GTP basic concepts
GPRS currently supports data rates from 9.6 kbps to more than 100 kbps, and is best suited for burst forms of traffic. GPRS involves both radio and wired components. The mobile phone sends the message to a base station unit (radio based), and the base station unit sends the message to the carrier network and eventually the Internet (wired carrier network).
The network system then either sends the message back to a base station and to the destination mobile unit, or forwards the message to the proper carrier’s network where it gets routed to the mobile unit.
PDP Context
The packet data protocol (PDP) context is a connection between a mobile station and the end address that goes through the SGSN and GGSN. It includes identifying information about the mobile customer used by each server or device to properly forward the call data to the next hop in the carrier network, typically using a GTP tunnel between the SGSN and GGSN.
When a mobile customer has an active voice or data connection open, both the SGSN and GGSN have the PDP context information for that customer and session.
When a mobile phone attempts to communicate with an address on an external packet network, either an IP or X.25 address, the mobile station that phone is connected to opens a PDP context through the SGSN and GGSN to the end address. Before any traffic is sent, the PDP context must first be activated.
The information included in the PDP context includes the customer’s IP address, the IMSI number of the mobile handset, and the tunnel endpoint ID for both the SGSN and GGSN. The ID is a unique number, much like a session ID on a TCP/IP firewall. All this information ensures a uniquely identifiable connection is made.
Since one mobile device may have multiple connections open at one time, such as data connections to different Internet services and voice connections to different locations, there may be more than one PDP context with the same IP address making the extra identifying information required.
The endpoint that the mobile phone is connecting to only knows about the GGSN — the rest of the GPRS connection is masked by the GGSN.
Along the PDP context path, communication is accomplished in using three different protocols.
l The connection between the Mobile Station and SGSN uses the SM protocol. l Between SGSN and GGSN GTP is used. l Between GGSN and the endpoint either IP or X.25 is used.
FortiOS Carrier is concerned with the SGSN to GGSN part of the PDP context — the part that uses GTP.
For more about PDP context, see Tunnel Management Messages.
Creating a PDP context
While FortiOS Carrier is concerned mostly with the SGSN to GGSN part of the PDP Context, knowing the steps involved in creating a PDP context helps understand the role each device, protocol, and message type plays.
Both mobile stations and GGSNs can create PDP contexts.
A Mobile Station creates a PDP context
- The Mobile Station (MS) sends a PDP activation request message to the SGSN including the MS PDP address, and APN.
- Optionally, security functions may be performed to authenticate the MS.
- The SGSN determines the GGSN address by using the APN identifier.
- The SGSN creates a down link GTP tunnel to send IP packets between the GGSN and SGSN.
- The GGSN creates an entry in its PDP context table to deliver IP packets between the SGSN and the external packet switching network.
- The GGSN creates an uplink GTP tunnel to route IP-PDU from SGSN to GGSN.
- The GGSN then sends back to the SGSN the result of the PDP context creation and if necessary the MS PDP address.
- The SGSN sends an Activate PDP context accept message to the MS by returning negotiated the PDP context information and if necessary the MS PDP address.
- Now traffic can pass from the MS to the external network endpoint.
A GGSN creates a PDP context
- The network receives an IP packet from an external network.
- The GGSN checks if the PDP Context has already been created.
- If not, the GGSN sends a PDU notification request to the SGSN in order to initiate a PDP context activation.
- The GGSN retrieves the IP address of the appropriate SGSN address by interrogating the HLR from the IMSI identifier of the MS.
- The SGSN sends to the MS a request to activate the indicated PDP context.
- The PDP context activation procedure follows the one initiated by the MS. See “A Mobile Station creates a PDP context”.
- When the PDP context is activated, the IP packet can be sent from the GGSN to the MS.
Terminating a PDP context
A PDP context remains open until it is terminated. To terminate the PDP context an MS sends a Deactivate PDP context message to the SGSN, which then sends a Delete PDP Context message to the GGSN.
