9.6 UMTS Interfaces

9.6 UMTS Interfaces

The UMTS open interfaces that are important to understand from an IP networking and services perspective are Iu (Cs and Ps), Iub, and Iur.

9.6.1 Iu Interface

The Iu interface connects the UTRAN/GERAN radio network to the core network. Iu is further subdivided as follows :

  • IuC: This is the Iu interface that connects the radio network to the circuit switched core network. The CS core network essentially consists of the MSCs, HLR, VLR, AuC, and EIR functions.

  • IuP: This interface connectes the radio network to the packet core network that comprises the SGSN and GGSN.

The Iu interface has a control plane and a user plane component associated with it. ATM is the link-layer protocol that Iu is currently specified over. However, the Iu interface could be run over IP in the near future.

The IuCs and IuPs control plane consists of radio access network application protocol (RANAP), which is run on top of SS7. AAL5 is the adaptation layer used in the control plane. The IuCs user plane resides directly over AAL2. Since voice is the primary service provided over the IuCs interface, AAL2 has been selected as the adaptation layer for IuCs. GTP-U (GPRS Tunneling Protocol ”User Plane) over UDP/IP/AAL5 is the user plane for IuPs. The protocol stacks for Iu are shown in Figure 9-4.

Figure 9-4. Control and user plane stacks for Iu.


RANAP is the signaling protocol whose functionality includes the following:

  • Radio access bearer (RAB) management: Includes setup, teardown , and modification.

  • Relocation: This deals with SRNS relocation and hard handoffs.

  • Paging: Used to page an idle mobile for a mobile- terminated session.

  • Information broadcast: Used to broadcast system information over a specified area in a repetitive manner.

The user plane protocol in the case of IuCs is the frame protocol. For IuPs, if the payload is of type IP, it is carried via GTP-U.

9.6.2 Iub

The Iub interface connects the Node Bs to the RNC. The Iub interface consists of a control plane and a user plane. Again ATM is used as the underlying protocol for the Iub interaface. The control plane of the Iub interface is called NBAP (Node B application part). NBAP is further divided into common NBAP and dedicated NBAP depending on the signaling link used. The user plane Iub protocol is defined via the frame protocol. It defines the structures of the frames and inband control procedures for every type of transport channel.

9.6.3 Iur

The Iur interface is defined for inter-RNC communication. The control plane protocol is refered to as RNSAP (radio network system application part). RNSAP operates over SS7, which is carried over an AAL5-based ATM interface. The user plane consists of the the frame protocol. Two user plane protocols are defined, namely the dedicated channel (DCH) frame protocol and the common channel (CCH) frame protocol. The user plane is carried directly over AAL2. The interface was originally intended to support inter-RNC soft handovers. However, with the development of this interface, new functionality has been added, including support for basic inter-RNC mobility, support for dedicated and common channel traffic, and support for global resource management.

9.7 Protocol Architecture

The UMTS architecture splits the protocols across the user plane and the control plane for both the UTRAN/GERAN and the CN. The protocol model can be viewed as a multi-layered architecture. Three layers that can be differentiated are:

  • Transport Network Layer

  • Radio Network Layer

  • System Network Layer

The transport network is responsible for providing a general purpose transport for all UMTS network elements. The radio network protocols allow interworking between the Mobile station and core network on all aspects related to the radio access bearer. The system network layer enables the setup of tunnels/PDP contexts and performs mobility management- related functions, authentication, and data delivery.

9.7.1 User Plane

The user plane of 3G GPRS features few changes from the user plane of the Release 97 GPRS (2.5G GPRS) (Figure 9-5). The 2.5G GPRS protocols in SGSN and BSS are designed by considering the reuse of GSM infrastructure. Therefore, the packet controller unit (PCU) was introduced as a logical element between SGSN and BSS. Because of PCU, 2.5G SGSN performs the link-layer functions of SNDCP and LLC. The user plane for 3G GPRS is designed without this consideration. It consists of carefully designed layered structure providing user plane transfer along with the necessary control procedures, such as flow control and error recovery. Thus, the SGSN doesn't have radio protocol layers (i.e., LLC and SNDCP).

Figure 9-5. User plane protocol architecture.


The PDCP in the RAN provides protocol transparency to the application protocols over the radio interface. So the new protocols can be supported in the future without changing radio interface. This is unlike SNDCP, which also provides IP payload compression. The 3G GPRS provides only IP header compression. The ciphering function of LLC is moved into RLC and MAC. There is one more GTP tunnel between the RAN and SGSN. The SGSN is connected to the RAN using ATM. AAL5 is used for segmenting the IP packet into ATM cells .

The split of radio protocols between RNC and Node B is mentioned for the WCDMA radio interface. There are four types of radio channels: broadcast, control, shared, and dedicated. Node B has radio physical layer and MAC for the broadcast, control, and shared channels. The RNC has PDCP, RLC, and MAC for the dedicated channels.

