network in order to save scarce
resources (e.g., power)
 network may not know the precise location of
this dormant mobile
 network needs to perform paging to determine the
mobile’s precise location when it has packets to
send
 solution
 to support dormant mobile terminals, IP paging
protocols are required
2.2.10 MIPv4 Route Optimization
 A correspondent node knows a mobile’s current CoA
→ tunnel packets to the destination mobile’s CoA directly
 A correspondent host may maintain a Binding Cache that
maps the mobiles’ home addresses to their CoAs
 When a packet is to be sent, the correspondent host will
first search its Binding Cache for the mobile’s CoA
 if the search is found, the correspondent host will tunnel
the packets to the mobile’s CoA directly
 otherwise, it will send the packet to the mobile’s home
address as in the basic MIPv4
MIPv4 Route Optimization
2.3 MIPv4 Regional Registration
 Problem
 a mobile has to register with its HA every time it
changes its CoA
 this could introduce long handoff delay when the
visited network is far away from the mobile’s home
network
 MIPv4 Regional Registration
 extend the basic MIPv4 protocol to allow a mobile
to register its new CoA locally with its visited
network domain
 network domain
 a collection of networks sharing a common
network administration
MIPv4 Regional Registration
 Each network domain consists of a two-level hierarchy
of FAs
 top level：Gateway Foreign Agents (GFAs)
 each domain will have at least one GFA
 GFAs are the FAs that directly interact with
visiting mobiles’ HAs outside the domain
 a GFA must have a publicly routable IP address
 lower level：any number of FAs
 A mobile inside a visited domain will have two CoAs
 GFA address: the mobile will register the address of a
GFA in the visited domain as its CoA with its HA
 local CoA: a local CoA is an address used by the mobile
to receive packets over a network inside the visited
domain
 MIPv4 Agent Advertisement message is extended to
include a flag “I” to indicate whether the domain supports
MIPv4 Regional Registration
 The mobile can learn the GFA address in one of the
following ways
 from Agent Advertisement messages
 these messages are extended to carry GFA address
 dynamically assigned by visited network
 the mobile sets the CoA field in its Registration
Request to zero to require the visited network to
dynamically assign it with a GFA address
 FA will add the following extensions to the received
Registration Request message and then relay this
message with the added extensions to the GFA
 a GFA IP Address Extension
 contain the address of the assigned GFA
 a Hierarchical Foreign Agent Extension
 contain the address of the FA
 MIPv4 Regional Registration introduces two new
messages
 Regional Registration Request
 mobile → FA → GFA
 initiate regional registration
 Regional Registration Reply
 GFA → mobile
 respond to a Regional Registration Request
2.4 Paging Extensions to Mobile IPv4
 Mobile IP can be extended to support paging
 P-MIP (Paging in Mobile IP) is one set of paging
extensions to Mobile IPv4
 P-MIP
 mobile
 a mobile can be in active or idle state
 active state
 mobile operates in the same manner as in
standard Mobile IP without P-MIP
 idle state
 mobile may not perform MIP registration
 a mobile uses an Active Timer to determine
whether it should be in active or idle state
 it stays in active state for an Active Timer period
and changes into idle state when its Active
Timer expires
 each time a mobile sends or receives a packet, it
restarts its Active Timer
 an idle mobile transitions into active state
whenever it receives or sends any packet
 Registered FA
 the FA through which a mobile performed its
last Mobile IP registration
 use an Active Timer to determine whether the
mobile is active or idle
 each time this FA sends a packet to or receives a
packet from the mobile, it restarts the Active
Timer for the mobile
 P-MIP requirement
 an FA is required on each IP subnet
 mobiles can only use FA CoAs and have to perform
Mobile IP registration through FAs
 Paging Areas
 FAs are grouped into Paging Areas
 each Paging Areas is identified by a unique Paging
Area Identifier (PAI)
 Requirement of MIP registration
 No
 if an idle mobile moves from one IP subnet to
another inside the same paging area
 Yes
 if an idle mobile moves into a new paging
area
Paging Extensions to Mobile IPv4
 P-MIP procedure (deliver packets to idle mobiles)
 sending
 packets → mobile’s HA → mobile’s CoA (the
mobile’s Registered FA) → Registered FA
checks if the mobile is active or idle → mobile’s
home address
 if the mobile is active
 mobile's Registered FA will forward the packets
over its own local network directly to the mobile
 if the mobile is idle
 mobile's Registered FA will
 broadcast a Paging Request over its own local
network, and
 unicast a Paging Request to every FA in the
same Paging Area
 note：there is no requirement of MIP
registration if an idle mobile moves from one
IP subnet to another inside the same paging
area
 when an idle mobile receives a Paging Request, it
will transit into active mode
 Limitations on Active Timers
 setting of Active Timer
 value of Active Timer depends on the
application traffic
 example, value of Active Timer of sending and
receiving a stream of packets should be longer
than that of inter-packet arrival, so that no extra
paging will be needed before the last packet of
the packet stream is received by the mobile
 different applications generate different types of
traffic with widely varying inter-packet arrival
times
 mobiles should dynamically adjust the value of
Active Timer by sending signaling messages to
inform its Registered FA of the new Active
Timer value
 consistency of Active Timers
 the value of the Active Timer maintained on the
mobile should be about the same as that used by
the mobile’s Registered FA
 this requires an FA to know the value of the
Active Timer for each mobile
 preconfigure such Active Timer values on all
FAs for every mobile does not seem to be a
scalable approach
2.5 Mobile IPv6
 Mobile IPv6
 use the same concepts of home networks and home
addresses as in MIPv4
 ensure that a mobile can receive packets addressed
to its home address regardless of where it is
 make a mobile’s movement transparent to upper
layer protocols and applications
 Basic concept
 mobile
 has a home network and a home address
 mobile’s home address
 does not need to change regardless of where the
mobile is
 correspondent node
 can always address packets to a mobile’s home
address
 when a mobile moves into a foreign network
 it acquires a IPv6 CoA to receive packets from
foreign network by registering its current CoA
with its HA
 binding
 association between a mobile’s home address
and its CoA
MIPv6 Address Binding with
Home Agent
 Address binding
 as a mobile changes its CoA
 mobile sends a Binding Update (BU) message to
its HA to register its current CoA
 HA returns a Binding Acknowledgment (BA)
message to inform the mobile of the status of the
Binding Update
 Authentication
 HA authenticates every BU message it receives
 mobile authenticates every BA it receives
 authentication of BU and BA messages is achieved
using IPsec
 IP Security (IPsec)
 IETF develops IP Security (IPsec) to secure IP
packet transmissions
 IPsec provides data origin authentication, replay
protection, data integrity, data confidentiality, and
access control
 IPsec is a suite of protocols for protecting IP
datagrams and higher-layer protocols
 it consists of security protocols, authentication and
encryption algorithms, security associations, and
key management
 IPsec is optional for IPv4 but mandatory in IPv6
 Security protocols
 Authentication Header (AH)
 support data integrity and authentication of
packets
 Encapsulating Security Payload (ESP)
 mainly provide confidentiality services,
including confidentiality of message content and
limited traffic flow confidentiality
Family of IPsec Protocols
Note: Security
 Different facets of network security
 authentication
 an ability for communicating parties, including network
operators and users, to validate each other’s authentic
identity
 authorization
 the ability for a party (e.g., a network provider) to determine
whether a user should be allowed to access particular
networks, network services, or information
 also referred to as access control
 integrity
 protection of information from unauthorized change
 confidentiality or privacy
 keep the information private such that only authorized users
can understand it
 confidentiality is also referred to as privacy
 confidentiality is often achieved by encryption
 availability
 the network operators should prevent outside malicious
users from blocking legitimate access to a network or a
network service
 denial-of-service, for example, will deter legitimate users
from accessing the network information and resources
 nonrepudiation
 the ability for a network to supply undeniable evidence
to prove the message transmission and network access
performed by a user
 Security attacks (active attack)
 denial-of-service (DoS)
 prevent a service from being provided to one or more
users or to cause significant disruptions to the services
 example, an attacker may initiate a large number of
connections to a target destination continuously to
overload the target to make it impossible or difficult
for the target to provide any service
 legitimate users, therefore, are deterred from network
access
 masquerade
 an attacker first acquires the identity of a legitimate
user
 it then pretends to be an authorized user to access the
network information and resources
 man-in-the-middle
 an attacker positions forces between communicating
parties to intercept and manipulate the messages
transmitted between the communicating parties
 example, the attacker may delay, modify, or counterfeit
the messages
 the attacker may also divert the messages to other
locations before relaying them between the legitimate
communicating parties
 before such attacks are detected, the legitimate
communicating parties believe that they are still
sending messages to each other directly
 replay
 an attacker intercepts and records the legitimate
transmission
 the attacker then replays (i.e., resends) the messages
later on
 using replay attacks, an attacker could pretend to be an
authorized user to access a network or information
even when the captured transmission was encrypted
and even when the attacker does not know the security
key needed to decrypt the captured transmission
 example, an attacker could replay a banking transaction
to duplicate the previous transaction
 MIPv6 does not use FAs
 in IPv6 network, mobiles use only co-located CoAs,
and no need of FA CoAs
 mobiles can use IPv6 Neighbor Discovery to detect
movement
 MIPv6 supports two modes of operation
 bi-directional tunneling mode
 route optimization mode
MIPv6 Bi-directional Tunneling Mode
 Similar to how MIPv4 works when using a co-located
CoA
 It treats a mobile destination in exactly the same way it
treats a fixed destination
 Correspondent host sends packets to mobile
 it always uses the mobile’s home address as the
destination address
 packets will be routed via regular IPv6 routing to
mobile’s home network
 if the mobile is inside its home network
 packets will be delivered to mobile via
regular IPv6 routing protocols without MIPv6
 if the mobile is outside its home network
 HA intercepts the packets
 tunnel packets to mobile
 Mobile sends packets to correspondent host
 while a mobile is away from its home network
 packets are tunneled to mobile’s HA first
 HA then uses regular IPv6 routing to route these
packets toward their final destinations
MIPv6 Route Optimization Mode
 Operation
 a mobile will register its binding not only with its
HA but also with its correspondent hosts
 packets from a correspondent host can be routed
directly to the CoA of the destination mobile
 Before a correspondent host has the binding for a
mobile
 it will address packets to mobile’s home address
 initial packets are tunneled by HA to the mobile
 mobile can then send binding to correspondent host
for it to sent future packets directly to mobile
 To support route optimization
 MIPv6 requires each IPv6 host and MIPv6 HA to
use a binding cache to maintain binding information
 when an IPv6 terminal wishes to send packets to
another IPv6 terminal, it first checks its binding
cache to see if it has a binding for the destination
 if it does, packets are addressed to the
destination’s CoA directly
 if it does not, packets are addressed to the
destination’s home address
2.5.1 Movement Detection
 The basic approach used by an IPv6 mobile for
movement detection is IPv6 Neighbor Discovery
 IPv6 Neighbor Discovery
 enables an IPv6 terminal to discover new IPv6
routers and determine if a router is reachable (i.e.,
terminal and router can receive packets from each
other)
 an IPv6 router broadcasts Router Advertisement
messages to mobiles on that local network
 these advertisement messages
 carry the IPv6 addresses of the router and
network prefixes that can be used by mobiles to
configure their CoA
 help a mobile to discover new IPv6 routers
