Wireless and Mobile Networks: Guest Lecture By: Roger Piqueras Jover (AT&T Security R&D)

October 16th, 2014

Lecture overview

Overview and introduction to:
  Wireless communications and the wireless channel
  Multiple access methods: TDMA, FDMA, CDMA, OFDMA; contention-based methods
  Cellular communications
  Mobile networks: GSM, 3G (UMTS), 4G (HSPA) and LTE

I will be suggesting some readings and leaving some unanswered questions

Lecture overview

We will be focusing mostly on wireless access: cellular and 802.11 (WiFi), at the PHY and MAC layers

Figure from: Computer Networking: A Top-Down Approach. James Kurose, Keith Ross. Pearson.

Basics on wireless propagation and the wireless channel

Wireless signal propagation

Coverage area defined by:
  Propagation loss
  Large scale fading (shadowing)

Link/channel quality (error probability) defined by:
  Small scale (fast) fading, multipath, etc.

Figure 4.1: Small-scale and large-scale fading.
From: Wireless Communications: Principles and Practice (2nd Edition). Theodore Rappaport. Prentice Hall.
From: Wireless Communications. Andrea Goldsmith. Cambridge University Press.

Propagation loss

The power of a wireless signal decays with distance as a power law, proportional to 1/d^n (path loss), where n is the path-loss exponent

Basic mathematical path loss models:
  Free-space (n = 2)
  2-ray ground bounce model
  Empirical models (based on measurements): Okumura-Hata, COST-231, etc.
  Different values of n for different environments
  5G mmWave path-loss models [1]

From: Wireless Communications: Principles and Practice (2nd Edition). Theodore Rappaport. Prentice Hall.

Large scale fading (shadow fading)

As users move, their reception/transmission is obstructed by obstacles: buildings, trees, vehicles, etc.

The duration of the fade is on the order of seconds: the time it takes to clear the obstacle, T = d/V = 10 seconds, with d = 100 m and V = 10 m/s

Shadowing is modeled by a log-normal distribution (the equation is in dB):
  P = P_R + X, with X ~ N(0, sigma^2)
  P: received power
  P_R: average received power (path loss)
  sigma: shadowing coefficient (standard deviation of the shadowing term, in dB)
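The two slides above are the usual starting point of a link budget, so here is the computation carried through in code. This is an added example, not material from the lecture: it implements the log-distance path-loss model with exponent n and the log-normal shadowing term, and uses them to answer the practical questions (outage probability at a given distance, the shadowing margin needed for a target coverage probability, and the resulting maximum range). The reference loss of 40 dB at 1 m, the 20 dBm transmitter, the -90 dBm threshold and the 8 dB shadowing standard deviation are assumed values chosen for illustration.

```python
"""Log-distance path loss with log-normal shadowing (added example)."""
import math
from statistics import NormalDist


def path_loss_db(d_m, n, d0_m=1.0, pl0_db=40.0):
    """Path loss in dB at distance d_m for path-loss exponent n.

    PL(d) = PL(d0) + 10 n log10(d / d0).  pl0_db is the loss at the
    reference distance d0; 40 dB at 1 m is an assumed value (roughly free
    space at 2.4 GHz).  n = 2 is free space, larger n for urban/indoor.
    """
    if d_m < d0_m:
        raise ValueError("model is only valid for d >= d0")
    return pl0_db + 10.0 * n * math.log10(d_m / d0_m)


def mean_rx_power_dbm(tx_dbm, d_m, n, **kw):
    """Average received power P_R in dBm (path loss only, no fading)."""
    return tx_dbm - path_loss_db(d_m, n, **kw)


def outage_probability(mean_rx_dbm, threshold_dbm, sigma_db):
    """P(P < threshold) where P = P_R + X and X ~ N(0, sigma^2), all in dB."""
    return NormalDist(mu=mean_rx_dbm, sigma=sigma_db).cdf(threshold_dbm)


def fade_margin_db(coverage_prob, sigma_db):
    """Shadowing margin so that the link clears the threshold at a fraction
    coverage_prob of locations: margin = sigma * Phi^-1(coverage_prob)."""
    return sigma_db * NormalDist().inv_cdf(coverage_prob)


def max_range_m(tx_dbm, threshold_dbm, n, sigma_db, coverage_prob,
                d0_m=1.0, pl0_db=40.0):
    """Largest distance at which P_R(d) minus the fade margin still meets the
    receiver threshold (the log-distance model inverted for d)."""
    allowed_pl_db = tx_dbm - threshold_dbm - fade_margin_db(coverage_prob, sigma_db)
    if allowed_pl_db < pl0_db:
        return 0.0
    return d0_m * 10.0 ** ((allowed_pl_db - pl0_db) / (10.0 * n))


if __name__ == "__main__":
    # Assumed link budget: 20 dBm transmitter, -90 dBm receiver sensitivity,
    # 8 dB shadowing standard deviation, 90% location coverage.
    for n, label in [(2, "free space"), (3, "urban"), (4, "obstructed")]:
        print(f"n={n} ({label}): range {max_range_m(20, -90, n, 8, 0.9):8.1f} m")
    print(f"fade margin for 90% coverage at sigma=8 dB: {fade_margin_db(0.9, 8):.2f} dB")
    print(f"outage at 100 m, n=3: "
          f"{outage_probability(mean_rx_power_dbm(20, 100, 3), -90, 8):.3f}")
```

Doubling the distance costs 6 dB for n = 2 but 12 dB for n = 4, which is why the same radio reaches hundreds of metres in the open and tens of metres indoors; the 90% coverage margin at sigma = 8 dB comes out at about 10 dB.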

Fast fading

The received signal r(t) is a combination of multiple rays (multipath + scattering), each arriving with its own amplitude and a phase set by d_i, the distance traveled by ray i

If d_i changes by fractions of the wavelength, the amplitude of r(t) can change substantially

There is an infinite number of reflections (scattering), so
  the amplitude of r(t) has a Rayleigh (or Ricean) distribution
  the phase has a uniform distribution

Fast fading: phase and frequency variation

Multipath

Multipath results in a frequency selective channel: different fading attenuations at different frequencies, so the frequency response of the channel, H(f), is not flat

A frequency selective channel results in signal distortion: inter-symbol interference (ISI)

Figure: two copies of the transmitted symbol (TX) arrive with different delays (Delay 1, Delay 2) and overlap at the receiver.

Multiple access methods

Multiple access methods
  TDMA (GSM)
  FDMA (AMPS)
  CDMA (3G - UMTS)
  OFDMA (LTE)

Next-gen multiple access methods: spatial division
  Multi-antenna (MIMO) arrays and beamforming
  Transmit and receive to/from specific directions
  Separate users spatially
  Theoretically feasible in 5G: mmWave, massive MIMO arrays

Figure: beam pattern with gains of +15 dB and +10 dB towards the intended users and -5 dB elsewhere.

Suggested reading [4]

Contention-based methods

All the users share the same medium (channel), so collisions are possible

Different methods to detect, avoid and minimize collisions

Examples:
  ALOHA and S-ALOHA
  CSMA
  Ethernet
  802.11

ALOHA and Slotted ALOHA

Transmissions from two or more nodes may collide
  No ACK received means collision
  Back off for a random time
  Try again

S-ALOHA forces transmissions into pre-defined time slots

Throughput:

802.11

IEEE 802.11 is the most pervasive technology for wireless LAN

2 different modes
  Infrastructure (with AP)
  Independent (ad hoc)

Based on CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)

802.11n
  2.4/5.0 GHz bands
  OFDM modulation
  MIMO
  Up to hundreds of Mbps

802.11: the hidden terminal and exposed terminal problems

The limited communication range of 802.11 nodes results in
  Hidden terminal
  Exposed terminal

(a) Hidden station problem. (b) Exposed station problem.

Solution: RTS/CTS messages (mainly addressing the hidden terminal problem)
  RTS (Request to Send): message sent to alert the terminals within your coverage area that you are about to transmit
  CTS (Clear to Send): the receiving terminal ACKs you and alerts all the terminals in its coverage area that it is about to start receiving

802.11 Medium Access Control (MAC)

The basic parameters are
  Slot time: basic unit of time for transmission and backoff delay
  Short Inter-Frame Space (SIFS): time required to sense the end of another transmission and transmit a control frame
  DCF Inter-Frame Space (DIFS): time to wait before starting to contend (SIFS + 2 slot times)

Is the medium free for t = DIFS?
  Yes: start transmission
  No: start backoff
    Wait for the medium to be idle for t = DIFS
    Select a random number k ~ unif[1, CW] (CW: contention window size)
    Wait for k slots (the medium must be idle) and then transmit
    If there is a collision or the medium becomes busy again, increase CW (binary exponential backoff) and restart

802.11 MAC cheating

The drivers for many 802.11 cards are open source, so the backoff parameters are under the user's control
Food for thought: What would happen if a user configured CW to always be 1?

Suggested reading: Selfish MAC layer misbehavior in wireless networks [6].
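The "food for thought" is easy to answer by simulation, so the following added example (not part of the lecture) models the backoff procedure of the previous slide as a slotted game: every node always has a frame to send, honest nodes draw k ~ unif[1, CW] and double CW on collision, and one optional selfish node keeps CW pinned at a chosen value. The contention window bounds (16 and 1024) are assumed to mirror 802.11 orders of magnitude; frame lengths, inter-frame spaces and counter freezing are left out of the model.

```python
"""Slotted model of 802.11 DCF backoff with one selfish node (added example)."""
import random


def simulate_dcf(n_honest, slots, cheater_cw=None, cw_min=16, cw_max=1024, seed=1):
    """Run a saturated, slotted contention model and count successes per node.

    Honest nodes follow the slide's procedure: draw k ~ unif[1, CW], wait k
    idle slots, transmit; on a collision double CW (up to cw_max) and redraw,
    on a success reset CW to cw_min.  If cheater_cw is given, one extra node
    (the last index) keeps CW fixed at that value and never backs off further.
    Returns (successes_per_node, collision_slots, idle_slots).
    """
    rng = random.Random(seed)
    n = n_honest + (1 if cheater_cw is not None else 0)
    cheater = n - 1 if cheater_cw is not None else None
    cw = [cw_min] * n
    if cheater is not None:
        cw[cheater] = cheater_cw
    counters = [rng.randint(1, cw[i]) for i in range(n)]
    successes = [0] * n
    collisions = idle = 0

    for _ in range(slots):
        for i in range(n):
            counters[i] -= 1                      # one idle slot elapses
        tx = [i for i in range(n) if counters[i] == 0]
        if not tx:
            idle += 1
            continue
        if len(tx) == 1:                          # exactly one sender: success
            winner = tx[0]
            successes[winner] += 1
            if winner != cheater:
                cw[winner] = cw_min
        else:                                     # two or more: collision
            collisions += 1
            for i in tx:
                if i != cheater:
                    cw[i] = min(2 * cw[i], cw_max)
        for i in tx:                              # every sender redraws its backoff
            counters[i] = rng.randint(1, cw[i])
    return successes, collisions, idle


def airtime_share(successes):
    """Fraction of the successful transmissions won by each node."""
    total = sum(successes) or 1
    return [s / total for s in successes]


if __name__ == "__main__":
    fair, coll, idle = simulate_dcf(5, 20000)
    print("all honest   :", [f"{x:.2f}" for x in airtime_share(fair)],
          "collision slots", coll)
    for cw_cheat in (1, 2, 4):
        s, coll, idle = simulate_dcf(5, 20000, cheater_cw=cw_cheat)
        print(f"cheater CW={cw_cheat}:", [f"{x:.2f}" for x in airtime_share(s)],
              "collision slots", coll)
```

With CW fixed at 1 the selfish node transmits in every slot: it wins every slot in which nobody else transmits and collides with every honest attempt, so the honest nodes never get a frame through while their own CW climbs to the maximum. Larger fixed windows (2, 4) are less blatant but still hand the cheater a disproportionate share, which is the detection problem studied in [6].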

802.11 MAC + RTS/CTS

Food for thought: Why do we use SIFS instead of DIFS before ACKs and CTSs?

Basics on cellular communications

Cellular networks

There are not enough wireless resources, so we reuse them

Network planning
  Area divided in cells
  All available resources used in one cluster of K cells
  If two phones using the same resource are very close to each other there is interference
  The more cells in a cluster, the less we reuse the resources (but the less interference we have)

Interference-limited system

Signal to Interference Ratio (SIR) at the point with the worst reception conditions (the cell edge, at distance R from the serving base station): the wanted signal decays as R^-n and each co-channel interferer at the re-use distance D decays as D^-n, with n the path-loss coefficient

Assuming hexagonal cells, the interference comes from 6 directions (the first tier of co-channel cells):
  SIR = (D/R)^n / 6

Generalized for a cluster of size K, using D/R = sqrt(3K):
  SIR = (sqrt(3K))^n / 6
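As an added example (not from the slides), the reuse formula above turned into the planning question a network engineer actually asks: how many cells must a cluster have to guarantee a target SIR, and how many channels does that leave per cell. The 18 dB target and the 420-channel pool in the demo are assumed textbook-style figures; the admissible cluster sizes K = i^2 + i*j + j^2 follow from the hexagonal geometry.

```python
"""Co-channel interference and frequency reuse in a hexagonal layout (added example)."""
import math


def valid_cluster_sizes(max_k):
    """Hexagonal geometry only allows cluster sizes K = i^2 + i*j + j^2
    (K = 1, 3, 4, 7, 9, 12, 13, ...) for non-negative integers i, j."""
    sizes = set()
    for i in range(max_k + 1):
        for j in range(max_k + 1):
            k = i * i + i * j + j * j
            if 0 < k <= max_k:
                sizes.add(k)
    return sorted(sizes)


def reuse_ratio(k):
    """Re-use distance over cell radius, D/R = sqrt(3K)."""
    return math.sqrt(3.0 * k)


def worst_case_sir_db(k, n):
    """SIR at the cell edge with the 6 first-tier co-channel interferers all
    taken at distance D: SIR = (D/R)^n / 6, returned in dB.
    n is the path-loss exponent (coefficient)."""
    return 10.0 * math.log10(reuse_ratio(k) ** n / 6.0)


def min_cluster_size(target_sir_db, n, max_k=100):
    """Smallest admissible K whose worst-case SIR meets the target, or None
    if no cluster size up to max_k does."""
    for k in valid_cluster_sizes(max_k):
        if worst_case_sir_db(k, n) >= target_sir_db:
            return k
    return None


def channels_per_cell(total_channels, k):
    """Capacity side of the trade-off: each cell only gets 1/K of the spectrum."""
    return total_channels // k


if __name__ == "__main__":
    # Assumed planning target: 18 dB SIR with a pool of 420 channels.
    for n in (2, 3, 4):
        k = min_cluster_size(18.0, n)
        if k is None:
            print(f"n={n}: no cluster size up to 100 reaches 18 dB")
        else:
            print(f"n={n}: need K={k}, SIR={worst_case_sir_db(k, n):.1f} dB, "
                  f"{channels_per_cell(420, k)} channels/cell")
```

The result shows the trade-off on the slide in numbers: with n = 4 a 7-cell cluster gives 18.7 dB and 60 channels per cell, with n = 3 the same target already needs K = 19, and in pure free space (n = 2) no reasonable cluster reaches it, because the interferers are attenuated almost as little as the wanted signal.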

Handover

When you move from one cell to another the phone does not disconnect; this is what makes mobility in cellular networks possible

Types of handover
  Hard (GSM, LTE): the phone disconnects from a tower and connects to a new one
  Soft (3G UMTS): the phone is always connected to N towers (combining their signals in a rake receiver) and just updates that list

Figure: received signal strength from BS1 falls and from BS2 rises as the phone moves along the distance from BS1 to BS2; the ideal HO point is where the two curves cross.

Food for thought: How do we avoid the ping-pong effect due to fast fading?
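The ping-pong question can be made concrete with a small, fully deterministic simulation. The code below is an added example, not part of the lecture: it constructs a signal-strength trace in which the mean of BS1 falls and the mean of BS2 rises (crossing at sample 20, the ideal HO point), with a +/-3 dB alternation standing in for fast fading, and compares a naive "switch whenever the neighbour is stronger" rule with the standard remedy of a hysteresis margin plus a time-to-trigger (the LTE A3-style condition). The 4 dB margin and the 3-sample time-to-trigger are assumed values.

```python
"""Handover decision with and without hysteresis / time-to-trigger (added example)."""


def build_trace(samples=40, fade_db=3.0):
    """Constructed trace: (rsrp_bs1, rsrp_bs2) per sample, in dBm.

    BS1 loses 0.5 dB per sample, BS2 gains 0.5 dB per sample, so the means
    cross at sample 20.  A deterministic +/-fade_db alternation on the BS2
    link stands in for fast fading.
    """
    trace = []
    for t in range(samples):
        rsrp1 = -70.0 - 0.5 * t
        rsrp2 = -90.0 + 0.5 * t + (fade_db if t % 2 == 0 else -fade_db)
        trace.append((rsrp1, rsrp2))
    return trace


def handovers_naive(trace):
    """Switch as soon as the neighbour is (even momentarily) stronger.
    Returns the sample indices at which a handover is executed."""
    serving, hos = 0, []
    for t, rsrp in enumerate(trace):
        other = 1 - serving
        if rsrp[other] > rsrp[serving]:
            serving = other
            hos.append(t)
    return hos


def handovers_hysteresis(trace, hyst_db=4.0, ttt_samples=3):
    """Switch only when the neighbour exceeds the serving cell by hyst_db for
    ttt_samples consecutive samples (hysteresis + time-to-trigger)."""
    serving, streak, hos = 0, 0, []
    for t, rsrp in enumerate(trace):
        other = 1 - serving
        if rsrp[other] > rsrp[serving] + hyst_db:
            streak += 1
        else:
            streak = 0                     # condition must hold continuously
        if streak >= ttt_samples:
            serving = other
            streak = 0
            hos.append(t)
    return hos


if __name__ == "__main__":
    trace = build_trace()
    print("ideal HO at sample 20 (mean curves cross)")
    print("naive rule      :", handovers_naive(trace))
    print("hyst 4 dB, TTT 3:", handovers_hysteresis(trace))
```

On this trace the naive rule bounces five times around the crossing point (samples 18 to 22), each bounce costing signalling and a brief interruption, while the hysteresis rule hands over exactly once, a few samples late; the margin and timer trade a little delay for stability.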

Mobile networks

2G and 3G mobile network architecture

Figure: the Radio Access Network (GSM - TDMA, 3G - WCDMA) connects to a core network that interfaces with the phone network, the SMS network (SS7) and the Internet.

3G Radio Access Network - WCDMA

Spreading: the data signal s(t) of user 1, with bit rate R_b and bandwidth B = R_b, is multiplied by the user's code C_i(t), a chip sequence (e.g. 1011101011) running G times faster than the bits. The product s(t) x C_i(t) occupies the bandwidth W = G * R_b and its power spectral density |S(f) * C_i(f)|^2 drops from A^2 to A^2/G (G is the spreading, or processing, gain).

Despreading: the receiver multiplies by the same code C_i(t). The signal of user 1 collapses back to bandwidth R_b with power density A^2, while the signal of user 2 (power B^2, different code) stays spread over W with density B^2/G, so after filtering to R_b only a fraction 1/G of its power interferes.

Resiliency of CDMA against adversarial interference

CDMA was initially designed for military applications

The signal is transmitted hidden under the noise floor: after spreading, the power density of the signal is A^2/G over the bandwidth W = G * R_b

Resiliency against adversarial interference: an interfering signal of power I^2 added on the channel is multiplied by the code C_i(t) at the receiver along with everything else. Despreading concentrates the wanted signal back into the bandwidth R_b (power density back to A^2) while spreading the interferer over W (power density I^2/G), so the signal-to-interference ratio after despreading improves by the processing gain G.
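The two WCDMA slides (user separation by code, and resilience against an interferer) are demonstrated end to end by the following added example, which is not code from the lecture. It generates a maximal-length (m-)sequence with a 5-stage LFSR, spreads two users' bits with the sequence and a cyclic shift of it, superposes a constant jammer twenty times stronger than either signal, and despreads by correlation. The LFSR polynomial x^5 + x^2 + 1, the shift of 7 chips for user 2, the data bits and the jammer amplitude are all assumptions chosen for the demonstration; a real 3G system uses much longer codes.

```python
"""Direct-sequence spreading with an m-sequence, two users and a jammer (added example)."""
import math


def m_sequence(taps=(5, 2), seed=1):
    """One period of a maximal-length sequence from a Fibonacci LFSR.

    taps lists the polynomial exponents; the default (5, 2) is x^5 + x^2 + 1,
    a primitive polynomial, so the period is 2^5 - 1 = 31 chips.  Output chips
    are mapped 0 -> +1 and 1 -> -1.  One period holds 16 ones and 15 zeros, so
    the chips sum to -1 and the cyclic autocorrelation at any non-zero shift
    is -1; that is what lets shifted copies serve as separate codes here.
    """
    degree = max(taps)
    state = seed & ((1 << degree) - 1)
    if state == 0:
        raise ValueError("LFSR seed must be non-zero")
    start, bits = state, []
    while True:
        bits.append(state & 1)
        feedback = 0
        for t in taps:                          # tap t reads register bit (degree - t)
            feedback ^= (state >> (degree - t)) & 1
        state = (state >> 1) | (feedback << (degree - 1))
        if state == start:
            break
    if len(bits) != (1 << degree) - 1:
        raise ValueError("taps do not form a primitive polynomial")
    return [1 - 2 * b for b in bits]


def shifted(code, s):
    """Cyclic shift of a code: the second user's code in this toy model."""
    return code[s:] + code[:s]


def spread(bits, code):
    """Multiply each data bit (+/-1) by the whole chip sequence: G = len(code) chips per bit."""
    return [float(b * c) for b in bits for c in code]


def despread(chips, code):
    """Correlate each G-chip block with the code and decide on the sign."""
    g = len(code)
    decisions = []
    for k in range(0, len(chips), g):
        corr = sum(x * c for x, c in zip(chips[k:k + g], code)) / g
        decisions.append(1 if corr >= 0 else -1)
    return decisions


def add(*signals):
    """Superpose signals of equal length on the channel."""
    return [sum(vals) for vals in zip(*signals)]


def constant_jammer(length, amplitude):
    """Narrowband interferer sitting on the carrier: a constant in baseband."""
    return [float(amplitude)] * length


def processing_gain_db(code):
    return 10.0 * math.log10(len(code))


if __name__ == "__main__":
    c1 = m_sequence()
    c2 = shifted(c1, 7)                        # assumed code for user 2
    bits1 = [1, -1, -1, 1, 1, -1, 1, -1]       # constructed data for user 1
    bits2 = [-1, -1, 1, 1, -1, 1, 1, 1]        # constructed data for user 2
    channel = add(spread(bits1, c1), spread(bits2, c2),
                  constant_jammer(8 * len(c1), 20.0))
    print(f"G = {len(c1)} chips, processing gain {processing_gain_db(c1):.1f} dB")
    print("user 1 recovered:", despread(channel, c1) == bits1)
    print("user 2 recovered:", despread(channel, c2) == bits2)
    # Without spreading (G = 1) the same jammer swamps every bit:
    print("unspread under the jammer:",
          despread(add(spread(bits1, [1]), constant_jammer(8, 20.0)), [1]))
```

After despreading, the jammer contributes only J * sum(c)/G = -J/G to each decision variable while the wanted bit contributes +/-1, so decisions stay correct as long as J < G; raising the jammer to 40 (above G = 31) breaks the link, which is the quantitative meaning of "resilience up to the processing gain".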

Mobile Core Network

Routes and forwards each connection; upon an incoming call/SMS/connection, locates the recipient phone
  MSC: phone calls, towards the PSTN (Public Switched Telephone Network)
  MSC + SMSC: SMS, towards the SS7 network
  GGSN/SGSN (3G) or S-GW (LTE): data, towards the Internet
  HLR (Home Location Register): subscriber database and last known location, used for paging

Controls and manages the Radio Access Network (RAN)

Paging

When there is an incoming call/SMS, the network has to find the recipient, so a paging message is broadcast

Broadcasting over every single cell in America sounds like an inefficient way to do it
  The network (HLR) knows roughly the area where you were last seen: the Location Area (2G/3G) or Tracking Area (LTE)
  Paging is only broadcast in your Location Area
  If you move, the phone updates your location with the HLR (Location Area Update / Tracking Area Update)

When your phone receives the paging message it replies to it ("Hey, I am here!"), and now the network knows in what specific cell you are

Food for thought: Why not keep track of the cell where each user is instead of the Location Area?

Random Access Channel

There is not enough spectrum for every mobile device to be always connected (channel assigned), so mobile devices are usually disconnected

When they need to connect, they request resources on a shared channel: the RACH

Random Access Channel

The RACH is an important signaling channel in mobile networks
  Used to initiate all transmissions
  Shared by all the users in a cell
  Contention-based access
  Method similar to S-ALOHA, with random backoff delays and retransmissions
  Also used to acquire UL synchronization

UL synchronization over the RACH

Users at different distances from the base station have different propagation delays (t1 for user 1, t2 for user 2), so their transmissions TX1 and TX2 in frame <j> arrive misaligned at the network

The time advance value is in the RACH response the network sends back to each user: in frame <j+1> each user transmits early by its own time advance (time advance 1, time advance 2), so the transmissions arrive aligned

Connection establishment (2G/3G example)

Mobile initiated connection establishment
  1. Access request on the RACH (MAC layer)
  2. Access grant + channel assignment
  3. Dedicated traffic channel (DTCH, data)
  4. Radio Access Bearer (RAB) set up with the Core Network
  5. Location update** and, depending on the service: SMS over SS7, call over the PSTN, data to the Internet

Connection establishment (2G/3G example)

Mobile terminated connection establishment
  1. Incoming SMS/call/data reaches the Core Network
  2. Location request
  3. Paging on the Paging Channel (PCH)
  4. Access request on the RACH (MAC layer)
  5. Access grant + channel assignment
  6. DTCH (data)
  7. Radio Access Bearer (RAB)

Long Term Evolution (LTE)

LTE mobile network architecture

The Long Term Evolution (LTE): latest evolution of the 3GPP standards (as of this lecture, 2014)

Enhanced RAN (E-UTRAN)
  OFDMA
  MIMO
  Robust performance in multipath environments

Enhanced Packet Core (EPC)
  Flat(ter) all-IP architecture
  Support for, and mobility between, multiple heterogeneous access networks

LTE RAN: radio frame architecture

LTE connection
  Power up
  Cell Search Procedure: decode PSS and SSS to synchronize in time and frequency
  Obtain System Configuration: decode the Master Information Block (MIB) from the PBCH, then the System Information Blocks (SIBs) from the PDSCH
  Random Access: RACH
  Radio Access Bearer set-up
  Connected: user traffic

LTE Random Access Channel

Very similar procedure to 3G (MT = mobile terminal, eNodeB = LTE base station)
  1. Random access preamble: the MT selects a signature out of 64
  2. Random Access Response: time advance command plus assignment of a C-RNTI id
  3. L2/L3 message
  4. Contention resolution message: needed because two MTs may have chosen the same signature in the same slot
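The slotted ALOHA slide earlier left the throughput formula for the reader, and this slide describes the RACH as S-ALOHA with 64 preamble signatures; one added example (not from the lecture) covers both. It gives the analytic success rate G * exp(-G/M) for Poisson offered load G spread over M signatures (M = 1 is classic S-ALOHA, peaking at 1/e), checks it against a Monte Carlo simulation, and computes the birthday-style probability that several UEs in the same RACH slot pick clashing preambles, which is what step 4 (contention resolution) exists for. The loads and slot counts in the demo are assumptions.

```python
"""Slotted ALOHA throughput and LTE RACH preamble collisions (added example)."""
import math
import random


def analytic_throughput(g, m=1):
    """Successful transmissions per slot for Poisson offered load g (attempts
    per slot) spread uniformly over m orthogonal signatures: g * exp(-g / m).
    m = 1 is classic S-ALOHA, g * e^-g, which peaks at 1/e for g = 1."""
    return g * math.exp(-g / m)


def poisson(rng, lam):
    """Poisson sample by Knuth's multiplication method (fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(g, slots, m=1, seed=7):
    """Per slot: Poisson(g) users each pick one of m signatures at random.
    A signature chosen by exactly one user succeeds; two or more collide
    (no ACK in ALOHA, no usable Random Access Response on the RACH).
    Returns (successes per slot, collided signatures per slot)."""
    rng = random.Random(seed)
    succ = coll = 0
    for _ in range(slots):
        counts = {}
        for _ in range(poisson(rng, g)):
            sig = rng.randrange(m)
            counts[sig] = counts.get(sig, 0) + 1
        for c in counts.values():
            if c == 1:
                succ += 1
            else:
                coll += 1
    return succ / slots, coll / slots


def p_preamble_collision(k_others, m=64):
    """Probability that a UE's preamble is also picked by at least one of
    k_others other UEs attempting in the same RACH slot."""
    return 1.0 - (1.0 - 1.0 / m) ** k_others


def p_all_distinct(k, m=64):
    """Birthday problem: probability that k UEs in one slot all pick
    different preambles, so no contention resolution is needed."""
    p = 1.0
    for i in range(k):
        p *= (m - i) / m
    return p


if __name__ == "__main__":
    for g in (0.5, 1.0, 2.0):
        sim, _ = simulate(g, 20000)
        print(f"S-ALOHA G={g}: simulated {sim:.3f}, analytic {analytic_throughput(g):.3f}")
    sim, coll = simulate(8.0, 5000, m=64)
    print(f"RACH, 8 UEs/slot over 64 preambles: {sim:.2f} successes, "
          f"{coll:.2f} collided preambles per slot (analytic {analytic_throughput(8.0, 64):.2f})")
    for k in (2, 5, 10, 20):
        print(f"{k} UEs in one slot: P(all distinct)={p_all_distinct(k):.2f}, "
              f"P(my preamble collides)={p_preamble_collision(k - 1):.3f}")
```

The 64 signatures make the RACH behave like 64 parallel S-ALOHA channels, which is why a cell tolerates several access attempts per slot; but once a few dozen devices wake up in the same slot (the M2M scenario later in the lecture) the probability that all of them pick distinct preambles is already small, and the backoff-and-retry behaviour of the slide starts to dominate.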

Radio Access Bearer setup

Radio Access Bearer setup - Real world example
  RACH handshake between UE and eNB
  RRC handshake between UE and eNB
  RAB setup (authentication, set-up of encryption, tunnel set-up, etc.)
  Encrypted traffic

Radio Resource Control (RRC) and power management in LTE

Motivation
  RRC: not enough radio resources for all users, they need to be reused when a user is idle
  Power management: the radio of a mobile device burns a lot of battery, it is necessary to shut it down when the user is idle

RRC state machine
  Idle: low power usage, no active connection (no bearer with the P-GW)
  Connected: high battery usage, active bearer with the P-GW

RRC state transitions
  Connected to idle
  Idle to connected

State demotions result in tail time
  The [RRC Connected -> RRC Idle] transition occurs after the device has been idle for t seconds
  The phone's radio is always on for t seconds after the device goes idle

State promotions require a promotion delay

State transitions result in signaling load at the core network

Recommended reading: AT&T Research - A Call for More Energy-Efficient Apps [3]


The Internet of Things and M2M communications

IoT and M2M

There are already more things connected to the Internet than humans

Mobile networks are designed and optimized to handle {cell/smart}-phone traffic

The traffic characteristics of M2M devices are very different from those of smart-phones, and different M2M devices have very different traffic characteristics from other M2M devices

Current open research questions

Industry and standardization bodies talk about billions of connected devices by 2020

Impact of IoT and M2M on cellular networks as we move to the connected world

Suggested reading [7]

Bluetooth

Short-range, high-data-rate wireless link for personal devices, originally designed to replace cables with a wireless link

Based on frequency hopping spread spectrum
  79 channels (1 MHz per channel) in the 2.4 GHz ISM band (note it's the same band as WiFi)
  The transmitter and receiver agree on a pseudo-random frequency hop pattern
  Time division duplexing
  About 700 kbps
  Range up to ~100 m (usually less)

Master-slave communications
  Piconet: up to 7 active slaves controlled by a master (3-bit addressing)

ZigBee

Standard for low-power monitoring and control
  IEEE 802.15.4 defines the PHY and MAC layers
  ZigBee is the networking layer on top of 802.15.4
  Long battery life
  Shorter range than Bluetooth (10 m - 75 m)
  ~250 kbps in the 2.4 GHz band

PHY layer
  16 channels in the 2.4 GHz band (5 MHz per channel)
  10 channels in the 915 MHz band (2 MHz per channel)
  1 channel in the 868 MHz band
  The 2.4 GHz band uses Direct Sequence Spreading

Things to play with

The IoT is one of the hottest areas in communications right now: lots of media attention, investment and technology developments

Many easily available open-source and low-cost tools to test cool stuff
  Arduino: http://www.arduino.cc/
  Arduino ZigBee: http://arduino.cc/en/Main/ArduinoXbeeShield
  Arduino Bluetooth: http://arduino.cc/en/Main/ArduinoBoardBT?from=Main.ArduinoBoardBluetooth
  Arduino + Android: http://www.mouser.com/new/arduino/arduinoandroid/
  Raspberry Pi: http://www.raspberrypi.org/
  Romo: http://www.romotive.com/

Suggested reading
[1] 5G wireless channel measurements: http://ieeexplore.ieee.org/iel7/6287639/6336544/06515173.pdf?arnumber=6515173
[2] T. Rappaport. Wireless Communications: Principles and Practice (2nd Edition). Prentice Hall.
[3] AT&T Research - A Call for More Energy-Efficient Apps: http://www.research.att.com/articles/featured_stories/2011_03/201102_Energy_efficient?fbid=Vss1vjwl65X
[4] A. L. Swindlehurst, E. Ayanoglu, P. Heydari, and F. Capolino, "Millimeter-Wave Massive MIMO: The Next Wireless Revolution?" IEEE Communications Magazine, Vol. 52, No. 9, pp. 56-62, Sept. 2014.
[5] S. Sesia, M. Baker, and I. Toufik. LTE, The UMTS Long Term Evolution: From Theory to Practice. Wiley, 2009.
[6] P. Kyasanur and N. H. Vaidya. Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing: http://perso.prism.uvsq.fr/users/mogue/Biblio/Sensor/AUTRES/01492362.pdf
[7] F. Ghavimi and H.-H. Chen. M2M Communications in 3GPP LTE/LTE-A Networks: Architectures, Service Requirements, Challenges and Applications. IEEE Communications Surveys and Tutorials, 2014. http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6916986&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6916986
Technology directions for 5G:
[8] F. Boccardi et al. Five Disruptive Technology Directions for 5G. IEEE Communications Magazine, 2014. http://arxiv.org/pdf/1312.0229
Mobile network security:
[9] R. Piqueras Jover. Security Attacks Against the Availability of LTE Mobility Networks: Overview and Research Directions. IEEE Global Wireless Summit 2013. http://web2.research.att.com/techdocs/TD_101153.pdf