The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE"...
Transcript of The Peril of Cellular Network EvolutionThe Peril of Cellular Network Evolution!!"On"CSFB"and"VoLTE"...
The Peril of Cellular Network Evolution
-‐ On CSFB and VoLTE
Chunyi Peng Fall 2015
Emerging Problems in Network Evolu?on
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 2
• Circuit-‐switching for voice
• Packet-‐switching for everything
• IP-‐based
• Circuit-‐switching for voice
• Packet-‐switching for data
2G 3G 4G
Q1: Will existing techniques fail to well support emerging requirements? YES!
Q2: Will new features raise new side-effects?
MUTUAL INTERFERENCE BETWEEN VOICE AND DATA IN 4G LTE NETWORKS
[mobicom’13] [CNS’15]
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 3
Advancing toward 4G LTE • 4G LTE grows fast
– Better support for mobile Internet – 480 LTE networks (by 09/2015, 4gamerica)
4
4G LTE’s Trouble in Voice • 4G LTE: Packet-‐switched (PS) only
– No circuit-‐switched (CS)
5
4G Base Station
4G PS Gateway
Internet
IP packets
Telephony Network Voice, traditionally via CS
No CS, ?
Two Solu?ons: CSFB & VoLTE • #1. CSFB (Circuit-‐Switched Fallback): leverage 3G/2G CS to support voice
• #2. VoLTE (Voice over LTE): deliver voice directly in packets (over IP)
6
4G Base Station
4G PS Gateway
Internet
Telephony Network 3G CS Domain
Coexis?ng Voice Solu?ons • Circuit-‐Switched Fallback (CSFB)
– Reuse the legacy 2G/3G networks – Broadly launched in many LTE networks – 1st-‐choice of LTE networks
• Voice over LTE (VoLTE) – Ul?mate solu?on, similar to (VoIP) in LTE – Need to deploy IMS (IP mul?media system) – Heavy cost and overhead – Ini?al rollout: AT&T, T-‐Mobile, Verizon since late 2014
7
...
CSFB (Circuit-‐Switched Fallback)
8
3G Base Station 3G CS Gateway Telephony Network
3G PS Gateway
Internet
IP packets (data-plane) 3G voice (data-plane)
Signaling (control-plane)
CSFB (Circuit-‐Switched Fallback)
9
3G Base Station 3G CS Gateway Telephony Network
3G PS Gateway
Internet
4G Base Station
4G PS Gateway
Control (MME) Internet
CSFB (Circuit-‐Switched Fallback)
10
3G Base Station 3G CS Gateway Telephony Network
3G PS Gateway
Internet
4G Base Station
4G PS Gateway
Control (MME) Internet 4G Base Station
4G PS Gateway
Control (MME) Internet
An Example: Incoming Call Comes During Downloading
• Expected flows on Bob
• [tu13-‐mobisys]: data transmission suspends and user traffic is over-‐accounted when inter-‐system handover, e.g., 4G <-‐>3G (step 3 and 6), occurs.
• What else? Impact on data or voice services?
11
CSFB: Incoming Call Flow
12
1. Call Request 2. Paging Request (CS call)
5. Paging Response (CS call)
4G MME Callee 3G CS Gateways 4G BS
3. Extend Service Request
4. Switch to 3G 3G BS
6. Setup CS Call
7. Call Conversion
8. Switch back to 4G
Seemingly Reasonable • Users only switch to 3G when needed (calls) • Users still obtain higher-speed 4G LTE for data • Carriers reuse the existing 3G (cost-effective)
By design: Independent voice & data • Expected data throughput slump during voice
– 4G downgrade to 3G
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 13
Three Unexpected Issues in CSFB Unexpected: Interference btw. voice & data • #1: Data applica?on aborts
– When voice call ends
• #2: Lose 4G connec?vity – Got stuck in 10+ hours
• #3: Miss calls when turning on data
14
#1: Applica?on Aborts
• 10-‐day abort ra?o – 2-‐5% on average – 15% in worst case
• Event: IP address change – “Implicit Detached” by cellular
– “Network re-‐akach” by mobile
15
App on 4G
App on 3G
Voice on 3G
Handoff (4G ->3G)
Handoff (3G ->4G)
App on 4G
✕
App aborts
Cause • CS domain
– When CSFB call ends, implicit detach from network (occasionally)
– network reakach, assign a new IP address
• PS domain – Data service pauses with implicit detach – Abort due to a new IP
• TCP/UDP sessions cannot be recovered
• Root cause: shared states between CS and PS MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 16
Circuit-Switching (CS)
Packet-Switching (PS)
17
Data Plane Data Plane Control Plane Control Plane
…
…
Implicit Detached
CSFB voice ends Detached
Data start
Data stops
Network-Reattach
Attached New IP addr.