An IP packet going in the downlink direction is tunneled from the GGSN to the RNC via SGSN using two GTP tunnels. The PDCP in the RNC performs IP header compression and passes the data packet to RLC. The RLC does segmentation of the packet into radio blocks. The RLC in the nontransparent mode may also cipher the data packet. It may also provide an acknowledgment mode for transferring the packet over the air interface. The MAC provides physical channel mapping and priority handling for a data packet.

9.7.2 Signaling Plane

The signaling plane consists of protocols for control and support of the user plane functions. It provides session management (SM) and GPRS mobility management (GMM) for a user along with the short message service (SMS). The SM consists of PDP context activation, modification, and deactivation procedures. The GMM consists of attach, detach, routing area update, and security procedures.

The RANAP layer provides access control and manages GTP connections. It encapsulates and carries SM, GMM, and SMS protocol messages. It also provides mobility management functions such as SRNC relocation. RANAP is carried between RAN and SGSN using SCCP over ATM using signaling bearers . There are two alternatives for the signaling bearer layer. One option is to use a broadband SS7-based signaling bearer. This is realized by using MTP3-B (Message Transfer Part for Layer 3)/SSCF-NNI (Service-Specific Coordination Function ”Network-to-Network Interface)/SSCOP (Service-Specific Connection-Oriented Protocol). The other alternative is to use an IP-based signaling bearer. This is realized by using M3UA (MTP3 ”User Adaptation)/ SCTP (Simple Control Transmission Protocol/IP.

The RRC protocol between MS and the RAN provides setup, modification, and release of radio resources. It also provides mobility management functions such as radio link measurements, handovers, and cell updates. The RLC protocol provides radio link management for the transmission of higher-layer signaling. The MAC provides access control to the MS. The signaling plane across the UMTS network (UTRAN) is shown in Figure 9-6.

Figure 9-6. Signaling plane protocol architecture.


9.7.3 GPRS Tunneling Protocol

GTP is used for both signaling (GTP-c) and data transfer (GTP-u) procedures between the GSNs. It provides a header, which together with the UDP/TCP and IP header identifies the destination GSN and handling of the packet at the destination. A variant of GTP, GTP ', is used for transporting charging information to the charging gateway function (CGF) from GSNs.

The header has been changed from 2.5G GPRS. Instead of flow label, 3G uses TEID to identify a GTP flow. Also, instead of LLC frame number, 3G uses N-PDU number to coordinate the data transmission after the inter-SGSN RA update procedure. A new field, called extension header type, is used to carry extension headers. 3G also has some new flags, as discussed next .

The GTP header is depicted in Figure 9-7. The first 8 bytes are the mandatory part of the GTP header. The rest of the bytes are considered as part of the payload.

Figure 9-7. GTP header fields.


The GTP header contains the following fields:

  • Version indicates different GTP versions; 2.5 G has 0 value and 3G has 1.

  • PT (protocol type) differentiates between a GTP and a GTP ' message.

  • Extension header flag (E) indicates the presence of the next extension header field when it is set to '1'.

  • Sequence number flag (S) indicates the presence of the sequence number field when it is set to '1'.

  • N-PDU number flag (PN) indicates the presence of the N-PDU number field when it is set to '1'. This flag is present only for GTP-U.

  • Message type indicates the type of GTP message. For GTP-c, this contains the unique message type for a signaling message.

  • Length indicates the length in octets of the payload, excluding the mandatory GTP header (first 8 bytes).

  • Tunnel endpoint identifier (TEID) uniquely identifies a tunnel endpoint in the receiving GTP-U or GTP-C protocol entity.

  • Sequence number is used as a transaction identity in GTP-c; in other words, the value is copied from the request message to the response message. In GTP-u, it is used as a sequence number for the PDUs and is only used when the sequence order must be preserved.

  • N-PDU number is used at the inter-SGSN RA update procedure and some intersystem handover procedures (e.g., between 2G and 3G RAN). This field is used to coordinate the data transmission for acknowledged mode of transmission.

Next extension header type indicates the type of extension header that follows this field in the GTP-PDU. There are three types of extension header: PDCP PDU number, suspend request, and suspend response. The PDCP PDU number is used for the SRNC relocation procedure to provide not yet acknowledged sequence numbers of the PDCP PDUs. The suspend request and response headers are used during inter-SGSN handovers for a type of circuit call.

9.7.4 UMTS Mobility Management

Iu mode mobility management (MM) handles the terminal mobility for packet communication just like GMM does for GPRS (see Chapter 8). The mobility management state machines are in the terminal and 3G-SGSN. The states are PMM-DETACHED, PMM-IDLE, and PMM-CONNECTED (3GPP TS 23.060). The main difference from GMM is that PDU transmission and reception are not visible in the state machine. Only signaling events cause transitions in the Iu mode MM. The state machines are depicted in Figure 9-8.

Figure 9-8. UMTS packet session mobility management.