When the SGSN receives a PDP context deletion acknowledgment from the GGSN, the SGSN confirms to the MS the PDP context deactivation. The PDP can be terminated by the SGSN or GGSN as well with a slight variation of the order of the messages passed.
When the PDP Context is terminated, the tunnel it was using is deleted as well. If this is not completed in a timely manner, it is possible for someone else to start using the tunnel before it is deleted. This hijacking will result in the original customer being over billed for the extra usage. Anti-overbilling helps prevent this. See Configuring Anti-overbilling in FortiOS Carrier.
GPRS security
The GPRS network has some built-in security in the form of GPRS authentication. However this is minimal, and is not sufficient for carrier network security needs. A GTP firewall, such as FortiOS Carrier, is required to secure the Gi, Gn, and Gp interfaces.
GPRS authentication
GPRS authentication is handled by the SGSN to prevent unauthorized GPRS calls from reaching the GSM network beyond the SGSN (the base station system, and mobile station). Authentication is accomplished using some of the customer’s information with a random number and uses two algorithms to create ciphers that then allow authentication for that customer.
User identity confidentiality ensures that customer information stays between the mobile station and the SGSN — no identifying information goes past the SGSN. Past that point other numbers are used to identify the customer and their connection on the network.
Periodically the SGSN may request identity information from the mobile station to compare to what is on record, using the IMEI number.
Call confidentiality is achieved through the use of a cipher, similar to the GPRS authentication described earlier. The cipher is applied between the mobile station and the SGSN. Essentially a cipher mask is XORd with each outgoing frame, and the receiving side XORs with its own cipher to result in the original frame and data.
Parts of a GTPv1 network
A sample GTP network consists of the end handset sender, the sender’s mobile station, the carrier’s network including the SGSN and GGSN, the receiver’s mobile station, and the receiver handset.
When a handset moves from one mobile station and SGSN to another, the handset’s connection to the Internet is preserved because the tunnel the handset has to the Internet using GTP tracks the user’s location and information. For example, the handset could move from one cell to another, or between countries.
The parts of a GPRS network can be separated into the following groups according to the roles of the devices:
- Radio access to the GPRS network is accomplished by mobile phones and mobile stations (MS).
- Transport the GPRS packets across the GPRS network is accomplished by SGSNs and GGSNs, both local and remote, by delivering packets to the external services. l Billing and records are handled by CDF, CFR, HLR, and VLR devices.
GPRS networks also rely on access points and PDP contexts as central parts of the communication structure. These are not actual devices, but they are still critical .
These devices, their roles, neighboring devices, the interfaces and protocols they use are outlined in the following table.
Carrier network showing the interfaces used (GTPv1)
Devices on a GTPv1 network
Device role |
Neighboring Devices |
Interfaces used |
Protocols used |
Mobile Users |
Mobile Stations (MS) |
Radio Access
Technology (RAT) |
|
Mobile Stations (MS) |
Mobile Users, SGSN |
Gb |
IP, Frame Relay |
SGSN (local) |
MS, SGSN (local or remote),
GGSN (local and remote),
CDR, CFR, HLR, VLR |
Ga, Gb, Gn, Gp, Gz |
IP, Frame Relay, GTP, GTP’ |
SGSN (remote) |
SGSN (local) |
Gn |
GTP |
GGSN (local) |
SGSN (local or remote),
GGSN (local and remote),
CDR, CFR, HLR, VLR |
Ga, Gi, Gn, Gp, Gz |
IP, GTP, GTP’ |
GGSN (remote) |
SGSN (local), WAP gateway,
Internet, other external services |
Gi, Gp |
IP, GTPv1 |
CDR, CFR |
SGSN (local), GGSN (local) |
Ga, Gz |
GTP’ |
HLR, VLR |
SGSN (local), GGSN (local) |
Ga, Gz |
GTP’ |
Radio access
For a mobile phone to access the GPRS core network, it must first connect to a mobile station. This is a cellular tower that is connected to the carrier network.
How the mobile phone connects to the mobile station (MS) is determined by what Radio Access Technologies (RATs) are supported by the MS.
