1. Field of the Invention
The present invention relates to mobility management for wireless devices in a cellular communications network, and in particular to controlling handover of a wireless device from one cell of the network to another. While it is described below in the context of an LTE (“long term evolution”) type of cellular network for illustration purposes and because it happens to be well suited to that context, those skilled in the communication art will recognize that the invention disclosed herein can also be applied to various other types of cellular networks.
2. Discussion of the Related Art
Universal mobile telecommunications system (UMTS) is a 3rd Generation (3G) asynchronous mobile communication system operating in wideband code division multiple access (WCDMA) based on European systems, global system for mobile communications (GSM) and general packet radio services (GPRS). The long term evolution (LTE) of UMTS is under discussion by the 3rd generation partnership project (3GPP) that standardized UMTS.
The 3GPP LTE is a technology for enabling high-speed packet communications. Many schemes have been proposed for the LTE objective including those that aim to reduce user and provider costs, improve service quality, and expand and improve coverage and system capacity. The 3G LTE requires reduced cost per bit, increased service availability, flexible use of a frequency band, a simple structure, an open interface, and adequate power consumption of a terminal as an upper-level requirement.
FIG. 1 is a block diagram illustrating network structure of an evolved universal mobile telecommunication system (E-UMTS). The E-UMTS may be also referred to as an LTE system. The communication network is widely deployed to provide a variety of communication services such as voice and packet data.
As illustrated in FIG. 1, the E-UMTS network includes an evolved UMTS terrestrial radio access network (E-UTRAN) and an Evolved Packet Core (EPC) and one or more user equipment. The E-UTRAN may include one or More evolved NodeB (eNodeB, or eNB) 20, and a plurality of user equipment (UE) 10 may be located in one cell. One or more E-UTRAN mobility management entity (MME)/system architecture evolution (SAE) gateways 30 may be positioned at the end of the network and connected to an external network.
As used herein, “downlink” refers to communication from eNodeB 20 to UE 10, and “uplink” refers to communication from the UE to an eNodeB. UE 10 refers to communication equipment carried by a user and may be also be referred to as a mobile station (MS), a user terminal (UT), a subscriber station (SS) or a wireless device.
An eNodeB 20 provides end points of a user plane and a control plane to the UE 10. MME/SAE gateway 30 provides an end point of a session and mobility management function for UE 10. The eNodeB and MME/SAE gateway may be connected via an S1 interface.
The eNodeB 20 is generally a fixed station that communicates with a UE 10, and may also be referred to as a base station (BS) or an access point. One eNodeB 20 may be deployed per cell. An interface for transmitting user traffic or control traffic may be used between eNodeBs 20.
The MME provides various functions including distribution of paging messages to eNodeBs 20, security control, idle state mobility control, SAE bearer control, and ciphering and integrity protection of non-access stratum (NAS) signaling. The SAE gateway host provides assorted functions including termination of U-plane packets for paging reasons, and switching of the U-plane to support UE mobility. For clarity, MME/SAE gateway 30 will be referred to herein simply as a “gateway,” but it is understood that this entity includes both an MME and an SAE gateway.
A plurality of nodes may be connected between eNodeB 20 and gateway 30 via the S1 interface. The eNodeBs 20 may be connected to each other via an X2 interface and neighboring eNodeBs may have a meshed network structure that has the X2 interface.
FIG. 2(a) is a block diagram depicting an architecture of a typical E-UTRAN and a typical EPC. As illustrated, eNodeB 20 may perform functions of selection for gateway 30, routing toward the gateway during a Radio Resource Control (RRC) activation, scheduling and transmitting of paging messages, scheduling and transmitting of Broadcast Channel (BCCH) information, dynamic allocation of resources to UEs 10 in both uplink and downlink, configuration and provisioning of eNodeB measurements, radio bearer control, radio admission control (RAC), and connection mobility control in LTE_ACTIVE state. In the EPC, and as noted above, gateway 30 may perform functions of paging origination, LTE-IDLE state management, ciphering of the user plane, System Architecture Evolution (SAE) bearer control, and ciphering and integrity protection of Non-Access Stratum (NAS) signaling.