 also help a mobile to detect whether an IPv6
router is still reachable, i.e. whether it has moved
out of a network or moved into a new network
 A mobile can probe the network to see if there are
reachable routers by broadcasting Neighbor
Solicitation messages
 upon receiving such message, a router will send
Router Advertisement messages to the mobile
 A mobile may use other means to help movement
detection
 example, a handoff at the lower layer (e.g., change
of radio channels, radio cells, or radio interfaces on
the mobile) can be used as an indication that the
mobile may have moved into a new IP network
 A mobile can acquire an IPv6 CoA by using
 auto-configuration
 combine a network prefix received in the Router
Advertisement messages with the mobile’s own
hardware address
 DHCPv6
2.5.2 Sending Packets Directly to Mobile’s
Care-of Address
 When a correspondent host has a binding for a mobile
 the host can address packets directly to the mobile’s
CoA
 In IPv6, a routing header is used by a source node
 to list one or more nodes that should process the
packet (or the nodes to be visited by the packet), in
addition to the node identified by the destination
address in the packet header
 A routing header is inserted between the IPv6
header and the header of upper layer protocol
(e.g., UDP or TCP)
IPv6 Packet傳送架構
Next Header (8 bits)
值(10進位)
0
6
17
41
43
44
46
50
51
58
59
60
下一個標頭的種類
Hop By Hop Option Header
TCP
UDP
Capsule IPv6 Header
Routing Header
Fragment Header
Resource Reservation Protocol
Security Payload Capsule Header (RFC2406)
Authentication Header (RFC2402)
ICMPv6
No Next Header
Destination Option Header
IPv6封包延伸標頭的例子
IPv6 header
CoA
Routing header
Home address
 When a correspondent host sends a packet directly to a
mobile
 it uses the mobile’s CoA as the destination address
in the IPv6 header of the packet
 the mobile’s home address will be carried in a
routing header defined by MIPv6
 When the packet arrives at the destination mobile’s
CoA
 it will process the routing header and know where is
the mobile’s home address
IPv6 header
Home address
 it replaces the IPv6 destination address in the IPv6
header with the mobile’s home address
 decrements the Segments Left field in the
routing header by one
 0, indicating that the mobile’s home address is
the final destination
MIPv6 Routing Header Format
Fields
 Next Header
 8-bit code
 identifies the type of header immediately following
the routing header
 Header Extension Length
 8-bit unsigned integer
 indicates the length of the routing header in eightoctect units, not including the first eight octets
 Routing Type
 type of the routing header
 Segments left
 8-bit unsigned integer
 indicates the number of nodes listed in this routing
header that are still to be visited
 1, this MIPv6 routing header will carry only a
single home address
 Reserved
 32-bit field
 reserved for future use
 Home Address
 home address of the destination mobile
2.5.3 Sending Packets while Away
from Home
 When a mobile is away from its home network and
wants to send a packet to a correspondent host or the
mobile’s HA
 the mobile may use its current CoA as the source
address in the packet header and pass to the access
routers in a visited network without using reverse
tunneling
 MIPv6 uses IPv6 Destination Options Header
 Header carries optional information to be examined
only by destination node
 Header is placed between IPv6 header and the
header of upper layer protocols (e.g., UPD)
 MIPv6 defines a Home Address Option that will be
carried inside an IPv6 Destination Option Header
 when a mobile is away from its home network and
wants to send a packet, it uses the Home Address
Option to inform the packet’s recipient of the
mobile’s home address
Format of IPv6 Destination Options Header
Carrying a Mobile IPv6 Home Address Option
Fields
 Next Header
 8-bit code
 identifies the type of header immediately following
the destination options header
 Header Extension Length
 8-bit unsigned integer
 indicates the length of the destination options
header in eight-octect units, not including the first
eight octets
 Option Type
 identifies the type of the Option carried in IPv6
Destination Options Header
 201, defined by MIPv6
 Option Length
 8-bit unsigned integer
 indicates the length of the Home Address Option in
octets, excluding the Option Type field and the
Option Length field
 Home Address
 the home address of the mobile sending the packet
 When a correspondent host (or a HA) receives a packet
that carries a MIPv6 Home Address Option
 if it does not have a binding entry for the home
address carried in Home Address Option
 it drops the packet
 if it has a binding entry for the home address
 it replaces the source address in the packet
header with the home address carried in the
Home Address Option
2.5.4 Formats of Binding Update and
Binding Acknowledgment Messages
 MIPv6 Binding Update (BU) and Binding
Acknowledgment (BA) messages
 transported inside a special IPv6 extension header,
the Mobility Header defined by MIPv6
 Mobility Header
 placed between IPv6 header and upper layer
protocol (e.g., UDP or TCP) header of a user IPv6
packet
Mobile IPv6 Mobility Header
Fields
 Payload Protocol
 8-bit value
 identifies the type of the header immediately
following the Mobility Header
 Header Length
 8-bit unsigned integer
 represents the length of the Mobility Header in
units of octets, excluding the first eight octets
 must be a multiple of eight octets
 Mobility Header Type
 8-bit value
 identifies the type of mobility message in the
Message Data field
 Reserved
 8-bit field
 reserved for future use
 Checksum
 16-bit unsigned integer
 checksum of the Mobility Header
 Message Data
 a variable-length field
 contains a specific mobility message, such as a BU
message or a BA message
 Note：a checksum is a form of redundancy check, a very
simple measure for protecting the integrity of data by
detecting errors in data
Format of Mobile
IPv6 Binding Update message
Fields
 Sequence Number
 16-bit unsigned integer
 used by receiving node to sequence BU messages
 used by sending node to match a returned BA
message with a BU message
 A (acknowledge)
 1-bit flag
 set by sending node to request a BA message be
returned by receiving node upon receipt of BU
message
 H (Home Registration)
 1-bit flag
 set by sending node to request that the receiving
node act as the sending node’s HA
 L (Link-Local Address Compatibility)
 1-bit flag
 set when the home address reported by mobile node
has the same interface identifier as the mobile
node’s link-local address
 interface identifier
 a number used to identify a node’s interface on a
link
 the remaining low-order bits in the node’s IP
address after the subnet prefix
 link-local address
 an address that is only valid within the scope of a
link, such as one Ethernet segment
 K (Key Management Mobility Capability)
 1-bit flag
 only valid in a BU message sent to a HA
 set by the sending node to indicate whether the
protocol used for establishing the IPsec security
association between a mobile and its HA can
survive movement
 Reserved
 reserved for future use
 Lifetime
 16-bit unsigned integer
 indicates the number of time units remaining before
the binding expires
 Mobility Options
 a variable-length field that contains one or more
Mobility Options in a Type-Length-Value format
 used to carry
 information needed for MIPv6 mobility
management such as a mobile’s CoA
 security-related information needed for a
receiving node to authenticate a received
message
 examples of Mobility Options
 Alternative CoA option
 used to carry a mobile’s CoA
 Binding Authorization Data option
 used to carry security-related information
needed by the receiving node to authenticate
and authorize BU message
 Nonce Indices option
 a nonce is a random number used by a
correspondent node to help authenticate a BU
from a mobile
 this option is only used when BU message is
sent to a correspondent node
 the correspondent node uses the information
carried in this option with the information
carried in the Binding Authorization Data
option to authenticate a BU message from a
mobile
Formats of Mobile IPv6 Alternative CoA
Option and Binding Authorization Data Option
Alternative CoA Option Format
 Type
 3, identifies an Alternative CoA option
 Length
 length in octets of the portion of this option starting
immediately after the Length field
 16, means exactly one CoA will be carried in the
option
Binding Authorization Data Option Format
 Type
 5, indicates a Binding Authorization Data option
 Option Length
 length in octets of the Authenticator field
 Authenticator
 a cryptographic value used to determine that the
message comes from a right user
 Protects the following mobility data fields
 Care-of Address
 final destination address of the packet
 Mobility Header Data
 the content of the Mobility Header excluding
the Authenticator field
Format of Mobile IPv6
Binding Acknowledgement Message
Fields
 Status
 an 8-bit unsigned integer
 indicating the status of how the corresponding BU
message is processed
 K
 indicate whether the protocol used by a HA for
establishing the IPsec security association between
the mobile and the HA can survive movement
 Reserved
 reserved for future use
 Sequence Number
 copied from the Sequence Number field of the
corresponding BU message
 Lifetime
 the time, in units of 4 seconds, for which the sender
of this BA message will retain the binding of the
receiving node of this BA message
 Mobility Options
 a variable-length field that
 one or more Mobility Options in a Type-LengthValue format
 A BA message may carry the following Mobility
Options
 Binding Authorization Data option
 used to carry the security-related information for
the receiving node to authenticate the BA
message
 Binding Refresh Advice option
 used by a HA to inform a mobile how often the
mobile should send a new BU message to the
HA
 this option is only used in a BA sent by a HA to
a mobile in response to a received BU message
2.5.5 Hierarchical Mobile IPv6 Registration
 When a mobile is far away from its HA
 the process of binding update with HA may
experience a long delay
 One approach to reduce binding update delay
 implement local HAs dynamically using the
“forwarding from the previous CoA”
Mobile IPv6 “Forwarding from Previous
Care-of Address" Mechanisms
 Assumptions on a mobile
 original home network is Subnet A
 original home agent, HA A, is in Subnet A
 mobile movement：Subnet A → Subnet B → Subnet C
 Scenario
 while a mobile in Subnet B
 acquires a CoAB
 performs a binding update with original home agent
HA A
 register CoAB as its primary CoA
 When the mobile moves into Subnet C
 acquires a new CoAC
 the mobile does not have to perform address
binding with home agent HA A
 it may send a Binding Update to home agent HA
B to request HA B to serve as the HA for CoAB
and use CoAC as the current care-of address for
CoAB
 packets addressed to the mobile’s home address
continue to be routed to mobile’s home network,
where they will be captured by mobile’s HA
 HA continues to use CoAB as the primary careof address for the mobile and tunnel intercepted
packets to CoAB, i.e., to HA B
 HA B will extract the original packets from the
tunnel and then tunnel them to the mobile’s
current CoAC, i.e., to the mobile itself
 The “forwarding from the previous CoA” may be used
to support hierarchical registration
 consider that the mobile subsequently moved from
Subnet C to a new subnet D
One Approach to Support Hierarchical
Mobile IPv6 Registration
 Upon entering subnet D
 mobile will acquire a new CoAD
 mobile can choose to make HA B its local HA and
register its new CoAD with this local HA only
 mobile uses “forwarding from the previous CoA”
 it sends a Binding Update message to HA B to
use its CoA to update the CoA for its CoAB
 when HA B receives packets that are addressed to
CoAB
 it will tunnel them to the mobile’s CoAD
2.6 SIP-Based Mobility Management
 MIPv4 and MIPv6
 IP-layer protocols
 Session Initiation Protocol (SIP)
 application-layer protocol
 used to support mobility over IP networks
 used for signaling and control of real-time voice
and multimedia applications over
 IP networks
 3GPP
 3GPP2
SIP
 An application-layer protocol that can establish,
modify, and terminate multimedia sessions
(conferences) over the Internet
 a multimedia session is a set of senders and
receivers and the data streams flowing from the
senders to the receivers
 example, a session may be a telephony call between
two parties or a conference call among more than
two parties
 SIP can also be used to invite a participant to an ongoing session such as a conference
 SIP messages could contain session descriptions such
that participants can negotiate with media types and
other parameters of the session
 SIP provides its own mechanisms for reliable
transmission and can run over several different
transport protocols such as
 TCP
 UDP
 SCTP (Stream Control Transmission Protocol)
 SIP is compatible with both IPv4 and IPv6
 SIP provides the following key capabilities for
managing multimedia communications
 determine destination user’s current location
 determine whether a user is willing to participate in
