Increasing the security of VoLTE with YateUCN

The emergence of VoLTE-capable devices is raising new security concerns for mobile network operators, as existing IMS deployments expose vulnerabilities in VoLTE handsets to other devices in the network. YateUCN unified core network brings a solution to these concerns by isolating SIP and RTP call legs between handsets.


LTE uses an IMS network to deliver VoLTE (voice services), and does so via the Session Initiation Protocol (SIP). This makes the IMS network act as a SIP proxy, performing routing, session control, and registering the UE to VoLTE. Voice is delivered through RTP from one UE to the other. Therefore, in case of a security attack, it is theoretically possible for a third party to send additional information to the target UE through a forged SIP message relayed by the IMS.


Voice communication in 4G LTE can also be subject to malicious acts at various layers of the channel, including the IP packet, UDP, RTP, or even the codec level.

What’s more, SIP is also implemented directly in the baseband processor of the latest generation smartphones to allow subscribers to use VoLTE, making it easy for a potential smartphone takeover to occur.


For SIP signaling, YateUCN acts as a Back-to-Back User Agent (B2BUA) server, ensuring a secure transmission of data. B2BUA allows SIP communication from the originating party (or User Agent) to be terminated at one side of the network, where the message is verified. Any harmful information included in the received SIP message is eliminated and the message is recomposed to include only the information needed for the SIP message to reach the end party.

The risk of attacks decreases since malicious data is not automatically allowed to pass from one UE to the other, and the split SIP messages are negotiated independently on the originating and terminating sides.
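The verify-and-recompose step described above, as an added sketch that is not YateUCN code: the B-leg INVITE is built from scratch out of an allowlist instead of forwarding the A-leg message, so unknown headers never reach the called UE. The header allowlist, the SDP line policy and all names (`recompose`, `sample`, `ucn.example.net`) are assumptions; From/To/CSeq are copied verbatim for brevity, where a production B2BUA would typically regenerate tags and rewrite media addresses.

```python
import re

# Assumed policy for this sketch; not YateUCN's actual rule set.
COPIED = ("from", "to", "cseq")                  # only A-leg headers reused on the B-leg
HEADER = re.compile(r"([A-Za-z-]+): ?([\x20-\x7e]{1,256})")   # printable ASCII, bounded
SDP_LINE = re.compile(r"[vosctma]=[\x20-\x7e]{1,200}")
REQUEST = re.compile(r"INVITE (sip:[\w.+-]+@[\w.-]+) SIP/2\.0")

def parse(raw):
    head, _, body = raw.partition("\r\n\r\n")
    first, *lines = head.split("\r\n")
    m = REQUEST.fullmatch(first)
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines:
        h = HEADER.fullmatch(line)               # folded or binary header lines fail here
        key = h.group(1).lower() if h else None
        if not h or (key in COPIED and key in headers):
            raise ValueError("malformed or duplicate header")
        headers[key] = h.group(2).strip()
    return m.group(1), headers, body

def recompose(raw, host, call_id, branch):
    """Verify an A-leg INVITE, then build the B-leg INVITE from allowlisted parts."""
    uri, headers, body = parse(raw)
    if any(h not in headers for h in COPIED):
        raise ValueError("missing mandatory header")
    if headers.get("content-length") != str(len(body.encode())):
        raise ValueError("Content-Length mismatch")
    sdp = [l for l in body.split("\r\n") if l]
    if headers.get("content-type") != "application/sdp" or not sdp:
        raise ValueError("missing or unexpected body")
    if not all(SDP_LINE.fullmatch(l) for l in sdp):
        raise ValueError("SDP line outside policy")
    new_body = "".join(l + "\r\n" for l in sdp)
    out = [f"INVITE {uri} SIP/2.0",
           f"Via: SIP/2.0/UDP {host};branch=z9hG4bK{branch}",  # B2BUA's own Via
           "Max-Forwards: 70", f"From: {headers['from']}", f"To: {headers['to']}",
           f"Call-ID: {call_id}@{host}",                       # new dialog identifier
           f"CSeq: {headers['cseq']}", f"Contact: <sip:{host}>",
           "Content-Type: application/sdp", f"Content-Length: {len(new_body)}"]
    return "\r\n".join(out) + "\r\n\r\n" + new_body

# Constructed sample: an INVITE carrying one header the policy does not know.
BODY = "v=0\r\no=- 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 96\r\n"
def sample(body=BODY, extra="X-Vendor-Blob: AAAAAAAA"):
    return "\r\n".join(["INVITE sip:bob@ims.example.net SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKabc",
        "From: <sip:alice@ims.example.net>;tag=1", "To: <sip:bob@ims.example.net>",
        "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", extra,
        "Content-Type: application/sdp", f"Content-Length: {len(body)}", "", body])
```

Calling `recompose(sample(), "ucn.example.net", "c1", "b1")` returns a B-leg INVITE without the unknown header, the A-leg Via or the A-leg Call-ID; a message that fails any check raises `ValueError` and is not forwarded.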

Unlike current IMS deployments, YateUCN allows the same message decoding, verification, and re-encoding of RTP by acting as a proxy. This also simplifies the deployment of Voice over LTE, since handsets only need to connect to the YateUCN server.

A forecast on the evolution of radio access networks

This month we participated in an active antenna workshop in Warsaw. The event was well attended by many RAN managers, strategists and planners from various mobile operators around the world. There were also a large number of radio head and eNodeB, antenna, semiconductor, materials and test equipment vendors.

Crowded towers

There was a lot of talk about crowded towers. The majority of towers are already very crowded and at their mechanical limits. Because new equipment cannot be added, often the only solution is to replace existing equipment with new antennas and radios. Since everyone in the industry wants ‘cleaner’, less crowded towers, the experts found that radio equipment capable of running on both GSM and LTE would help reduce the overall load on cell site towers.


3G sunset

During this workshop, quite a few of our beliefs regarding the future of UMTS were confirmed:

  • In a number of markets UMTS 3G will be discontinued, while 2G will continue to stay, allowing for 2G/4G mixed networks to flourish.
  • While 2G spectrum allocation will diminish in time, GSM will still be alive and well for a while.
  • In many markets, UMTS 3G spectrum is already re-farmed for 4G LTE.

Massive MIMO?

As the workshop’s theme was the evolution of active antennas, a lot of the conversation revolved around MIMO technology and MIMO antennas. The 2×2 MIMO configuration is becoming a standard for mobile networks, and 4×2 MIMO is expected to become the standard in two to three years. There is little prospect in the industry for LTE devices to support more than 2 MIMO channels, meaning that the most practical MIMO configuration is the Nx2 variety. One of the most important current issues is that many LTE devices still don’t support MIMO.

Vertical sectorization

In terms of vertical sectorization, the consensus is that it can be useful only when combined with fast-responding self-organizing networks (SON). Vertical sectorization is only efficient when used throughout the whole network, and not just in a few cell sites. However, vertical sectorization will be obsolete once most LTE devices support MIMO.

VoLTE perspectives from the RAN side

RAN experts present at the workshop discussed VoLTE’s slow adoption. One reason for this is that for any given cell site, the service range for VoLTE is typically smaller than that for UMTS’ or GSM’s circuit-switched service. Its range is also limited by the overall uplink performance. However, MIMO antennas are expected to improve VoLTE’s uplink performance.

Summary

It was a pleasure to meet with so many representatives from both operators and vendors and hear their insights. To answer the current needs of the industry, we developed combined 2G/4G software-defined radio systems. Our SatSite macro base station will support GSM and LTE independently, as well as at the same time, using a common radio access. This event was a confirmation that we are on the right track, as mixed 2G/4G networks are the future of mobile networks.

The challenges behind VoLTE

In previous blog posts and demos we showed that a simplified approach is the way to obtain clear results in deploying VoLTE and 2G/4G mixed networks. We performed the industry’s first VoLTE call from a GSM mobile phone to an iPhone 6, through a single unified core network, the YateUCN, and we presented our solution for handling SRVCC (Single Radio Voice Call Continuity) as an inter-MSC (Mobile Switching Center) handover from 4G to 2G in the same YateUCN. Follow our take on why VoLTE hasn’t developed as rapidly as we all expected it would. We’ll give our insight and what we’ve learned from the many discussions we’ve had with mobile operators and smartphone producers alike.

Sure, VoLTE is great! Combining the powers of IMS and LTE, VoLTE offers excellent high-definition voice calls. It also guarantees a Quality of Service component, ensuring that customers get an unprecedented quality of voice services. However, VoLTE depends on far too many aspects to be fully functional and widely deployed, contrary to what optimistic reports have predicted in the past.


One of the main issues operators and customers alike are facing is the fact that there’s still a shortage of VoLTE capable smartphones. By April 2015 Verizon offered around 15 devices supporting VoLTE, while AT&T’s smartphone selection included around 19 devices capable of HD voice in July 2015, as seen on their online shop. The iPhone 6 is still the only device capable of supporting VoLTE for all the operators that offer it. What’s more, most of these devices came from about 5 smartphone vendors, giving customers a limited choice when they buy a new phone.

Approximately 97% of VoLTE capable smartphones have their LTE chipset from the same vendor. According to reports from smartphone producers and operators alike, the VoLTE client is not stable enough, this being the reason why some vendors don’t even activate VoLTE in the baseband, and also why operators implement VoLTE in both the smartphones and the IMS network itself differently.

This also leads to the lack of interoperability between mobile carriers. Currently, VoLTE works only between devices belonging to the same network: for example, a T-Mobile customer using a VoLTE capable handset cannot roam in the AT&T VoLTE network of a called party. However, this was one of the main goals when VoLTE specifications were developed and we should still expect it to happen at some point.

Lastly, and perhaps most importantly, VoLTE deployments are scarce. A GSA report from July 2015 showed that only 25 operators have commercially launched VoLTE networks in 16 countries, while there are around 103 operators in 49 countries who are planning, trialling or deploying VoLTE. Compared with the total of 422 LTE networks commercially launched in 143 countries, VoLTE deployments are dramatically lower. This is the result of mobile carriers having a difficult time planning and building functional LTE and VoLTE networks, while also developing the essential Single Radio Voice Call Continuity (SRVCC) technology in an effective and performant way.

VoLTE still needs to leap over many hurdles until it becomes a technology used worldwide. Operators, network equipment vendors, smartphone and chipset producers need to cooperate and jointly find technical solutions that will allow for a swifter VoLTE roll-out in most LTE networks.

SRVCC made easy

As promised in our last LTE technology post, we want to tackle a new technology used in voice in 4G: Single Radio Voice Call Continuity. We’ll explain what SRVCC entails and give you an insight into our own approach towards this technology: inter-MSC SRVCC from 4G to 2G.

While most voice traffic in LTE is provided with CSFB, today the next stage involves using VoLTE and a technology called SRVCC for providing seamless voice continuity from LTE to other 2G/3G networks in areas not covered by LTE.

One of the main issues operators face with LTE is that deployment is spotty and incomplete. Once the big challenge of deploying VoLTE has been overcome, operators have to use SRVCC to offer subscribers continuous voice traffic when they reach an area without LTE coverage.

SRVCC allows for inter-Radio Access Technology handover, while also providing handover from a packet data-only network to a CS network. As the name suggests, SRVCC removes the need for two simultaneous active radios in devices, as required by CSFB, preserving the battery life, and manages to maintain continuous QoS during voice calls which are in progress. SRVCC is also a mandatory technology for maintaining continuity during emergency calls.

Typically, SRVCC enables voice and data handover from LTE to legacy networks and vice versa. To enable SRVCC, operators need to upgrade their legacy MSCs, the LTE RAN and EPC and the IMS network for VoLTE.

We have a different, simpler approach to offer operators: our YateUCN server handles SRVCC by performing an inter-MSC handover from 4G to 2G. Built to simultaneously be an MME/MSC and the IMS network for VoLTE, YateUCN performs SRVCC without the additional network upgrades (in LTE and 2G) mentioned above.


With YateUCN, the SRVCC handover will be performed as simply as an inter-MSC handover, without the additional investments normally required.

We are committed to innovation and believe in providing software-defined mobile network equipment, designed to cater to both 4G and 2G, while relieving operators from the huge costs of upgrade, maintenance and service. Our resilient and scalable YateUCN embodies this philosophy entirely.

Voice in LTE – CSFB trials and tribulations

As LTE is a packet data-only network, operators use two main solutions to provide voice to their subscribers with LTE devices: VoLTE, which we previously discussed in our blog posts, and Circuit Switched Fallback (CSFB).

CSFB is often seen as a “temporary” solution, until there are enough VoLTE devices on the market, and consists of 4G users being handed over to legacy 2G/3G networks to use voice services. However, CSFB also has major challenges, such as the fact that subscribers can lose their 4G data connectivity after their CSFB call has ended. This is also a troublesome aspect for operators with LTE-only networks, as they have roaming agreements with MNOs for voice services over 2G or 3G, and will be forced to pay higher fees when their subscribers don’t return to their 4G networks.

CSFB allows operators with newly created LTE networks to exploit their legacy networks or to use MVNO agreements, and provide voice capabilities without major investments or fundamental changes to their circuit switched (CS) core networks. CSFB moves a subscriber from the LTE core network to the CS core network through the SGs interface during call setup (the SGs interface is added to the LTE architecture and allows mobility management and paging procedures between the MME and the MSC). Normally, one would expect the subscriber will return to the LTE network once the call has ended. The reality, however, is otherwise.


Among CSFB’s main issues, we can name:

  • data traffic suspends during the handover between networks
  • data rates decrease dramatically during the CSFB call’s answer and hang-up moments
  • mobile apps terminate during the CSFB voice call
  • data transfer is suspended during the call if the 2G/3G networks don’t support dual transfer mode
  • most importantly, once the voice call has ended, the subscriber cannot return to the home LTE network; this occurs especially in the case of MVNO agreements, and not when the operator has both the LTE and CS networks

Studies have shown that behavior patterns such as those listed above depend on the data packet size and the running data packet interval.

Operators with LTE-only networks need to use roaming agreements with other MNOs to enable CSFB. Therefore, they are the ones who will bear the data traffic costs when their subscribers remain stuck in 2G/3G networks, sometimes even for hours.

The main impediment in proposing a solution that will work for all operators and will prevent such problems is that CSFB standards don’t give any insight into how devices are supposed to return to the LTE home network. One solution non-MVNOs typically adopt is to set up rules for the handover back to 4G or for the cell reselection procedure.

Stay tuned for our next blog post in which we’ll cover more on voice solutions for 4G, namely inter-MSC SRVCC from LTE to 2G.

Unified Core Network Demo with iPhone 6

Recently, we verified the interoperability of the new iPhone 6 with the Unified Core Network™, by performing the industry’s first VoLTE call from a GSM mobile phone to an iPhone 6, through a single unified switch. This is a Big Deal. Why?

First, Some Background on the Problem

One of the changes 4G LTE is forcing on mobile operators is the elimination of the older SS7 MAP core networks of 2G and 3G in favor of IMS. However, many critical services, like roaming, are not yet “fully baked” in IMS, so operators will probably continue to run 2G and 3G networks for the foreseeable future. In fact, mixed 2G/4G deployments are happening in many places right now and those operators are in the situation of installing and managing two nearly independent core networks.

The Solution

SS7Ware’s Unified Core Network (UCN), along with YateBTS, is the answer to the 2G/4G mixed network problem. The UCN provides a “packet core” for routing internet traffic and an IMS/VoLTE core for handling calls and text messages. It works with YateBTS to support 2.5G GSM/GPRS handsets and with any standard eNodeB to support 4G LTE devices. We first introduced it with this video. (In that first video we referred to “OpenSAE” and “OpenVoLTE” as two different things, but we have since combined them into a single UCN server.)

The switching, routing and mobility management functions of the core network (4G SAE/IMS and 2G Mobile Switching Center/Visitor Location Register/GPRS support node) are implemented in a single UCN server. This approach offers many advantages:

  • Simplified architecture; even a large network is just many copies of an identical box.
  • Simple scalability; just add more servers.
  • Increased network resiliency: there is a many-to-many relationship between radio sites and UCN servers, with seamless failover and load balancing.

And now the Demos!

Most recently, we have been testing the UCN with the IMS client in the new iPhone 6. (Unlike over-the-top applications like Skype, a true IMS client is implemented in the baseband processor, so using a true VoLTE-capable handset is critical.) We used the UCN with an off-the-shelf LTE eNodeB to provide a 4G radio network for the iPhone and we used YateBTS to provide a 2G radio network for a second test phone. In this first demo video, the iPhone registers to the UCN through the 4G radio network and the GSM phone registers to the UCN through the 2G radio network.

The two phones register to the same HLR using SS7-MAP. Then, we exchanged text messages between the two handsets. If you are a hardcore techie, here is a ladder diagram, and here is the signaling trace from the UCN server console. If you look at the ladder diagram, you see that we are using conventional SS7-MAP to register an LTE iPhone 6 to the HLR. This solves the LTE roaming problem, and we can do it thanks to the Yate messaging engine, which is the basis of the UCN server.

In the second demo video, we make phone calls between the two handsets.

For the 2G phone, this is an ordinary circuit-switched GSM call. For the 4G phone, this is a VoLTE call. What is special here is that these calls are being handled by a single switch in the UCN, behaving as a 4G IMS and a 2G MSC at the same time. We can do this because the UCN server is built on Yate, which combines one of the most solid SIP implementations in the industry with carrier-certified SS7-MAP support, and because YateBTS gives us a very LTE-like RAN for 2.5G.

We have already had the opportunity to present this technology to mobile operators. Their first reaction is disbelief, followed by a lot of excitement. “You mean we can use CAMEL on a VoLTE call?” “You mean we can authenticate 4G handsets in an ordinary HLR?” “You mean we can run GSM and LTE out of the same core network?” And to this we say, “Yes, you can!”