Shared control states in CS and PS
STATE Data Voice
…
Evalua?on: Data App Abort Due to Voice Call
• 8 popular data applica?ons – Browser, Gmail, Ftp, Youtube, Skype, PPS (Streaming), Pandora (internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls. – Browsing/Facebook: content is not displayed – FTP/Gmail: downloading is terminated – Skype: voice call is aborted
18
#2: Lose 4G connec?vity
• Result – 10+ hour in 3G
• even handoff
• Events
– CS call state changes HO trigger
– PS data resets HO ?mer
19
PS Data on 4G
PS Data on 3G
Handoff (4G ->3G)
NO Handoff (3G ->4G)
Call & hang up
NoVoice on 3G
✕
PS Data on 4G
✕
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 20
20
1. Call Request 2. Paging Request (CS call)
5. Paging Response (CS call)
4G MME Callee 3G CS Gateways 4G BS
3. Extend Service Request
4. Switch to 3G
3G BS
6. Setup CS Call
7. Call Conversion
8. Switch back to 4G
Data Plane (CS)
W-REQ
IDLE
W-PAGE
RECV
ALERT
Conn
F-REQ
F-PAGE
F-RECV
Fail
Call control setup: 6 signaling Handoff 4G->3G: 21 signaling Handoff 3G->4G: 21 signaling
Cause • RRC states shared in CS and PS
– Voice calls: RRC connected – Data: RRC connected
• 4G-‐>3G procedure – RRC connected: handoff – RRC idle: cell-‐reselec?on
• 4G-‐>3G switches counts on handoff – Handoff’s ?mer sepngs – During data, no handoff is performed
• Root cause: shared states, complex signalings MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 21
Call & hang up: Change call state F-RECV
Handoff State Machine 22 22
Data Plane (CS)
F-RECV
Data
3G IDLE
3G DATA FACH/DCH
4G DATA
4G IDLE
Call & hang up: Change call state
10 s
ec
5 sec
1st
>1st
L
S
Y
N
HO-‐in-‐3G reset Data
3G IDLE
3G DATA FACH/DCH
4G DATA
4G IDLE
10 s
ec
PS data: reset HO timer
Circuit-Switching (CS)
Packet-Switching (PS) Data Plane Data Plane Control Plane Control Plane
Complex signaling/control involved in both CS and PS
Evalua?on • We conduct an experiment to track the dura?on Bob stays in 3G for 3 mins aqer Bob’s call conversa?on finishes. – Packet Size: 1B or 1KB – Packet Interval: 1~24 seconds
• Q: Why does it depend on traffic pattern ? 23
OP-I OP-II
19s-1KB 13s-1KB 14s-1B 7s-1B
RRC State Transi?on • Go back to 4G LTE via Inter-‐RAT Handover or Cell reselec4on.
• RRC State Transi?ons observed in OP-‐I and OP-‐II
24
Simplified RRC State for OP-I Simplified RRC State for OP-II
Inter-RAT Handover
Inter-RAT Handover
#3: Miss Voice Calls
25
4G LTE Phone
PS on 4G
Missed call
Turn on PS data
✕ Incoming Call
• Event – “Implicit Detached”
by cellular – Transient
unavailability
• Root cause: shared control states between CS and PS
Security Implica?ons
C. Peng (OSU) 26
Possible Problems
27
1. Call Request 2. Paging Request (CS call)
5. Paging Response (CS call)
3. Extend Service Request
4. Switch to 3G 3G BS
6. Setup Circuit-Switched Call
7. Call Conversion
8. Switch back to 4G
#1. Action before paging response (w/o user awareness and consent)
#2. Data over 3G; handoff causes Data service interruption
#3. What if 3G-4G handoff is deferred or cancelled?