a session
 determine the capabilities of a user’s terminal
 set up a session
 manage a session
 modify the parameters of a session
 invoke service functions to provide services to a
session
 terminate a session
 SIP is a client-server protocol that uses a request and
response transaction model
 Four major components in SIP architecture
 SIP user agent
 a user agent (UA) is an Internet endpoint, such
as IP phone, PC, or conference bridge, that is
used to establish, modify, and terminate sessions
 a UA could act as both a user agent client (UAC)
and user agent server (UAS)
 a UAC is a logical entity that initiates a request
 a UAS, on the other hand, generates a response
to a SIP request
 SIP redirect server
 a redirect server is a UAS that generates a
response to redirect a request to other location
 SIP proxy server
 a proxy server assumes the roles of both UAC
and UAS
 it acts as an intermediary entity between other
user agents to route SIP messages to the
destination user
 SIP registrar
 a registrar is a UAS that processes SIP
REGISTER requests
 it maintains mappings from SIP user names to
addresses and is the front end of the location
service
 it is consulted by a SIP server to route messages
SIP in Redirect Mode
SIP in Proxy Mode
2.6.1 Movement Detection
 SIP application to handle mobility
 should detect when the mobile terminal changes its IP
address (e.g., moves into a new IP network) and what the
new IP address will be
 DHCP can help to detect network change and acquire new IP
addresses
 mobile may ask a DHCP server for a new IP address each
time the mobile detects a handoff from one radio cell to
another
 mobile will supply its current IP address as the preferred
address in its request sent to DHCP server
 if the address assigned by the DHCP server is the
same as the mobile’s current IP address, the mobile
is still in the same IP subnet
 otherwise, the mobile assumes that it has moved
into a new IP network
 once the mobile’s IP address changed, the software
on the mobile should inform the SIP application of
the change
 the SIP applications should ensure that
correspondent hosts can establish SIP sessions with
the mobile at its new location
2.6.2 Pre-session Terminal Mobility
 Pre-session terminal mobility
 the ability for correspondent hosts to establish a SIP
session with a mobile regardless of where the
mobile is located currently
 A SIP Redirect Server in a mobile’s home network
 tracks the mobile’s current location
 provides the location information to a caller so that
the caller can contact the mobile at its new location
directly to set up a SIP session
SIP-Based Pre-session Terminal
Mobility Management
 Scenario
① a correspondent user sends a SIP INVITE message
to SIP redirect server in the destination user’s
home network to establish a SIP session
② the SIP Redirect Server returns the destination
terminal’s current location to the correspondent
user
③ the correspondent user sends a new SIP INVITE
message directly to the destination user’s current
location to establish SIP session
④ once the session is successfully established, user
data will flow between the users directly without
having to traverse the SIP redirect server
 Key difference between SIP Redirect Server and
Mobile IP HA in tracking current locations of mobiles
 SIP Redirect Server
 simply tells a caller where a destination is
currently and will not be involved in relaying
user traffic to the destination
 mobility uses Direct Delivery strategy for
delivering a call to a mobile destination
 Mobile IPv4 HA
 will also be responsible for relaying user packets
to destination mobile
 Mobile IPv4 uses the Relayed Delivery strategy
for delivering traffic to a mobile
Location Update for Supporting
SIP-based Terminal Mobility
 SIP Redirect Server learns the user’s current location
from user’s SIP REGISTRATION messages
 whenever a user starts to use a new IP address (e.g.,
mobile terminal changes IP address or user uses a
different terminal), it will register its new IP
address with SIP Redirect Server
 user registration process may be performed directly
with home register or via a SIP Proxy Server in
visited network
 Current location registration
 mobile sends a SIP REGISTRATION message
carrying its current location to its home SIP
Redirect Server
 Home SIP Redirect Server interacts with AAA
servers in the home network to authenticate the user
 if authentication is positive
 Home SIP Redirect Server returns a positive
acknowledgment to the mobile
 location update process is thus completed
2.6.3 Mid-Session Terminal Mobility
Support
 Mid-session (mid-call) terminal mobility
 the ability to maintain an on-going SIP session,
whereas the mobile terminal moves from one IP
subnet to another
 When the mobile changes its IP address in the middle
of an on-going SIP session
 mobile will send a new SIP INVITE message to
invite correspondent host to re-establish SIP session
to mobile’s new location
 Upon receiving such update information and
acknowledging the mobile’s SIP INVITE request
 the correspondent host will start to use the mobile’s
new IP address to address the packets destined to
the mobile
 The mobile will update its location with its home SIP
Redirect Server using location update procedure
SIP-Based Mid-Session
Terminal Mobility Management
2.6.4 Limitations of IP Mobility Using SIP
 Limitation
 Limitation-1
 a mobile using SIP mobility has to register its
new IP address with a SIP server (e.g., a SIP
Redirect Server) in the mobile’s home network
every time the mobile changes its IP address
 this could introduce long handoff delays when
the mobile is far away from its home network
 this could also create a high load on home server
 Resolution
 hierarchical registration is used to reduce the
registration latency
 Limitation-2
 it is difficult for SIP-based mobility
management to keep a TCP session alive while a
mobile changes its IP address
 changing the IP address on either end of a TCP
session will cause the TCP session to break
 with SIP-based terminal mobility, when a
mobile changes its IP address, a correspondent
host will have to address its outgoing packets to
the mobile’s new IP address
 Resolution
 a mobile terminal and a correspondent host uses
a software agent called a SIPEYE agent to hide
the IP address change from the on-going TCP
sessions
 A SIPEYE agent on a terminal operates as follows
 it maintains a list of the on-going TCP connections
on the terminal
 it detects the birth and death of TCP connections by
examining the headers of TCP packets
 for each on-going TCP session, the SIPEYE agent
records the following information
 original IP address of the terminal
 served as a terminal’s source IP address when
the TCP session was initiated
 current IP address of the terminal
 used to receive IP packets from the visited
network
 original IP address of the correspondent host for
this TCP session
 served as correspondent host’s source IP
address when the TCP session was initiated
 when the mobile terminal changes its IP address
 it will send a SIP INFO message to the
correspondent host of each on-going TCP
session to inform them of the mobile’s new IP
address
 the TCP application on the mobile
 does not need to know that the mobile has
changed its IP address
 continues to use its original IP address as the
source IP address in all outgoing TCP packets
 The SIPEYE agent on a correspondent host operates as
follows
 being notified that the mobile has changed its IP
address
 encapsulate each outgoing TCP packet with a new
IP header that carries the mobile’s new IP address
as the destination address
 these packets will be routed via regular IP routing
to the mobile terminal’s new location
 the TCP application on the correspondent host
 does not need to be aware that the mobile has
changed its IP address
 continues to address its outgoing packets to the
mobile’s original IP address
 The SIPEYE agent on the mobile terminal operates as
follows
 receive such an encapsulating packet
 strip off the encapsulating header added by the
correspondent host
 deliver the payload TCP packet to the TCP process
 TCP application
 continue to use the original source and
destination IP addresses throughout the on-going
TCP session without any modification to the
TCP protocol
 allows TCP session to remain alive when the
mobile changes its IP address
 SIPEYE approach has a potentially significant limitation
 it requires a SIPEYE agent to be implemented on
every mobile and every correspondent host
 it’s difficult over a large network such as Internet
2.7 Cellular IP
 With Mobile IP
 when a mobile is far away from its HA and wants to register
new IP address with its HA
 this could lead to long handoff delay
 Cellular IP
 designed to support fast handoff in a wireless network of
limited size (e.g. a network within the same administrative
domain)
 mobile doesn’t need to change its IP address while moving
inside a Cellular IP network, and thus reducing handoff
latency
 Main reason for a mobile to change its IP address when
moving into a new IP subnet
 regular IP routing uses prefix-based routing
 which divides network into subnets and requires
different subnets to use disjoint IP address spaces
 Cellular IP
 a mobile doesn’t need to change its IP address
inside a cellular network
 does not use prefix-based routing
 uses host-specific routing
 network nodes perform routing and packet
forwarding based on the full IP address of each
mobile
 network maintains a host-specific downlink
route to forward packets to each mobile, rather
than maintaining a route for each IP address
prefix
Cellular IP
 Two types of network nodes in Cellular IP network
 Base Stations (BS)
 internal to a Cellular IP network and do not
interface directly with external networks
 can be a wireless access point that provides air
interface to mobiles or a router that does not
have any air interface
 Gateway Router
 interconnects a Cellular IP network with external
IP networks
 Nodes
 use Cellular IP routing protocol to determine
 routes from one node to another
 host-specific downlink route to each mobile
2.7.1 Cellular IP Routing
 Uplink packets
 packets originated from mobiles inside Cellular IP
network
 first routed hop-by-hop to gateway router
 gateway router
 determines where to route the packet and then
forward the packet toward destination
 periodically broadcasts a beacon packet
throughout Cellular IP network
 BS
 records the interface on which the beacon packet
is received
 uses reverse path to forward uplink packets to
router
 Downlink packets
 packets sent over a host-specific downlink route
from gateway router to a mobile inside Cellular IP
network
 host-specific downlink routes are established and
maintained by Cellular IP routing
 each network node maintains a routing cache
 an entry in a routing cache is called a routing
entry
 a routing entry points to the next-hop network
node along host-specific route
 the host-specific downlink route to a mobile is
established when any packet is forwarded from
mobile toward gateway router
 as a packet from a mobile is forwarded toward
gateway router, each network node along the
path packet will create a routing entry that points
to BS from which the packet is received
 Network nodes maintain routes in “soft states”
 routes will be removed if no route-update packet is
received during a predetermined time period
 when a mobile does not have any user packet to
transmit, it may send small special route-update
packets toward gateway to refresh route entries
 Cellular IP integrates location management with
routing
 each time a mobile sends a route-update packet or
any other packet
 the downlink host-specific route for the mobile
will also be updated
 mobile’s location is implicitly maintained by upto-date host-specific downlink route to the
mobile
 The way Cellular IP BSs learn the routes to the
gateway router and to each mobile suggests that the
physical configuration of a Cellular IP network has to
be loop free, i.e., a tree or a string
 otherwise, routing loops may occur
 example
 if there is a physical connection between BSs 3
and 4; i.e., BSs 1, 3, and 4 form a loop
 when gateway router broadcasts beacon packets,
BSs 3 and 4 will receive beacon from each other
 BS 3 will take BS 4 as the next hop to forward
uplink packet, and BS 4 will take BS 3 as the
next hop to forward uplink packet → forms a
routing loop
2.7.2 Handoffs Inside a Cellular IP Network
 Cellular IP supports two types of handoffs
 hard handoff
 semi-soft handoff
Hard Handoff
 Implemented using Break-before-Make strategy
 When a mobile moves from old BS to new BS, it tunes
its radio to new BS
 The packets on the way to old BS may be lost
 Mobile then sends a route-update packet toward
gateway router
 Route-update packet triggers the nodes along its path
to setup a host-specific downlink route for mobile
 the route-update packet will eventually reach a
cross-over node
 cross-over node is a node shared by
 mobile's old downlink host-specific route that
goes to old BS
 mobile's new downlink host-specific route set up
by current route-update packet
 examples
 if mobile moves from BS 3 to BS 4, the crossover node will be BS 1