Transport
Transport protocols move data along the carrier network between radio access and the Internet or other carrier networks.
FortiOS Carrier should be present where information enters the Carrier network, to ensure the information entering is correct and not malicious. This means a Carrier-enabled FortiGate unit intercepts the data coming from the SGSN or foreign networks destined for the SSGN or GGSN onto the network, and after the GGSN as the data is leaving the network.
GTP
GPRS Tunnelling Protocol (GTP) is a group of IP-based communications protocols used to carry General Packet
Radio Service (GPRS) within Global System for Mobile Communications (GSM) and Universal Mobile Telecommunications System (UMTS) networks. It allows carriers to transport actual cellular packets over a network via tunneling. This tunneling allows users to move between SGSNs and still maintain connection to the Internet through the GGSN.
GTP has three versions version 0, 1, and 2. GTP1 and GTP2 are supported by FortiOS Carrier. The only GTP commands that are common to all forms of GTP are the echo request/response commands that allow GSNs to verify up to once every 60 seconds that neighboring GSNs are alive.
GTPv0
There have been three versions of GTP to date. The original version of GTP (version 0) has the following differences from version GTPv1.
l the tunnel identification is not random l there are options for transporting X.25 l the fixed port number 3386 is used for all functions, not just charging l optionally TCP is allowed as a transport instead of UDP l not all message types are supported in version 0
GTPv1
On a GPRS network, Packet Data Protocol (PDP) context is a data structure used by both the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The PDP context contains the subscribers information including their access point, IP address, IMSI number, and their tunnel endpoint ID for each of the
SGSN and GGSN.
The Serving GPRS Support Node (SGSN) is responsible for the delivery of data packets from and to the mobile stations within its geographical service area. Its tasks include packet routing and transfer, mobility management
(attach/detach and location management), logical link management, and authentication and charging functions.
The location register of the SGSN stores location information (e.g., current cell, current VLR) and user profiles (e.g., IMSI, address(es) used in the packet data network) of all GPRS users registered with this SGSN.
GTPv1-C
GTPv1-C refers to the control layer of the GPRS Transmission network. This part of the protocol deals with network related traffic.
FortiOS Carrier handles GTPv1-C in GTPv1 by using the Tunnel Endpoint IDentifier (TEID), IP address and a Network layer Service Access Point Identifier (NSAPI), sometimes called the application identifier, as an integer value that is part of the PDP context header information used to identify a unique PDP context in a mobile station, and SGSN.
For more information on GTPv1-C, see GTP-C messages.
GTPv1-U
GTPv1-U is defined in 3GPP TS 29.281 and refers to the user layer of the GPRS Tunneling network. This part of the protocol deals with user related traffic, user tunnels, and user administration issues.
A GTPv1-U tunnel is identified by a TEID, an IP address, and a UDP port number. This information uniquely identifies the limb of a GTPv1 PDP context. The IP address and the UDP port number define a UDP/IP path, a connectionless path between two endpoints (i.e. SGSN or GGSN). The TEID identifies the tunnel endpoint in the receiving GTPv1-U protocol entity; it allows for the multiplexing and demultiplexing of GTP tunnels on a UDP/IP path between a given GSN-GSN pair. For more information on GTPv1-U, see GTP-U messages.
The GTP core network consists of one or more SGSNs and GGSNs.
GGSN
The Gateway GPRS Support Node (GGSN) connects the GPRS network on one side via the SGSN to outside networks such as the Internet. These outside networks are called packet data networks (PDNs). The GGSN acts as an edge router between the two different networks — the GGSN forwards incoming packets from the external PDN to the addressed SGSN and the GGSN also forwards outgoing packets to the external PDN. the GGSN also converts the packets from the GPRS packets with SGSN to the external packets, such as IP or X.25.
