ControlPlane +Protocol+Interac.ons+...
Transcript of ControlPlane +Protocol+Interac.ons+...
Control-‐Plane Protocol Interac.ons in Cellular Networks
Guan-‐Hua Tu*1, Yuanjie Li*1, Chunyi Peng 2, Chi-‐Yu Li 1, Hongyi Wang 1, Songwu Lu 1
* The first two authors contribute equally to this work.
1: University of California, Los Angeles; 2: The Ohio State University
Cellular Services are Ubiquitous
¨ Large-‐scale wireless infrastructure ¨ Offer data and voice services to anyone, anywhere, any+me
2
Source: hGp://www.4gamericas.org/
6.8+ billion
Cellular Network Architecture 3
3G Gateways 3G Base stations
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G (PS + CS)
Mobility Management Entity (Control Node)
4G (PS only)
Control Plane in Cellular Network
Radio Resource Control (RRC)
Mobility Management (MM)
Connec.vity Management (CM)
4
3G Gateways
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G
Mobility Management Entity (Control Node)
4G
¨ Layered protocol stack
Control Plane in Cellular Network 5
3G Gateways
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G
Mobility Management Entity (Control Node)
4G
Radio Resource Control (RRC)
CS Domain
MM
CM
PS Domain
MM
CM
¨ Layered protocol stack ¨ Domains separated for voice (CS) and data (PS)
Control Plane in Cellular Network 6
3G Gateways
Mobile Switching Center
Circuit Switching (CS)
Packet Switching (PS)
3G
Mobility Management Entity (Control Node)
4G
Radio Resource Control (RRC)
CS Domain
MM
CM
PS Domain
MM
CM
PS Domain
MM
CM
RRC
4G 3G
¨ Layered protocol stack ¨ Domains separated for voice (CS) and data (PS)
¨ Hybrid 3G/4G systems
Complex Interactions
¨ Protocols work together to offer vital 3G/4G uTliTes ¨ Rich paGerns along three dimensions
7
Radio Resource Control
MM
CM
PS Domain
MM
CM
PS Domain
MM
CM
RRC
CS Domain
3G 4G
cross-layer
cross-domain cross-system
Complex Interactions
¨ Protocols work together to offer vital 3G/4G uTliTes ¨ Rich paGerns along three dimensions
8
Radio Resource Control
MM
CM
PS Domain
MM
CM
PS Domain
MM
CM
RRC
CS Domain
3G 4G
cross-layer
cross-domain cross-system
Problem: Each individual protocol may be well designed.
How about protocol interacTons?
Rich Protocol Interactions
¨ Complex interacTons in common scenarios ¤ Inevitable interplay between radio, mobility, data/voice ¤ Concurrent voice and data use ¤ 3G/4G switch due to hybrid deployment, mobility, voice
¨ Two causes of problemaTc interacTons ¤ Design defects ¤ Operation/Implementation slips
9
3G Gateways
MSC
Circuit Switching (CS)
Packet Switching (PS)
3G
MME
4G
Rich Protocol Interactions
¨ Complex interacTons in common scenarios ¤ Inevitable interplay between radio, mobility, data/voice ¤ Concurrent voice and data use ¤ 3G/4G switch due to hybrid deployment, mobility, voice
¨ Two causes of problemaTc interacTons ¤ Design defects ¤ Operation/Implementation slips
10
3G Gateways
MSC
Circuit Switching (CS)
Packet Switching (PS)
3G
MME
4G
Diagnosis over one layer/domain/system is insufficient
Single-‐type test fails to unveil both issues
Closed Core Network
Our SoluTon: CNetVerifier
¨ Cellular-‐specific model checking ¤ Extract full-stack cellular model from 3GPP standards ¤ Create a variety of usage scenarios ¤ Define desirable user-perspective properties ¤ Discover counterexamples for possible design defects
11
Model Checker
Violated property Counterexamples
Protocol Stacks
Usage Se[ngs
Desirable ProperTes
Our SoluTon: CNetVerifier
¨ Cellular-‐specific model checking ¨ Phone-‐based experimental validaTon