4G MME Callee 3G CS Gateways 4G BS
One Example
0
5
10
15
20
25
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75
4G
3G
X-th second
Speed (M
bps)
Call ends Ringing @callee 28
#1. Action before ringtones (w/o user awareness) #2. Data service interruption (6-7 seconds)
US OP-1
Another Example
0
5
10
15
20
25
0 5 10 15 20 25 30 35 40 45 50 55 60 65 70 75
4G
3G
X-th second
Speed (M
bps)
Call ends Ringing@ callee 29
#3. 3G->4G switch is deferred not back to 4G LTE in case of PS traffic
US OP-2
So, possible exploit • Anyone can make a call without callee’s consent
• With CSFB, it can manipulate 4G-‐>3G handoff – Handoff already happens before the call setup
• So it is viable to impede data services – Long data service disruption
• It is even worse while repeating it – 3G – 4G – 3G – 4G … (ping-pong)
30
Ping-Pong Attack
31
1. Call Request 2. Paging Request (CS call) 3. Extend Service Request
4. Switch to 3G 3G BS
1. Dial
2. Hang-‐up 5. Paging Response (CS call)
6. Setup CS Call
5. Stop call request
6. Switch back to 4G 3. Wait
1. Dial 2. Hang-‐up, 3. Wait
4G –> 3G
3G –> 4G …
4G MME Callee 3G CS Gateways 4G BS
Ping-‐Pong Akacks (cont’d) • How to guarantee successive switch without
the victim’s awareness? • Two key timers:
– T1: dial time between dialing and hanging up – T2: wait time between hanging up and re-dialing
32
Ping-‐Pong Akack Valida?on
33
0
5
10
15
20
25
30
35
40
0 10 20 30 40 50 60 70 80 90 100 110 120
Per Second
Moving Avg.
Speed (M
bps)
X-th second
TCP-w/o attack
0
5
10
15
20
25
30
35
0 10 20 30 40 50 60 70 80 90 100 110 120
Per Second
Moving Avg.
Speed (M
bps)
TCP-w/ attack
0.08 0.01
X-th second
TCP: from 31Mbps to 0.08 Mbps in 30s
On Real Apps
App Task TCP/UDP w/o conn loss w/ conn loss
Web Access one CNN page TCP Abort Abort
Gmail Sending/receiving emails TCP Fail & mul?-‐entry
Abort & Auto Recovery
Fabebook Ongoing chat session TCP Slower slower
Whatsapp Ongoing chat session TCP Slower Abort & recover
AndFTP File download TCP Abort Abort
Youtube Video streaming TCP Freeze Abort
PPStream Video streaming UDP Freeze Abort
Skype Ongoing video calls UDP Freeze Abort
34
Discussion • Any other side-‐effects from CSFB?
• What insights and lessons learnt from CSFB? – How should we design voice solu?ons? – How should we design cellular network arch?
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 35
Takeaway • CSFB is a cost-‐effec?ve solu?on
– Seek to reuse the exis?ng architecture
• Unexpected consequence – Incompa?bility with exis?ng procedures – Mutual interference caused by shared states in CS and PS, as well as complex signaling
• Complex dependency and coupling effects
– Akacks: open access to control one’s state without consent
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 36
INSECURITY OF VOICE SOLUTION VOLTE IN LTE MOBILE NETWORKS
[CCS’15]
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 37
Recap: Voice Evolu?on in 4G LTE
• Legacy voice solu?on: Circuit-‐Switched (CS) – Carrier-‐grade quality
• 4G LTE: Packet-‐switched (PS) only
38
Telephony Network CS Gateway
Circuit Circuit Circuit
4G PS Gateway (aka. edge routers)
Internet Data Service Bearer
?
39
4G PS Gateway (aka. edge routers)
Internet
Telephony Network
4G LTE PS Core
VoLTE Signaling Bearer VoLTE Voice Bearer
Normal Data Service Bearer
Signaling Servers
Media Gateway
VoLTE
VoLTE: Carry Voice in Packets
“Carrier-‐Grade” Voice Quality in VoLTE • Via differen?ated QoS profiles
40
Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1
(highest) Data Service Bearer Best Effort 6-9
Packet-switched (PS) Core
4G PS Gateway (aka. edge routers)
Poten?al Security Threats in VoLTE
41
4G PS Gateway (aka. edge routers)
Internet
If yes, abuse its charging scheme (free) and higher-‐priority/QoS scheme for “data”?