 if mobile moves from BS 5 to BS 6, the crossover node will be BS 2
 When route-update packet reaches a cross-over node
 this node will update mobile's downlink hostspecific route and start to forward future packets to
mobile's new BS
 packets that have already been on their way to old
BS may be lost
Semi-Soft Handoff
 Allows a mobile to receive packets from old BS before
network sets up its route to new BS
 Mobile
 tunes its radio to new BS
 sends a semi-soft handoff packet via new BS
toward gateway
 tunes its radio back to old BS immediately to
continue receiving packets from old BS while
network is setting up mobile's downlink hostspecific route to new BS
 Semi-soft handoff packet
 triggers nodes on its path to set up a downlink hostspecific route to new BS for the mobile
 when this packet reaches the first cross-over node,
this node will start forwarding packets to both old
and new BSs
 After a predetermined amount of delay (expected
downlink host-specific route setup time)
 mobile disconnects from old BS and tunes its radio
to new BS to receive packets from new BS only
2.7.3 Handoff between Cellular IP Networks or
between Cellular IP and Regular IP Networks
 Handled by a “macromobility” management protocol
(e.g., Mobile IP)
 Mobile inside a Cellular IP network
 uses the IP address of gateway router as its Mobile
IP CoA
 uses its Mobile IP home address to send and receive
packets over Cellular IP network
 Upon entering a new Cellular IP network
 mobile sends a route-update packet toward gateway
router to trigger new Cellular IP network to set up a
downlink host-specific route for the mobile
 Gateway router
 acts as a Mobile IP FA
 sends Mobile IP Agent Advertisement messages
to mobile after it receives the first packet from
mobile
 mobile
 learns the IP address of gateway router from
Advertisement
 uses this address as its new CoA
 registers this address with its HA
 After a successful Mobile IP registration
 packets addressed to mobile's home address will be
tunneled by mobile's HA to mobile's current CoA
(the IP address of gateway router)
 Gateway router will de-tunnel packets and forward
the payload packets along the downlink hostspecific route to mobile directly without
encapsulation or tunneling
2.7.4 Paging
 Dormant (idle) mobile
 a mobile that has not transmitted packets for a
predefined time period (active-state-timeout)
 For a mobile that has not sent packets over active-statetimeout
 its host-specific route will be removed by network
 When a gateway router has packets to send to a mobile
 if the router does not have a valid routing entry for
mobile (i.e., mobile is dormant), it will initiate
paging to locate mobile first
 To support paging
 Cellular IP organizes BSs into paging areas
 when a dormant mobile crosses a paging area
boundary, it updates its location with the network
by sending a paging-update packet to gateway
router
 this packet is addressed to gateway router and
forwarded by BSs hop-by-hop to the router
 A network node may optionally use a paging cache to
maintain paging routes for dormant mobiles
 paging entry in the cache
 points to the next-hop network node along the
paging route to a specific dormant mobile
 paging update packet
 trigger the network nodes, which have paging
caches, to create a new paging entry or update its
existing paging entry
Paging in Cellular IP Networks
 When a node receives a downlink packet to send to a
mobile but does not have a valid routing entry
 the node will check if it has a valid paging entry for
the mobile
 if it does, it will forward a paging message along
the paging route toward mobile
 otherwise, it will broadcast a paging message
over all its interfaces except the one that receives
packets
 When a paging message reaches the first BS in the
dormant mobile's current paging area
 this message will be broadcast over the paging area
to all BSs and, hence, to all mobiles inside the
paging area
 Upon receiving a paging message or any other packet,
a dormant mobile will
 transit into active mode
 start to send route-update packets toward gateway
router
 trigger network to set up and maintain a hostspecific downlink route for the mobile
 The paging entries are maintained as “soft states”
 a dormant mobile may refresh its paging route by
periodically sending paging-update packets to
gateway router
 Paging-update packets cannot be used to update
routing caches
 as a result, a network node may maintain only a
paging entry for a dormant mobile, but it does not
need to maintain any routing entry for the mobile
 this reduces the sizes of the routing caches because
a large percentage of the mobiles may be dormant
at any given time in a real wireless network
 When a BS wants to send a packet to an active mobile
 it only needs to search the routing cache, which
reduces the delay incurred by table lookups at the
BSs
2.8 HAWAII
 Handoff-Aware Wireless Access Internet Infrastructure
 HAWAII and Cellular IP are similar in many ways
 both designed to support fast handoff and paging
inside a wireless network under a single
administrative domain
 use similar techniques
 use host-specific routes to deliver packets to
mobile
 reduce handoff latency by reducing the
frequency of changing IP addresses
 HAWAII and Cellular IP are different in routing and
mobility management implementations
 HAWAII organizes a network into domains
 a HAWAII domain is a network under the control
of one administrative entity and uses HAWAII
internally
 A HAWAII domain consists of three types of
network nodes
 Base Stations (BSs)
 Routers
 Domain Root Routers (DRRs)
HAWAII
 Base Station
 a network node that supports air interface or other
radio specific functions
 Router
 used to interconnect BSs
 Domain Root Router (DRR)
 used to interconnect a HAWAII domain to external
IP networks (e.g., the Internet)
 Mobile
 has a home domain (belongs to mobile's service
provider)
 has an IP address
 could be statically configured when subscribes to
network services
 may also dynamically assigned by DHCP
 while moving inside the same HAWAII domain
 does not need to change IP address
 upon entering a new domain
 has to obtain a new IP address from new domain
 All IP packets originated from or destined to any
mobile inside a HAWAII domain
 will be routed first to DRR in HAWAII domain
 DRR then forwards these packets to destinations
 DRR uses regular IP routing to route packets
destined to external IP networks
 DDR uses a host-specific forwarding route
established by HAWAII Path Setup Schemes to
forward packets destined to a mobile inside
HAWAII domain
 Network nodes maintain host-specific forwarding
routes in soft states
 a network node needs to maintain state information
about a host-specific route only if it is part of that
route
 this reduces state information each router needs to
maintain and thus improves network scalability
 HAWAII uses regular IP routing protocol to route and
forward packets
 example
 IP packets addressed to any HAWAII network
node or to external IP networks will be routed by
regular IP routing protocol
 the physical configuration of each HAWAII
domain can be of any topology as IP routing
creates loop-free routes
2.8.1 Mobile Powers Up in its Home
HAWAII Domain
 When a mobile powers up in its home HAWAII
domain
 it may need to acquire an IP address from its home
domain if it does not already have one
 home HAWAII domain needs to establish a hostspecific forwarding route from DRR to mobile for
packets delivering
HAWAII Mobile Power-up Procedure
Power-Up Procedure
 Step1
 mobile powers up in home HAWAII domain
 mobile sends a MIPv4 Registration Request
(Message 1) to its current BS A
 BS A creates a host-specific forwarding entry for
mobile indicating that the mobile is reachable over
its air interface
 Mobile IP may be used to support handoff between
HAWAII domains
 mobile's Mobile IP HA may be located inside
mobile's home HAWAII domain
 mobile's IP address obtained from home
HAWAII domain can be mobile's Mobile IP
home address
 Mobile IP Registration Request is used only for
triggering HAWAII path setup procedure
 Step 2
 BS A looks up its regular IP forwarding table to
find the next-hop node (“Router 1”) toward DRR
 BS A sends a HAWAII power-up message
(Message 2) to Router 1
 this message triggers Router 1 to create a hostspecific forwarding entry points to BS A
 Step 3
 Router 1 sends a HAWAII message (Message 3) to
its next-hop node (DRR) toward DRR
 Message 3 triggers DRR to create a host-specific
forwarding entry points to Router 1
 Step 4
 DRR sends an ack (Message 4) back to BS A
 Step 5
 BS A sends a MIP Registration Reply to mobile
 From this point on
 DRR will use host-specific forwarding route created
during powering up procedure to forward user IP
packets to mobile
 Network nodes maintain host-specific routes in soft
states
 mobile has to refresh its host-specific route by
sending HAWAII path refresh messages to DRR
periodically
2.8.2 Handoffs Inside a HAWAII Domain
 HAWAII provides two basic path setup schemes to
support handoff
 Forwarding Path Setup Scheme
 Non-Forwarding Path Setup Scheme
HAWAII Forwarding Path Setup Schemes
Forwarding Path Setup Scheme
 Allows old BS to forward user packets to new BS
(which in turn forwards packets to mobile)
 A host-specific route will be established from old BS
to new BS
 Procedure
[Step1]
 when a mobile connects to a new BS B, it sends a
MIPv4 Registration Request message (Message 1)
to new BS
 this message will inform new BS that the mobile's
previous BS was BS A
[Step 2]
 BS B initiates a HAWAII Handoff Message
(Message 2) and sends it to BS A along the route
created by regular IP routing
 BS A uses the IP address of BS B and the
forwarding table generated by regular IP routing to
determine Router 1 as the next-hop router for
forwarding packets to BS B
 BS A then sets up a host-specific forwarding entry
for mobile
 this will allow BS A to forward future packets
destined to mobile to Router 1
[Step 3]
 BS A sends a HAWAII message (Message 3) to
Router 1 to trigger Router 1 to set up a host-specific
forwarding entry for mobile
[Step 4]
 Router 1 uses the IP address of BS B and the
forwarding table generated by regular IP routing to
determine the next-hop router (Router 2) for
forwarding packets to BS B
 Router 1 will establish a host-specific forwarding
entry for mobile and set the next-hop for the hostspecific route to Router 2
 from now on, Router 1 will forward packets
destined to mobile to Router 2
 Router 1 will also send HAWAII message 4 to
Router 2 to trigger Router 2 to create a host-specific
forwarding entry for mobile
[Step 5]
 Router 2 is the cross-over router
 Router 2 will start to forward future packets
destined to mobile along the new host-specific route
to new BS B directly, and then to mobile
[Step 6]
 Router 2 sends a HAWAII message to the next-hop
router (Router 3) along the route toward BS B
 the process continues until a host-specific route is
established from BS A to BS B for the mobile
[Step 7]
 BS B sends a MIP Registration Reply message to
mobile, completing the path setup process
Nonforwarding Path Setup Scheme
 Packets may not be forwarded from old BS to new BS
 When packets destined to mobile arrive at a cross-over
router
 packets will be forwarded by cross-over router to
new BS, and then to mobile
 a cross-over router is a router shared by
 host-specific forwarding route from DRR via old
BS to mobile
 host-specific forwarding route from DRR via
new BS to mobile
 HAWAII defined multiple forms of Nonforwarding
Path Setup Schemes
 Here we focus on Unicast Nonforwarding Scheme
HAWAII Unicast Non-Forwarding
Path Setup Schemes
 Procedure
[Step 1]
 when a mobile moves to BS B, it sends a MIPv4
Registration Request message to BS B to initiate
handoff procedure
 this message will carry the IP address of the old
base station BS A
[Step 2]
 BS B creates a host-specific forwarding entry for
mobile with outgoing interface set to the interface
on which it received Registration Request
 BS B uses the IP address of BS A and looks up the
IP forwarding table established by regular IP
routing to determine the next-hop router (“Router
3”) toward BS A
 BS B then sends HAWAII Message 2 to Router 3
[Step 3]
 Router 3 creates a host-specific forwarding entry
for mobile with the next-hop node set to BS B
 Router 3 then determines the next hop toward BS A
is Router 2 and forwards HAWAII Message 3 to
Router 2
[Step 4]
 Router 2 creates a host-specific forwarding entry
for mobile with outgoing interface set to Router 3
 Router 2 is the cross-over router
 after Router 2 creates the new host-specific
forwarding entry for mobile, it will forward future
user packets destined to mobile to BS B directly
 Router 2 also sends a HAWAII message (Message
4) to the next-hop router (Router 1) toward BS A
[Step 5]
 this process continues until BS A receives a
HAWAII message (Message 5)
[Step 6]
 BS A establishes a host-specific forwarding entry
for mobile and then sends an ack message (Message
6) back to BS B
 this message will trigger BS B to send a MIPv4
Registration Reply message back to mobile to
complete path setup and handoff procedure