¤ Instrument end devices to collect traces for verification ¤ Discover operational slips in real networks
12
Model Checker
Violated property Counterexamples
Protocol Stacks
Usage Se[ngs
Desirable ProperTes
Scenario Setup
Opera.onal slips
Design Flaws “Black-‐box”
Finding Overview 13
II. Independent operaTons
I. Necessary cooperaTon
Finding Overview 14
cross-layer cross-domain cross-system
II. Independent operaTons
I. Necessary cooperaTon
Improper coopera.on: Cross-‐System
¨ Scenario: run data services during 4Gà3Gà4G 15
1. Setup 4G connecTvity to access internet
RRC MM CM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
þ
4G
4G Conn. Context
131.179.176.1
Improper coopera.on: Cross-‐System
¨ Scenario: run data services during 4Gà3Gà4G 16
3G
1. Setup 4G connecTvity to access internet 2. 4Gà3G: 4G conn. context is converted to 3G for seamless switch
RRC MM CM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
þ
4G
3G Conn. Context
131.179.176.1
Improper coopera.on: Cross-‐System
¨ Scenario: run data services during 4Gà3Gà4G 17
3G
1. Setup 4G connecTvity to access internet 2. 4Gà3G: 4G conn. context is converted to 3G for seamless switch
RRC MM CM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
þ
4G
4G Conn. Context
131.179.176.1
3. 3Gà4G: 3G conn. context is converted back to 4G
¨ ProblemaTc scenario: 3G context is deleted before returning to 4G
18
3G
1. 3G conn. context is deleted.
þ
4G
3G Conn. Context
131.179.176.1 Causes of dele.on (in 3GPP)
¤ Low layer failures ¤ User disables data services ¤ No enough resources ¤ ….
Improper coopera.on: Cross-‐System How and why?
¨ ProblemaTc scenario: 3G context is deleted before returning to 4G
19
3G
1. 3G conn. context is deleted.
þ
4G
3G Conn. Context
131.179.176.1
2. 3G-‐>4G: No 3G context transferred to 4G context
“Out-‐of-‐Service”
Improper coopera.on: Cross-‐System How and why?
¨ ProblemaTc scenario: 3G context is deleted before returning to 4G
20
3G
1. 3G conn. context is deleted.
þ
4G
3G Conn. Context
131.179.176.1
2. 3G-‐>4G: No 3G context transferred to 4G context
“Out-‐of-‐Service”
PS conn context is not mandatory in 3G (PS+CS), but mandatory in 4G (PS only)
Shared context for 4G and 3G is not well protected in 3G
Improper coopera.on: Cross-‐System How and why?
¨ Real-‐world impact ¤ Occurs 3.1% in user study ¤ “out-of-service” for up to 25s
¨ Lessons: a design defect ¤ Different demands of packet switching in 3G & 4G ¤ Desirable but not enforced: shared context should be
consistently protected in 4G & 3G
¨ Proposed remedies ¤ Avoid unnecessary 3G PS context deactivation ¤ Immediately enable 4G PS context reactivation
21
þ Improper coopera.on: Cross-‐System
¨ Scenario: 4G users make calls via 3G CS Fallback 22
1. To make a call, 4G user à3G
þ þ
RRC MM CM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
4G
3G
Improper coopera.on: cross-‐domain+system
¨ Scenario: 4G users make calls via 3G CS Fallback 23
1. To make a call, 4G user à3G
þ
2. When the call ends, 3Gà4G
þ
RRC MM CM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
4G
3G
Improper coopera.on: cross-‐domain+system
¨ ProblemaTc Scenario: Call with background data 24
1. A call makes 4G à 3G; Data is migrated to 3G, too
þ þ
4G
3G
Improper coopera.on: cross-‐domain+system
How and Why?
¨ ProblemaTc Scenario: Call with background data 25
1. A call makes 4G à 3G; Data is migrated to 3G, too
þ
2. When the call ends, No 3Gà4G (data is sTll on)
þ
4G
3G
User gets stuck in 3G, losing 4G.
