At first, I thought I was too noob to understand this stuff. I still consider myself a noob, but the way these TSs are written sometimes really gets on my nerves.
Let’s just consider the case of the S1-based handover with MME relocation and SGW relocation and Indirect Tunneling – meaning there is no X2 link between the source and target eNBs. All I can do for the moment is to look at the S11 interface, because this is the one I have the opportunity to study at this point.
So, the 2 TSs involved in this case, at least at the high level are TS 23.401 – which describes the message flows between the SAE entities and TS 29.274 – which describes each message and its IEs.
The S1 based handover with MME/SGW relocation and Indirect Tunneling looks something like this:
In order to make this more human-readable, I have considered the following scenario:
where my UE (UE-1) moves from eNB 18.104.22.168 to eNB 22.214.171.124 (which have an X2 link together) – doing X2 handover (with no MME relocation), then it moves from eNB 126.96.36.199 to eNB 188.8.131.52 (which don’t have an X2 link between them). As you can see from the picture, these 2 eNBs belong to 2 different MMEs and SGWs. This means that, when the UE moves from eNB5 (184.108.40.206) to eNB8(220.127.116.11), it will generate an S1 handover signaling between the source MME – MME1 (18.104.22.168), source SGW – SGW1 (22.214.171.124), target MME – MME4 (126.96.36.199) and target SGW – SGW2 (188.8.131.52). As there is no X2 link between eNB5 and eNB5, the downlink packets coming from the PGW while the UE is in the handover process with reach eNB5, then they will be “reflected” back to SG1, which will then forward them via an “indirect” tunnel to SGW2, which will forward them to the new eNB8, which is in charge of my UE.
The flow is like this (3GPP copy-pasted )
1) So, as this picture states, once the handover is decided, the source MME sends a Forward Relocation Request to the target MME. This message must at least contain the following mandatory IEs, as per TS 29.274:
- Sender’s F-TEID for Control Plane
- MME/SGSN UE EPS PDN Connections
- SGW S11/S4 IP Address and TEID for Control Plane
- MME/SGSN UE MM Context
2) Then the target MME sends a Create Session Request message to the target SGW, including (M == Mandatory):
- IMSI (M)
- RAT Type – here is E-UTRAN (M)
- Sender F-TEID for Control Plane – here it is the IP address of the source MME: 184.108.40.206 + it’s TEID/GRE Key (this “key” is actually a hexadecimal number on 2 bytes) (M)
- APN Name (M)
- Maximum APN Restriction (M)
- LBI – Linked EPS Bearer ID – indicates the default bearer of the connection – the ID of the default bearer, usually this has value 5 (C)
- PGW S5/S8 Address for Control Plane or PMIP – this is the IP address of the PGW: 220.127.116.11 (C)
3) the target SGW replies to the target MME with a Create Session Response message, containing:
- Cause (M)
- Sender F-TEID for Control Plane – this is the IP address of the target SGW: 18.104.22.168 (C)
- APN Restriction (M)
- Bearer Contexts created (M) – this means that all the bearers that have the OK to be created for the UE in question are going to be present here, in a separate group IE; the IEs within a Bearer Context have the following:
— EBI – EPS Bearer ID (M)
— Cause (M)
— S1-U SGW F-TEID – the IP address of the SGW used for user-plane and a TEID/GRE identifier on 2 bytes – this is usually the same identifier used for the initial traffic of this user, _before_ the handover, let’s just call it Key-A – which is the uplink identifier for the user (C)
— Bearer Level QoS – the new QoS parameters, if they have been changed (C)
** Let’s stop for a second a recap. What do I have at this point? I have an UE (UE-1 in the picture) with an IP address (let’s say: 22.214.171.124). It is attached to the eNB 126.96.36.199, having a default bearer in place with the MME 188.8.131.52 (source) and the SGW 184.108.40.206 (source). This default bearer has an uplink identifier TEID, called as above Key-A, which also has a downlink identifier TEID, called Key-1. Let’s say that what travels in uplink has a key made out of letters, and what travels in downlink has keys made out of numbers
Ooook, what’s next. Well, as my UE moves to eNB 220.127.116.11, AND there is no X2 link between eNB5 and eNB8, target MME creates an indirect tunnel for the packets. Once the UE has moved to eNB8, the uplink flows directly from this new eNB, to the new SGW and so on. So, the indirect path is for the downlink packets, more precisely, for THOSE downlink packets that have already been routed by the source SGW to the source eNB (eNB5). eNB5 cannot contact eNB8 directly, so it re-routes these packets back to the source SGW, which will also re-route them via this indirect tunnel to the target SGW – which has direct S1-U connectivity to the target eNB to deliver the packets to my dear UE
How does EPC do that?