2.8.3 Moving into Foreign HAWAII
Domains
 A “macromobility”management protocol such as
Mobile IP can be used to
 support handoff between HAWAII domains
 ensure that a mobile is always addressable by a
permanent home address when it moves into
foreign HAWAII domains
Handoff between HAWAII Domains
Using Mobile IP
Interdomain Handoff Procedure
using Mobile IP
 When a mobile enters a new HAWAII domain
 it first needs to obtain a new IP address from new
HAWAII domain
 this may be achieved using, e.g., DHCP
 After the mobile acquires a new IP address
 the new HAWAII domain needs to set up the initial
host-specific forwarding route from DRR to mobile
 this is achieved using power-up procedure
 When mobile's current BS receives ack message
(Message 4) from DRR indicating that a host-specific
forwarding route has been set up from DRR to mobile
 the BS will forward mobile's Mobile IP
Registration Request message to mobile's Mobile IP
home agent
 The mobile uses the IP address it obtained from new
HAWAII domain as its co-located CoA
 packets addressed to mobile's home address will be
tunneled by mobile's HA to mobile directly
 these packets will enter mobile's current HAWAII
domain via a DRR in the domain
 DRR will forward packets along the host-specific
forwarding route to mobile
 mobile will then de-tunnel packets to extract
original packets
2.8.4 Paging
 HAWAII groups BSs into paging areas
 Each paging area is identified by an IP Multicast
Group Address (MGA) that has a scope of the
administrative domain
 While a mobile is in dormant mode (or standby mode)
 network will only know mobile’s currently located
paging area but not the currently connected BS
 a dormant mobile will send a location update
message toward DRR every time it crosses a paging
area boundary
 location update message is propagated hop-by-hop
from mobile's current BS to DRR
 it triggers BS and each router along its path to
create a new or update its existing host-specific
routing entry and paging entry for mobile
 a routing entry is for forwarding regular user
packets to a mobile
 a paging entry is for forwarding paging messages to
a mobile
 routing entries and paging entries on a network
node are maintained separately
 Paging entry contains the following main information
 the MGA (Multicast Group Address) that identifies
mobile's current paging area
 the outgoing interface for sending paging messages
to mobile
 To page a mobile
 a network node (router or BS) acts as a Paging
Initiator
 a paging initiator is responsible for
 creating a paging message and multicasting it to
the MGA (all the BSs) of paging area
 each BS will in turn send a paging message to
all the mobiles it is serving
 buffering packets destined to a dormant mobile
while the mobile is being paged
 To increase network reliability and scalability
 paging in a HAWAII domain does not use a
centralized paging initiator for all mobiles
 paging initiator functionality is dynamically
distributed to network nodes
 a network node may dynamically elect itself as a
mobile's paging initiator
 before a network node can initiate paging for a
mobile (ensuring paging initiator knows mobile’s
latest paging area)
 only a node along mobile's latest host-specific
paging route (established by mobile's latest
location update) can be paging initiator for
mobile
 a paging initiator initiates paging only when it
receives packets destined to mobile from an
upstream node
 node A is node B's upstream node when both
nodes are on the latest paging route from
DRR to mobile's last-known BS, but node A
is closer to DRR
 Packets originated inside a dormant mobile's current
HAWAII domain have to be routed first to DRR
 DRR will forward packets along mobile's latest
paging route toward mobile's current paging area
 Upon receiving a packet from the DRR
 a router or BS on mobile's latest paging route may
then elect itself as mobile's paging initiator and
initiates a paging message
3. Mobility Management in 3GPP Paket
Networks
 Assumptions
 mobility management in packet-switched (PS)
domain of a 3GPP network (Release 5)
 RAN is assumed to be UTRAN
3GPP Conceptual Network Architecture
(Release 5)
3GPP Network Architecture and Protocol
Reference Model (Release 5)
Components
 Public Land Mobile Network (PLMN)
 a public network administrated by a single network
operator for providing land mobile services
 3GPP PLMN
 consists of one or more Radio Access Networks
(RANs) interconnected via a Core Network (CN)
 RAN
 provides radio resources (e.g., radio channels,
bandwidth) for users to access CN
 Release 5 currently supports GSM/EDGE RAN
(GERAN) and UMTS Terrestrial RAN (UTRAN)
GERAN
 GERAN
 divided into Base Station Subsystems (BSS)
 BSS
 consists of one or multiple Base Transceiver
Stations (BTSs) and Base Station Controllers
(BSCs)
 BSC
 controls radio connections toward mobile terminals
as well as wireline connections toward CN
 each BSC can control one or more BTSs
 BTS
 maintains air interface
 handles signaling and speech processing over air
interface
UTRAN
 UTRAN
 divided into Radio Network Subsystems (RNS)
 RNS
 consists of one or multiple Node Bs controlled by a
Radio Network Controller (RNC)
 RNC
 analogous to a BSC in GSM
 controls radio connections toward mobile terminals
and wireline interfaces with CN
 Node B
 a wireless base station
 analogous to a BTS in GSM
 provides air interface with mobile terminals
Core Network
 CN
 support both circuit-switched (CS) and packetswitched (PS) communication services
 communication services include basic services and
advanced services
 basic CS services
 switching of CS voice and data calls and call
control functions for supporting basic pointto-point CS calls
 basic PS services
 routing and transport of user IP packets
 advanced CS services
 prepaid calls, toll-free calls, call forwarding
(e.g., forward a voice phone call to another
phone or to an e-mail box), multiparty
communications, and pay-per-view
 advanced PS services
 e-mail, World-Wide Web, location-based
services, multimedia messaging services,
network gaming, and e-commerce
 CN is divided into the following functional building
blocks
 circuit-switched domain
 packet-switched domain
 IP Multimedia Subsystem (IMS)
 provides all the network entities and procedures
to support real-time voice and multimedia IP
applications
 uses SIP to support signaling and session control
for real-time services
 Information Servers
 maintain necessary information for network
operations and provide services to users
 these information servers are as follows
 Home Subscriber Server (HSS)
 the connecting element between PS and
IMS domains
 Authentication Center (AuC)
 Equipment Identity Register (EIR)
 In CN, old CS switch, MSC, has been divided into two
logical entities
 MSC server
 control logic is in MSC
 Media gateway (CS-MGW)
 actual switching matrix in MGW
 data typically bypasses the control logic in CN
Protocol Reference Model for
3GPP PS Domain
Packet Data Protocols, Bearers, and
Connections for Packet Services
 A mobile uses a Packet Data Protocol (PDP)
 to exchange user packets over a 3GPP PS CN
domain with other mobiles either inside the same
3GPP network or in other IP networks
 PDP Packet Data Units (PDUs) (i.e. user packets)
 transported inside a 3GPP network over traffic
bearers
 Traffic bearer
 a set of network resources and data transport
functions used to deliver user traffic between two
network entities
 can be a path, a logical connection, or a physical
connection between two network nodes
3GPP Bearers for Supporting PacketSwitched Services
Traffic Bearers Structure Supporting
Packet-Switched Services
 3GPP Bearer
 a dedicated path between mobile and its serving
GGSN
 for a mobile to send or receive packets over a 3GPP
PS CN
 a 3GPP Bearer in a UMTS network would be a
UMTS Bearer
 constructed by concatenating
 Radio Access Bearer (RAB)
 connects a mobile over a RAN to the edge of
CN (i.e., a SGSN)
 CN Bearer
 carries user traffic between the edge of CN
and a GGSN
Signaling and Traffic Connections between
Mobile and SGSN
 The signaling connection between mobile and SGSN is
constructed by concatenating
 Signaling Radio Bearer
 between mobile and RAN (e.g., the RNC in
UTRAN)
 Iu Signaling Bearer
 between RAN and SGSN
 Signaling and traffic connections between mobile and
SGSN
 Radio Resource Control (RRC) connection
 Radio Access Network Application Part (RANAP)
connection
 Radio Resource Control (RRC) connection
 includes Signaling Radio Bearers and Traffic Radio
Bearers for the same mobile
 used to establish, maintain, and release Radio
Bearers
 a mobile will use a common RRC connection to
carry signaling and user traffic for both PS and CS
services
 Radio Access Network Application Part (RANAP)
connection
 includes Iu Signaling Bearers and Iu Traffic Bearers
for the same mobile
 used to establish, maintain, modify, change, and
release all these Iu Bearers
Packet Routing in 3GPP PS Domain
Mobility Management in 3GPP
Packet Networks
 All PS user data to and from a mobile is first sent to a
GGSN called mobile's serving GGSN
 serving GGSN will in turn forward user data toward
their destinations
 mobile and its serving GGSN use a host-specific
route to exchange user data
 mobility management in 3GPP PS domain is to
manage the changes of host-specific route between
each mobile and its serving GGSN
 Host-specific route consists of
 a RRC connection between mobile and RAN
 a RANAP connection between RAN and SGSN
 CN Bearers between SGSN and mobile's serving
GGSN
 Mobile's Serving RNC
 the RNC that receives data from PS CN domain and
then distributes data to mobile
 For a mobile to exchange signaling messages with PS
CN (e.g., to set up and manage traffic bearers, to
perform location update)
 a dedicated logical signaling connection (Signaling
Radio Bearer and Iu Signaling Bearer) needs to be
established between mobile and SGSN
 Mobile
 does not need to maintain all traffic bearers in
RAN or CN if it does not expect to send or receive
user data soon
 does not even need to maintain its dedicated
signaling connection to SGSN at all times
 may release radio resources for other mobiles to use
Scope of Mobility in 3GPP
Packet-Switched Domain
 Scope of mobility
 Inter-Node B handoff
 Inter-RNC handoff
 Inter-SGSN handoff
 Inter-GGSN handoff
 Inter-Node B Handoff
 change mobile's Radio Bearers from source Node B
to target Node B
 Inter-RNC Handoff
 change mobile’s Radio Bearers
 change mobile's Iu Bearers
 Inter-SGSN Handoff
 change Radio Bearers
 change Iu Bearers
 update mobile's PDP context
 establish a new CN Bearer
 Inter-GGSN Handoff
 change Radio Bearers
 change Iu Bearers
 mobile's new serving GGSN creates a PDP context
for mobile
 establish a CN Bearer between mobile's new
serving GGSN and new serving SGSN
3.1 Packet Mobility Management (PMM)
Context and States
 Mobile’s PMM context
 a set of information used by network to track
mobile’s location
 State of a mobile’s PMM context determines
 which network connections (bearers) between
mobile and SGSN should be maintained for mobile
 how mobile’s location should be tracked by
network
 3GPP PS domain
 Mobile
 needs to maintain a PMM context to collaborate
with network for location tracking
 SGSN
 responsible for tracking locations of mobiles that
are using PS services
 needs to maintain PMM contexts of mobiles
 GGSN
 not directly involved in location tracking
 does not need to know any mobile’s PMM
context or PMM state
 A PMM context on mobile or SGSN can be in one of
the following states (for UMTS)
 PMM-DETACHED State
 PMM-CONNECTED State
 PMM-IDLE State
PMM-DETACHED State
 No communication between mobile and SGSN
 Mobile and SGSN do not have valid location or routing
information for mobile
 Mobile does not react to system information related to
SGSN
 SGSN cannot reach mobile
PMM-CONNECTED State
 SGSN and mobile have established
 a PMM context for mobile
 a dedicated signaling connection between mobile
and SGSN
 Signaling connection consists of
 RRC connection between mobile and RAN
 Iu signaling connection over Iu interface between
RAN and SGSN
 PS domain-related signaling and CS domain-related
signaling share one common RRC connection
 one IuCS signaling connection for CS domain
 one IuPS signaling connection for PS domain
PMM-IDLE State
 SGSN and mobile have established PMM contexts for
mobile
 No signaling or traffic connection exists between
mobile and SGSN
 A mobile moves into PMM-IDLE state to conserve
scarce resources, e.g.,
 power off the mobile, reduce transmissions of
signaling messages to conserve radio bandwidth
3GPP PMM State Transition Machines
PMM-DETACHED State to
PMM-CONNECTED State
 When mobile performs GPRS Attach to attach to PS
domain
 GPRS Attach procedure
 a signaling connection needs to be established
between mobile and its serving SGSN
PMM-CONNECTED State to
PMM-IDLE State
 Whenever the signaling connection between mobile
and its serving SGSN is released
 Example
 when GPRS Attach process is finished, this
signaling connection may be released immediately,
which will cause mobile’s PMM state to change
from PMM-CONNECTED to PMM-IDLE
PMM-IDLE State to
PMM-CONNECTED State
 A mobile in PMM-IDLE state may need to establish a