#1: Carry “data” over VoLTE Signaling bearer?
Poten?al Security Threats in VoLTE
42
4G PS Gateway (aka. edge routers)
Media Gateway
VoLTE
If yes, authen?c voice traffic will be blocked.
#2: Inject (junk) data into VoLTE voice bearer?
✗
Overview of Our Findings
• Data: Carry data over VoLTE signaling bearer – Free data service – Higher-priority data service – Overbilling – Data Denial-of-Service
• Voice: Inject junk data into VoLTE voice bearer – Voice Denial-of-Service (muted voice)
• Vulnerabili?es from – VoLTE standards – Carrier networks – Mobile devices (software and hardware)
43
CARRY DATA IN VOLTE SIGNALING BEARER
44
Two Access Control at Device & Network
45
4G PS Gateway (aka. edge routers)
Internet
Q1: [Device] Will the phone allow an app (user-‐space) to send data packets out into VoLTE signaling bearer?
Q2: [Network] Will the network allow packets over VoLTE signaling bearer to non-‐VoLTE des?na?ons (Internet)?
Har
dwar
e No Access Control on the Phone
Android OS
Softw
are
Apps IMS Client VoLTE app (dialing)
4G LTE Modem (chipset)
• #1: VoLTE signaling func?ons open to OS and Apps (soqware) – IP-‐based, a system app
IP for VoLTE
IP for Normal data
Har
dwar
e No Access Control on the Phone
• #2: No proper permission control to VoLTE Signaling network interface in OS (soqware) – Given IP, app (w/Internet permission) send
packets • #3: No access control in chipset (hardware)
47
Android OS
Softw
are
Apps IMS Client
VoLTE app (dialing)
4G LTE Modem (chipset)
IP for VoLTE
No Access Control in Network • #4: Imprudent rou?ng in network
– Simply rou?ng based on des?na?on IP – US-‐I: Internet and Mobile ✔– US-‐II: Mobile ✔
48
4G PS Gateway (aka. edge routers)
Internet
Signaling Servers
VoLTE
? ✔
Finally, it works out! • Mobile-‐to-‐Internet
– Example: ping Google
49
4G-GW
Finally, it works out! • Mobile-‐to-‐Internet
• Mobile-‐to-‐Mobile – VoLTE-‐to-‐VoLTE – VoLTE-‐to-‐PS
50
4G-GW
4G-GW
Free Data Access Akack
51
• VoLTE Signaling free of charges – Voice calls: charged by minutes – Signaling: no charges (usually small volume) – Validated in two US carriers
• Ra?onal, but exploited for free data access
Free Data Service: Skype as Demo
52
Free Data Service
53
0 30 60 90
120 150 180 210 240
0 2 4 6 8 10 12 14 16
Uplink Downlink
Source Rate (Mbps)
Free
Dat
a (M
B)
0
100
200
300
400
500
0 1 2 3 4 5 6 7 8 9 10
Uplink Downlink
Time (Hours) Fr
ee D
ata
(MB
)
There exists NO signs of limit on the volume, throughput and dura.on for free data service
4G PS Gateway (aka. edge routers)
Overbilling Akack • Spamming via Mobile-‐to-‐Mobile (VoLTE-‐to-‐PS)
– Bypass inbound traffic access control at border
Internet NAT/Firewall
$
4G PS Gateway (aka. edge routers)
Data Denial-‐of-‐Service Akack • Spamming via Mobile-‐to-‐Mobile (VoLTE-‐to-‐VoLTE) – Exploit higher priority of VoLTE signaling bearer
Internet NAT/Firewall
Delivery Priority VoLTE Signaling Bearer Best Effort 1 Data Service Bearer Best Effort 6-9
Data Denial-‐of-‐Service Akack
0 4 8 12 16 20 24 28 32
0 5 10 15 20 25 30 35 40 45 50 55 60
Data Bearer VoLTE Signaling Bearer Th
roughp
ut (M
bps)
X-‐th Second
0 Mbps
www.cnn.com
Youtube Logo
INJECT JUNK DATA INTO VOLTE VOICE BEARER
57
Similar, but Seemingly More Secure
4G PS Gateway (aka. edge routers)
Media Gateway
VoLTE ✗
Inject (junk) data packets into VoLTE voice bearer as to VoLTE signaling bearer