Improper coopera.on: cross-‐domain+system
How and Why?
Improper coopera.on: cross-‐domain+system
How and Why?
¨ Unexpected loop in RRC state machine 26
þ þ
User gets stuck in 3G, losing 4G.
RRC
3G PS 3G CS
RRC
4G PS
CONN-‐ED
IDLE
CONN-‐ED
IDLE Voice only
Improper coopera.on: cross-‐domain+system
How and Why?
¨ Unexpected loop in RRC state machine 27
þ þ
User gets stuck in 3G, losing 4G.
RRC
3G PS 3G CS
RRC
4G PS
CONN-‐ED
IDLE
CONN-‐ED
IDLE
Voice + Data (certain seZng)
Improper coopera.on: cross-‐domain+system
How and Why?
¨ Unexpected loop in RRC state machine 28
þ þ
User gets stuck in 3G, losing 4G.
RRC
3G PS 3G CS
RRC
4G PS
CONN-‐ED
IDLE
CONN-‐ED
IDLE
Voice + Data (certain seZng)
RRC state transiTon is inconsistent with dual-‐domain, inter-‐system se[ngs
¨ Real-‐world impact ¤ 62.1% 4G users being stuck in 3G afer the call ¤ Stuck in 3G for 39.6s in average
¨ Lessons: a design defect ¤ 3G CS and 3G PS are indirectly coupled in RRC ¤ Inconsistent state transition with all 3Gà4G options
¨ Proposed remedies ¤ Revise the RRC state transition for possible settings
29
þ þ Improper coopera.on: cross-‐domain+system
30
þ
¨ Problem Scenario: Signaling loss for registraTon
MM
3G PS
MM CM
3G CS 4G PS
CM
RRC
CM MM RRC
Improper coopera.on: Cross-‐Layer How and why?
Attach request
Attach accept Attach complete
Deregistered Deregistered
Registered Registered Deregistered
31
þ
¨ Problem Scenario: Signaling loss for registraTon
Attach complete
Location update Location update response (error)
MM
3G PS
MM CM
3G CS 4G PS
CM
RRC
CM MM RRC
Improper coopera.on: Cross-‐Layer How and why?
Attach request
Attach accept
Deregistered Deregistered
Registered Registered Deregistered
“out-‐of-‐service” right afer being aGached
Deregistered
32
þ
¨ Problem Scenario: Signaling loss for registraTon
Attach complete
Location update Location update response (error)
MM
3G PS
MM CM
3G CS 4G PS
CM
RRC
CM MM RRC
Improper coopera.on: Cross-‐Layer How and why?
Attach request
Attach accept
Attach complete
Deregistered Deregistered
Registered Registered Deregistered
“out-‐of-‐service” right afer being aGached
Deregistered
Upper-‐layer (MM) assumes underlying reliable in-‐sequence signal transfer, but lower-‐layer (RRC)
cannot offer this guarantee
33
MSC
¨ Scenario: voice/data request with locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
1. LocaTon update is triggered by MM (e.g., user moves)
Unnecessary Coupling: Cross-‐layer þ
34
MSC
¨ Scenario: voice/data request with locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
1. LocaTon update is triggered by MM (e.g., user moves) 2. Afer locaTon update, user can send/receive voice and data
Unnecessary Coupling: Cross-‐layer þ
Dial out
35
3G Gateways 3G Base stations
MSC
¨ ProblemaTc Scenario: voice/data request during the locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
2. User dials out 1. LocaTon is triggered by MM (e.g., user moves)
þ Unnecessary Coupling: Cross-‐layer
How and why?
36
3G Gateways 3G Base stations
MSC
¨ ProblemaTc Scenario: voice/data request during the locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
2. User dials out
Dial out
Outgoing call is delayed
“Updating the location”
þ Unnecessary Coupling: Cross-‐layer
How and why?