The states relate to terminal mobility management only. They are independent of the PDP contexts and the number of IP addresses allocated to the mobile terminal. In the PMM-DETACHED state the 3G-SGSN does not know the mobile terminal, and incoming IP packets will not reach it. The mobile terminal initiates communication with the GPRS attach procedure and transition to the PMM-CONNECTED state. The serving RNC tracks the mobile location when connected. PS signaling connection release moves the state to PMM-IDLE, where only the routing area of the terminal is known (i.e., less accurate information than in the connected state is available in the 3G-SGSN). The signaling connection can be reestablished after paging the mobile. Transition to the connected state enables packet data transfer again.

UMTS attach and detach procedures are the same as in GPRS and were discussed in Chapter 8. The key differences and improvements are described below.


The UMTS attach procedure moves the MM state to PMM-CONNECTED. In the connected state the mobile station (MS) can activate the PDP contexts. During the attach, MS and the visited network authenticate each other. The network authentication toward MS is an UMTS addition to the GSM authentication. A second improvement over the GPRS procedure is that air interface ciphering takes place in RNC instead of the base station. The third improvement is the signaling integrity protection possibility, which prevents forged control messages between the base station and MS.


Core network mobility is different from radio network mobility. CN mobility is only handled when the mobile is attached and is not RRC connected. Location areas (LAs) are the CS domain mobility management concept inherited from the GSM networks. Routing areas (RAs) are the corresponding PS domain entities. The core network (CN) uses RA in paging. The temporary P-TMSI subscriber identifiers are unique within RA.

Within the radio access network RA is further divided into UTRAN registration areas (URAs). UTRAN initiated paging uses the URA when the terminal signaling channel has been set up (i.e., the terminal is in the RRC-CONNECTED mode). URA is not visible outside UTRAN.

The relationship between the areas is strictly hierarchical, as Figure 9-9 shows (cells are not shown). An LA belongs to one 3G MSC and RA belongs to one 3G SGSN. URA belongs to the RNC. URA and cell-level tracking within UTRAN is done whenever the RRC connection is up. Otherwise, the 3G SGSN is responsible for paging and updating the location information in the RA level.

Figure 9-9. UMTS area concepts (3GPP TS 23.121).



The radio access security architecture of the 3GPP release 99 standard is largely based on the 2G GSM air interface. Advanced encryption algorithms with longer cipher keys, mutual authentication, and signaling integrity protection are the main improvements over GSM. GSM-EDGE radio access network (GERAN) will adopt the 3GPP security features in later standards.

The 3GPP Security Threats and Requirements technical specification (3GPP 21.133) lists the main 3G security concerns, prioritizes the associated risks, and sets the goals for the countermeasures. The following examples present only a minor subset of the identified risks. From a security perspective, there are several other reasons to update GSM/EDGE to the UMTS security architecture (both MAJOR and medium risks of 21.133).


  • Eavesdropping user traffic: Intruders may eavesdrop user traffic on the radio inter face. (MAJOR). The GSM air interface confidentiality algorithm has been criticized for not being evaluated widely enough. Its 64-bit cipher key is sometimes considered too short and vulnerable to brute force attacks against recorded traffic offline.

  • Masquerading as a communications participant: Intruders may masquerade as a network element to intercept user traffic, signaling data or control data on the radio inter face. (MAJOR). In GSM the subscriber authenticates toward the network. A GSM subscriber cannot verify the authenticity of the network elements, e.g. base stations , or the origin of the authentication vectors.


  • It shall be possible to protect the confidentiality of user traffic, particularly on radio inter faces. (T1a, T5a). A strong WCDMA air interface confidentiality algorithm (f8) with a 128-bit confidentiality key (CK) has been publicly evaluated. Doubling the key length makes brute force attacks practically impossible . The public evaluation of the algorithm ensures that any loopholes have been detected before going to commercial releases.

  • It shall be possible for users to be able to verify that serving networks are authorized to offer 3G services on behalf of the user's home environment at the start of, and during, service delivery. 3G networks improve the GSM authentication so that also the visited network authenticates toward the subscriber, preventing masquerading as a network element. The subscriber is able to verify that the authentication challenge originated from the home network (i.e., the HLR); thus the visited network must have a roaming agreement with the home.

9.7.5 Session Management

The mobile node is assigned an IP address that corresponds to the GGSN where the PDP context terminates. The UE is anchored to the GGSN for the duration of a session or more. However, the UE tends to move across Node Bs, RNCs, and SGSNs. Hence delivering packets destined to a UE to the appropriate GGSN is only part of the overall solution of supporting IP mobility. Tunneling technology is used to manage the mobility of the UE. A logical connection for forwarding packets from the GGSN to the RNC via the SGSN is established in advance via the PDP context setup procedure. As the UE moves from one area to another and as a result changes the serving RNC or the SGSN, a new logical connection is created between the GGSN and SGSN and/or between the SGSN and RNC.

UMTS session management (SM) is based on GPRS session management but has been enhanced in many areas. GTP is used as the protocol for managing the mobility within the packet core network. QoS control and logical connection setup methods of 3G GTP are enhanced when compared to the GPRS-based GTP mechanisms. Session management allows a UE to establish a session and terminate a session and also deals with relocation procedures, including tunnel setup and movement.