Femto Search and Rejects

3G femtocells are an interesting topic but I haven't had much time yet to take a look at the details of how mobility management works in practice. There's lots of activity in 3GPP to standardize mobility management around femtocells (or Home NodeBs, as they are called there) in Release 8 and beyond. However, there are already femtos on the market today and they have to work together with pre-Release 8 mobiles. So I've had two fundamental questions: How can mobiles find the femtos when they are on the 3G macro layer, and how does the femto get rid of users who do not belong to the subscriber group, i.e. everyone except the owner and his/her family and friends?

Then this book, "Femtocells – Technologies and Deployment" by Jie Zhan and Guillaume de la Roche came my way. I haven't had time yet to go through it in detail but it looks highly interesting and informative and I could answer my questions with it within minutes:

Cell-Reselection to a Femto: For a mobile to make a cell reselection to another 3G cell, that cell needs to be part of the neighbor cell list of the current cell. As there could be many femtos inside one macro network and provisioning them automatically might not be a straightforward approach, one option is to select a couple of Primary Scrambling Codes (PSCs) and declare them as neighbors in every macrocell, or at least in those macrocells in which femtos are located. This works even if there are many femtos inside the coverage area of a macrocell, as not all of the femtos are overlapping and hence the PSCs can be reused. If the femtos scan their surroundings when they start up, they can help to avoid the PSC overlapping issue.

How to get rid of non-femto subscribers: The femto deployments I have heard of so far are closed-subscriber-group femtos, i.e. only registered people have access. But since today's mobiles know nothing of femtos, how can you ensure that only those remain in the cell that are supposed to be there? The book gives this as one of the potential solutions: For the femtos a certain range of location area codes (LACs) is reserved. If a non-femto subscriber mobile finds the cell and tries to perform a location update, it gets a location update reject with cause code #15 (no suitable cells in location area). The mobile then goes back to the macro layer and puts the LAC in the forbidden LAC list on the SIM. The 3GPP UMTS RRC spec says it's only removed when the mobile is switched off or after a significant amount of time has passed (12-24h). A bit of a disadvantage here: If the user of femto-A passes femto-B during the course of a day, the mobile will try to register with femto-B and will be rejected. In case the LAC was the same as that of femto-A, the mobile will not try to reselect to femto-A until the forbidden LAC list is cleared. In other words, the user comes home and the mobile will not use the femto.
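The femto-A / femto-B scenario above as a small simulation. This is an added example, not taken from the book or the original post; the class names, IMSIs and LAC values are constructed, and only the switch-off path for clearing the forbidden list is modelled.

```python
REJECT_CAUSE_15 = 15  # "no suitable cells in location area"


class Femto:
    def __init__(self, name, lac, allowed_imsis):
        self.name, self.lac, self.allowed = name, lac, set(allowed_imsis)

    def location_update(self, imsi):
        """Accept closed-subscriber-group members, reject everyone else with #15."""
        return "accept" if imsi in self.allowed else REJECT_CAUSE_15


class Mobile:
    def __init__(self, imsi):
        self.imsi = imsi
        self.forbidden_lacs = set()
        self.serving = "macro"

    def see_cell(self, femto):
        """Try to reselect to a femto whose PSC is in the neighbor list."""
        if femto.lac in self.forbidden_lacs:
            return "skipped (LAC forbidden)"  # no location update is even attempted
        if femto.location_update(self.imsi) == REJECT_CAUSE_15:
            self.forbidden_lacs.add(femto.lac)  # remembered until cleared
            self.serving = "macro"
            return "rejected #15"
        self.serving = femto.name
        return "camped"

    def power_cycle(self):
        """Switching the mobile off clears the forbidden LAC list."""
        self.forbidden_lacs.clear()
        self.serving = "macro"


def day_trip(lac_a, lac_b, imsi="001010000000001"):
    """Pass somebody else's femto-B during the day, then come home to femto-A."""
    femto_a = Femto("femto-A", lac_a, {imsi})
    femto_b = Femto("femto-B", lac_b, {"001010000000002"})
    mobile = Mobile(imsi)
    events = [mobile.see_cell(femto_b), mobile.see_cell(femto_a)]
    mobile.power_cycle()
    events.append(mobile.see_cell(femto_a))
    return events


if __name__ == "__main__":
    print("same LAC:     ", day_trip(0xFF01, 0xFF01))
    print("different LAC:", day_trip(0xFF01, 0xFF02))
```

With both femtos in the same LAC, the owner's mobile skips its own femto until the list is cleared; with different LACs out of the reserved range it camps on femto-A right away.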

Agreed, there's much, much more to the topic; those were just my two most burning questions concerning femtos.

What’s Your Experience With OperaMini on the iPhone?

Looks like Apple has decided to let OperaMini into their AppStore and within just a couple of days it has become hugely successful according to Engadget here. Being a long-time user of OperaMini and knowing about its strengths and advantages in bandwidth-constrained and high-outage environments when moving in trains, cars, etc., I can imagine why everybody seems to rush to it. But not having an iPhone myself, I'd be interested to hear what your experiences are if you have tried it!

Dealing With Limited Uplink Power

Here's a little comparison of how UMTS and LTE deal with limited uplink power of mobile devices, which I think is quite interesting:

When uplink power for a UMTS E-DCH (HSUPA) transmission reaches a maximum, the number of simultaneously used codes can be reduced, a more conservative coding can be employed for additional redundancy and the modulation order can also be changed.

In LTE, modulation and coding can also be changed as needed. And in addition, there's a third parameter: LTE uses an OFDM air interface, or to be more precise, SC-FDMA in the uplink direction. In other words, many subcarriers are used for the data transmission, which are grouped into consecutive Resource Blocks (RBs) in case of uplink transmissions. When the mobile device reaches its maximum power level and the network detects this, it can reduce the number of RBs assigned in the uplink direction. This way the mobile can concentrate its power on fewer RBs and hence it has more power available on the narrower channel it now uses. From a network point of view this is much better than leaving the number of RBs as they are and reducing modulation and coding, as the RBs that are removed can be assigned to other devices also requesting resources in the uplink direction. For details see the power control section in this excellent book.

More Wi-Fi VPN Options

For those of you who use public Wi-Fi hotspots now and then and are a bit worried after my previous post on cookie theft, there are several VPN options that protect you from eavesdroppers. In this post I talked about installing a PPTP server on your Windows machine at home to redirect all your traffic via your home network while you are away. That's not everybody's cup of tea, however, as you need a DSL or cable connection with a fast uplink and a PC running all the time. So for those of you looking for an alternative on the net, here are two:

Both offer a number of different options ranging from PPTP, which Windows already has a client for, up to a full OpenVPN SSL setup with certificates and all the bells and whistles you can imagine. Both VPN offers also work with Linux, and the OpenVPN configuration, especially with Ubuntu (I tried with Jaunty), is quite straightforward.

Both VPNs are not free but if you compare the power cost over a year if you leave an extra machine running at home, the extra cost for the external VPN might just be negligible.

Observe the German Spectrum Auction in Near-Real Time

A quick one today: For all of you interested in the German spectrum auction going on these days for 800, 1800, 2100 and 2600 MHz spectrum, the Bundesnetzagentur has a web page which is updated after each bidding round. For each 90-minute round it shows the highest bidder for each block. Today was day one and the current total price is €116 million.

The LTE Band Challenge

With LTE, including a reasonable number of different frequency bands in a mobile device, not only for LTE but also for GSM and UMTS, is once again getting trickier. Here's how I see things from a historical point of view and where I think we are heading:

Once upon a time the wireless frequency landscape was quite simple. When GSM started in Europe, there was only a single frequency band in the 900 MHz range which all network operators used. Sure, there was the legacy analog network in the 450 MHz band but nobody seriously thought about working on dual mode devices. GSM or bust! Things got a bit more complicated when the second band in the 1800 MHz range was opened for GSM at the end of the 90's, but it didn't take device manufacturers long to come up with dual mode devices. In the US things were pretty similar but the remainder of this post continues with a European point of view.

Since then, things have gotten much more complicated. With UMTS, things started well for some time with 2100 MHz being 'the' 3G band around the world, except for the US. In the US, UMTS and GSM are used in the 850 and 1900 MHz ranges and these days also on the 1700/2100 MHz band combination. In Europe in the meantime, UMTS in the 900 MHz band has also taken off in some countries. I guess this was the point where the number of bands used around the world and the number of bands supported in a single mobile device really started to diverge. Today, the state of the art from a European point of view is the following combination:

  • Quad band GSM support (850, 900, 1800 and 1900 MHz)
  • UMTS tri-band (2100, 900 and one of the US bands)

And now with LTE just around the corner things are about to get even more complicated. Here are the bands where I think LTE will see the light of day in the next two to three years:

  • In Europe LTE will likely start on 2600 MHz and potentially also on 1800 MHz and 2100 MHz
  • And then there's the digital dividend band in the 800 MHz range which is likely to be used in some countries to bring broadband connectivity with LTE to rural areas.
  • In Japan, LTE will be used on 2100 MHz with an additional band likely to follow.
  • In the US, the situation is even more divergent. Each network operator seems to have its own band. Verizon uses a 10 MHz block in the 700 MHz range and another operator has another block in the same range but with exchanged uplink/downlink assignments. Some operators might launch LTE in the 1700/2100 MHz band combination and there are speculations of a satellite backhaul based LTE network with its own frequency range. Finally, there are rumors of Clearwire jumping from WiMAX to LTE in the 2600 MHz band but with TD-LTE.

From my point of view, this frequency diversity is far from ideal for everyone involved. For users it's an issue as global roaming capabilities of devices will get worse and worse. Also, especially in the US, it will be difficult for users to switch between networks by changing SIM cards and subscriptions while keeping the device. For network operators and device manufacturers it's also far from ideal as some will have trouble getting good devices as volumes are just too low to reach good prices. There might be multi-frequency LTE devices tailored for the US market but since almost every operator uses different legacy network technologies and frequency ranges the potential band and technology combinations for GSM, CDMA, UMTS and LTE are huge.

So what's the way out of this? To me it looks like it's in the hands of device manufacturers, as the number of frequency bands will not shrink anytime soon. The question is whether the ever growing number of bands and backwards compatibility combinations will change the device design:

  • Is it physically possible today to support so many bands? Software defined radios have been discussed for many years but as far as I know antennas and filters cannot so easily be adapted to different frequency ranges with software only.
  • Or could the radio part of the device in the future be built in a way that it can easily be interchanged?
  • How about exchangeable radio modules? With this approach I would in the future select a SIM, a mobile device and an RF module and maybe one or two extra for international roaming? Or will we just have to live with the situation as it grows worse?
  • And then, there's still Wi-Fi which, at least so far, can be used universally around the world. Most smartphones today have Wi-Fi built in, but there's no ubiquitous coverage and logging into foreign Wi-Fi networks automatically is still a dream.

As things are I don't see a good solution yet. As always, comments are welcome!

Full Web Browsing in the Metro – No Thanks

iPhone and Android users are very outspoken about the nice full web browsing experience on their devices. That is, until they step into the Paris metro and then try to do anything meaningful with their device. With 'only' EDGE available and the network being quite busy most of the time anyway, you can't get more than a couple of kbit/s out of the line. That's nowhere near sufficient to download full web pages in any reasonable amount of time.

Now there is an obvious solution to the problem and that is to put UMTS into the metro as well, but I don't expect to see that anytime soon. In the meantime, I am happily surfing away with my OperaMini and network side compression while the full-web guys give up after a couple of minutes and tuck away their device. At least the people using Android could put Opera Mini on their device to help out, if they are aware of it.

Wi-Fi Hotspots and Cookies

As many of you know, though the general public is probably not really aware of it, Wi-Fi hotspots are not encrypted and hence the data transmitted can be read by anyone nearby with just a bit of knowledge and no special equipment. But how much is actually possible and how easy is it to do?

First, here are some things which are not problematic:

  • Most hotspots I have encountered in the past encrypt the authentication and payment pages so an attacker can't steal credit card information. One has to look closely though at the URL of the landing page and ensure that the connection is really encrypted (URL marked in green or blue on the left side in Firefox)
  • Online shopping: I've tested Amazon which by default does not encrypt pages until the time you click on the checkout button. Attackers can therefore see what you are looking for on Amazon but the payment process itself is encrypted.
  • Online banking: All online banking pages I use are fully encrypted, so attackers can only see which banks I am using but not what I am doing there.

And now some things which require special attention:

  • POP and SMTP for e-mail: The default configuration of most e-mail programs is not to use encryption. While over a properly secured Wi-Fi network at home this is not really an issue, an attacker in a public Wi-Fi hotspot can easily intercept user names and passwords. Switching on encryption is not difficult in most e-mail programs but one has to be aware of it and actually do it.
  • Of particular interest for me are blogging systems, as I use one of them myself for this blog. Some of them do not use https for the editing process and use cookies to identify the session. When the pages are not encrypted and an open Wi-Fi hotspot is used, the cookies can be easily intercepted and misused. At home in my own encrypted Wi-Fi network (for which I obviously have the key and where it is legal to experiment) I ran a proof of concept: First, I intercepted the http request for the blog editor web page with Wireshark, copied the cookies and imported them into Firefox on a second computer. Then, I requested the same page on the second computer and could easily access the blogging front end. The damage that can be done this way is limited, as a password change requires knowledge of the old password, so an attacker can't lock out the owner of the blog. And as soon as the logout button is pressed, the session is closed for the owner and the attacker. Better than nothing but still way too insecure for my purposes.
  • I tried the same with my Facebook account at home and after transferring the cookies, the session was usable from both computers as long as the logout button was not pressed. But who presses the logout button? Other web applications, such as Flickr for example, also use non-encrypted http, so I expect things to be the same.

So there isn't really a way around a VPN tunnel such as this one if you want to securely connect over a public Wi-Fi hotspot.
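From the site operator's side, the session reuse described above is possible because the session cookie is issued without the Secure attribute and the editor pages are served over plain http. The following audit of response headers is an added example, not part of the original post; the URLs, cookie names and header values are constructed, and the name-based session heuristic is an assumption.

```python
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")  # heuristic, an assumption


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, set of lowercased attribute names)."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_response(url, headers):
    """Return findings for one response; headers is a list of (name, value) pairs."""
    findings = []
    over_tls = url.lower().startswith("https://")
    if not over_tls:
        findings.append("page served over plain http: cookies in the request are readable on an open hotspot")
    has_hsts = any(h.lower() == "strict-transport-security" for h, _ in headers)
    if over_tls and not has_hsts:
        findings.append("no Strict-Transport-Security: a first request may still go out over http")
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        is_session = any(hint in name.lower() for hint in SESSION_HINTS)
        if "secure" not in attrs:
            severity = "HIGH" if is_session else "low"
            findings.append(f"[{severity}] cookie '{name}' lacks Secure: the browser will also send it over http")
        if is_session and "httponly" not in attrs:
            findings.append(f"[medium] cookie '{name}' lacks HttpOnly")
    return findings


# Constructed responses: a blog editor as described in the post, and a hardened one.
BLOG_EDITOR = ("http://blog.example/editor", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "blog_session=constructed123; Path=/"),
])
HARDENED = ("https://blog.example/editor", [
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "blog_session=constructed123; Path=/; Secure; HttpOnly; SameSite=Lax"),
])

if __name__ == "__main__":
    for url, headers in (BLOG_EDITOR, HARDENED):
        print(url)
        for finding in audit_response(url, headers) or ["ok: no findings"]:
            print("   " + finding)
```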

HSDPA Indicator

When HSDPA was first specified, it was unfortunately forgotten to put an indicator somewhere on the broadcast channel so a mobile could distinguish a 3G network from a 3.5G HSDPA network and show something to the user. It was added in a later release of the standard but I haven't seen a device yet that would do something with the information or networks that would actually broadcast it. Turns out that quite a few networks have this turned on by now and some phones, for example the Nokia N72, display "3.5G" instead of 3G permanently and not only while an HSDPA data transfer is ongoing. How nice, but it's too late now. Some network operators use HSDPA now but have chosen not to activate the indication; hence, the E72 still shows 3G despite the network being HSDPA capable.