37
3G Gateways 3G Base stations
MSC
¨ ProblemaTc Scenario: voice/data request during the locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
2. User dials out
Dial out
Outgoing call is delayed
1. LocaTon is triggered by MM (e.g., user moves)
“Updating the location”
“Without user loca+on, the cellular network cannot route user voice/data.”
þ Unnecessary Coupling: Cross-‐layer
How and why?
38
3G Gateways 3G Base stations
MSC
¨ ProblemaTc Scenario: voice/data request during the locaTon update
RRC MM CM
MM CM
3G-‐CS
MM CM
RRC
3G-‐PS 4G-‐PS
Location Update
2. User dials out
Dial out
Outgoing call is delayed
1. LocaTon is triggered by MM (e.g., user moves)
“Updating the location”
“Without user loca+on, the cellular network cannot route user voice/data.”
Outgoing voice/data requests can be routed without user locaTon
Unnecessary prioriTzaTon of locaTon update over outgoing call/data
þ Unnecessary Coupling: Cross-‐layer
How and why?
¨ Real-‐world Impact ¤ up to 8.3s call delay and 4.1s data delay ¤ 7.6% of outgoing calls occur during locaTon update
¨ Lessons: a design defect ¤ outgoing data/voice requests and location update are
independent, but they are artificially correlated ¨ Proposed remedies
¤ Decouple location update and outgoing data/voice requests
¤ E.g., two parallel MM threads for different purposes
39
þ Unnecessary Coupling: Cross-‐layer
MM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
CM
RRC
¨ Scenario: dial a call during data service in 3G 40
Circuit Switching (CS)
Packet Switching (PS)
3G 10Mbps 10Mbps
1. Access internet at full rate 2. Dials a call
þ Unnecessary Coupling: Cross-‐domain
MM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
CM
RRC
¨ Scenario: dial a call during data service in 3G 41
Circuit Switching (CS)
Packet Switching (PS)
3G 2.5Mbps 2.5Mbps
12.2Kbps
12.2Kbps
1. Access internet at full rate 2. Dials a call
Data service rate declines up to 74%
þ Unnecessary Coupling: Cross-‐domain
MM
3G PS
MM CM
3G CS
MM CM
RRC
4G PS
CM
RRC
¨ Scenario: dial a call during data service in 3G 42
Circuit Switching (CS)
Packet Switching (PS)
3G 12.2Kbps
12.2Kbps
1. Access internet at full rate 2. Dials a call
Data service rate declines up to 74% Voice and data have compeTng demands on the channel, but they have to share the radio channel
þ Unnecessary Coupling: Cross-‐domain
Voice: low rate, low loss (e.g., 16QAM) Data: high rate, loss tolerant (e.g., 64QAM)
2.5Mbps 2.5Mbps
¨ Scenario: LocaTon update in 3G and 4G 43
3G
3G PS
MM CM
3G CS
CM
RRC
4G PS
CM
RRC MM MM
4G
þ Unnecessary Coupling: Cross-‐system
1. Update 4G locaTon, and noTfy 3G MSC
¨ Scenario: LocaTon update in 3G and 4G 44
3G
3G PS
MM CM
3G CS
CM
RRC
4G PS
CM
RRC MM MM
4G
þ Unnecessary Coupling: Cross-‐system
2. 3G locaTon update fails, so 4G deregisters the network
Detach
MSC unavailable
¨ Scenario: LocaTon update in 3G and 4G 45
3G
3G PS
MM CM
3G CS
CM
RRC
4G PS
CM
RRC MM MM
4G
þ Unnecessary Coupling: Cross-‐system
2. 3G locaTon update fails, so 4G deregisters the network
Detach
MSC unavailable
3G internal failures are exposed to 4G devices
Conclusion
¨ Uncover problems in signaling protocol interacTons in cellular networks
¨ Three Lessons ¤ The layering rule should be fully honored (optimistic
assumptions, coupled actions) ¤ Inter-domain difference should be well recognized
(coupling independent services) ¤ Hybrid systems are not properly coordinated (context
sharing, fault isolation) ¨ More rigorous efforts are needed
46