1 / 29

Control -Plane Protocol Interactions in Cellular Networks

Control -Plane Protocol Interactions in Cellular Networks. Guan-Hua Tu * 1 , Yuanjie Li * 1 , Chunyi Peng 2 , Chi-Yu Li 1 , Hongyi Wang 1 , Songwu Lu 1. 1: University of California, Los Angeles; 2: The Ohio State University. * The first two authors contribute equally to this work.

bud
Download Presentation

Control -Plane Protocol Interactions in Cellular Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Control-PlaneProtocolInteractionsinCellularNetworks Guan-Hua Tu*1,Yuanjie Li*1, ChunyiPeng 2,Chi-YuLi 1,HongyiWang1,SongwuLu 1 1: University of California, Los Angeles; 2: The Ohio State University * Thefirsttwoauthorscontributeequallytothiswork.

  2. CellularServices are Ubiquitous • Large-scale wireless infrastructure • Offer data and voice services to anyone, anywhere, anytime 6.8+ billion Source: http://www.4gamericas.org/

  3. Cellular Network Architecture CircuitSwitching(CS) 3G (PS + CS) MobileSwitchingCenter 3G Gateways PacketSwitching(PS) 3G Basestations (PS only) 4G Mobility Management Entity (Control Node)

  4. CircuitSwitching(CS) ControlPlaneinCellularNetwork MobileSwitchingCenter 3G 3G Gateways PacketSwitching(PS) 4G Mobility Management Entity (Control Node)

  5. ControlPlaneinCellularNetwork • Layered protocol stack ConnectivityManagement(CM) Mobility Management(MM) Radio Resource Control(RRC)

  6. ControlPlaneinCellularNetwork • Layered protocol stack • Domains separated for voice (CS) and data (PS) ConnectivityManagement(CM) MobilityManagement(MM) Radio Resource Control(RRC) CS Domain PS Domain CM CM MM MM Radio Resource Control(RRC)

  7. ControlPlaneinCellularNetwork 3G • Layered protocol stack • Domains separated for voice (CS) and data (PS) • Hybrid 3G/4G systems 4G CS Domain PS Domain PS Domain CM CM CM MM MM MM Radio Resource Control(RRC) RRC

  8. Complex Interactions Problem: Eachindividualprotocolmaybewelldesigned. How about protocolinteractions? • Protocolsworktogethertooffervital3G/4Gutilities • Rich patterns along threedimensions cross-domain cross-system CS Domain PS Domain PS Domain cross-layer CM CM CM MM MM MM RadioResourceControl RRC 3G 4G

  9. Rich Protocol Interactions • Complex interactions in common scenarios • Inevitable interplay between radio, mobility, data/voice • Concurrent voice and data use • 3G/4G switch due to hybrid deployment, mobility, voice • Two causes of problematic interactions • Design defects • Operation/Implementation slips Diagnosis over one layer/domain/system is insufficient Single-type test fails to unveil both issues

  10. Rich Protocol Interactions • Complex interactions in common scenarios • Inevitable interplay between radio, mobility, data/voice • Concurrent voice and data use • 3G/4G switch due to hybrid deployment, mobility, voice • Two causes of problematic interactions • Design defects • Operation/Implementation slips Diagnosis over one layer/domain/system is insufficient Single-type test fails to unveil both issues Closed Core Network

  11. Our Solution: CNetVerifier • Cellular-specific model checking • Extract full-stack cellular model from 3GPP standards • Create a variety of usage scenarios • Define desirable user-perspective properties • Discover counterexamples for possible design defects Protocol Stacks Model Checker Violated property Counterexamples Usage Settings Desirable Properties

  12. Our Solution: CNetVerifier • Cellular-specific model checking • Phone-based experimental validation • Instrument end devices to collect traces for verification • Discover operational slips in real networks Protocol Stacks Model Checker Violated property Counterexamples Usage Settings Scenario Setup Desirable Properties “Black-box” Design Flaws Operational slips

  13. Finding Overview • I. Necessary but problematic cooperation • II. Independent but coupled operations cross-system cross-layer cross-domain

  14. Improper cooperation: Cross-System 3G CS 3G PS 4G PS CM CM CM • Scenario: run dataservices during 4G3G4G MM MM MM 1. Setup 4G connectivity to access internet 3. 3G4G: 3G conn. context is converted back to 4G 2. 4G3G: 4G conn. context is converted to 3G for seamless switch RRC RRC 3G Conn. Context 131.179.176.1 3G 4G 4G Conn. Context 131.179.176.1

  15. Improper cooperation: Cross-System How and why? • Problematic scenario: 3G context is deleted before returning to 4G 1. 3G conn. context is deleted. 2. 3G->4G: No 3G context transferred to 4G context • PSconn context is not mandatoryin3G (PS+CS), • butmandatoryin4G (PS only) • Shared context for 4G and 3G is not well protected in 3G 3G Conn. Context 131.179.176.1 3G Causes of deletion (in 3GPP) • Low layer failures • User disables data services • No enough resources • …. 4G • “Out-of-Service”

