Direct Tunnel – GPRS Core Network Streamlining

While work is ongoing on 3GPP LTE (Long Term Evolution) and SAE (System Architecture Evolution), current 3G networks continue to be enhanced as well. Since the 3G air interface is in the process continues to evolve with HSPA (High Speed Packet Access) it was felt in the standards groups that the 3G core network should be streamlined to handle the increasing network traffic more efficiently.

One part of the network in particular has been waiting for optimization for quite some time. In today’s 3G packet core architecture the SGSN (Serving GPRS Support Node) which is the gateway between the radio network and the core network handles both signaling traffic (e.g. to keep track of a users location) and the actual data packets exchanged between the user and the Internet. Since the users location can change at any time, data packets are tunneled (encapsulated) from the gateway to the Internet (The Gateway GPRS Support Node, GGSN) via the SGSN over the radio network to the mobile device. The current architecture uses a tunnel between the GGSN and the SGSN and another one between the SGSN and the Radio Network Controller (RNC). All data packets thus have to pass the SGSN which has to terminate one tunnel, extract the packet and put it into another tunnel. This requires both time and processing power.

Since both the RNC and the GGSN are IP routers this process is not really required in most circumstances. The one tunnel approach now standardized in 3GPP thus foresees that the SGSN can create a direct tunnel between the RNC and the GGSN and thus remove itself from the chain. Mobility Management remains on the SGSN, however, which means for example that it continues to be responsible to modify the tunnel in case the mobile device is moved to an area served by another RNC.

The approach does not work for international roaming since the SGSN has to be in the loop in order to count the traffic for inter-operator billing purposes. Another case where the one tunnel option can not be used is in case the SGSN is asked for example by a prepaid system to count the traffic flow. A small limitation since in practice it’s also possible to connect such a system to the GGSN (via Diameter).

For the details have a look at the following documents:

  • Direct Tunnel 3GPP Work Item Description SP-060142_S2-060545
  • The TR (Technical Recommendation) describing the overall design and impact on existing functionalities: TR 23.809
  • The Change Request (CR) for 3GPP TS 23.060
  • And the latest version of the ‘GPRS Service Description;  Stage 2’ which contains the enhancements. TS 23.060 7.4.0

The Downside for Verizon of picking LTE

It’s been THE news of the week for the wireless industry that Verizon has selected to go for LTE as their next generation network rather than UMB, the successor technology of their current CDMA1x EvDO network. I put down my initial thoughts on the deal here. In the meantime there are two additional important points which came to my mind: Multimode terminals and backwards compatibility!

UMTS operators that are upgrading to LTE will have a smooth migration path especially since mobile devices are likely to be GSM/UMTS/HSDPA/LTE compatible. LTE makes this especially easy since the air interface has been designed to be able reuse oscillators etc. from HSDPA. Also the software stack on higher layers will probably be partly reusable as I expect that high level (NAS) signaling will be similar.

CDMA operators such as Verizon will have a much more difficult story to tell their subscribers. I kind of doubt that there will be CDMA/LTE mobile devices since there won’t be many operators taking this path. Also from the core network point of view LTE won’t be able to interconnect with a CDMA network as easily as with a UMTS network. For UMTS, the LTE specification already contains all information of how to do handovers back and forth between the two worlds.

A small comfort for Verizon: Sprint will have a similar experience moving from CDMA to WiMAX…

Mobile Web 2.0 Ressources

It’s good to see that not only wireless network technology is advancing but also the applications space. Rudy de Waele over from m-trends recently gave a great presentation at the Mobile Web 2.0 conference in London about the Mobile 2.0 Start-Up Ecosystem which is now available online. A great presentation if you are interested in the latest Mobile Web 2.0 developments from a technical perspective and also to find out who gets bought by whom and who gets money from whom.

If you are new to Mobile Web 2.0 or wonder what the difference is to Web 2.0 here is some further background material:

Verizon and LTE: All Over IP Is Shaking Up The Wireless World

Recent reports (here and here) that Verizon has chosen LTE as a successor technology of its current CDMA 1xEVDO Rev A. instead of UMB is likely to be a big blow for Qualcom and the CDMA industry as a whole. While the other big CDMA network operator Sprint has decided to go for WiMAX and a lot of global CDMA operators have already jumped ship and went to UMTS/HSDPA, Verizon is the latest addition to the list.

UMB, LTE and WiMAX are all ‘IP only’ technologies that strictly separate the wireless network from the applications running above. This is not only beneficial for users (as discussed here) but also allows network operators to jump ship when going to the next technology. Just as in the case of Verizon and Sprint. No UMTS operators have so far shown their interest to do the same, except for the threats of Vodafone that the LTE timeline is too slow for them and that they are looking what WiMAX can do for them. Might the tight integration of LTE into the already existing 2G/3G GSM/UMTS ecosystem keep operators at bay?

