26 January 2022


    JRC Tech Seminar Vol.1

    In the last section we introduced the definition of the Attach Sequence, the general process, and cell search/selection. Do you still remember them?

    This section is about UE authentication and bearer establishment in the attach sequence. Let us get started! First of all, understanding the network configuration, the functional description of each node, and each interface will be quite helpful.

    LTE Network Configuration

    The LTE network consists of a radio access network (E-UTRAN) and a core network (EPC). The radio access network consists of eNodeB, while the core network consists of MME, HSS, S-GW, and P-GW.

    Each node such as eNodeB and MME is connected by an interface. This interface has a control plane for exchanging control data and a user plane for exchanging user data.



    Functional Description of Each Node




    User Equipment (UE): User terminal.

    Evolved Node B (eNodeB): Base station.

    Mobility Management Entity (MME): It registers the location of UEs, controls movement such as handover and paging, and handles the authentication of user terminals based on the authentication information from the HSS.

    Home Subscriber Server (HSS): It manages user authentication information, location registration, and QoS information. (* Management of billing information is performed by PCRF.)

    Serving Gateway (S-GW): It relays user data to and from eNodeBs and P-GWs, sets the path for UE connections on instructions from the MME, and switches paths during handovers.

    Packet Data Network Gateway (P-GW): It is the connection point to external networks such as the Internet, where IP addresses are allocated to UEs and user data is transferred to the S-GW.


    Functional Description of Each Interface

    Interface Name | Function
    LTE-U  | It is the interface between the user terminal and the eNodeB, exchanging control information and user data on the radio section.
    S1-MME | It is the interface between the eNodeB and the MME, exchanging control information such as UE location registration and paging control.
    S1-U   | It is the interface between the eNodeB and the S-GW and exchanges user data.
    S5     | It is the interface between S-GW and P-GW and exchanges user data.
    S6     | It is the interface between the MME and the HSS, exchanging user authentication and QoS authorization information.
    S11    | It is the interface between the MME and the S-GW, exchanging control information for setting up the path and switching the path during handover on instructions from the MME.
    SGi    | The interface between the P-GW and the external network for the exchange of user data.

    Completion Stage of the Radio Connection

    When the radio connection between the UE and the eNodeB is completed, the UE sends the message "RRC Connection Setup Complete" to the eNodeB. This message includes the NAS Attach Request, which is a request for the UE to connect to the core network, and the PDN Connectivity Request, which is a request for the UE to connect to the PDN (Packet Data Network).

    The Attach Request contains the IMSI information of the UE and is used for authentication of the UE in the HSS. The PDN Connectivity Request contains a request for the IP address of the UE. When the eNodeB receives these messages, it includes the NAS Attach Request and PDN Connectivity Request in the S1AP Initial UE Message and sends it to the MME. The tracking area code is also sent to the MME.

    When the MME receives the "Attach Request", the UE and the MME become ECM Connected. ECM means "EPC Connection Management", and ECM Connected means that the UE and the core network (MME) are connected. Having received the S1AP Initial UE Message, the MME requests the authentication and location registration information of the UE from the HSS.


    UE Authentication

    In the case of an authentication request, the MME sends an Authentication Request to the HSS. This message contains the IMSI of the UE. When the HSS receives the Authentication Request, it generates parameters for authentication from the IMSI and the HSS's key. These parameters are sent to the MME as an Authentication Response.

    On receiving the Authentication Information Response, the MME generates the security key from the parameters for authentication and sends the parameters for authentication (RAND, AUTN) to the eNodeB. The eNodeB sends the received RAND and AUTN to the UE. The UE generates the response value for authentication based on its own key and the received RAND and AUTN, and sends it to the eNodeB.

    The eNodeB sends the response value for the UE authentication to the MME, which checks this response value against the response value received from the HSS, and if they match, the UE authentication is completed. If they do not match, the authentication of the UE will fail.
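
    The challenge-response exchange described above, as an added example that is not part of the original article. It assumes HMAC-SHA256 as a stand-in for the real AKA key-derivation functions and a simplified AUTN; the class names, IMSI and key are constructed for illustration.

```python
import hashlib
import hmac
import os

def f(k: bytes, label: bytes, rand: bytes) -> bytes:
    """Stand-in for the AKA functions (assumption: HMAC-SHA256 cut to 8 bytes)."""
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:8]

class HSS:
    def __init__(self, keys):
        self.keys = keys  # IMSI -> subscriber key K; K itself is never sent to the MME

    def auth_vector(self, imsi):
        k, rand = self.keys[imsi], os.urandom(16)
        # Simplified AUTN: a network MAC over RAND only (real AUTN also carries
        # a sequence number for replay protection).
        return rand, f(k, b"autn", rand), f(k, b"res", rand)  # RAND, AUTN, expected response

class UE:
    def __init__(self, imsi, k):
        self.imsi, self.k = imsi, k

    def respond(self, rand, autn):
        # The UE checks AUTN with its own key first, so it authenticates the network too.
        if not hmac.compare_digest(autn, f(self.k, b"autn", rand)):
            return None
        return f(self.k, b"res", rand)

def mme_authenticate(hss, ue, tamper_autn=False):
    rand, autn, xres = hss.auth_vector(ue.imsi)  # HSS -> MME
    if tamper_autn:
        autn = bytes(8)                          # challenge not produced with the subscriber key
    res = ue.respond(rand, autn)                 # MME -> eNodeB -> UE and back
    # Constant-time comparison of the UE's response with the value from the HSS.
    return res is not None and hmac.compare_digest(res, xres)

IMSI = "001010123456789"                               # constructed test IMSI
K = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed subscriber key
hss = HSS({IMSI: K})
```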


    Location Registration

    The MME sends an Update Location Request to the HSS to register the location of the UE. This message contains the IMSI of the UE. On receiving the message, the HSS sends the PDN address (fixed IP address), P-GW IP address, and APN associated with the IMSI to the MME in the Update Location Answer.


    S5 Bearer Establishment

    The MME sends the S11 GTP-C Create Session Request, which is a request for a connection, to the S-GW. This message includes the IDs used in GTP communication, called TEID (Tunnel Endpoint ID) and EBI (EPS Bearer ID), together with the PDN address, P-GW IP address, and APN.

    When the S-GW receives the connection request, it sends the TEID, EBI, PDN address, etc. to the P-GW in the S5 GTP-C Create Session Request. After receiving the message, the P-GW sends the TEID and EBI to the S-GW in the S5 GTP Create Session Response. At this point, the connection between S-GW and P-GW (S5 Bearer) is established.

    The S-GW sends the EBI and the TEIDs of the P-GW and S-GW to the MME in the S11 GTP Create Session Response as a response to the MME's S11 GTP-C Create Session Request.
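
    A strict parser for the GTP-C messages named above, pulling out the header TEID and the EBI, as an added example that is not part of the original article. The header layout and the message and IE type codes are taken from 3GPP TS 29.274 rather than from this page, and the sample message is constructed.

```python
import struct

MSG_NAMES = {32: "Create Session Request", 33: "Create Session Response",
             34: "Modify Bearer Request", 35: "Modify Bearer Response"}
IE_EBI, IE_BEARER_CONTEXT = 73, 93  # IE type codes (3GPP TS 29.274)

def parse_ies(buf):
    """Yield (type, value) per IE, descending into grouped Bearer Context IEs."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated IE header")
        ie_type, ie_len = struct.unpack_from("!BH", buf, off)
        value = buf[off + 4:off + 4 + ie_len]
        if len(value) != ie_len:
            raise ValueError("IE length runs past end of message")
        off += 4 + ie_len
        if ie_type == IE_BEARER_CONTEXT:
            yield from parse_ies(value)
        else:
            yield ie_type, value

def parse_gtpv2c(pkt):
    if len(pkt) < 8:
        raise ValueError("shorter than a GTPv2-C header")
    flags, msg_type, length = struct.unpack_from("!BBH", pkt)
    if flags >> 5 != 2:
        raise ValueError("not GTP version 2")
    if length + 4 != len(pkt):  # Length excludes the first four header octets
        raise ValueError("Length field does not match datagram size")
    hdr_len = 12 if flags & 0x08 else 8  # T flag: TEID present in header
    if len(pkt) < hdr_len:
        raise ValueError("truncated header")
    teid = struct.unpack_from("!I", pkt, 4)[0] if flags & 0x08 else None
    seq = int.from_bytes(pkt[hdr_len - 4:hdr_len - 1], "big")
    ebis = [v[0] & 0x0F for t, v in parse_ies(pkt[hdr_len:]) if t == IE_EBI and v]
    return {"message": MSG_NAMES.get(msg_type, msg_type), "teid": teid, "seq": seq, "ebi": ebis}

def ie(ie_type, value):
    return struct.pack("!BHB", ie_type, len(value), 0) + value

def sample_create_session_request():
    # Constructed sample: header TEID 0, sequence 0x1234, one Bearer Context with EBI 5.
    body = ie(IE_BEARER_CONTEXT, ie(IE_EBI, b"\x05"))
    tail = struct.pack("!I", 0) + (0x1234).to_bytes(3, "big") + b"\x00" + body
    return struct.pack("!BBH", 0x48, 32, len(tail)) + tail
```

    Rejecting a message whose Length field or IE lengths disagree with the bytes received keeps a malformed GTP-C datagram from being half-parsed by monitoring or filtering code on S11/S5.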


    Radio Bearer Establishment

    Once the S5 bearer is established, the MME sends an S1AP Initial Context Setup Request to the UE to establish the radio bearer (DRB). This message contains the NAS Attach Accept (response to the NAS Attach Request), which is sent to the UE via the radio section. This message also contains the key (KeNB) necessary for the encryption (AS security) of the radio section.

    The eNodeB sends an RRC Security Mode Command to the UE, and when the UE responds with a Security Mode Complete reply, the radio section is encrypted. When the radio section is encrypted, the eNodeB sends an RRC Connection Reconfiguration message to the UE to establish the radio bearer. This message contains the NAS Attach Accept (including PDN address (IP of the UE) and GUTI) sent by the MME. When the UE sends RRC Connection Reconfiguration Complete to the eNodeB as a response to RRC Connection Reconfiguration, the radio bearer (DRB) is established.


    S1 Bearer Establishment

    When a radio bearer is established, the eNodeB sends an S1AP Initial Context Setup Response to the MME as a response to the S1AP Initial Context Setup Request.

    This message contains the TEID to establish the S1 bearer and is sent to the S-GW via the MME. The UE sends a NAS Attach Complete message to the MME as a response to the NAS Attach Accept, which is included in the RRC UL Information Transfer.

    The MME sends an S11 GTP Modify Bearer Request to the S-GW in order to establish the S1 bearer. The S-GW sends the S11 GTP Modify Bearer Response to the MME as a response to this message, and the S1 bearer is then established. These processes enable data communication between UEs, eNodeBs, MME, S-GW, and P-GW.

    When these processes are completed, the attachment is complete and the UE is connected to the LTE network, enabling data communication.

