Wednesday, September 14, 2022

Tracking Are Update Feature during handover

 

Reference(s):


1. Netmanias Technical Document: EMM Procedure 8 & 9. Handover and Cell Reselection with TAU www.netmanias.com

2. https://blog.3g4g.co.uk/2011/03/lte-to-3g-handover-procedure-and.html


Case A: TAU during Handover while it stays in Connected state:



A TAU procedure is required after handover/cell re-selection if UE moves to a non-registered TA. The TAI list assigned to the UE is a list of the areas where the UE has been registered. Because of this, if UE moves to a TA not in the TAI list, it must perform a TAU procedure, requesting for TA update, so that the network can update the UE’s TAI list and assign the updated list accordingly.


Example:

A handover procedure performed when UE in Connected state moves to a TA that it is not registered to. When the UE initially attached the network, MME selected TA1 and TA2 for the UE, and sent a TAI list = {TAI=1, TAI=2}, as included in the Attach Accept message. Initially, the UE was served through eNB2 (Cell 5 in it, to be exact) in TA1. Now it is moving toward eNB5 (Cell 13, to be exact) in TA3 which is not in the TAI list. This example concerns intra-LTE handover only, and assumed both eNB2 and eNB5 are connected to the same MME and S-GW.






1. Handover:


As the UE moves toward eNB5, a handover event is triggered. The UE measures the

signal strength of the serving cell and neighbor cells, and sends the results to eNB2, as included in the

Measurement Report message. First, the source eNB (e.g. eNB2 above) chooses the type of handover to perform, X2 or S1. In X2 handover, it is the source eNB that selects the target eNB (e.g. eNB5 above), whereas it is MME in S1 handover. Next, handover is performed from eNB2 (Cell 5 in it to be more exact) to eNB5 (Cell 13 in it).





2. TAU request sent by UE->MME:


UE when being handed over to the target eNB (eNB5), it knows eNB5 does not belong to its assigned

TAs. Thus, as soon as the handover is completed, it sends a TAU Request message to MME, requesting TA update. At this time, the message includes the following information:


TAU Request (Update Type=TA Updating, GUTI, Last Visited TAI, KSI ASME , NAS-MAC)


 Update Type: indicates the TAU type. Set as TA Updating unless UE is handed over to a registered TA


 GUTI: UE ID previously allocated by MME. Used by MME for UE identification.


 Last Visited TAI: TAI reported through TAU Request last time


 KSI ASME : index for K ASME , the NAS security base key


 NAS-MAC: message authentication code (MAC) used in protecting the integrity of TAU Request with NAS integrity Key (K NASint ).


The TAU Request message is sent through an UL Information Transfer message from UE to eNB (as RRC message), and then through an Uplink NAS Transport (NAS-PDU (TAU Request), ECGI, TAI) message from eNB to MME (as S1AP message). The Uplink NAS Transport message, including the TAU Request message and the current cell’s ECGI and TAI, is forwarded to MME.


As the NAS security context has already been established between the UE and MME, the TAU Request

message that the UE sends is integrity-protected with the NAS integrity key (K NASint ).

If the MME’s integrity check on the received TAU Request message fails, the MME performs user authentication and NAS security setup procedures.



3. [MME] TA Update: Allocating New TAs:


Because the UE has moved to a TA that it is not registered to, the MME selects a group of TAs to allocate and configures a new TAI list for the UE. At this time, a new Globally Unique Temporary Identifier (GUTI) may also be allocated.



4. [MME→UE] TAU Accept:

The MME sends the newly selected TAs (and GUTI if applicable), as included in a TAU Accept (GUTI, TAI List) message. This message, after being encrypted and integrity-protected, is sent through a Downlink NAS Transport message from MME to eNB (as S1AP message), and then through a DL Information Transfer message from eNB to UE (as RRC message).



4) [UE → MME] TAU Complete

If a new GUTI was allocated, the UE sends the MME a TAU Complete message to acknowledge the

receipt of the new GUTI. Once the TAU procedure is completed, the UE, now with the new TAI list (and GUTI if applicable), can be served through eNB5.







Case B: TAU during Handover while it is in Idle state:


Example: Same as above, but assuming the UE was in idle state


1. RRC connection establishment:

Steps are also same as above, but first the UE establishes an RRC connection with the eNB, and sends the message, thereby transiting from Idle state (EMM-Registered, ECM-Idle, RRC-Idle) to Connected state (EMM-Registered, ECM-Connected, RRC-Connected).



2. [MME, S-GW, P-GW, PCRF] EPS Bearer/Session Modification:

As the UE’s location is changed, the MME informs the S-GW of such change by sending a Modify Bearer Request message. If MME is required to report any TA change to PCRF, as set in the Change Report Action parameters received from PCRF when the UE established the EPS session after initial attach, a session modification procedure is performed, reporting the TA change to PCRF accordingly.



3. [MME → UE] TAU Accept:

The MME sends the UE a new TAI list (and GUTI if applicable) through a TAU Accept (GUTI, TAI List) message. At this time, the message includes the same information as listed above, and is

sent integrity-protected and encrypted.


4. [UE, eNB, MME] Transiting to Idle State:

After the TAU procedure is completed, the MME releases the S1 connection, thereby releasing the S1 signaling connection between eNB5 and MME. Then, eNB5 releases the RRC connection established with the UE. Now, the ECM connection between the UE and MME is removed, and the UE turns to Idle state (EMM-Registered, ECM-Idle, RRC-Idle), back from Connected state (EMM-Registered, ECM-Connected, RRC-Connected).


5) [UE] Camping on Cell 13:

Once back to Idle state, the UE camps on Cell 13. Now with the new TAI list, it wakes up at the end of

every DRX cycle and measures the signal of Cell 13 (RSRP, RSRQ).

[Reference Signals Received Power (RSRP) and Reference Signal Received Quality (RSRQ) are key measures of signal level and quality for modern LTE networks.]



Mindbox