So while UMB is not dead yet, the hill they have to climb just got a lot steeper.

More Wifi Layer 1 Tracing with Wi-Spy

Last week I reported on my new Wi-Spy analyzer that has gripped my imagination and is since scanning the ISM band used by Wifi, Bluetooth and other radio systems wherever I go. Today I’ve got a couple of additional traces which I think are spectacular enough to show around.

A3_mkdrf_with_file_transfer_topo_on
The first picture on the left shows how the ISM band looks like in my neighborhood. There’s one Access Point broadcasting away on channel 1. On channel 2 there are another two access points and probably a third one which is farther away and thus it’s amplitude is much lower than those of the other two. My own access point operates on channel 11 and sent a lot of data to my notebook when the trace was taken. Hence the access point emissions are shown in red. The notebook doesn’t send a lot of data but has a higher amplitude since the antenna is closer to the Wi-Spy probe. Since there is a notebook with an ‘old’ 802.11b network card in the network both the access point and my notebook send ‘Clear To Send’ packets with direct spread (DSSS) modulation. This shows quite nicely in the trace with the two side lobes to the left and right of the high main arch produced by the receiving notebook. The data packets itself are sent with 802.11g OFDM modulation which produces a much flatter main arch. The red space in the trace is actually a mixture of DSSS and OFDM modulation. Look closer and you will also see an access point transmitting on channel 9.

A6_hung_belkin_wlan_card_narrow_int
The second image on the left shows what happens when a Wifi card runs wild. Before I ran the test I remembered that I had a broken 802.11g network card which used to always work quite well for a couple of minutes before loosing the network. As can be seen in the figure, loosing the network actually means going completely wild. It looks like it completely looses modulation and after a short stint in the original band where it used to send and receive it moves down the bottom of the ISM band with the two main archs at 2410 and 2420 MHz. The peaks on the side are probably the side lobes. Looks like the wifi card is blasting away on full power throughout the band and I am sure it wracks havoc on any transmissions within reach… Looks like the wifi card is ready for the scrap yard.

So much for today. For more traces take a look at my previous entry, at the trace library over at Metageek either here or here.

A Question For a Wifi Ueber-Geek

I like when things work but I get a strange feeling it if I can’t explain why. Here’s a scenario that works perfectly well but I can’t figure out why. Maybe a Wifi Ueber-Geek can help:

I’ve used a Linksys WRT54 access point configured to AP client mode (bridged) to connect to a Siemens Wifi Access Point. Connected to the WRT54 are two notebooks, each via one Ethernet port. When the cable is plugged in both were assigned an IP address by the DHCP server running on the Siemens AP (192.168.40.20 and 192.168.40.73). Both can communicate with the Internet over the single wireless link just fine. What I wanted to test with this scenario was how the Ethernet MAC addresses of the two notebooks and the WRT54 access point are used on the wireless link.

To my great surprise the Siemens AP always uses the Ethernet MAC address of the WRT54 when packets are sent to one of the notebooks. But how does the WRT54 then know which notebook (which Ethernet port) it should deliver it to? On the notebook the incoming packet contains its MAC address. This means that the WRT54 must have changed the MAC address in the destination field. But why does it do that and how can it know which MAC address to use? I am thoroughly confused.

I’ve documented the result in the two pictures below. The first picture shows how the packet looks like when its received on the WRT54. The destination address in the 802.11 header is the WRT54 (Cisco-Li…, traced with Kismet on the WRT54). The same packet on the notebook (traced with Wireshark) suddenly contains the notebooks MAC address in the destination field of the of the Ethernet II header (Uniwil…). It’s not IP routing since the notebooks and the Siemens AP behind the wireless link are all in
the same subnet. It’s also not Layer 2 bridging since the MAC address
changes.

Does anyone have an explanation for this?

Wifi1b
Wifi2b


More Internet on Train: Thalys Starts Pilot Service

A number of train operating companies have started to offer Wifi Internet access in some of their trains over the past year or two like for example in the U.K. or in Germany. Now Thalys, a private train company that links Paris with Brussels and Cologne has started their pilot service for Wifi Internet access on trains. From train to ground data is transmitted via Satellite, UMTS and GPRS. Another company that has understood how to make people take the train instead of the car or plane. Hopefully an example that spreads.

Probing Layer 1 Wifi and Bluetooth with Metageek’s Wi-Spy

Wispy24x_in_actionpng
Seeing is believing. Be it by reading standards or by using tools and analyzers to get hands on experience on how wireless networks operate is what drives my professional interests and this blog. When it comes to the physical layer, i.e. the radio transmissions, tools are scarce, at least those that are affordable. Recently, however, I stumbled over a great tool called Wi-Spy from Metageek which has opened the door to Layer 1 of the 2.4GHz ISM band for me. This is the frequency band in which Wifi, Bluetooth and a couple of other wireless systems operate.