FIGS. 2(b) and 2(c) are block diagrams depicting the user-plane protocol and the control-plane protocol stack for the E-UMTS. As illustrated, the protocol layers may be divided into a first layer (L1), a second layer (L2) and a third layer (L3) based upon the three lower layers of an open system interconnection (OSI) standard model that is well-known in the art of communication systems.
The physical layer, the first layer (L1), provides an information transmission service to an upper layer by using a physical channel. The physical layer is connected with a medium access control (MAC) layer located at a higher level through a transport channel, and data between the MAC layer and the physical layer is transferred via the transport channel. Between different physical layers, namely, between physical layers of a transmission side and a reception side, data is transferred via the physical channel.
The MAC layer of Layer 2 (L2) provides services to a radio link control (RLC) layer (which is a higher layer) via a logical channel. The RLC layer of Layer 2 (L2) supports the transmission of data with reliability. It should be noted that the RLC layer illustrated in FIGS. 2(b) and 2(c) is depicted because if the RLC functions are implemented in and performed by the MAC layer, the RLC layer itself is not required. The PDCP layer of Layer 2 (L2) performs a header compression function that reduces unnecessary control information such that data being transmitted by employing Internet protocol (IP) packets, such as IPv4 or IPv6, can be efficiently sent over a radio (wireless) interface that has a relatively small bandwidth.
A radio resource control (RRC) layer located at the lowest portion of the third layer (L3) is only defined in the control plane and controls logical channels, transport channels and the physical channels in relation to the configuration, reconfiguration, and release of the radio bearers (RBs). Here, the RB signifies a service provided by the second layer (L2) for data transmission between the terminal and the E-UTRAN.
As illustrated in FIG. 2(b), the RLC and MAC layers (terminated in an eNodeB 20 on the network side) may perform functions such as Scheduling, Automatic Repeat Request (ARQ), and hybrid automatic repeat request (HARQ). The PDCP layer (terminated in eNodeB 20 on the network side) may perform the user plane functions such as header compression, integrity protection, and ciphering.
As illustrated in FIG. 2(c), the RLC and MAC layers (terminated in an eNodeB 20 on the network side) perform the same functions as for the control plane. As illustrated, the RRC layer (terminated in an eNodeB 20 on the network side) may perform functions such as broadcasting, paging, RRC connection management, Radio Bearer (RB) control, mobility functions, and UE measurement reporting and controlling. The NAS control protocol (terminated in the MME of gateway 30 on the network side) may perform functions such as a SAE bearer management, authentication, LTE_IDLE mobility handling, paging origination in LTE_IDLE, and security control for the signaling between the gateway and UE 10.
The NAS control protocol may use three different states; first, a LTE_DETACHED state if there is no RRC entity; second, a LTE_IDLE state if there is no RRC connection while storing minimal UE information; and third, an LTE_ACTIVE state if the RRC connection is established. Also, the RRC state may be divided into two different states such as a RRC_IDLE and a RRC_CONNECTED.
In RRC_IDLE state, the UE 10 may receive broadcasts of system information and paging information while the UE specifies a Discontinuous Reception (DRX) configured by NAS, and the UE has been allocated an identification (ID) which uniquely identifies the UE in a tracking area. Also, in RRC-IDLE state, no RRC context is stored in the eNodeB.
In RRC_CONNECTED state, the UE 10 has an E-UTRAN RRC connection and a context in the E-UTRAN, such that transmitting and/or receiving data to/from the network (eNodeB) becomes possible. Also, the UE 10 can report channel quality information and feedback information to the eNodeB.