But, voice bearer info is confideneal Voice via RTP/RTCP (iden?fier unknown)
4G LTE Modem (chipset)
Insufficient VoLTE Voice Access Control
• #1: only dest. port# needed – RTP Session Iden?fier: (IP,Port#) – Fixed dest. IP to media gateway
• #2: Sending data packets with correct port# is allowed – Same access control trouble
59 VoLTE voice bearer
Hardware
Android OS
Soqw
are
Apps IMS Client VoLTE app (dialing)
Port# is Secret, but can be Easily Leaked
• #3: Same IP between voice and signaling bearers – Port# matched, è VoLTE voice bearer – Port# unmatched, è VoLTE signaling bearer
• #4: Be leaked through disenct behaviors caused by various QoS profiles – Guaranteed-‐Bit-‐Rate vs. High-‐Priority Best Effort – Low-‐rate voice traffic NOT affected by heavy VoLTE signaling
60
Delivery Priority VoLTE Voice Bearer Guaranteed-Bit-Rate 2 VoLTE Signaling Bearer Best Effort 1
Infer RTP/RTCP Desenaeon Ports
61
Port Number (K)
One
Hop
RTT
(ms)
0
100
200
300
0 10000 20000 30000 40000 50000 60000
0
40
80
120
160
200
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Right-‐Port Min-‐RTT-‐for-‐Wrong-‐Port
x-th Run
One
Hop
RTT
(ms)
Ports 64580, 64581
Voice DoS: Muted Call
62
Root Causes & Recommended Solu?ons • VoLTE standards
– Design defects: lack protec?on when VoLTE makes open voice access; no speed limit on highest priority, ..
• Carrier networks – Imprudent rou?ng & charging for VoLTE signaling – Fix: disable rou?ng, limit speed, enable VoLTE volume accoun?ng
• Mobile Devices – Lack access control at both soqware (improper permission) and hardware (missing)
– Fix: VoLTE-‐specific permission, anomaly detec?on
63
Updates • Report and work with 2 US carriers to fix problems
• Par?al solu?ons in place (07/2015, 08/2015) • US-‐I
– Disable routing to Non-VoLTE destination – Fixed: free data, overbilling, data DoS – Not fixed: voice DoS
• US-‐II – Limit the speed of Mobile-to-Mobile to 600 kbps – Fixed: data DoS – Not fixed: voice DoS, free data, overbilling
64
Discussion • Why? What is new with VoLTE?
– Changes on network side – Changes on phone side (Chipset, OS)
• VoLTE designed to carry voice can be exploited to carry data – Real threats: free data, overbilling, data DoS, voice DoS …
• Lessons at its early deployment – Blame carrier network, device OS, chipset vendors and standards
• Peril of evolu?on
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 65
BACKUP SLIDES
MSSN (Mobile System, Security, Networking) @ OSU | Chunyi Peng 66
Experimental Methodology • two major US 4G LTE operators
– Called as OP-‐I and OP-‐II in this work • Mobile devices:
– Apple iPhone5 – Samsung Galaxy S3/S4 – HTC One – LG Op?mus G.
67
Throughput Slump
68
Logs of data throughput (4G:+, 3G:x) on Bob in OP-I
One More Slump • In addi?on to two handovers, we observe one extra handover in the 40.6% of experiment runs (149/367) in OP-‐I.
69
Logs of data throughput (4G:+, 3G:x) in OP-I
Even Worse • In OP-‐II, we observe that Bob cannot go back to 4G LTE aqer call ends.
70
Logs of data throughput (4G:+, 3G:x) in OP-II
Is it OP-II specific issue? How long it lasts for?
Lose 4G Connectivity
Lose 4G Connec?vity • In OP-‐I, Bob cannot go back to 4G LTE if Alice cancels the outgoing call before call is fully established (i.e., Bob doesn’t hear ringtone yet).