signaling connection to SGSN for various purposes
 example
 a mobile needs to establish a signaling
connection to SGSN to perform routing area
update
 when this signaling connection is not needed in
near future (e.g., after routing area update is
completed), it may be released to allow mobile’s
PMM state to change back to PMM-IDLE
PMM-CONNECTED State to
PMM-DETACHED State
 When GPRS Detach procedure is performed
 When mobile’s GPRS Attach request is rejected by
SGSN
 When mobile’s Routing Area Update (RAU) request is
rejected by SGSN
PMM-IDLE State to
PMM-DETACHED State
 A mobile or a SGSN may change from PMM-IDLE to
PMM-DETACHED as a result of a local event
 Example
 state change on a mobile
 when SIM, USIM, or battery is removed from
mobile
 state change on SGSN
 when the lifetime of PMM state expires
Discussions
 PMM context cannot change from PMM-DETACHED
to PMM-IDLE directly
 before a mobile’s PMM context can be in PMMIDLE state, mobile’s PMM context has to be
created first on SGSN
 to create a PDP context on SGSN, mobile has to
perform GPRS Attach
 this will cause mobile’s PMM state to change from
PMM-DETACHED to PMM CONNECTED first,
before it transits into PMM-IDLE
3.2 Location Management for PacketSwitched Services
3.2.1 Location Concepts
 RANs and CN in 3GPP network use different location
concepts to track mobile’s locations
 RAN uses the following location concepts
 Cell Area (or Cell)
 the geographical area served by one wireless BS
 UTRAN Registration Area (URA)
 covered by a set of cells
 CN uses the following location concepts
 Location Area (LA)
 a group of Cells used by CS CN domain to track
the locations of mobiles that are using CS
services
 Routing Area (RA)
 a group of Cells used by PS CN domain to track
the locations of mobiles that are using PS
services
3GPP Location Management
for Packet Services
 LA
 consists of one or more Cells that belong to the
RNCs that are connected to the same MSC/VLR
 all Cells in the same URA have to be served by the
same MSC/VLR
 one LA is handled by only one MSC/VLR
 each LA is identified by a globally unique Location
Area Identifier (LAI)
 when a mobile moves inside an LA, it does not
have to perform location update with CN CS
domain
 RA
 consists of one or more Cells that belong to the
RNCs that are connected to the same SGSN
 one RA is handled by only one SGSN
 an RA is either the same as an LA or a subset of
one and only one LA
 one RA cannot belong to more than one LA,
whereas each LA may contain multiple RAs
 each RA is identified by a globally unique Routing
Area Identifier (RAI)
Structures of 3GPP Location Area Identifier
and Routing Area Identifier
 LAI
 Mobile Country Code (MCC)
 identifies the country in which the 3GPP
network is located
 Mobile Network Code (MNC)
 identifies a 3GPP network in that country
 Location Area Code (LAC)
 identifies a Location Area within a 3GPP
network
 RAI
 Location Area Identifier (LAI)
 contains an LAI that identifies the Location Area
in which the RA resides
 Routing Area Code (RAC)
 identifies a Routing Area inside the LA
identified by the LAI
3.2.2 Location Tracking
 3GPP uses hierarchical location tracking
 the methods and accuracy level of location tracking
for each mobile depend on activeness level of
mobile
 a mobile’s activeness level is represented by the
mode of its RRC connection
 A mobile’s RRC connection has two modes
 RRC-CONNECTED mode
 a mobile has an established RRC connection
 mobile may be either in PMM-CONNECTED or
PMM-IDLE state because a mobile uses a single
RRC connection for both CS and PS services
 mobile can be in RRC-CONNECTED mode and
PMM-IDLE state at the same time because the RRC
connection may be present but is currently used only
for CS services; i.e., no signaling connection is
established to SGSN
 RRC-IDLE mode
 a mobile has not established any RRC
connection
 mobile’s PMM state can only be PMM-IDLE or
PMM-DETACHED because no signaling
connection between mobile and SGSN can exist
without an RRC connection
Location Tracking Depends on Mobile’s
RRC Connection Mode
 When a mobile is in the RRC-IDLE mode (hence, also
in PMM-IDLE state)
 mobile’s location is tracked at the RA level by
SGSNs
 mobile in RRC-IDLE mode will receive Mobility
Management (MM) system information broadcast
by RNCs at RRC layer
 MM system information informs mobile which RA
and Cell it is in currently
 mobile will initiate RA Update toward CN upon
receiving MM system information, indicating that it
moved into a new RA
 When a mobile is in RRC-CONNECTED mode
 mobile’s location inside RAN is tracked at cell
level by RNCs
 an RNC identifies a mobile by a temporary
identifier, the Radio Network Temporary Identity
(RNTI), to track mobiles
 RNTI is assigned to mobile dynamically by an
RNC
 mobile receives MM system information from
serving RNC over the established RRC connection
 it uses MM system information to determine if it
has moved into a new Cell, RA, or LA
 When a mobile is in RRC-CONNECTED mode and
PMM-IDLE state
 SGSNs will also track the mobile’s location at RA
level
 mobile will initiate RA Update toward CN PS
domain upon receiving MM system information,
indicating that it has just moved into a new RA
 When a mobile is in RRC-CONNECTED mode and
PMM-CONNECTED state
 mobile’s serving SGSN will know the mobile’s
serving RNC because the serving SGSN maintains
a signaling connection through mobile’s serving
RNC to mobile
 when mobile’s serving RNC function needs to be
changed to a new RNC as mobile moves
 mobile’s serving SGSN will participate in this
change process (i.e., Serving RNS Relocation
procedure)
 to ensure that signaling connection between
mobile and SGSN will go through new
serving RNC
 Serving RNS Relocation Procedure
 the process for relocating RNC side of
endpoint of an Iu bearer from one RNC to
another
3.3 Routing Area Update
 Routing area update in 3GPP allows
 mobile’s serving SGSN to know which RA the
mobile is currently in
 mobile’s existing active PDP contexts to be updated
 example
 if moving into a new RA also means that the
mobile has to use a new SGSN
 a PDP context between new SGSN and
mobile’s serving GGSN needs to be
established
 this ensures that the mobile’s serving GGSN
always knows where to forward user packets
destined to mobile
 A mobile performs RA update when
 mobile enters a new RA
 mobile’s periodic routing area update timer expires
 Types of RA update
 Intra-SGSN RA update
 occurs when new RA and old RA connect to the
same SGSN
 Inter-SGSN RA update
 occurs when new RA and old RA connect to
different SGSNs
3.3.1 Intra-SGSN Routing Area Update
 To send uplink signaling messages to perform an RA
update
 the mobile first establishes a RRC connection with
target RNC if such a channel does not exist
 the mobile has to be in PMM-CONNECTED state
for at least the duration of RA Update procedure
 if the mobile is in PMM-IDLE state before it starts
RA Update
 establish necessary signaling connection to
target SGSN
 change mobile’s PMM state into PMMCONNECTED
 Routing Area Update Request (RAUR) carries the
following main information
 P-TMSI (Packet-Temporary Mobile Subscriber
Identity)
 the information that mobile has been using
immediately before sending RAUR message
 mobile’s P-TMSI is assigned by its source
SGSN
 Old RAI
 used by target SGSN to determine whether it is
an intra-SGSN or inter-SGSN RA Update
 Old P-TMSI Signature
 P-TMSI signature is used by SGSN to
authenticate P-TMSI
 Old P-TMSI Signature is the current P-TMSI
signature the mobile has for its current P-TMSI
 Update Type
 tells target SGSN whether RA Update is
triggered by a change of RA, a periodic RA
update, or a combined RA/LA update
 Network Capability
 a set of information describing mobile's nonradio-related capability
 it includes, for example, information needed for
performing ciphering and authentication
Footnote
 IMSI (International Mobile Subscriber Identity)
 each subscriber to 3GPP network services is
assigned a globally unique IMSI as its permanent
identifier
 a subscriber uses its IMSI as its common identifier
for accessing PS services, CS services, or both PS
and CS services at the same time
 TMSI (Temporary Mobile Subscriber Identity)
 to avoid transmitting IMSI over the air, 3GPP uses
TMSI to identify a mobile whenever possible
 TMSI is a four-octet number assigned to a mobile
temporarily
 by an MSC/VLR for CS services, or
 by an SGSN for PS services
 an MSC or SGSN uses a TMSI to uniquely identify
a mobile
 TMSI will only be allocated in ciphered form
 P-TMSI (Packet TMSI)
 a TMSI for packet-switched services
3GPP Intra-SGSN Routing Area
Update Procedure
 [Step 1] Mobile initiates RA update by sending a
RAUR to target RNC
 RAUR is then forwarded to target SGSN
 this will trigger the establishment of an Iu
signaling connection between them if such a
connection does not exist (e.g., if mobile was in
PMM-IDLE state before sending RAUR)
 target SGSN determines whether RA update is
intra-SGSN or inter-SGSN RA update by
examining Old RAI carried in RAUR
 RA update is intra-SGSN RA update if target
SGSN also serves old RA
 [Step 2] Target SGSN needs to authenticate mobile to
determine whether RAUR can be accepted
 as mobile identifies itself by its P-TMSI in RAUR,
target SGSN will authenticate mobile by validating
mobile’s P-TMSI first
 only the SGSN that assigned P-TMSI has sufficient
information (i.e., mobile’s IMSI and correct PTMSI Signature for P-TMSI) to validate P-TMSI
 as target SGSN is identical to source (serving)
SGSN with an intra-SGSN handoff
 target SGSN should be the SGSN that assigned
old P-TMSI to mobile and therefore should be
able to validate P-TMSI locally
 [Step 3 & 4] Upon positive authentication of mobile,
SGSN updates mobile’s RAI
 if mobile was in PMM-CONNECTED state on
target SGSN
 some user traffic destined to mobile may have
been sent by target SGSN to source RNC and are
buffered at source RNC
 as mobile is now connected to target RNC
 source RNC can not deliver these buffered
traffic over its radio connections to mobile
 if these traffic belong to a Radio Access Bearer
that requires in-order delivery packets
 target SGSN may send a Serving RNS (SRNS)
Data Forward Command to instruct source
RNC to tunnel the buffered traffic to target
SGSN
 target SGSN will in turn deliver this traffic to
mobile before sending subsequent traffic
 [Step 5] SGSN will also send a Routing Area Update
Accept (RAUA) message to mobile to inform that its
RAUR is accepted
 target SGSN may assign a new P-TMSI to mobile
 the new P-TMSI together with a P-TMSI Signature
for new P-TMSI will be carried in RAUA message
 [Step 6] Mobile confirms the acceptance of new PTMSI by returning a Routing Area Update Complete
(RAUC) message to SGSN, which completes RA
Update procedure
3.3.2 Inter-SGSN Routing Area Update
 [Step 1] Mobile initiates an inter-SGSN RA update by
sending a RAUR to target SGSN in exactly the same
format and information elements as in initiating an
intra-SGSN RA update
 target SGSN needs to authenticate mobile to
determine if the RAUR can be accepted
3GPP Inter-SGSN Routing Area
Update Procedure
(1)
(3)
(2)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(11)
(12)
(13)
(15)
(16)
(14)
(17)
(18)
(19)
(20)
(21)
(22)
 for an inter-SGSN RA update
 target SGSN is different from source SGSN
 mobile’s P-TMSI in RAUR was assigned by
source SGSN
 target SGSN will ask source SGSN to help
validate P-TMSI
 target SGSN first derives source SGSN from Old
RAI and P-TMSI carried in RAUR
 [Step 2] Target SGSN sends a SGSN Context Request
message to source SGSN to validate mobile’s P-TMSI
 SGSN Context Request carries the following
information elements
 Old P-TMSI
 Old RAI
 Old P-TMSI Signature
 [Step 3 & 4] Some PDP context information (e.g.,
sequence number of the next packet to be sent to
mobile) requested by target SGSN may be maintained
by source RNC
 source SGSN will send an SRNS Context Request
to source RNC to collect such information
 source RNC will stop sending downlink data to
mobile and returns an SRNS Context Response
message to source SGSN
 [Step 5 & 6] Source SGSN will validate P-TMSI and
act as follows
 upon positive validation of P-TMSI
 source SGSN will send a SGSN Context
Response message back to target SGSN
 this message carries mobile’s PMM context and
PDP context
 these contexts contain critical information
needed by target SGSN to handle the traffic to
and from mobile
 example
 PDP contexts describe mobile’s active PDP
contexts immediately before RA update
 target SGSN needs to update PDP contexts on
mobile’s GGSN during RA update
 if mobile was in PMM-CONNECTED state
on source SGSN
 source SGSN could be sending packets to
mobile immediately before RA update
 to ensure in-sequence delivery of packets to
mobile
 target SGSN needs to know the sequence
number of the next user packet that should
send to mobile
Footnote
 PMM context
 mobile’s PMM context
 a set of information used by network to track
mobile's location
 state of a mobile’s PMM context determines
 which network connections (bearers) between
mobile and SGSN should be maintained for
mobile
 how network tracks mobile’s location
Footnote (cont.)