SGSN
The Serving GPRS Support Node (SGSN) connects the GPRS network to GTPv1 compatible mobile stations, and mobile units (such as UTRAN and ETRAN) on one side and to the gateway node (GGSN), which leads to external networks, on the other side. Each SGSN has a geographical area, and mobile phones in that area connect to the GPRS network through this SGSN. The SGSN also maintains a location register that contains customer’s location and user profiles until they connect through a different SGSN at which time the customer information is moved to the new SGSN. This information is used for packet routing and transfer, mobility management also known as location management, logical link management, and authentication and billing functions.
GTPv2
GTPv2, defined in 3GPP TS 29.274, is dramatically different from GTPv1, defined in 3GPP TS 29.060. Where in
GTPv1 the tunnel is between the SGSN and the GGSN, in GTPv2 The SGSN is between the MME and the LTE Serving Gateway (S-GW), beyond which is the PDN gateway (P-GW). Even tunnel management messages have changed significantly.
Network diagram for GTPv2
Device roles on a GTPv2 network
Device role |
Neighboring Devices |
Interfaces used |
Protocols used |
Mobile Users |
Mobile Stations (MS) |
Radio Access
Technology (RAT) |
— |
GTPv1 Mobile Stations (MS) |
Mobile Users, SGSN |
Gb |
IP, Frame Relay |
GTPv2 Mobile Stations (MS) |
Mobile Users, MME |
??? |
IP, Frame Relay |
SGSN (local) |
GTPv1 MS, SGSN, S-GW |
??? |
IP, Frame Relay, GTPv1, GTP’ |
S-GW |
SGSN, MME, P-GW |
??? |
IP, GTPv2, GTP’ |
P-GW |
S-GW, Internet, other external services |
??? |
IP, GTPv2 |
GTPv2-C
GTPv2-C is the control layer messaging for GTPv2. It is used by LTE mobile stations, SGSN units for backwards compatibility, and SGWs that are the gateway to other networks. The messaging is very different from GTPv1. GTPv2-C is required to communicate with the Mobility Management Entity (MME) to create, change and delete EPS bearers when handover events happen, and to create Forwarding tunnels. The protocol is also used to communicate with the Serving Gateway (SGW) which has the S-GW and PDN-GW interfaces, and the Serving GPRS Support Node (SGSN).
MME
MME essentially fills the role of the SGSN in a GTPv1 network — it is how the mobile stations gain access to the
Carrier network. GTPv2 supports different mobile stations than GTPv1, so MME handles the GTPv2 MSes and SGSN handles the GTPv1 MSes
GPRS network common interfaces
Billing and records
A major part of the GPRS network is devoted to billing. Customer billing requires enough information to identify the customer, and then billing specific information such as connection locations and times, as well as amount of data transferred. A modified form of GTP called GTP’ is used for billing. The home location records and visitor location records store information about customers that is critical to billing.
GTP’ (GTP prime)
GTP is used to handle tunnels of user traffic between SGSNs and GGSNs. However for billing purposes, other devices that are not supported by GTP are required. GTP’ (GTP prime) is a modified form of GTP and is used to communicate with these devices such as the Charging Data Function (CDF) that communicates billing information to the Charging Gateway Function (CGF). In most cases, GTP‘ transports user records from many individual network elements, such as the GGSNs, to a centralism computer which then delivers the charging data more conveniently to the network operator’s billing center, often through the CGF. The core network sends charging information to the CGF, typically including PDP context activation times and the quantity of data which the end user has transferred.
GTP’ is used by the Ga and Gz interfaces to transfer billing information. GTP’ uses registered UDP/TCP port 3386. GTP’ defines a different header, additional messages, field values, as well as a synchronization protocol to avoid losing or duplicating CDRs on CGF or SGSN/GGSN failure. Transferred CDRs are encoded in ASN.1.
HLR
The Home Location Register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time. The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record.
VLR
The Visitor Location Register (VLR) is a database which stores information about all the mobile devices that are currently under the jurisdiction of the Mobile Switching Center which it serves. Of all the information the VLR stores about each Mobile Station, the most important is the current Location Area Identity (LAI). This information is vital in the call setup process.
Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, informing it of the new location of that MS.
For more information on GTP‘, see GTP-U and Charging Management Messages.