  16. Improper cooperation: Cross-System • Real-world impact • Occurs 3.1% in user study • “out-of-service”for up to 25s • Lessons: a design defect • Differentdemands of packet switching in 3G & 4G • Desirable but not enforced: shared context should be consistently protected in 4G & 3G • Proposed remedies • Avoidunnecessary3GPS context deactivation • Immediately enable 4G PS context reactivation

  17.  Improper cooperation: cross-domain+system 3G CS 3G PS 4G PS CM CM CM • Scenario: 4Gusersmakecalls via 3G CS Fallback MM MM MM 2. When the call ends, 3G4G 1. To make a call, 4G user 3G RRC RRC 3G 4G

  18.  Improper cooperation: cross-domain+systemHow and Why? • Problematic Scenario:Callwithbackgrounddata • A call makes 4G  3G; • Data is migrated to 3G, too 2. When the call ends, No 3G4G (data is still on) 3G 4G • Usergetsstuckin3G, losing 4G.

  19.  Improper cooperation: cross-domain+systemHow and Why? • Unexpected loop in RRC state machine CONN-ED CONN-ED Voice + Data (certain setting) 3G CS 3G PS 4G PS RRC RRC • RRCstate transition is inconsistent withdual-domain, inter-system settings IDLE IDLE Voice only • Usergetsstuckin3G, losing 4G.

  20.  Improper cooperation: cross-domain+system • Real-world impact • 62.1% 4G users being stuckin3Gafterthecall • Stuck in 3G for 39.6s in average • Lessons: a design defect • 3GCSand3G PSareindirectlycoupled in RRC • Inconsistent statetransitionwithall 3G4Goptions • Proposed remedies • Revise the RRC state transition for possible settings

  21. Improper cooperation: Cross-Layer How and why? 3G CS 3G PS 4G PS CM CM CM • “out-of-service” right after being attached • Problem Scenario: Signalinglossforregistration MM MM MM RRC RRC Attach request Deregistered Attach complete Deregistered Attach accept Attach complete Deregistered Registered Location update • Upper-layer (MM) assumes underlying reliable in-sequence signal transfer, but lower-layer (RRC) cannot offer this guarantee Registered Location update response (error) Deregistered

  22. Unnecessary Coupling: Cross-layer  3G-CS 3G-PS 4G-PS CM CM CM • Scenario: voice/data request with location update MM MM MM RRC 1. Location update is triggered by MM (e.g., user moves) 2. After location update, user can send/receive voice and data RRC Dial out Location Update MSC

  23. Unnecessary Coupling: Cross-layerHow and why?  3G-CS 3G-PS 4G-PS CM CM CM • Problematic Scenario: voice/data request during the location update • “Without user location, the cellular network cannot route user voice/data.” MM MM MM RRC 1. Location is triggered by MM (e.g., user moves) 2. User dials out RRC Dial out • Outgoing voice/data requests can be routed without user location “Updating the location” Location Update • Unnecessary prioritization of location update over outgoing call/data MSC • Outgoing call is delayed 3G Gateways 3G Basestations

  24. Unnecessary Coupling: Cross-layer  • Real-world Impact • up to 8.3s call delay and 4.1s data delay • 7.6% of outgoing calls occur during location update • Lessons: a design defect • outgoing data/voice requests and location update are independent, but they are artificially correlated • Proposed remedies • Decouple location update and outgoing data/voice requests • E.g., two parallel MM threads for different purposes

  25. Unnecessary Coupling: Cross-domain  3G CS 3G PS 4G PS CM CM CM • Scenario: dial a call during data service in 3G MM MM MM 2. Dials a call 1. Access internet at full rate RRC RRC CircuitSwitching(CS) 12.2Kbps • Voice: low rate, low loss (e.g., 16QAM) • Data: high rate, loss tolerant (e.g., 64QAM) PacketSwitching(PS) 12.2Kbps 3G 2.5Mbps 10Mbps 10Mbps 2.5Mbps • Voice and data have competing demands on the channel, but they have to share the radio channel • Data service rate declines up to 74%

  26. Unnecessary Coupling: Cross-system  3G CS 3G PS 4G PS CM CM CM • Scenario: Location update in 3G and 4G MM MM MM 1. Update 4G location, and notify 3G MSC 2. 3G location update fails, so 4G deregisters the network RRC RRC 3G MSC unavailable • 3G internal failures are exposed to 4G devices 4G Detach

  27. Conclusion • Uncover problems in signaling protocol interactions in cellular networks • Three Lessons • The layering rule should be fully honored (optimistic assumptions, coupled actions) • Inter-domain difference should be well recognized (coupling independent services) • Hybrid systems are not properly coordinated (context sharing, fault isolation) • More rigorous efforts are needed

  28. Backup slides

  29. Related Work • Protocol verification for the Internet • Since 1990s • Single protocol with implementation • E.g., [Cohrs’89, SIGCOMM], [Holzmann’91], [Smith’96], TCP [NSDI’04], Routing[SIGCOMM’05], … • Emerging techniques for network verification • E.g., Anteater [SIGCOMM’11], Head Space Analysis[NSDI’12], NICE [NSDI’12], Alloy[SIGCOMM’13], NetCheck[NSDI’14], Software Dataplane [NSDI’14] … • Largely unexplored territory in cellular networks • Few efforts, e.g., 2G handoff [Orava’92], Authentication [Tang’13]

More Related