In RRC_CONNECTED state, the E-UTRAN knows the cell to which the UE 10 belongs. Therefore, the network can transmit and/or receive data to/from UE 10, the network can control mobility (handover) of the UE, and the network can perform cell measurements for a neighboring cell.
In RRC_IDLE mode, the UE 10 specifies the paging DRX (Discontinuous Reception) cycle. Specifically, the UE 10 monitors a paging signal at a specific paging occasion of every UE specific paging DRX cycle.
FIG. 3 illustrates a typical handover procedure in an LTE system. The handover procedure is made to transfer, or hand off, a pending communication from a source cell, serviced by a source eNodeB 20S, to a target cell, serviced by a target eNodeB 20T. We consider here the case where the source and target cells are not serviced by the same eNodeB.
The source eNodeB 20S configures the UE measurement procedures, which form part of the RRC protocol depicted in FIG. 2(a), according to area restriction information provisioned in each eNodeB. This may be done by sending one or more MEASUREMENT CONTROL messages to the UE 10 in the RRC_CONNECTED state, as illustrated in step S1 of FIG. 3. Measurements requested by the source eNodeB 20S may assist the function controlling the UE's connection mobility. The UE 10 is then triggered to send MEASUREMENT REPORT messages (step S2) according to rules set by e.g. system information broadcast by the source eNodeB and/or specified in the MEASUREMENT CONTROL message or additional downlink signaling.
For each UE in the RRC_CONNECTED state, the source eNodeB 20S runs one or more handover control algorithms whose inputs include the measurements reported by the UE 10 and possibly other measurements made by the source eNodeB 20S. Depending on the measurements, the source eNodeB 20S may decide to hand off the UE 10 to a target eNodeB 20T (step S3 of FIG. 3). When this occurs, the source eNodeB 20S issues a HANDOVER REQUEST message to the target eNodeB 20T (step S4), passing necessary information to prepare the handover on the target side. Such information includes a UE X2 signaling context reference at the source eNodeB, a UE S1 EPC signaling context reference, a target cell identifier, an RRC context and a SAE bearer context. The UE X2 and UE S1 signaling context references enable the target eNodeB to address the source eNodeB and the EPC. The SAE bearer context includes necessary radio network layer (RNL) and transport network layer (TNL) addressing information.
An admission control function may be performed by the target eNodeB 20T depending on the received SAE bearer quality of service (QoS) information to increase the likelihood of a successful handover, if the necessary resources are available at the target eNodeB (step S5 of FIG. 3). If the handover is admitted, the target eNodeB 20T configures the resources according to the received SAE bearer QoS information and reserves a new cell-radio network temporary identifier (C-RNTI) for the sake of identifying the UE 10 in the target cell. The target eNodeB 20T prepares the handover in layers 1 and 2 and sends a HANDOVER REQUEST ACKNOWLEDGE message to the source eNodeB 20S (step S6). The HANDOVER REQUEST ACKNOWLEDGE message includes a transparent container to be passed to the UE 10. The container may include the new C-RNTI allocated by the target eNodeB, and possibly some other parameters such as access parameters, system information blocks (SIBs), etc. The HANDOVER REQUEST ACKNOWLEDGE message may also include RNL/TNL information for the forwarding tunnels, if necessary.
In response, the source eNodeB 20S generates the HANDOVER COMMAND message of the RRC protocol and sends it towards the UE 10 (step S7). In parallel (step S8), the source eNodeB 20S transfers to the target eNodeB 20T part or all of the packets that are buffered for transmission to the UE and currently in transit towards the UE, as well as information relating to acknowledgement status of the packets by the UE.
The HANDOVER COMMAND message includes the transparent container, which has been received from the target eNodeB 20T. The source eNodeB applies the necessary functions of integrity protection and ciphering to the message. The UE receives the HANDOVER COMMAND message with the necessary parameters (new C-RNTI, possible starting time, target eNodeB SIBs etc.) and is thereby instructed by the source eNodeB 20S to perform the handover. The UE 10 complies with the handover command by detaching from the source cell, getting synchronization and accessing the target cell (step S9).