 PDP Context
 a set of information maintained by a network node
used to determine how to forward user packets
destined to and originated from a particular PDP
address
 PDP context為在GPRS/UMTS內部網路中繞送封
包時所需的路由資訊
 當啟動PDP context建立程序時，SGSN會依照
MS所啟動的服務，選擇一適當的APN (Access
Point Name)及GGSN服務該使用者
Footnote (cont.)
 PDP Context Activation
 MS可藉由此程序和GGSN間建立PDP Context
 MS將依據使用者的服務需求，要求與網路端建
立符合QoS的傳輸通道
 網路端若接受MS的QoS需求，則可完成PDP
Context的建立，內容將分別記錄於MS、SGSN及
GGSN中
Footnote: 3GPP PDP Context State
Transitions
 upon negative validation of P-TMSI
 source SGSN will send an appropriate error
cause to target SGSN
 this will trigger target SGSN to initiate security
procedures directly with mobile to authenticate
mobile
 if authentication is also negative
 target SGSN will reject mobile’s RAUR
 if authentication is positive
 target SGSN will send another SGSN Context
Request message to source SGSN to retrieve
mobile’s PMM context and PDP context
 this time, SGSN Context Request will carry
mobile’s IMSI, Old RAI, an indicator (“MS
Validated”) to indicate that mobile has been
positively authenticated
 source SGSN will respond with an SGSN
Context Response message
 carrying mobile’s PMM context and PDP
context if source SGSN has these
information elements, or
 an appropriate error cause if source SGSN
does not have these information elements
 [Step 7]
 after receiving SGSN Context Response from
source SGSN indicating a positive validation of
mobile’s P-TMSI
 target SGSN responds with an SGSN Context ACK
message
 [Step 8 ~ 10]
 if mobile was in PMM-CONNECTED state on
source SGSN
 some user traffic destined to mobile may have
been sent by source SGSN to source RNC and
are buffered at source RNC
 as mobile is now connected to target SGSN
 source RNC can not deliver these buffered
traffic over its own radio connections to
mobile
 if these traffic belong to a RAB that requires inorder delivery, source SGSN may send an SRNS
Data Forward Command to source RNC to
instruct it to tunnel the buffered traffic to source
SGSN, and then to target SGSN
 target SGSN will in turn deliver traffic to mobile
 [Step 11 & 12] After sending SGSN Context ACK
message to source SGSN
 target SGSN will also update mobile’s active PDP
contexts by sending Update PDP Context Request
to ensure that the mobile’s serving GGSN knows to
which SGSN packets destined to mobile should be
delivered
 this will trigger serving GGSN to update mobile’s
PDP context
 [Step 13] For a successful PDP context update
 target SGSN will update mobile’s location with
HLR, which tracks each mobile’s serving SGSN
 when a GGSN has packets to send to a mobile but
does not have active PDP context for mobile
 GGSN may query HLR to find out the address of
mobile’s current serving SGSN, then
 use Network-requested PDP Context Activation
to establish a PDP context to forward packets to
mobile
 SGSN uses Gr interface to interact with HLR for
location update by sending an Update Location
message
 [Step 14] Upon receiving Update Location message
 HLR will inform source SGSN to delete mobile‘s
location information by sending Cancel Location
 source SGSN will then remove mobile’s location
and service subscription information
 [Step 15] Source SGSN will also release Iu connections
between source SGSN and source RNC used by mobile
by sending Iu Release Command
 [Step 18] In the meantime, HLR will also send user’s
service subscription to target SGSN by sending Insert
Subscriber Data message
 [Step 19] Target SGSN records mobile’s service
subscription information and responds to HLR with an
Insert Subscriber Data ACK message
 [Step 20] Now, HLR will send Update Location ACK
message back to target SGSN indicating that location
update with HLR is complete
 [Step 21] Upon a successful location update with HLR
 target SGSN creates a PMM context for mobile
 target SGSN will send a Routing Area Update
Accept (RAUA) message to mobile indicating that
RAUR is accepted
 target SGSN assigns a new P-TMSI to mobile
 the new P-TMSI together with a P-TMSI Signature
for the new P-TMSI will be carried in RAUA
message
 [Step 22] Mobile confirms the acceptance of the new
P-TMSI by returning a Routing Area Update Complete
message to target SGSN, which completes RA Update
procedure
3.4 Serving RNS Relocation
 Serving RNC
 a mobile in PMM-CONNECTED state has a
serving RNC, which receives user traffic from CN
and distributes traffic over RAN to mobile
 Serving RNS
 the RNS that contains a mobile’s serving RNC
 a mobile’s serving RNS may forward user traffic
via another RNC to mobile
3GPP Data Path before and after Serving
RNS Relocation and RA Update
 When a mobile connects to a target RNC
 target RNC may become the mobile’s new serving
RNC
 Serving RNS Relocation procedure (S-RNS-RP)
 only source RNC can initiate S-RNS-RP
 source RNC decides whether to initiate S-RNS-RP
based on measurement results of the quality of
radio channels to mobile
 as an Iu connection needs to be maintained between
mobile’s serving RNC and serving SGSN while the
mobile is in PMM CONNECTED state
 the RNC side of the mobile’s Iu connections needs
to be relocated from old serving RNC to new
serving RNC
 Assumption
 before the relocation, mobile’s serving RNC is
using Iur interface to forward signaling and user
traffic to another RNC, which in turn delivers
traffic to mobile
 such a scenario may occur during or after a soft
inter-RNC handoff
 source RNC distributes copies of user traffic to
one or more other RNCs, which in turn deliver
user data to mobile simultaneously
 Consider a mobile that moves from source RNC to
target RNC
 after mobile connects to target RNC but before
Serving RNS Relocation or RA Update is
performed
 user traffic destined to mobile continues to be
routed by PS CN to source RNC
 source RNC then forwards traffic to target RNC
 target RNC will in turn transmit traffic to mobile
3GPP Serving RNS Relocation
(1)
(2)
(3)
(4)
(5)
(6)
(7)
(8)
(9)
(10)
(13)
(11)
(14)
(12)
(15)
(16)
(18)
(17)
(19)
(20)
 [Step 1] When source RNC decides to initiate S-RNSRP
 it sends a RANAP Relocation Required message to
source SGSN, which carries the following info.