4) Target MME (18.104.22.168) sends a Create Indirect Data Forwarding Tunnel Request message to the Target SGW (22.214.171.124), containing all the grouped IEs Bearer Contexts that are to be forwarded this way, this grouped IE being the only Mandatory IE in this message. This Bearer Context IE contains:
— EBI – EPS Bearer ID (M)
— S1-U eNodeB F-TEID for data forwarding – this is the IP address of the target eNB (126.96.36.199) and its associated TEID/GRE key, let’s call it Key -2. This key instructs the target SGW about the destination of the packets for my UE (C)
5) then the Target SGW (188.8.131.52) responds to this message with a Create Indirect Data Forwarding Tunnel Response message. This message has 2 Mandatory IEs: the Cause and the Bearer Contexts grouped IE. This Bearer Context IE has:
— EBI (M)
— Cause (M)
— S1-U SGW F-TEID for data forwarding – this is the IP address of the target SGW and its TEID/GRE identifier – Key-B
6) After this, the target MME sends a Forward Relocation Response message to the source MME, instructing it about the bearers that have been accepted for creation on this indirect path
7) Now, the source MME (184.108.40.206) sends a Create Indirect Data Forwarding Tunnel Request to the source SGW (220.127.116.11), with elements similar to the corresponding message above, except that in this case, the Bearer Context has the TEID/GRE identifiers of the target SGW, contained in the Create Indirect Data Forwarding Tunnel Response from above – Key-B - when source SGW will forward the packets to target SGW, this will be the GRE Identifier used for encapsulating those packets
The source SGW responds with a Create Indirect Data Forwarding Tunnel Response message, same as above, but the TEID/GRE ID is the one of the IP address of the source SGW. This ID shall be used for uplink data on the indirect tunnel from the source eNB to the source SGW. Let’s call this ID Key-3.
*** At this point, we have an indirect tunnel created between the following entities:
source eNB (18.104.22.168) -> source SGW (22.214.171.124) : TEID Key-3
source SGW (126.96.36.199) -> target SGW (188.8.131.52) : TEID Key-B
target SGW (184.108.40.206) -> target eNB (220.127.116.11) : TEID Key-2
At this point, the user traffic is like this:
1: packets already forwarded by the source SGW to the source eNB are “reflected” by this eNB – use the downlink GRE ID established initially, Key-1
2: the reflected packets from source eNB back to source SGW use the GRE negotiated via the messages above: Key-3
3: packets then travel on the tunnel from source to target SGW, via the TEID/GRE ID: Key-B
4: then the target SGW finally forwards the packets down to the target eNB via GRE ID: Key-2
*** During all this complicated process, the uplink is already using the target eNB as source for the encapsulating tunnel
So, what happens afterwards?
9) the target MME sends a Modify Bearer Request message to the target SGW, describing the newly created tunnels for downlink, not the indirect ones, the usual, direct ones and the target SGW replies with a Modify Bearer Response message in order to acknowledge (or state a cause for rejecting) this
10) the source MME deletes its session from its (source) SGW, using a Delete Session Request / Delete Session Response pair of messages, carefully indicating the SGW that this is only a “local detach” of the UE, not a complete detach, meaning that the UE just moved and the local information about it is no longer valid, NOT that the UE disappeared from the network and the resources are to be deleted !
11) 12) both pairs of source and target MME/SGW now delete the indirect tunnel by exchanging the Delete Indirect Data Forwarding Tunnel Request / Delete Indirect Data Forwarding Tunnel Response messages.
And everybody is happy.
EXCEPT Me, because there are a lot of misleading and confusing “explanations” in the specs regarding this type of scenarios, like for instance:
a) one spec (TS 23.401) states that the delete session procedure should have Cause and LBI IEs in the Create Session Request message, while TS 29.274 defines these 2 IEs as Conditional, and, as per the condition in place, none of them should appear in this message when the source MME disconnects from the source SGW. Instead, the SGW should look at the Indication Flags in this request: if the Operation Indication is set, then this is a full detach, if the Scope Indication is set, this is a local detach.
b) look at the above flags: shouldn’t it be better to have just 1 flag, and, if it is set, we have a full detach, otherwise we have a local detach?
c) what happens in the S1 handover with no SGW relocation (whether or not the MME is relocated) and Indirect Tunneling? How is that going? Do I still send the two pairs of Create Indirect Data Forwarding Tunnel Request/Response?
and more to come