• We find that Bob will stay in 3G longer than 10 hours under certain condi?ons.
71
Alice hangs out the outgoing call before call setup is finished
Data Services • We find that it depends on whether data service is running on Bob’s phone.
• Specifically, the dura?on Bob stuck in 3G is dependent on packet size and packet interval of data service running.
• We conduct an experiment to track the dura?on Bob stays in 3G for 3 mins aqer Bob’s call conversa?on finishes. – Packet Size: 1B or 1KB – Packet Interval: 1~24 seconds
72
Experiment Results
73
OP-I OP-II
Why does it depend on traffic pattern ?
19s-1KB 13s-1KB 14s-1B 7s-1B
RRC State Transi?on • Bob can go back to 4G LTE via Inter-‐RAT Handover or Cell reselec4on.
• RRC State Transi?ons observed in OP-‐I and OP-‐II
74
Simplified RRC State for OP-I Simplified RRC State for OP-II
Inter-RAT Handover
Inter-RAT Handover
CSFB standards allow operators to decide how to move users back to 4G LTE
Data Applica?ons Abort Due to Voice Call
• We are running eight popular data applica?ons – Browser, Gmail, Ftp, Youtube, Skype, PPS (Streaming), Pandora (internet radio), Facebook
• We find that Browsing, Gmail, FTP, Skype and Facebook may abort due to CSFB calls. – Browsing/Facebook: content is not displayed – FTP/Gmail: downloading is terminated – Skype: voice call is aborted
75
How Oqen Applica?on Aborts • We run the experiment that user makes a call and hangs up later while data applica?ons are running.
• We observe the average abort ra?o around 3-‐5%.
76 10-day FTP downloading abort ratio (OP-I).
What happens?
Detached • The users are detached by carriers and lose both of 3G and 4G LTE connec?vity for a while when this issue occurs.
77
Logs of network status at mobile phone (OP-I).
Detached
Reattached
How long does it recover the connectivity?
Resign into network (OP-II).
Reakach Dura?on
78
¨ For OP-I, 95% of re-attaches finish within 11 seconds. ¨ For OP-II, 90% of re-attaches finish within 15 seconds.
Q: Is it big issue to lose connectivity for 11-15 seconds? It should be easily recovered by TCP retransmission.
Invalid TCP retransmission
79
Wireshark traces at the FTP server
¨ FTP server retransmits packets to mobile devices, however it doesn’t receive any acks.
¨ OP-I assigns different IP address to the mobile devices after reattaches. ¨ OP-II assigns same IP address, however NAT mapping is gone after
reattaches, i.e., retransmitted packets are dropped without valid mapping.
Miss Call • Under certain scenario, users may miss incoming calls without no?fica?ons.
• Alice is calling Bob and Bob is enabling PS network in the mean?me. – Bob may miss Alice’s call without no?fica?on (e.g., ringtone).
– However, Alice s?ll hears aler?ng tone. • She may think Bob inten?onally doesn’t answer the call.
80
Aler?ng Tone Comes Early
• In the paging phase (Step 2), to avoid long period of silence at Alice, the Bob’s MSC# sends indica?on of user aler?ng to Alice
• Then Alice can hear aler?ng tone. • However, if Bob fails to handover to 3G networks (Step 3) then he will not hear ringtone.
81 #: On receipt of service request from MME.
CSFB Incoming Call flows on Bob
Discussion • Key factors?
• Root cause?
• Solu?on?
• What else (other problems)? • Lessons and Insights?
C. Peng (OSU) 82
Summary • Throughput slumps when voice call starts and ends.
– In OP-‐II, the throughput isn’t recovered even aqer call ends. • Users may lose 4G connec?vity for 10 hours (no signs of
limits) and may be u?lized by malicious akackers. • Users may be implicit detached by operators aqer CSFB
call ends – Some applica?ons abort due to unsuccessful receipt of packets from their applica?ons server aqer re-‐akach finishes.
• Users may miss voice call without indica?ons because aler?ng tone early comes to caller.
83
Voice/Data Interference • Mutual interference between voice & data
– Shared radio resource – Shared network state – Complex control/signaling
• Complex dependency and coupling effects • Smart core in cellular networks, but
– Can be fragile
84