 relocation Type
 indicates whether mobile should get involved
in S-RNS-RP
 in particular, whether mobile’s RRC
connection needs to be relocated during SRNS-RP
 if relocation Type is “UE not Involved”
 network itself carries out S-RNS-RP and
mobile’s RRC connection does not need to
be relocated
 i.e., mobile has already set up the
necessary RRC connection with target
RNC; no handoff procedure needs to be
performed for RRC Connection during SRNS-RP
 network only needs to move RNC side of
mobile’s Iu bearers to target RNC to make
it the mobile’s new serving RNC
 if relocation Type is “UE Involved”
 mobile will also need to get involved in SRNS-RP to relocate its RRC connection to
target RNC
 source ID
 identifier of source RNC
 target ID
 identifier of target RNC
 source RNC to target RNC transparent container
 contains the information needed by target
RNC to perform serving RNC relocation
 security information regarding mobile
 RRC protocol context that describes
mobile’s RRC connection and mobile’s
capabilities
 [Step 2 ~ 4] Source SGSN determines if RNS
relocation is intra-SGSN or inter-SGSN by inspecting
the identifiers of source and target RNCs
 for inter-SGSN relocation
 source SGSN will send a RANAP Forward
Relocation Request message to target SGSN to
request target SGSN to establish Iu connection
for mobile
 target SGSN will then send a RANAP
Relocation Request message to target RNC to
trigger it to establish the necessary RABs for
mobile
 each RAB consists
 Radio Bearers between mobile and RNC
 Iu bearers between SGSN and RNC
 to set up RABs between target SGSN and mobile
 the existing Radio Bearers between mobile
and source RNC
 need to be relocated between mobile and
target RNC
 mobile’s Iu bearers between source SGSN and
source RNC
 need to be relocated between target SGSN
and target RNC
 [Step 5] After target RNC has allocated all necessary
resources for all required RABs
 target RNC will send a RANAP Relocation Request
Acknowledge message back to target SGSN
 at this point, the resources for transporting user
packets between target RNC and target SGSN have
been allocated and target RNC is ready to become
the new serving RNC for mobile
 [Step 6] Target SGSN will send a RANAP Forward
Relocation Response message back to source SGSN
 [Step 7 & 8] Source SGSN sends a Relocation
Command to source RNC to instruct source RNC to
start to hand over the role of serving RNS to target
RNC
 this message will also inform source RNC
 which RABs for mobile should be released, and
 which ones should be kept for a little longer so
that user packets already received by source
RNC can be forwarded to target RNC
 at this moment, source RNC may start to forward
downlink data toward target RNC
 [Step 9] Source RNC will then transfer its serving
RNC role to target RNC
 source RNC sends a Relocation Commit message,
over Iur interface, to target RNC
 this message also sends Serving RNS (SRNS)
Contexts for mobile from source RNC to target
RNC
 these Contexts contain information regarding RABs
between mobile and source SGSN
 [Step 10 ~ 12] Target RNC sends a RANAP
Relocation Detect message to target SGSN to request
SGSN to update PDP Context for mobile if necessary
(i.e., if the relocation is inter-SGSN)
 [Step 13] Immediately after sending out Relocation
Detect message
 target RNC will start to serve as serving RNC for
mobile and will start to send RAN Mobility
Information messages to mobile
 these messages contain
 the identity of mobile’s new serving RNC
 location area identifier (LAI)
 routing area identifier (RAI)
 [Step 14] Mobile may begin to send uplink traffic
toward target RNC
 mobile will also use the received information to
reconfigure itself
 mobile will send RAN Mobility Information
Confirm message to target RNC
 this message indicates that mobile is ready to
receive user traffic from target RNC
 [Step 15 ~ 17] Upon receiving RAN Mobility
Information Confirm message
 target RNC will send Relocation Complete to target
SGSN and then to source SGSN, to inform
completion of S-RNS-RP
 [Step 18 & 19] Source SGSN instructs source RNC to
release Iu Bearers allocated to mobile
 [Step 20] When mobile starts communication with
target RNC
 mobile may find that it has moved into a new RA
 in this case, mobile will initiate RA Update
procedure
3.5 Hard Handoffs
 Assumptions
 inter-RNC hard handoff
 no Iur interface (RNC-RNC) is implemented
 Before inter-RNC hard handoff
 source RNC is the mobile’s serving RNC
 During and after inter-RNC hard handoff
 target RNC will become mobile’s new serving RNC
 this requires RNC side of mobile’s Iu Bearers to be
relocated from source RNC to target RNC
(combined with S-RNC-RP)
3GPP PS Domain Hard Handoff
(Inter-SGSN Handoff)
(1)
(2)
(3)
(4)
(5)
(7)
(9)
(6)
(8)
(10)
(11)
(12)
(13)
(14)
(15)
(16)
(17)
(18)
(19)
(20)
(21)
(22)
(23)
 [Step 1] Only source RNC can initiate inter-RNC hard
handoff process
 source RNC determines whether to initiate handoff
process based on measurement results of radio
channel qualities
 initiating S-RNS-RP
 source RNC sends a RANAP Relocation
Required message to source SGSN and sets
Relocation Type to “UE Involved”
 “UE Involved” Relocation Type indicates that
mobile will get involved in S-RNS-RP to
relocate its RRC connection to target RNC
 [Step 2] If it is an inter-SGSN handoff
 source SGSN will send a Forward Relocation Request
to target SGSN to ask for starting to relocate mobile’s
RABs between mobile and target SGSN
 [Step 3] Target SGSN sends Relocation Request message to
target RNC to relocate RABs for mobile
 [Step 4] Target RNC proceeds to allocate all the necessary
resources needed to set up Iu Bearers
 [Step 5] Target RNC sends a Relocation Request
Acknowledge message back to target SGSN
 [Step 6] When all the Iu bearers have been established
for the mobile between target SGSN and target RNC
and the target RNC is ready to act as the serving RNC
for mobile
 target SGSN sends a Forward Relocation Response
message to source SGSN
 [Step 7] This message triggers source SGSN to send a
Relocation Command to source RNC to ask source
RNC to hand over the role of serving RNS to the new
RNC
 [Step 8&9] Source RNC takes the following main
actions
 Forwarding user data to target RNC
 forward downlink user data that have already
arrived at source RNC, toward target RNC
 instruct mobile to relocate its RRC connection to
new RNC
 source RNC will send an RRC-layer message
( RRC Message 1) to instruct mobile to relocate
its Radio Bearers to new RNS
 [Step 10-13] Source RNC sends a Forward SRNS
Context message to target RNC (via source SGSN and
target SGSN)
 SRNS Context contains information regarding
mobile’s RABs through source RNC and can be
used by target RNC to establish Iu bearers for
mobile
 [Step 14-16] When target RNC detects that mobile has
connected to target RNC
 target RNC informs target SGSN by sending a
Relocation Detect message
 for inter-SGSN hard handoff, the Relocation Detect
message will also trigger target SGSN to initiate
PDP Context Update procedure to ensure that
GGSN will start to send packets destined to mobile
to target SGSN
 [Step 17] After mobile has reconfigured its Radio
Bearers and established its RRC connection to target
RNC
 it will send a RRC-layer message (RRC Message 2)
to inform target RNC that handoff on mobile side
has been completed
 [Step 18] Handoff process completes when mobile has
connected to target RNS
 mobile’s PDP context on mobile’s serving GGSN
has been updated, and target RNC has received all
the required Serving RNS Context information
from source RNC
 [Step 20-23] Target SGSN informs source SGSN of
handoff completion by sending a Forward Relocation
Complete message
 this message will trigger source SGSN to release
mobile’s Iu Bearers between source SGSN and
source RNC
3.6 Paging Initiated by Packet-Switched
Core Network
 When a SGSN receives downlink user data or
signaling messages destined to a mobile in PMM-IDLE
state
 SGSN initiates paging by sending a RANAP Paging
message to every RNC in the Routing Area in
which the mobile is located
3GPP Paging in Packet Switched Domain
 RANAP Paging message carries the following main
information
 identities of the mobile to be paged
 RANAP Paging message carries mobile’s IMSI
 if mobile is using a P-TMSI, RANAP Paging
message will also contain mobile’s P-TMSI
 CN Domain Identifier
 indicates which CN domain (i.e., PS CN domain
or CS CN domain) initiated this RANAP Paging
message
 area
 the Paging Area in which the mobile is to be
paged
 Depending on the way a paging message is physically
delivered by RNC to mobile, paging inside RAN can
be classified into two types
 Type 1 Paging
 performed when there is no dedicated RRC
connection between RNC and mobile
 RNC will send a Type 1 Paging message to
mobile over Paging Channel, a physical radio
broadcast channel
 Type 1 Paging message may also be initiated by
RAN, i.e., by an RNC in RAN
 Type 1 Paging message will carry a Paging
Originator field that indicates whether the paging
is initiated by CN or RAN
 Type 2 Paging
 used when mobile has a dedicated RRC
connection to RNC
 RNC will deliver a Type 2 Paging message to
mobile over this dedicated RRC connection
 Upon receiving a Type 1 or 2 Paging message
 mobile will start Service Request procedure to
establish the necessary signaling and traffic
connections with CN and use them to send uplink
signaling messages and user packets
3.7 Service Request Procedure
 Service Request Procedure (SRP) used by a mobile in
PMM-IDLE state
 request the establishment of a signaling connection
between mobile and SGSN so that mobile can begin
to exchange signaling messages with SGSN
 SRP used by a mobile in PMM-CONNECTED state
 request resource reservation for mobile’s active
PDP contexts
3GPP Mobile-Initiated Service
Request Procedure
(1)
(2)
(3)
(4)
(6)
(5a)
(7)
(8)
(9)
 [Step 1&2] Mobile has to establish an RRC connection
with RNC, if such a connection does not exist
 mobile sends a Service Request message to SGSN
 [Step 3&4] Upon receiving the Service Request
 SGSN will perform security procedures to
authenticate mobile and check if it is authorized to
use the network
 if the mobile is authorized to use network
 SGSN takes actions based on Service Type in
the received Service Request
 [Step 5a,6&7] If the Service Type indicates DATA
 means that mobile has user data to send (or receive)
over PS CN domain
 a signaling connection between mobile and SGSN
will be established first so that mobile can send
signaling messages to SGSN
 the RABs will be allocated for mobile’s existing
active PDP contexts using RAB Assignment
Procedure, if such RABs do not already exist, to
allow mobile to exchange user data with GGSN
 [Step 5b] If Service Type indicates SIGNALING
 means that mobile has no user data to send (or
receive) over PS CN domain at this moment
 mobile just wishes to exchange signaling messages
with SGSN
 only a signaling connection between mobile and
SGSN will be established
 no RAB will be allocated for any active PDP
context of mobile
 Service Request is acknowledged in different ways
depending on Service Type and mobile’s PMM state
 if mobile is in PMM-CONNECTED state and
Service Type indicates DATA
 SGSN will respond to Service Request message
by returning a Service Accept message to mobile
if SGSN accepts mobile’s service request
 if Service Type indicates SIGNALING or mobile is
in PMM-IDLE state
 SGSN does not send any explicit signaling
message to mobile to indicate the acceptance of
mobile’s Service Request
 mobile will learn that its Service Request was
successfully received by SGSN when mobile
receives certain RRC-layer signaling messages
from RNC
 [Step 8] After a RAB has been re-established
 the QoS profile negotiated for this newly
established RAB may be different from the old
negotiated QoS profile maintained in the PDP
contexts on SGSN, GGSN, and mobile
 SGSN will trigger SGSN-initiated PDP
Modification procedure to inform GGSN and
mobile of the new negotiated QoS profile for
RAB
 SGSN may also use SGSN-initiated PDP DeActivation procedure to delete a PDP context if the
required RABs cannot be set up for this PDP
context
 [Step 9] Mobile may also use the Modification
procedure to request CN to renegotiate the QoS profile
for a RAB, or use Mobile-initiated PDP Context DeActivation procedure to delete an active PDP context
3.8 Handoff and Roaming Between 3GPP
and Wireless LANs
 How Mobile IP (v4 or v6) can be used to support
handoff and roaming between 3GPP and WLAN
 the same approach can also be used to support
handoff/roaming between WLAN and any other
cellular network (e.g., GPRS, EDGE, and 3GPP2)
Handoff between 3GPP and IP
Networks using Mobile IP
 Mobility service provider
 refers to any network provider that provides a
Mobile IP Home Agent to mobile
 may be one of the following
 cellular network provider
 mobile’s home enterprise network
 Internet Service Provider
 Cellular network
 connects to mobility service provider’s IP network
directly or via a standard IP network
 When a mobile moves from a cellular network to a
WLAN
 mobile acquires a local IP address that it can use to
receive IP packets from new network
 mobile uses this new local IP address as its new
Mobile IP CoA and uses Mobile IP to register the
new CoA with its Mobile IP Home Agent
 mobile will continue to receive IP packets
addressed to its Mobile IP Home Address
 user IP packets addressed to mobile’s Home
Address will be routed to mobile’s HA
 HA will tunnel these packets to mobile’s current
CoA
Sample Signaling Message Flow to
support Handoff from WLAN to 3GPP
 Given a mobile moves from a WLAN into a cellular
network, mobile performs standard 3GPP procedures
 attach to 3GPP network
 activate its PDP context
 acquire a local care-of IP address during PDP
Context Activation process
 Mobile registers this CoA with its home agent
 IP packets addressed to mobile’s MIP home address
will be tunneled by HA to mobile’s current CoA
 If the CoA is a co-located CoA
 packets will be tunneled to mobile directly
 mobile will then de-tunnel packets to extract the
original payload packets
 If mobile uses a Foreign Agent (FA) CoA in 3GPP
network and FA is on the mobile’s serving GGSN
 packets will be tunneled to FA/GGSN which will
de-tunnel packets and forward the resulting packets
to mobile
Sample Signaling Flow for Handoff
between 3GPP and IP Networks using MIPv4