Metageek was nice enough to send me one of their advanced probes which sell for $399.-. Compared to other spectrum analyzers it’s almost a free ride. Since then I’ve used the probe day and night and have gathered hundreds of megabytes worth of data. I am absolutely fascinated and have learnt a great deal of how Wifi and Bluetooth behave, interact and interfere on the ISM band. Good to have a blog so I can share some of the results.

B1_clean_environment
The first picture on the left shows two of the three graphs the Chanalyzer software creates in real time out of the data gathered by Wi-Spy. The upper diagram is a waterfall diagram that shows the frequency range on the x-axis and time on the y-axis. Activity on a certain frequency and intensity is drawn in different colors ranging from blue (low to nothing) to red (high signal strength). As can be seen on the y-axis, the graph shows the activity of the past 60 minutes. The lower diagram in the picture shows the amplitudes reached on the frequency band. The color indicates how often a signal was registered. Not much can be seen in the first picture except for the slight increase in activity between channel 3 and 4. As such this radio environment is a dream for deploying a new wireless LAN access point.

B2_idle_networks
Things start to get much more interesting in picture 2 which uses the same scales and settings as in the first example. This trace, however, was taken at a place were 6 wireless LAN access points operate in parallel. Due to the long recording time of 60 minutes it becomes clear that three different wireless LAN devices operate on channel 6. They can be distinguished because each has a is received with a different signal strength by the probe which means that they are at different locations or have a different output power. My own access point operates on channel 11. During the recording time of 60 minutes all access points including mine were mostly in idle mode. The graph also shows that there is another access point on channel 1 and a further one on channel 9. Channel 9 is a most unfortunate choice since it overlaps and thus interferes with all access points on channel 6 and also with my access point on channel 11.

B4_overlap
In the next picture I have zoomed on the topographic chart and have activated markers that show where the three possible non overlapping channels in the ISM band begin and end. I’d love to show this picture to the guy who owns the access point transmitting on channel 9 which tramples over the ones on the left and right of it. The impact such a partial and full overlapping has on performance will be discussed in a future blog entry.

B3_congested_environment
The the last picture on the left shows the pretty congested radio environment in my Paris apartment. My own access point in this case is on channel 1 and I’ve done some file downloading over a 10 MBit/s ADSL2+ Internet connection at 40 minutes in the trace and a pretty long one between around 5 and 20 minutes in the trace. The traces shows my access point which is received at around -70dbm and the wifi transmissions of my notebook which are received at around -45 dbm (as the antenna is very close to the Wi-Spy probe). As I mostly downloaded information the Wifi signal of the access point is plotted in a lighter color (more activity) than the notebook. Also note the very active Wireless LAN on channel 11.

Since the Chanalyzer can be used to record and playback I saw that this network keeps transmitting 24h a day. The same applies for the wireless LAN access point on channel 3. Most likely these are two of the access points by French DSL provider Free. Their version 5 access point uses MIMO techniques to stream TV signals over Wifi to a set top box on the TV. This theory is supported by the SSIDs these networks broadcast. To make the partial overlaps complete there is another access point on channel 5. All signals by the way are strong enough to be easily received and decoded by my notebook so these signals are far more than faint background noise.

So much for this first part on Layer 1 Wifi tracing. In the next parts I will cover scenarios such as throughput measurements in partly and fully overlapping Wifi networks, how I detected a faulty Wifi card, how Bluetooth interferes with Wifi downloads and how it looks like when a microwave oven ruins your live TV signal streaming.

In the meantime if you want to check things out for yourself head over to the Metageek homepage where you can download the Chanalyzer software and some traces to start your own experiments. In case you think about buying and live in Europe, here’s a link to the list of national resellers.

The Mobile Internet and Event Reporting in Italy

I’ve been in Rome recently and over the weekend attended one of the V-Day manifestations with a friend for more direct democracy in Italy initiated by Beppe Grillo. I mention this on my technical blog as I was very happy to see a couple of organizations reporting from the event which used a 3.5G network to broadcast their stories in real time via the Internet and radio.

Tv_roma
The first picture on the left shows two guys of TheBlogTV interviewing people at the event. The guy on the left operates the camera while the guy on the right with the Mac (!) controls the software which sends the live video stream with the USB data card that hangs down from the notebook on the left to the Internet (recognize the Huawei logo?). I know there are already integrated mobile phone solutions available that do the same thing but this way the quality is probably better (at least for now).

Radio_roma
The second picture shows the transmission equipment of Radiololgiata which transmits both on FM (96.6) and on the Internet. I didn’t talk to them personally as they were quite busy but I am sure the N70 connected to the equipment via the USB cable was NOT used for sending SMS messages 🙂

Great examples of how the mobile Internet revolutionizes event reporting and allows anyone to broadcast to a large audience in real time, in good quality (think HSUPA with 500+ kbit/s bandwidth) and with little cost for equipment. I modestly contributed to the reporting and uploaded some pictures to flickr in real time.