When the UE 10 has successfully accessed the target cell, it sends an HANDOVER CONFIRM message to the target eNodeB 20T using the newly allocated C-RNTI (step S10 in FIG. 3) to indicate that the handover procedure is completed on the UE side. The target eNodeB 20T verifies the C-RNTI sent in the HANDOVER CONFIRM message. If the verification is positive, the EPC is informed by the HANDOVER COMPLETE message from the target eNodeB 20T (step S11) that the UE has changed cell. In step S12, the EPC switches the downlink data path to the target side and it releases any U-plane/TNL resources towards the source eNodeB 20S. The EPC confirms by returning a HANDOVER COMPLETE ACK message in step S13.
The target eNodeB 20T then informs the source eNodeB 20S that the handover was successful by sending a RELEASE RESOURCE message (step S14), which triggers the release of resources, i.e. radio and C-plane related resources associated to the UE context, by the source eNodeB in step S15.
It happens that a UE 10 in the RRC_CONNECTED state, communicating with a given eNodeB 20, undergoes a radio link failure. The UE 10 can then either perform an RRC connection reestablishment procedure to resume the bearer operation with the same eNodeB or a different one, or switch to the RRC_IDLE state and request a new RRC connection when possible. A radio link failure can, in particular, occur between steps S6 and S7 in the handover procedure shown in FIG. 3 (perhaps degradation of the radio link prior to failure was the reason for the handover decision). In such a case, the UE 10 will often end up selecting the right target cell, particularly if the target was selected by the source eNodeB 20S based on channel conditions. Even though the target eNodeB 20T has already obtained all the necessary information about the UE 10 from the source eNodeB 20S, the UE 10 may still have to go via the RRC_IDLE state, which is undesirable as it requires relatively complex procedures involving the EPC.
It has been proposed (“Handover Failure Recovery”, R2-071717, 3GPP TSG-RAN WG2 Meeting #58, Kobe, Japan, 7-11 May 2007) to deal with this situation by letting the source eNodeB 20S send to the target eNodeB 20T, in the HANDOVER REQUEST message, the UE identity that may be used in an RRC connection request if the radio link fails, i.e. the identity that is used by the UE when accessing a new cell after the cell selection process. When a radio link failure occurs in the preparation phase of the handover, before the UE 10 has a chance to receive the HANDOVER COMMAND message, and if the UE ends up selecting the cell targeted by the handover procedure, the target eNodeB 20T would then be able to identify the UE and indicate to the UE the possibility to reuse its existing RRC connection instead of setting up a brand new connection and contacting the EPC. In other words, the system would behave as if the handover had been successful.
Thus, instead of transmitting the HANDOVER CONFIRM message to the target eNodeB 20T, the UE 10 undergoing a radio link failure sends an RRC CONNECTION REESTABLISHMENT REQUEST message indicating a UE identifier that the target eNodeB 20T will use in order to identify the UE and to be able to link this UE to the UE context received from the source eNodeB 20S. If the verification is positive, the target eNodeB 20T indicates to the UE 10 that its connection can be resumed (it need not switch to the RRC_IDLE state), by returning a RRC CONNECTION REESTABLISHMENT message.
The UE identifier indicated by the UE and used by the target eNodeB for contention resolution may consist of the C-RNTI associated with a message authentication code for integrity (MAC-I). See “Radio Link Failure Recovery”, R2-072382, 3GPP TSG-RAN WG2 Meeting #58, Orlando, U.S.A., 25-29 Jun. 2007. The use of a MAC-I provides some security against intruders that may attempt to use the existing connection of a legitimate user. However, the security is not perfect and in particular intruders may replay the UE identifier transmitted by the legitimate UE to try a fraudulent use of the RRC connection.
An object of the present invention is to enhance security in case of a radio link failure taking place while a handover procedure is being executed.