Department of: technology programs and customer service WiMAX Survey

WiMAX Survey: Sub-Sections

1 WiMAX Introduction

2 WiMAX Architecture

3 WiMAX Standardization

4 PHY and MAC Layer

5 WiMAX Security

6 WiMAX Implementations

7 Future Outlook

8 Technical Aspects

This document consists of 178 pages.

Chapter 1: WiMAX Introduction

TS09TEC09En 1

Aim of study: This chapter introduces coverage of WiMAX.

Contents

1 Basic Terms and Ideas

2 Market Analysis

3 Physical Aspects

1 Basic Terms and Ideas

BWA - Broadband Wireless Access

There are three main BWA technologies in the market:

• HSDPA (High Speed Downlink Packet Access).

• WiMAX (Worldwide Interoperability for Microwave Access).

• FLASH-OFDM (Fast Low-latency Access with Seamless Handoff – Orthogonal Frequency Division Multiplexing).

Wireless Technology Positioning

Fig. 1

1.1 What is WiMAX?

WiMAX: Worldwide Interoperability for Microwave Access

• A true MAN area coverage technology able to cover distances over several kilometers (typical cell diameters: < 7 km).

• WiMAX standard IEEE 802.16: "Air Interface for Fixed Broadband Wireless Access Systems".

• Radio system with point-to-multipoint architectures.

• Three frequency bands:

- 5.8 GHz

- 3.5 GHz

- 2.5 GHz

• The 802.16e standard will support moving users at speeds of up to 120 km/h.

• Standards-based technology for delivery of last mile wireless broadband access.

• Provides QoS: allows transmission of real-time-sensitive services like VoIP or IP-TV.

• An alternative to cable DSL ("wireless DSL").

• Provides wireless broadband connectivity without the need for line-of-sight, for the following user groups:

- Fixed.

- Nomadic or portable.

- Soon also mobile.

WiMAX – Evolution Phases (Phase 1)

Phase 1: WiMAX as fixed technology (based on IEEE 802.16-2004)

Fixed wireless can be used for high-throughput enterprise connections and hotspot network backhaul.

Fig. 2

WiMAX – Evolution Phases (Phase 2)

Phase 2: WiMAX gets nomadic (placed on Subscriber Terminals)

WiMAX will thus be available on an ST (Subscriber Terminal) connected to a PC and to an antenna. The antenna can be placed on the same desk as the PC and ST, or it can be placed outdoors. In this model WiMAX is applicable to residential broadband deployment.

Fig. 3

WiMAX – Evolution Phases (Phase 3)

Phase 3: WiMAX gets mobile

Thus WiMAX (based on IEEE 802.16e) will be integrated into commercial laptops, PDAs and mobile phones.

Roaming between WiMAX areas is another important issue.

Fig. 4

1.2 WiMAX Forum

• WiMAX Forum (www.wimaxforum.org) is responsible for:

- Marketing.

- Interoperability with other products.

• Non-profit organization.

• Was founded in April 2001

- In conjunction with IEEE 802.16 standard (10-66 GHz applications).

• Comprised of system manufacturers, component suppliers, software developers and carriers.

• Since 2005 more than 200 members (Intel, Fujitsu, Alvarion etc.).

• Planned for July 2005: testing and certification program

- WiMAX Forum Certified™: for Interoperability.

Network Definitions – Portable Network

Portable Network

“Nomadic or portable operation, synonymous with Metrozone is an enhancement over basic fixed indoor/outdoor operation enabling access from multiple network access points but without seamless mobility (roaming).”

Network Definitions – Mobile Network

Mobile Network

“...supports low packet loss handoffs (handovers) and latencies to support applications such as near top-quality VoIP or IP-TV.”

2 Market Analysis

One View on the 802.16 Market

802.16 Fixed Indoor/ Outdoor Wireless Subscribers Forecast

Fig. 5

• Large variation between analysts' forecasts.

• Upside for 802.16e (laptop integration) not captured.

Another View on the BWA/802.16 Market

Fig. 6

• Frequency spectrum: 2.5 & 3.5 GHz spectrum represents biggest opportunity.

• Regional behavior: APAC (Asia Pacific) region biggest in 2006; followed by EMEA (Europe/Middle East/Africa) and NA (North America).

• Subscriber types: Majority of Subscribers are Residential and SOHO; followed by SMB (Small & Medium Business); Nomadic/Portable segment will start growing in 2006.

Time Horizon

Fig. 7

Overview Wireless Data Technologies

Fig. 8

LOS (Line of Sight) - Fresnel Zone

• Direct path from transmitter to receiver.

• Fresnel zone must be free of obstruction.

• Obstruction reduces signal strength.

• Fresnel clearance zone depends on frequency and distance.

Fig. 9

NLOS (Non Line of Sight)

• Signal reaches receiver through reflections and scattering.

• Multipath: signal consists of direct path, multiple reflections, scattered energy and diffracted propagation paths.

Fig. 10

LOS or NLOS?

• NLOS deployment, e.g. where antenna height is restricted.

• NLOS: reduced installation expenses; no site survey.

-> NLOS often preferred solution!

Fig. 11

3 Physical Aspects

Physical Aspects – 802.16 History

• Initially (802.16-2001) frequency spectrum was planned for 10 – 66 GHz

- In this range a LOS connection is required because of the physical properties of electromagnetic waves.

-> Not very flexible usage.

• 802.16a (later re-named as 802.16-2004) was extended to use spectrum from 2 GHz

- Allows NLOS implementations.

- Also appropriate for indoor applications (Laptops, PDAs).

• 802.16e should support mobility using spectrum < 6 GHz.

3.1 Frequencies

Modulation and Multiple Access

• WiMAX devices according to 802.16-2004 operate similar to existing WLAN technology: using Spread Spectrum technology.

• Based on OFDM (Orthogonal Frequency Division Multiplexing) using sub-carriers instead of broadband signal (also WiFi 802.11g).

• Allows saving of bandwidth through overlapping.

• Single sub-carriers use PSK (Phase Shift Keying) or QAM (Quadrature Amplitude Modulation).

• Separation between different subscribers based on TDMA.

• Separation between UL and DL based on FDD or TDD.

• Note: WLAN is using CSMA/CA access method.

TDMA Time Division Multiple Access

UL/DL Uplink/Downlink

FDD Frequency Division Duplex

TDD Time Division Duplex

CSMA/CA Carrier Sense Multiple Access/Collision Avoidance

Spectrum Bands

• Licensed 2.5 GHz (2.5 – 2.7 GHz)*.

• Licensed 3.5 GHz** (3.4 – 3.6 GHz; extension from 3.3 – 3.8 possible).

• License–Exempt 5 GHz (5.25 - 5.85 GHz).

- Especially interesting in underserved, low population density rural and remote markets.

- From 5.75 – 5.85 GHz many countries allow higher output power (4 W).

- For EU: 802.16h to harmonize frequency utilization.

* Especially used in Americas and South-East Asia

** Not used in the U.S.

2.5 GHz Spectrum

• Most European Countries: ISM-Band (2.4 – 2.5 GHz)

- Unlicensed frequency spectrum; no registration necessary.

- Also used for WLAN and others.

- Very restricted transmit power: 100 mW

-> Very restricted coverage.

- Not very interesting for economic use.

• Some countries (e.g. U.S.): licensed spectrum (2.5 – 2.7 GHz)

- Allows higher transmit power.

• Uses TDD for UL/DL separation.

ISM Industrial, Scientific and Medical

3.5 GHz Spectrum

• Licensed spectrum.

• Actually most interesting for European providers.

• Frequency allows stable NLOS connections.

• Higher transmit power allowed.

• Transmit power specified by national regulations authorities, e.g. RegTP in Germany.

• Draft for European recommendation (ECC-Recomm. 05):

- +13 dBW/MHz for Base Stations.

- +23 dBW/MHz for Subscriber Terminals.

Assuming a bandwidth of 3.5 MHz per channel (max. 20 MHz), this would mean a max. transmit power of 70(!) W for Base Stations and about 700(!!) W for Subscriber Terminals.

3.5 GHz Spectrum – Example Austria

• In July 2004 Austria ratified a (frequency-independent) maximum transmit power of

- +18 dBW (= 63 W) for Subscriber Terminals.

- +35 dBW (= 3.2 kW) for Base Stations.

Note:

These transmit powers, surprisingly high at first glance, are a result of the use of directed antennas. Those allow an antenna gain of about 30 dBi, i.e. a factor of 1000 (!). This value can only be reached with a permanently installed antenna.

• Alternative European Standard EN 301 021 and EN 301 080

- +35 dBm (= 3.1 W) for antenna output.

3.5 GHz Spectrum – Example Germany

• In Germany two frequency blocks can be used (42 MHz each block):

- 3410 – 3452 MHz.

- 3510 – 3552 MHz.

• Overall capacity: 84 MHz (e.g. 4 channels with 20 MHz each).

3.5 GHz Spectrum – Current Situation

Current Situation:

Subscriber Terminals (ST):

• Transmit power from 100 mW up to 4 W.

Base Stations (BS):

• Up to 40 W (antenna gain: 10-12 dBi; 10dBi = factor 10).

• Allows coverage up to 1 km.

Uses FDD and TDD (optional)

FDD Frequency Division Duplex

TDD Time Division Duplex

5 GHz Spectrum

• EU*: frequency range 5.1 – 5.8 GHz offers some license-exempt bands.

• Some used by WiFi (802.11a).

• Max. Transmit Power (Germany):

- 5.1 – 5.3 GHz: PTr,max. = 200 mW.

- 5.8 GHz**: PTr,max. = 1 W.

• Max. coverage: < 1 km

• Use of TDD

* EU: 802.16h to harmonize frequency utilization in license-exempt spectrum

** Frequency Band 5.75 – 5.85 GHz: many countries allow higher output power (4 W)

3.2 Coverage of WiMAX

• Dependent on:

- External conditions (building geometry, building material, weather, etc.).

- Frequency (higher frequency = higher attenuation).

• LOS: up to 50 km.

• NLOS: up to 8 km.

Estimation of WiMAX Performance

LOS Line of Sight

NLOS Non Line of Sight

3.3 Data Rates

WiMAX Performance – Different Modulation Methods

Line of Sight

QPSK Quadrature Phase Shift Keying

QAM Quadrature Amplitude Modulation

Calculation of Free Field Damping D

D = 20 * log (4 * π * d / λ)

d Distance from the transmitter unit

λ Wavelength (= 0.12 m at 2.5 GHz)

Free Field Damping D for Different Distances

Wavelength λ = 0.12 m (2.5 GHz)
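
The free field damping formula above and the ECC spectral-density limits from section 3.1, worked through as an added example (not part of the original course material). The distances are constructed sample values; λ = 0.12 m, the dBW limits and the 3.5 MHz channel width are the figures quoted in this chapter, and the function names are illustrative.

```python
"""Added example: free field damping and power-limit arithmetic from Chapter 1."""
import math

C = 299_792_458.0  # speed of light in m/s


def wavelength_m(freq_hz):
    """Wavelength lambda = c / f (about 0.12 m at 2.5 GHz)."""
    if freq_hz <= 0:
        raise ValueError("frequency must be positive")
    return C / freq_hz


def free_field_damping_db(distance_m, wavelength):
    """Chapter formula D = 20 * log10(4 * pi * d / lambda), result in dB."""
    if distance_m <= 0 or wavelength <= 0:
        raise ValueError("distance and wavelength must be positive")
    return 20.0 * math.log10(4.0 * math.pi * distance_m / wavelength)


def damping_table(distances_m, wavelength):
    """(distance, damping) pairs, damping rounded to 0.1 dB."""
    return [(d, round(free_field_damping_db(d, wavelength), 1))
            for d in distances_m]


def band_penalty_db(freq_low_hz, freq_high_hz):
    """Extra damping of the higher band at the same distance.

    Follows from the formula: the distance term cancels, leaving
    20 * log10(f_high / f_low). This is the 'higher frequency =
    higher attenuation' remark from section 3.2 in numbers.
    """
    return 20.0 * math.log10(freq_high_hz / freq_low_hz)


def dbw_to_watts(dbw):
    """Convert a level in dBW to watts."""
    return 10.0 ** (dbw / 10.0)


def channel_power_watts(psd_dbw_per_mhz, bandwidth_mhz):
    """Total power allowed by a flat dBW/MHz limit over one channel."""
    if bandwidth_mhz <= 0:
        raise ValueError("bandwidth must be positive")
    return dbw_to_watts(psd_dbw_per_mhz) * bandwidth_mhz


def gain_factor(gain_dbi):
    """Linear power factor of an antenna gain given in dBi."""
    return 10.0 ** (gain_dbi / 10.0)


if __name__ == "__main__":
    # Constructed distances; 8 km and 50 km are the NLOS/LOS ranges
    # quoted in section 3.2.
    sample_distances = [1, 10, 100, 1000, 8000, 50000]
    print("Free field damping at lambda = 0.12 m (2.5 GHz)")
    for d, damping in damping_table(sample_distances, 0.12):
        print(f"  d = {d:>6} m   D = {damping:6.1f} dB")

    print("Extra damping relative to 2.5 GHz at equal distance")
    for f in (3.5e9, 5.8e9):
        print(f"  {f / 1e9:.1f} GHz: +{band_penalty_db(2.5e9, f):.1f} dB")

    print("ECC draft limits over a 3.5 MHz channel")
    print(f"  +13 dBW/MHz -> {channel_power_watts(13, 3.5):.0f} W")
    print(f"  +23 dBW/MHz -> {channel_power_watts(23, 3.5):.0f} W")
    print(f"30 dBi antenna gain = factor {gain_factor(30):.0f}")
```

Every additional factor of ten in distance adds 20 dB of damping, which is why the table rises in even steps.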

Indoor-Usage: Damping Properties of Building Materials

Radiation Characteristics of Omnidirectional Antenna

Fig. 12

Radiation Characteristics of Directed Antenna

Fig. 13

Interactions with other Devices

For the ISM-Band:

• WiFi IEEE 802.11 b,g.

• Microwave Ovens (ISM-Band).

• Cordless telephones (DECT: 1.9 GHz; Others: ISM-Band).

• Bluetooth (ISM-Band).

Avoid spatial and frequency-related overlaps!

ISM Industrial, Scientific & Medical

Health Risks from WiMAX Radiation

• Radiation power from WiMAX systems in comparison to other technologies:

- Outdoor use: typically approx. 3 W.

- Indoor use: TPC (Transmit Power Control).

• Power diminishes very quickly with increasing distance from the source (P ~ 1 / r²).

• No health damage observed yet.

Chapter 2: WiMAX Architecture 

Aim of study: This chapter introduces network architecture & components.

Contents

1 Network Architecture

2 Components

1 Network Architecture

WiMAX E2E Network Architecture Aspects – Basic principles and requirements

• WiMAX end-to-end architecture framework shall be modular and flexible enough to include a broad range of flexible implementation and deployment options ranging from:

- Centralized or fully distributed or hybrid architectures.

- Cost effective small-scale to large-scale (sparse to dense radio coverage and capacity) deployments.

- Urban, suburban and rural radio propagation environments shall be accommodated.

- Licensed and/or license-exempt frequency bands.

- Hierarchical, non-hierarchical or flat access topologies.

- Co-existence of fixed, nomadic, portable and mobile usage models.

• Architecture framework shall enable vendor-interoperability without reducing implementation flexibility and avoid over-specification.

WiMAX Network Architecture Business model

Fig.1

2 Components

WiMAX System Development

The simplest WiMAX based system consists of two parts:

• Base Station (BS), usually on a tower

- For the necessary over-the-air standards-compliant functionality.

- Beams high-speed Internet connections to homes and businesses in a radius of up to 50 km*.

Fig.2

*) theoretical maximum

• Subscriber Station (SS)

- Receiver (box or PCMCIA card) and antenna.

Fig.3

2.1 Base Station (BS)

Base Station (BS) – Task Description

• 802.16 air interface handling (e.g. PHY, MAC, CS, Scheduler)

- Handover.

- Power control.

- Network entry (SS initialization).

• QoS providing for traffic via air interface.

• Micro Mobility Handover.

• Radio Resource Management Update.

• MSS Activity Status update (Active, Idle).

• Traffic classification.

• DHCP Proxy.

• Key Management.

• Session Management.

Fig.4

2.2 Subscriber Station (SS)

Subscriber Station Requirements

• Allows the subscribers to connect to the network.

• Indoor or outdoor.

• Integrated or external antenna.

• Access to voice, video and high-speed data services.

• Different interfaces to the user equipment.

• Self or simple installation.

Fig.5

Antennae Examples

Fig.6

2.3 Air Interface

Air Interface Requirements

• Compliant with WiMAX standard.

• Configurable QoS parameters.

• Scheduling services support.

• Advanced functions such as power management (paging), compression, data reliability.

• Adaptive Modulation and Coding.

• Over-the-air and End-to-End Security.

• Message exchanges for mobility support.

• SS connectivity provisioning and admission control.

• Mobility management.

• Device management.

• UL and DL data exchange.

• Authorization and tunnelling for specialized IP services.

WiMAX Reference E2E Network Architecture

Fig.7

Interworking with 3G – WiMAX Interworking is like WLAN Interworking

Fig.8

WiMAX Interworking model

Fig.9

Chapter 3: WiMAX Standardization 

Aim of study: This chapter introduces positioning of IEEE wireless standards.

Contents

1 Active IEEE 802 Wireless Working Groups

2 IEEE 802.16 History

3 Positioning of IEEE Wireless Standards

4 Completed/active IEEE 802.16 Projects

5 Alternative Standards (ETSI, 802.20 etc.)

6 FAQ

1 Active IEEE 802 Wireless Working Groups

• 802.11: Wireless LAN (WLAN).

• 802.15: Wireless Personal Area Network (WPAN; Bluetooth).

• 802.16: Broadband Wireless Access (BWA).

• 802.20: Mobile Broadband Wireless Access (MBWA; FLASH-OFDM)

- Mobile Broadband Wireless Access Network Operating in Licensed Frequency Bands and Supporting Mobility at Vehicular Speeds.

• 802.21: Multi-Media Independent Handoff (Handover)

- Optimization of handoff between networks of different media types or networks of the same media type but of different operational entities.

=> Generic handoff (GSM term: Hand-Over) support for all 802.x-interfaces.

2 IEEE 802.16 History

WiMAX Forum and IEEE

Fig.1

3 Positioning of IEEE Wireless Standards

From PAN to WAN – Continuum of Wireless Standards

Fig.2

• IEEE 802.20 – Emerging Standard for Mobile Broadband Wireless Access.

• IEEE 802.21 – Emerging Standard to address inter-network handoffs.

IEEE 802.16 Standard Overview

4 Completed/active IEEE 802.16 Projects

Completed IEEE 802.16 Projects (Status: 04/2005)

• IEEE 802.16 – 2001

For Fixed Wireless Access Systems for 10 – 66 GHz.

• IEEE 802.16a (802.16 REVd)

For Fixed Wireless Access Systems – Amendment 2: MAC and PHY Modifications for 2 – 11 GHz.

• IEEE 802.16d

PHY extension and improved NLOS with up to 20 MHz sub-channels.

• IEEE 802.16 – 2004

Active IEEE 802.16 Projects (Status: 04/2005)

• IEEE 802.16e

Mobile Extension (< 120 km/h) with Roaming (Hand-over) Agreement.

• IEEE 802.16f

MIB (Management Information Base) Extension.

• IEEE 802.16g

Definition of Management Plane (Power Management, Roaming, Accounting, Security).

• IEEE 802.16 – 2004

Conformance Test Specs. 1 for vendor inter-operability.

• IEEE 802.16h

Extension for coexistence and non-interference with other occupiers in unlicensed bands.

802.16g Management Plane Procedures and Services

• "Baseline Document" from NetMan Task Group 802.16g (still in a Pre-Draft Version).

• Scope

- Provides enhancements to the MAC and PHY management entities of IEEE Standard 802.16-2004 to create standardized procedures and interfaces for the management of conformant 802.16 devices.

• Content

- Management Interfaces and Procedures: For PHY/MAC/CS Interworking between MSS (Mobile Subscriber Station) and BS (Base Station), e.g.

o Mobility and Handover Management.

o Roaming Management.

o Security Management.

o Accounting Management.

5 Alternative Standards

Alternative Standards – ETSI HIPERMAN

• 2003 released by European Telecommunication Standards Institute (ETSI).

• Targeted to SME (Small & Medium Enterprise) and Residential users.

• Operating at frequencies between 2 – 11 GHz.

• Was developed in close cooperation with IEEE 802.16.

• Capable of supporting ATM -> offers full QoS (comp. to HIPERLAN).

• Supports PtP- and PtMP-connections.

• Using MAC-Layer of 802.16 standard.

• Supports UL/DL separation by FDD and TDD (see 802.16).

6 FAQ

FAQ - Will WiMAX compete with Wi-Fi?

• WiMAX and Wi-Fi will coexist.

• WiMAX complements Wi-Fi by extending its reach and providing a "Wi-Fi like" user experience on a larger geographical scale.

• Wi-Fi designed for LAN; WiMAX for MAN.

• Future Outlook:

For 2006-2008, it is expected that both 802.16 and 802.11 will be available in end user devices (laptops, PDAs, mobile phones).

FAQ - Interworking between WiMAX and Wi-Fi Alliance?

• WiMAX-Forum is working with some industry groups, including the Wi-Fi Alliance.

• Idea: to enable seamless handoffs between multiple wireless standards.

FAQ - Interworking between WiMAX-Forum and ETSI?

• The IEEE 802.16-2004 (256 OFDM PHY) and ETSI HiperMAN standards share the same PHY and MAC specifications.

• WiMAX-Forum is active in both standards organizations to ensure that a single global standard for Wireless MAN is adopted.

FAQ - Comparison between 802.16 and 802.20?

• 802.16 and 802.20 (FLASH-OFDM) are two different technology approaches targeted at distinct markets:

-> 802.20 is targeted to WAN market.

• 802.20 is still in the very early stages of standards development.

• 802.20 is not expected to be completed before 2007.

• 802.20 does not have industry support yet

-> Interoperability is not yet in scope.

Chapter 4: PHY and MAC Layer 

Aim of study: This chapter introduces MAC Layer addressing & MAC-Frame, QOS in WiMAX and modulation methods.

Contents

1 OSI Reference Model

2 The MAC Layer (Media Access Control)

3 Privacy Sublayer

4 The PHY Layer (Physical)

1 OSI Reference Model

Communication according to the OSI Reference Model

Fig. 1

Shell-type Structure of the Communication Process

Fig. 2

IEEE 802.16 – Protocol Stack

The IEEE standard 802.16 specifies

• Medium Access Control layer (MAC).

• Physical layer (PHY).

of fixed Point-to-Multipoint Broadband Wireless Access (BWA) Systems providing multiple services.

The MAC layer is structured to support multiple Physical layer specifications.

IEEE 802.16 – PHY and MAC Overview

Fig. 3

WIMAX Bridging Functionality

Fig. 4

IEEE 802.16 – Protocol Stack

Fig. 5

IEEE 802.16 – PHY and MAC Alternatives

PHY Alternatives

• OFDM (Wireless MAN-OFDM Air Interface)

- 256-point FFT with TDMA (TDD/FDD).

• OFDMA (Wireless MAN-OFDMA Air Interface)

- 2048-point FFT with OFDMA (TDD/FDD).

• Single-Carrier (Wireless MAN-SCa Air Interface) TDMA.

MAC Overview

• Point-to-Multipoint.

• Connection-oriented.

• Higher Layer protocol independent (IP, Ethernet, ATM …).

• Flexible QOS offering:

- CBR, rt-VBR, nrt-VBR, BE, with granularity within classes.

FFT Fast Fourier Transformation

2 The MAC Layer (Media Access Control)

MAC Overview

• MAC independent of PHY.

• DL works on a PTMP-basis (sectorized antennae).

• Connection-oriented

- 16 Bit Connection ID (CID).

• MAC covers Network Entry of SS.

• Provides QOS using scheduled service flows.

CS - Service Specific Convergence Sublayer

Fig. 6

Types of Convergence Sublayers

• CS used to adapt higher layers to MAC.

• IEEE 802.16 specifies two different Convergence Sublayers:

- ATM CS (for ATM).

- Packet CS (for IP, Ethernet).

ATM Asynchronous Transfer Mode

ATM CS

Fig. 7


Three Options for ATM Header:

• Normal ATM cell header (5 bytes): transparent transmission of ATM cells.

• Suppression of VPI (header size: 3 bytes): VP switching.

• Suppression of VPI and VCI (header size: 1 byte): VC switching.

Note:

Whether or not payload header suppression (PHS) is used is signaled at MAC connection creation. If suppression is used, VPI/VCI can be reconstructed at the peer end through mapping of the CID (see MAC-Layer).

PDU Protocol Data Unit

VPI Virtual Path Identifier

VCI Virtual Channel Identifier

Packet CS

• Used for encapsulation of IP or Ethernet Packets.

• Allows header suppression (optional!)

- PHS (Payload Header Suppression) can be used

-> Ethernet/IP-Header will be suppressed.

• If PHS is used, then receiver needs a mapping table for reconstructing the original header.

Fig. 8


MAC – Common Part Sublayer

Fig. 9

Downlink – Point-to-Multipoint Concept

• DL (BS -> SS) operates on a PTMP basis (using sectorized antennae).

• Within antenna sector: broadcast ("to all").

• SS checks for CID.

Fig. 10


Uplink – Concept

• UL (SS -> BS) is shared on a demand basis.

• Right to send:

- Issued continuously (UGS service class).

- Must be requested by user and granted by BS.

Fig. 11

MAC PDU Frame Format

Fig. 12


MAC Header Formats

• Generic MAC Header

- Used for data or MAC management messages.

• Bandwidth Request (BR) MAC Header

- Used by SS to request more bandwidth on UL.

Outlook of MAC Header

Fig. 13

• HT (Header Type): 0 = Generic MAC Header, 1 = Bandwidth Request Header.

• Type: indicates sub-headers, e.g. for fragmentation, packing, etc.

• CID (Connection Identifier).

• Options: e.g. EC (Encryption Control): if payload is encrypted.

• CI (CRC Indicator): indicates CRC.

• LEN (Length): in bytes of the MAC PDU including the MAC header.

• BR (Bandwidth Request): number of bytes of uplink bandwidth requested by the Subscriber Station.


MAC PDU for Bandwidth Request

Fig. 14

• Doesn't contain payload information.

• Header length: 6 bytes.

• Type:

- Incremental request: add BR bytes to the requirements for CID.

- Full request (called aggregate): total number of BR bytes for CID.

• BR indicates the number of bytes requested.

• CID indicates the connection for which the uplink bandwidth is required.

MAC PDU for Data Message

Possible sub-headers (described by Type field):

• Fragmentation sub-header.

• Packing sub-header.

• Automatic Repeat Request (ARQ).

• Grant Management sub-header – see graphic (only uplink).


Fig. 15

Fragmentation and Fragmentation Rules

• MAC SDUs (e.g. IP packets) are divided into one or more MAC PDUs.

• Idea: to reduce risk of packet loss.

• Initiators: BS for DL and SS for UL.

• The fragmentation must be active for the specific connection via signaling.

Fig. 16


Packing

• Packing combines multiple higher layer SDUs.

• Allows better bandwidth utilization.

Fig. 17

Automatic Repeat Request (ARQ) Protocol

• TCP-like reliable protocol using ACK; operating on MAC layer.

• Uses a sliding window (the number of MAC SDU blocks without ACK is specified).

• Receiver sends ACK or negative ACK message.

• Re-transmission of lost or erroneous blocks.


Fig. 18

MAC Addressing

• Subscriber Station (SS)

- MAC-Address (48 Bit).

- Used during initial ranging process to establish the appropriate connection for an SS.

• Base Station (BS)

- Base Station ID (programmable – 64 Bit).

• Connection

- Connection ID (CID – 16 Bit).

- Used for user data connections and for management connections (basic, primary, secondary).


Network Entry – Subscriber Station Initialization

1) DL-Channel Synchronization

SS searches for DL-frames and synchronizes using preamble.

2) Initial Ranging

Setting sending parameters (power, code parameters, phase).

3) Capability Exchange

Modulation method, coding rates, duplex method.

4) Authentication

Establishing authentication and encryption.

5) Registration

IP-Version, ARQ parameters, flow control, error correction.

6) IP-Connectivity

Management connection between BS and SS.

7) Creation of Data Connection.

8) Periodic Ranging.


Subscriber Station Initialization

Fig. 19

Network Entry – 1) DL-Channel Synchronization

• SS scans for a channel in the pre-defined frequency list (compare to WLAN).

• Normally the SS will be configured to use a specific BS (a given set of operational parameters, such as frequency and power, when operating in a licensed band).

• If SS finds DL channel:

- Synchronizes at PHY (detects the periodic frame preamble).

- MAC looks for DCD and UCD (to get information on modulation and other DL and UL parameters).


DCD DL Channel Descriptor

UCD UL Channel Descriptor

Network Entry – 2) Initial Ranging

• Sending Ranging Request MAC Message (during initial ranging interval) using minimum transmission power.

• If no response

- SS sends the ranging request again using higher transmission power.

• If SS receives response, response either indicates

- Success, i.e. SS is ready to send data on the UL.

- Power and timing corrections for SS.

• If response indicates corrections, SS sends another ranging request after making these corrections.

Network Entry – 3) Capability Exchange

• SS sends a Capability Request Message to the BS.

• This message describes capabilities in terms of

- Supported modulation levels.

- Coding schemes.

- Coding rates.

- Duplexing methods.

• BS accepts or denies the SS, based on its capabilities.


Network Entry – 4) Authentication

• BS authenticates SS and provides key material to enable data ciphering.

• SS sends to BS

- X.509 certificate (provided by SS manufacturer).

- Description of supported cryptographic algorithms.

• BS

- Validates identity of SS.

- Determines cipher algorithm and protocol.

- Sends an authentication response to SS.

• SS periodically performs authentication and key exchange procedures to refresh its key material.

Network Entry – 5) Registration

• SS sends a Registration Request Message to BS.

• BS sends a Registration Response to SS.

• Registration exchange includes

- IP version support.

- ARQ parameters support.

- CRC support.

- Flow control.

ARQ Automatic Repeat Request


Network Entry – 6) IP Connectivity

• SS starts DHCP to get IP-address and other parameters to establish IP connectivity (SN-mask, default gateway).

• BS and SS maintain current date and time using Time of the Day protocol (RFC 868).

• SS then downloads operational parameters using TFTP.

DHCP Dynamic Host Configuration Protocol

TFTP Trivial File Transfer Protocol

Network Entry – 7) Creation of Data Connection

• For pre-provisioned service flows, connection creation process is initiated by the BS

- BS sends a dynamic service flow Addition Request Message to SS.

- SS sends a response to confirm creation of connection.

• Non-pre-provisioned service flows are initiated by the SS

- SS sends a dynamic service flow Addition Request Message to BS.

- BS responds with a confirmation.


QoS in WiMAX

• WiMAX works with a polling-based MAC layer

- More deterministic than the contention-based MAC used by 802.11.

• Each connection is associated with a single scheduling data service

- Each scheduling data service is associated with a set of QoS parameters.

• IEEE 802.16 specifies four types of scheduling data services.

Scheduling Data Services

• UGS: Unsolicited Grant Service

- Guarantees fixed size data packets on a periodic basis (CBR).

- Used for TDM emulation, VoIP (w/o silence suppression).

• rtPS: real-time Polling Service

- Supports variable size data packets on a periodic basis (rt-VBR).

- Used for MPEG video, VoIP with silence suppression.

• nrtPS: non-real-time Polling Service

- Supports variable size data packets on a quite regular basis (nrt-VBR).

- Used e.g. for TFTP.

• BE: Best Effort

- Provides best effort traffic (UBR).

- Used for e-mailing, web surfing etc.

CBR Constant Bit Rate

rt-VBR Realtime Variable Bit Rate


nrt-VBR Non-realtime Variable Bit Rate

UBR Unspecified Bit Rate

Scheduling Data Services

• Each UL connection is assigned to a service class as part of the creation of the connection.

-> see "Network Entry" description, "Creation of Data Connection".

Service Classes for different Services

Fig. 20


Traffic Descriptors in 802.16

• Maximum Sustained Rate (MSR)

- Peak Information Rate (PIR) - specified in bps.

- Wireless link must be policed to check for conformance (discard if MSR exceeded!).

- Tolerated (best effort).

• Minimum Reserved Rate (MRR)

- Minimum Rate reserved per service flow – in bps.

- Also Latency, Jitter according to Traffic Contract.

- MRR ≤ MSR.

- Guaranteed.

QoS guarantees

- Max. latency, max. jitter, Bit Error Rate.

QoS Parameter Set – Service Class

• Each Service Flow has some assigned QoS parameters.

• Specifies e.g.

- Maximum delay.

- Jitter (delay variation).

- Minimum delay.

- Bit Error Rate (default threshold: $10^{-6}$).

• Service Classes or Service Class Names (SCN) define a common set of QoS parameters.

• At Service Flow level QoS parameters of Service Classes can be overwritten.


• Service Classes also used for billing.

Service Flows

• Dynamic Service Flows using 802.16 Management Messages:

- Create a new flow (DSA - Dynamic Service Addition).

- Change an existing flow (DSC - Dynamic Service Change).

- Delete an existing flow (DSD - Dynamic Service Deletion).

• Static Service Flows

- Provisioned through the network management system.

Note:

These protocols are critical to carriers, as they eliminate the need to schedule changes during a maintenance window and therefore reduce the mean time to provision new services.

They allow providers to add new subscribers, modify traffic contracts and/or reclaim resources on the fly without interfering with other existing subscribers.

Example of a Dynamic Service Flow – Creation of a new Service Flow using DSA

• DSA request (DSA-REQ) can be initiated by either the Base Station or the Subscriber Station.

• DSA-REQ from Subscriber Station contains Service Flow reference and QoS parameters.

• Base Station (after sending a DSX-Receive message) responds with DSA-RSP either accepting or rejecting the request.


• If request is rejected because of a non-supported parameter, that specific parameter may be indicated with the RSP.

Fig. 21

MAC Management Messages

• Broad set of Management Messages (not all fixed yet; IEEE 802.16g).

• Carried in the payload part of the MAC PDU.

• Three types of MAC management messages are pairwise (UL/DL) established between SS and BS (can be recognized by the user via CID):

- Basic Management Messages: short, time urgent messages.

- Primary Management Messages: long and more tolerant messages.

- Secondary Management Messages: standard based messages, e.g. DHCP, TFTP, SNMP etc.

• Additionally: some types of broadcast messages, e.g. UCD, DCD etc.


Examples for MAC Management Messages

Fig. 22

3 Privacy Sublayer

Fig. 23


Privacy Sublayer

• Authentication.

• Authorization.

• Encapsulation (Encryption).

• Key Management.

Fig. 24

PKI Public Key Infrastructure

PKM Privacy Key Management

EAP Extensible Authentication Protocol

Encapsulation Protocol

• Encryption services are defined as a set of capabilities within the MAC Privacy Sublayer.

• Encryption is always applied to the MAC PDU payload

- Generic MAC Header always unencrypted.

- EC-bit specifies if payload PDU is encrypted or not.

- CRC is calculated after payload encryption.
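
An added example (not part of the original course material) that parses the two 6-byte header formats listed under "MAC Header Formats" and shows what remains readable when EC = 1, because the generic MAC header is never encrypted. The bit positions, the EKS field, the Type values and the CRC-8 header check sequence are assumptions taken from IEEE 802.16-2004, since the header figure is missing here; `build_generic`, `build_bandwidth_request` and `cleartext_view` are hypothetical helper names and the sample headers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

HEADER_LEN = 6  # generic and bandwidth-request headers are both 6 bytes

# Generic-header Type bits that announce sub-headers. Bit positions are an
# assumption from IEEE 802.16-2004; the page only names the sub-headers.
TYPE_FLAGS = {0x10: "arq-feedback", 0x04: "fragmentation",
              0x02: "packing", 0x01: "grant-management"}


def hcs8(data: bytes) -> int:
    """Header check sequence: CRC-8, polynomial x^8+x^2+x+1, initial value 0 (assumed)."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass(frozen=True)
class MacHeader:
    kind: str            # "generic" or "bandwidth-request" (HT = 0 / 1)
    ec: int              # Encryption Control: 1 = payload is encrypted
    type_field: int      # sub-header flags, or request type for HT = 1
    cid: int             # 16-bit Connection ID
    ci: int = 0          # CRC Indicator
    eks: int = 0         # encryption key sequence (assumed field, not on the page)
    length: int = 0      # LEN: whole PDU in bytes, header included
    br: int = 0          # bytes of uplink bandwidth requested
    subheaders: tuple = ()


def build_generic(cid, pdu_len, ec=0, ci=0, eks=0, type_field=0) -> bytes:
    if not (HEADER_LEN <= pdu_len < 2048 and 0 <= cid < 0x10000):
        raise ValueError("LEN is 11 bits, CID is 16 bits")
    body = bytes([(ec << 6) | (type_field & 0x3F),
                  (ci << 6) | ((eks & 3) << 4) | (pdu_len >> 8),
                  pdu_len & 0xFF]) + cid.to_bytes(2, "big")
    return body + bytes([hcs8(body)])


def build_bandwidth_request(cid, br, aggregate=False) -> bytes:
    if not (0 <= br < 1 << 19 and 0 <= cid < 0x10000):
        raise ValueError("BR is 19 bits, CID is 16 bits")
    body = bytes([0x80 | (int(aggregate) << 3) | (br >> 16),
                  (br >> 8) & 0xFF, br & 0xFF]) + cid.to_bytes(2, "big")
    return body + bytes([hcs8(body)])


def parse_header(raw: bytes) -> MacHeader:
    if len(raw) < HEADER_LEN:
        raise ValueError("truncated MAC header")
    hdr = raw[:HEADER_LEN]
    if hcs8(hdr[:5]) != hdr[5]:
        raise ValueError("header check sequence mismatch")
    ec = (hdr[0] >> 6) & 1
    cid = int.from_bytes(hdr[3:5], "big")
    if hdr[0] & 0x80:  # HT = 1: bandwidth request, no payload follows
        return MacHeader("bandwidth-request", ec, (hdr[0] >> 3) & 0x7, cid,
                         br=((hdr[0] & 0x7) << 16) | (hdr[1] << 8) | hdr[2])
    type_field = hdr[0] & 0x3F
    length = ((hdr[1] & 0x7) << 8) | hdr[2]
    if length < HEADER_LEN:
        raise ValueError("LEN smaller than the header itself")
    subs = tuple(n for bit, n in TYPE_FLAGS.items() if type_field & bit)
    return MacHeader("generic", ec, type_field, cid, ci=(hdr[1] >> 6) & 1,
                     eks=(hdr[1] >> 4) & 3, length=length, subheaders=subs)


def cleartext_view(raw_headers):
    """Per-CID totals readable from the headers alone, even when EC = 1."""
    view = defaultdict(lambda: {"pdus": 0, "bytes": 0,
                                "encrypted": 0, "bw_requested": 0})
    for raw in raw_headers:
        h = parse_header(raw)
        entry = view[h.cid]
        if h.kind == "generic":
            entry["pdus"] += 1
            entry["bytes"] += h.length
            entry["encrypted"] += h.ec
        else:
            entry["bw_requested"] += h.br
    return dict(view)


# Constructed capture: headers only, payload bytes omitted.
SAMPLE = [
    build_generic(0x2001, 206, ec=1, ci=1, eks=1, type_field=0x04),
    build_generic(0x2001, 126, ec=1, ci=1, eks=1, type_field=0x04),
    build_generic(0x0001, 46, ec=0, ci=1),   # unencrypted PDU
    build_bandwidth_request(0x2001, 1500),
]

if __name__ == "__main__":
    for cid, stats in cleartext_view(SAMPLE).items():
        print(f"CID 0x{cid:04X}: {stats}")
```

Payload encryption therefore protects content but not per-connection volume: CID, LEN and bandwidth requests stay visible to anyone receiving the sector broadcast, which is worth accounting for when assessing what the privacy sublayer does and does not hide.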


Fig. 25

Privacy Key Management

• Privacy Key Management Protocol (PKM) used by Subscriber Station

- To obtain authorization from Base Station.

- To obtain traffic keying material from the Base Station.

- To support periodic re-authorization and key refresh.

• PKM uses

- X.509 digital certificates [Public Key Infrastructure; RFC 2459].

- Public Key Encryption.

- Strong algorithms to perform key exchange between SS and BS (e.g. EAP-AKA, EAP-MSCHAPv2).

Initial Authorization

• Base Station authenticates a Subscriber Station during the Initial Authorization process.

• Each Subscriber Station carries a unique X.509 digital certificate issued by the Subscriber Station’s manufacturer. This digital certificate contains

- Subscriber Station’s Public Key.

- Subscriber Station MAC address.

• Initial Authorization

- SS presents its digital certificate to BS.


- BS verifies the digital certificate and then uses the verified Public Key to encrypt the Authorization Key.

- Authorization Key sent back from BS to requesting SS.

Re-Authorization

• Re-Authorization (periodically, after achieving initial authorization)

- To refresh aging encryption keys.

Note:

At all times the Base Station maintains two active sets of keying material per subscriber station. The lifetimes of the two generations overlap such that each generation becomes active halfway through the life of its predecessor and expires halfway through the life of its successor.

802.16 Security Concept Overview

Fig. 26


4 The PHY Layer (Physical)

PHY – Physical Layer

Fig. 27

PHY Overview

• 10 – 66 GHz

- Single Carrier SC.

• 2 - 11 GHz

- Single Carrier SC (equalizer necessary for NLOS).

- OFDM-256 (with 256 sub-carriers).

- OFDMA-2048 (with 2048 sub-carriers).

- Scalable-OFDMA from Intel and Samsung (implementation with 802.16e).

• Variable number of sub-carriers with constant bandwidth.

• Adaptation of coding methods according to SNR

- QPSK.

- 16-QAM.


- 64-QAM.

OFDM(A) Orthogonal Frequency Division Multiplexing (Access)

SNR Signal to Noise Ratio

PHY Mechanisms

• OFDM(A) achieves high data rate and efficiency by using multiple orthogonal (overlapping) carrier signals.

• By using multiple carriers, reliable communication can be maintained: a kind of carrier redundancy (if one carrier is interrupted, some others can still be used).

• Spectral Efficiency (no. of bits carried by the channel): 5 bits/Hz i.e. 70 Mbit/s of usable data in a 20 MHz-channel.

• Adaptive Modulation and Coding (AMC) dependent on quality of signal (based on SNR).


OFDM Basics

• The maximum of one carrier frequency lies precisely at the zero position of all other carrier frequencies in the frequency range

- The frequencies do not interfere with each other.

- Overlaying of the frequencies in the same frequency range is possible.

- -> Bandwidth savings.


Fig. 28

Comparison OFDM – FDM

Fig. 29

OFDM Basics

• 802.16 preferred OFDM mode requires 256 point FFT.

• Optional: OFDMA with 2048 point FFT.

• Advantage: Especially suitable for NLOS (multipath environment).


256 OFDM

• 192 subcarriers for data (1 user!).

• 8 subcarriers for pilot (phase reference).

• 56 subcarriers for null (guard).

Fig. 30

• Note: Multi-user support with TDD or FDD.

OFDMA

• Orthogonal Frequency Division Multiplexing Access.

• "Multi-User OFDM".

• Sub-carriers form Sub-channels.

• Sub-channels can be used by one user or a group of users.

Fig. 31


SOFDMA

• Scalable OFDMA.

• Will be implemented with 802.16e.

• Allows reduction of FFT size (from 2048 to 128).

• Bandwidth range: 1.25 – 20 MHz.

Modulation Methods

• Modulation of sub-carriers

- PSK: Phase Shift Keying.

- QAM: Quadrature Amplitude Modulation.

Adaptive Modulation and Coding (AMC)

• Modulation and Coding is adapted to signal strength (SNR).

Fig. 32


Modulation Methods

Fig. 33

Example for Data Rate Dependency on Modulation Method

Fig. 34

Frequency/Time Division Duplex

• For separation of

- Users in OFDM.

- DL and UL.


• FDD: UL and DL transmissions are simultaneous but use different frequencies.

• TDD: UL and DL transmissions occur at different times but may share the same frequency.

Fig. 35

OFDM Frame Structure for TDD

Fig. 36


IEEE 802.16e

IEEE 802.16e – Mobile Enhancements.

• MAC and PHY Enhancements (SOFDMA).

• Power consumption reduction.

• Hand-Off (Hand-over).

• L2.5 Routing.

• Power Consumption Reduction

- SS often will use Battery Power.

- Introduction of two modes for the SS: Awake-mode and Sleep-Mode.

• Awake-mode: SS is receiving and transmitting PDUs in a normal way.

• Sleep-Mode: allows the SS to power down

- Sleep-interval.

- Listening-interval.

The Sleep-Mode

Fig. 37


The Sleep-Mode 2

Fig. 38

IEEE 802.16e – Mobile Enhancements

• Challenges for Hand-Off

- Optimize L2 hand-off.

- Provide trigger to L3.

- Allows mobile SS to move efficiently between BSs.

- Smooths BS transitions with minimal loss of PDUs.

- Fast BS transition to guarantee QoS.

• Communication link between terminal and Internet must be preserved.

• IP address should stay the same even if a terminal is moving.


Fig. 39

• IEEE 802.16e proposes to use L2.5 label to set up tunnel (path).

• Comparable to MPLS.

• Switching faster than Routing.

• QoS possible.

Fig. 40


Chapter 5 WiMAX Security

Aim of study: This chapter introduces security expectations from a WiMAX network.

Contents

1 Definitions

2 Cryptography

3 Hash Functions vs. MAC

4 Introduction IEEE 802.16 Security

5 Security Expectations From WiMAX Network

6 WiMAX security functions and OSI 7-layer model

7 WiMAX Data Link Layer Security

8 Summary of WiMAX standard addresses the security requirements

9 WiMAX Network Reference Model (NRM)


1 Definitions

Security Services

• Authentication - assurance that the communicating entity is the one claimed.

• Access Control - prevention of the unauthorized use of a resource.

• Data Confidentiality - protection of data from unauthorized disclosure.

• Data Integrity - assurance that data received is as sent by an authorized entity.

• Non-Repudiation - protection against denial by one of the parties in a communication.

Definitions

• Plaintext: easy to understand form (original message).

• Ciphertext: difficult to understand form.

• Encryption: encoding (plaintext -> ciphertext).

• Decryption: decoding (ciphertext -> plaintext).

• Cryptology: study of encryption.

• Cryptography: use of encryption.

• Cryptanalysis: breaking encryption.


Group of individuals

• Hacker – is a general term that has historically been used to describe a computer programming expert. More recently, this term is commonly used in a negative way to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.

• Cracker – is the term that is generally regarded as the more accurate word that is used to describe an individual that attempts to gain unauthorized access to network resources with malicious intent.

• Phreaker – is an individual that manipulates the phone network in order to cause it to perform a function that is normally not allowed. A common goal of phreaking is breaking into the phone network, usually through a payphone, to make free long distance calls.

• Spammer – is an individual that sends large quantities of unsolicited email messages. Spammers often use viruses to take control of home computers in order to use these computers to send out their bulk messages.

• Phisher – uses email or other means in an attempt to trick others into providing sensitive information, such as credit card numbers or passwords. The phisher will masquerade as a trusted party that would have a legitimate need for the sensitive information.

• White hat – is a term used to describe individuals that use their abilities to find vulnerabilities in systems or networks, and then report these vulnerabilities to the owners of the system so that they can be fixed.

• Black hat – is another term for individuals that use their knowledge of computer systems to break into systems or networks that they are not authorized to use.

• Alice—she is an end user/computer without malicious intentions, one of the main users of cryptography.

• Bob—he is Alice’s friend and is also a main user of cryptography, without malicious intentions.

• Cathy—another user of cryptography; she does not usually have a large role or malicious intentions.


• Eve—a malicious user that does not interfere with communications. She simply wants to eavesdrop on the conversation between two other characters, typically Alice and Bob, but does not actively try to attack the communication.

• Mallory—the malicious user. Always trying to thwart attempts by other characters to communicate securely.

• Trent—he is a trusted third party. He only communicates with Alice, Bob, or Cathy when they ask for his help. He can always be trusted to do what he says he will do.

Definitions

• Key—a random piece of data used with encryption and decryption. Encryption and decryption algorithms require a key and plain text or cipher text to produce cipher text or plain text, respectively.

• Security Association—a set of information that describes how the communicating entities will utilize security.


2 Cryptography

Fig. 1

Fig. 2


Mode of Operation

Fig. 3

There are several block cipher modes including:

1. Electronic Code Book (ECB).

2. Cipher Block Chaining (CBC).

3. Cipher Feedback Mode (CFB).

4. Output Feedback (OFB).

5. Counter (CTR).

Electronic Codebook (ECB)

Fig. 4


Each block is encoded independently of the other blocks:

$C_i = E_k(P_i)$

Uses: secure transmission of single values.

Cipher Block Chaining (CBC)

Fig. 5

Each previous ciphertext block is chained with the current plaintext block, hence the name.

Use an Initial Vector (IV) to start the process.

$C_i = E_k(P_i \oplus C_{i-1})$

$C_{-1} = IV$

Uses: bulk data encryption, authentication.


Cipher Feedback (CFB)

Fig. 6

• Message is treated as a stream of bits.

• Added to the output of the block cipher.

• Result is fed back for the next stage (hence the name).

Output Feedback (OFB)

Fig. 7


The message is treated as a stream of bits; the cipher output is then fed back (hence the name).

Feedback is independent of the message.

Can be computed in advance.

$C_i = P_i \oplus O_i$

$O_i = E_k(O_{i-1})$

$O_{-1} = IV$

Uses: stream encryption on noisy channels.

Counter (CTR)

Fig. 8

Similar to OFB, but encrypts a counter value rather than any feedback value.

Must use a different key and counter value pair for every plaintext block (a pair is never reused).

$C_i = P_i \oplus O_i$

$O_i = E_k(i)$

Uses: high-speed network encryptions.
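The mode equations above, implemented as an added Python example (not part of the original course material). The block cipher E_k is a toy 4-round Feistel construction used only as a stand-in so the code runs with the standard library; the key, IV, nonce, counter-block layout and messages are constructed. It shows why ECB leaks repeated plaintext blocks and why a CTR key/counter pair must never be reused.

```python
import hashlib

BLOCK = 8  # block size in bytes (64 bits, as for DES); constructed for the demo

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy Feistel cipher (stand-in for DES/AES, not secure).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def E(key: bytes, block: bytes) -> bytes:
    """E_k in the page's formulas: a 4-round toy Feistel permutation."""
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, xor_bytes(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    """Inverse of E (only CBC decryption needs it)."""
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = xor_bytes(r, _f(key, rnd, l)), l
    return l + r

def split_blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("data must be a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, pt):
    # C_i = E_k(P_i)
    return b"".join(E(key, p) for p in split_blocks(pt))

def cbc_encrypt(key, iv, pt):
    # C_i = E_k(P_i XOR C_{i-1}), C_{-1} = IV
    prev, out = iv, []
    for p in split_blocks(pt):
        prev = E(key, xor_bytes(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    prev, out = iv, []
    for c in split_blocks(ct):
        out.append(xor_bytes(D(key, c), prev))
        prev = c
    return b"".join(out)

def ofb_crypt(key, iv, data):
    # O_i = E_k(O_{i-1}), O_{-1} = IV; C_i = P_i XOR O_i (same call decrypts)
    o, out = iv, []
    for p in split_blocks(data):
        o = E(key, o)
        out.append(xor_bytes(p, o))
    return b"".join(out)

def ctr_crypt(key, nonce, data):
    # O_i = E_k(counter_i); C_i = P_i XOR O_i. The counter block is a 4-byte
    # nonce followed by the 4-byte block index i (layout assumed for the demo).
    out = []
    for i, p in enumerate(split_blocks(data)):
        out.append(xor_bytes(p, E(key, nonce + i.to_bytes(4, "big"))))
    return b"".join(out)

# Constructed sample data
KEY = b"constructed demo key"
IV = bytes(8)
NONCE = b"\x00\x00\x00\x01"
P1 = b"ATTACK!!" * 2 + b"RETREAT!"      # first two blocks are identical
P2 = b"SECOND MESSAGE 24 BYTES!"

def ecb_leaks_repeats() -> bool:
    # Identical plaintext blocks give identical ciphertext blocks under ECB.
    c = split_blocks(ecb_encrypt(KEY, P1))
    return c[0] == c[1]

def cbc_hides_repeats() -> bool:
    # Chaining makes the same two plaintext blocks encrypt differently.
    c = split_blocks(cbc_encrypt(KEY, IV, P1))
    return c[0] != c[1]

def ctr_reuse_leaks_xor() -> bool:
    # Reusing key and counter for two messages cancels the keystream:
    # C1 XOR C2 equals P1 XOR P2, with no key needed.
    c1 = ctr_crypt(KEY, NONCE, P1)
    c2 = ctr_crypt(KEY, NONCE, P2)
    return xor_bytes(c1, c2) == xor_bytes(P1, P2)

if __name__ == "__main__":
    print("ECB repeats visible:", ecb_leaks_repeats())
    print("CBC repeats hidden: ", cbc_hides_repeats())
    print("CTR reuse leaks XOR:", ctr_reuse_leaks_xor())
```

The same keystream cancellation applies to OFB when a key and IV are reused, since its keystream is also independent of the message.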

Fig. 9

Cryptographic System Usages

Cryptographic algorithms can be used for:

• Encryption: for confidentiality (privacy).

• Authentication: for data origin authentication and data integrity.

Fig. 10

Types of Cryptographic Systems

• Symmetric-key cryptosystems.

• Asymmetric-key or Public-key cryptosystems.

• Hybrid (Symmetric-key and Asymmetric-key) cryptosystems.

Fig. 11

Symmetric Encryption

• Uses conventional / secret-key / single-key.

• Sender and recipient share a common key.

• All classical encryption algorithms are private-key.

• The only type prior to the invention of public-key cryptography in the 1970s.

Fig. 12

Symmetric-key cryptosystems

Examples of symmetric key algorithms are as follows:

• Data Encryption Standard (DES).

• Triple DES (3DES).

• Advanced Encryption Standard (AES).

• International Data Encryption Algorithm (IDEA).

• CAST.

Fig. 13

Triple DES

• Private Key symmetric block cipher.

• 3DES uses the same basic machinery of DES three times over, using three keys k1, k2, and k3.

• The plaintext (M) is encrypted using k1. This result is encrypted with k2 and the result is then further encrypted with k3 to get the cipher text (C). This mode of using 3DES is called the DES–EEE mode.

• The other mode is called DES–EDE, where the second stage is run in decryption mode.

• The three keys may or may not be independent.

• For the DES–EDE mode, three options are defined:

- The keys k1, k2, and k3 are independent.

- k1 and k2 are independent but k1 = k3.

- k1 = k2 = k3; in this case, 3DES becomes backward compatible with DES.

• Hence must use 3 encryptions

- Would seem to need 3 distinct keys.

• But can use 2 keys with E-D-E sequence

- $C = E_{K_1}[D_{K_2}[E_{K_1}[P]]]$.

- If $K_1 = K_2$ then it can work with single DES.

• No currently known practical attacks.

• Has been adopted by some Internet applications, e.g., PGP.

Triple DES (3DES)

Fig. 14

Advanced Encryption Standard (AES)

• Private Key symmetric block cipher.

• 128-bit data, 128/192/256-bit keys.

• Stronger & faster than Triple-DES.

• Active life of 20-30 years.

• Provide full specification & design details.

• Both C & Java implementations.

• The AES standard was developed to replace DES and 3DES.

• AES uses the Rijndael algorithm.

International Data Encryption Algorithm (IDEA)

• Xuejia Lai and James Massey, ETH (Swiss Federal Institute of Technology), 1991.

• Patented

- Patent is held by Ascom-Tech.

- Non-commercial use of IDEA is free. Commercial licenses can be obtained by contacting Ascom-Tech.

• Used in PGP.

• 128-bit key, 64-bit block.

• Eight rounds + final transformation.

CAST Encryption Algorithm

• CAST is a block cipher with a 128-bit key size.

• CAST is very fast, and it’s free.

• Its name is derived from the initials of its designers, Carlisle Adams and Stafford Tavares of Northern Telecom (Nortel).

• CAST appears to be exceptionally well designed, by people with good reputations in the field.

• CAST is too new to have developed a long track record, but its formal design and the good reputations of its designers will undoubtedly attract the attentions and attempted cryptanalytic attacks of the rest of the academic cryptographic community.

Asymmetric-key or Public Key Encryption

Fig. 15

• Based on mathematical algorithms.

• Asymmetric: Use two separate keys.

• Public Key issues

- Plain text.

- Encryption algorithm.

- Public and private key.

- Cipher text.

- Decryption algorithm.

Fig. 16

Fig. 17

Public Key Encryption

• One key made public and the other kept private.

• Infeasible to determine decryption key given encryption key and algorithm.

• Either key can be used for encryption, the other for decryption.

Asymmetric-key or Public-key Cryptosystems

• There are many examples of commonly used public-key systems including:

- Diffie-Hellman.

- Rivest, Shamir, Adleman (RSA).

- Digital Signature Algorithm (DSA).

- ElGamal.

- Elliptic Curve Cryptosystem (ECC).

Digital certificates

• Digital certificates include:

- A public key.

- An individual or organisation’s details.

- A digital signature from a certifying authority (CA)

This states that the CA has seen proof of identity.

• Common certifying authorities:

- VeriSign, Thawte, Equifax Secure, British Telecom.

- CAs are themselves certified by other CAs.

- A few “root” CAs are usually trusted.

Fig. 18

Message Authentication

Fig. 19

3 Hash Functions vs. MAC

Hash functions

• Hash Function

- Generate a fixed length “Fingerprint” for an arbitrary length message.

- No Key involved.

- Must be at least One-way to be useful.

• Constructions

- Iterated hash functions (MD4-family hash functions): MD5, SHA1, …

Fig. 20

Message Authentication Code

• MAC

- Generate a fixed length MAC for an arbitrary length message.

- A keyed hash function.

- Message origin authentication.

- Message integrity.

- Entity authentication.

- Transaction authentication.

Fig. 21

Comparison of Hash Function & MAC

• Easy to compute.

• Compression: arbitrary length input to fixed length output.

• Unkeyed function vs. Keyed function.

Fig. 22

SHS Algorithm Properties

Fig. 23

4 Introduction IEEE 802.16 Security

IEEE 802.16 WiMAX

• Wireless Metropolitan Area Network (WMAN).

• Standard, Broadband Wireless Access (BWA).

• Last mile connectivity.

• Range up to 50 km.

• Provide high speed connectivity that supports data, voice and video.

• Fast deployment, cost saving.

IEEE 802.16 Applications

Fig. 24

Introduction IEEE 802.16 Security

• Security is an important topic in telecom.

• Wireless systems are easier to attack than wireline systems.

• Lessons learnt from weaknesses in Wi-Fi security have been incorporated into the WiMAX standard.

5 Security Expectations from WiMAX Network

Security expectations from WiMAX network (user point of view)

6 WiMAX security functions and OSI 7-layer model

WiMAX security functions can be mapped to different layers of the OSI 7-layer model.

Fig. 25

Security Sublayer Specified by the IEEE 802.16e-2005

• The security sublayer specified by the IEEE 802.16e-2005 only deals with the Data Link Layer security.

- Link Layer authentication and authorization ensures that the network is only accessed by permitted users.

- Link Layer encryption ensures privacy and protects traffic data from eavesdropping by unauthorized third parties.

WiMAX Network Layer Security Measures

• Network Layer security measures protect the network from malicious attacks; this is achieved through the use of firewalls and AAA servers.

• RADIUS is the most widely used protocol for AAA interactions.

• Mobile WiMAX network architecture addresses the use of these techniques by providing an AAA based secure roaming model.

WiMAX Transport and Application Layers security measures

The Transport and Application layers provide additional security measures as deemed appropriate by:

• Network operator.

• Application service providers (ASPs).

• End users.

7 WiMAX Data Link Layer Security

IEEE 802.16 Data Link Layer Security

Fig. 26

WiMAX Security Procedure

Fig. 27

WiMAX Data Link Layer Security “Authentication”

• Authentication comes in two forms:

- Unilateral authentication where the BS authenticates the MS.

- Mutual authentication where the BS authenticates the MS and the MS authenticates the BS.

• Every WiMAX implementation must have unilateral authentication.

• Experience has shown that mutual authentication is also extremely useful.

Privacy Key Management (PKM) Protocol

• The WiMAX 802.16e-2005 standard defines a Privacy Key Management (PKM) protocol.

• An SS uses the PKM protocol to obtain authorization and traffic keying material from the BS, and to support periodic reauthorization and key refresh.

• PKM allows for three types of authentication:

- RSA based authentication - X.509 digital certificates together with RSA encryption.

- EAP based authentication (optional).

- RSA based authentication followed by EAP authentication.

Keys used in PKM

• 5 keys are used to secure WiMAX communications:

- Authentication (Authorization) Key (AK).

- Key Encryption Key (KEK).

- Downlink hash function-based message authentication code (HMAC) key.

- The uplink (HMAC) key.

- Traffic Encryption Key (TEK).

IEEE 802.16 Authentications

Fig. 28

IEEE 802.16 Data Key Exchange

Fig. 29

Data Key Exchange

• Traffic Encryption Key (TEK).

• The TEK is generated randomly by the BS.

• The TEK is encrypted with:

- Triple-DES (use KEK).

- RSA (use SS’s Public key).

- AES (use KEK).

• Key Exchange message is authenticated by HMAC-SHA1.

• TEK is then used for encrypting the data traffic.

Authentication between BS and MS in WiMAX

RSA based authentication

• BS authenticates the MS by its unique X.509 digital certificate issued by the MS manufacturer.

• X.509 certificate contains the MS’s Public Key (PK) and its MAC address.

• When requesting an AK, the MS sends its digital certificate to the BS which validates the certificate and then uses the verified PK to encrypt an AK which is then sent back to the MS.

• All MSs that use RSA authentication have factory installed private/public key pairs (or an algorithm to generate the keys dynamically) together with factory installed X.509 certificates.

EAP based authentication

• The MS is authenticated either through a unique operator-issued credential, such as a SIM, or through an X.509 certificate.

• The choice of authentication method depends on the operator’s choice of type of EAP as follows:

- EAP-AKA (Authentication and Key Agreement) for SIM based authentication.

- EAP-TLS for X.509 based authentication.

- EAP-TTLS for MS-CHAPv2 (Microsoft-Challenge Handshake Authentication Protocol).

Authorization

• After authentication, MS requests authorization from BS.

• This is a request for an AK as well as for an SA identity (SAID).

• The Authorization Request includes MS’s X.509 certificate, encryption algorithms and cryptographic ID.

• In response, the BS carries out the necessary validation (by interacting with an AAA server in the network) and sends back an Authorization Reply which contains the AK encrypted with the MS’s public key, a key lifetime and an SAID.

• After the initial authorization, the AAA via the BS periodically reauthorizes the MS.

Traffic Encryption

• As described previously, the authentication and authorization process results in the assignment of an Authorization Key (AK), which is 160 bits long.

• The Key Encryption Key is derived directly from the AK and is 128 bits long.

• The KEK is not used for encrypting traffic data; for this the Traffic Encryption Key (TEK) is required. The TEK is generated as a random number in the BS and is encrypted with the TEK encryption algorithm, using the KEK as the encryption key.

• TEK is then used for encrypting the data traffic.

Security Flaws in PKMv1

• Need for mutual authentication: authentication is one way

- BS authenticates SS.

- No way for the SS to authenticate the BS.

- Rogue BS.

• Authentication Key (AK) generation

- BS generates AK.

- No contribution from SS.

- SS must trust BS for the generation of AK.

PKMv2

• PKMv2, defined in IEEE 802.16e-2005, enhances PKMv1 by requiring mutual authentication between SS and BS.

• PKMv2 also has enhanced security features, such as a new key hierarchy for AK derivation and the Extensible Authentication Protocol (EAP).

PKMv2: The mutual authorization process

Fig. 30

PKMv2: authorization messages

8 Summary of how the WiMAX standard addresses the security requirements

Network User

Network Operator

Access Control Architecture in WiMAX

Fig. 31

• EAP runs between MS and BS over the WiMAX PHY and MAC utilizing the PKMv2 protocol as defined in 802.16e-2005.

• If the authenticator function is not in the BS, the BS relays the authentication protocol to the authenticator (in the Access Services Network).

• From the authenticator to the authentication server (typically in the Home Connectivity Service Network) EAP is carried over RADIUS.

• RADIUS is a widely used standard. It has a client/server architecture and utilizes UDP messages.

• The authentication server is also the RADIUS server, whereas the authenticator acts as a RADIUS client.

• In addition to authentication, RADIUS also supports authorization and accounting functions.

9 WiMAX Network Reference Model (NRM)

WiMAX Network Reference Model

Fig. 32

WiMAX network divided into two main parts:

• Access Service Network (ASN).

• Connectivity Service Network (CSN).

ASN consists of

• WiMAX base stations.

• ASN Gateway:

• Controls and aggregates the traffic from one or more WiMAX base stations.

• Manages handover between them, which includes:

- Maintaining authentication.

- Service flows.

- Key distribution between base stations.

CSN is the core of the network, providing control and management functions such as AAA, DHCP, FTP and IMS.

NRM Reference Points

ASN Profile C and Security

• The NRM was developed by WiMAX Forum’s Network Working Group (NWG).

• NWG has defined three ASN profiles, referred to as profiles A, B and C, from which vendors and service providers can select their preferred solution.

• Profile A and C both use centralized ASN Gateways, however, in Profile C the base stations are responsible for implementing the Radio Resource Management (RRM) and Handover management functions.

• Profile B embeds the key ASN functionality inside the base station, which removes the need for a centralized ASN gateway.

• Recently Profile A has been withdrawn leaving just Profiles B and C.

ASN profile C implementation between BS and ASN Gateway

ASN Profile C security architecture

Fig. 33

ASN and CSN Interaction for Security

• Connectivity Service Network (CSN) is the core of the network.

• It controls and manages the ASNs and the subscribers with a variety of services such as AAA, Home Agent functions, DHCP server, etc.

• CSN is also responsible for connecting to other operator’s networks and enables inter-operator and inter-technology roaming.

Protocol stack for AAA in mobile WiMAX network implementation

Fig. 34

The EAP ‘layer’ operates over the R1/R3/R5 reference points and the EAP methods (AKA, TLS/TTLS) operate over R2.

When authentications of both the end user and the device need to be performed and these authentications terminate in different AAA servers, the favored approach in PKMv2 is to use EAP-TTLS instead of double authentication.

In double authentication, device authentication takes place first, followed by user EAP authentication, before the MS is allowed access to IP services. In EAP-TTLS authentication, however, double authentication is dispensed with and, by virtue of tunnelling to the appropriate AAA server, the same AAA server is used for both, thus shortening the authentication process.

Service Flow Management and Authorization

• Service Flow Management (SFM) and Service Flow Authorization (SFA) are the logical functional entities, closely associated with QoS, located in the ASN that act as policy enforcement and policy decision points.

• For ASN Profile C, the SFM function is located in the BS and the SFA function is located at the ASN GW.

• SFM located in the BS is responsible for the creation, admission, activation, modification, and deletion of IEEE 802.16e-2005 service flows.

• It consists of an Admission Control (AC) function, data path function and the associated local resource information.

• AC decides whether a new service flow can be admitted to the system.

• SFA is located at the ASN GW and is responsible for evaluating any service request against the subscriber's QoS profile.

• If the SFA already has the user QoS profile then it evaluates the incoming service requests against the user’s profile.

• If the SFA does not have the user profile then it sends the service request to the Policy Function (PF) for decision making.

• The Policy Functions (PFs) and its associated database reside in the CSN of both the home and the visited network.

Security Association

• Data SA

- 16-bit SA identifier.

- Cipher to protect data: DES-CBC.

- 2 TEK.

- TEK key identifier (2-bit).

- TEK lifetime.

- 64-bit IV.

• Authorization SA

- X.509 certificate of the SS.

- 160-bit authorization key (AK).

- 4-bit AK identification tag.

- Lifetime of AK.

- KEK for distribution of TEK

= $\text{Truncate-128}(\text{SHA1}((AK \mid 0^{44}) \oplus 53^{64}))$.

- Downlink HMAC key

= $\text{SHA1}((AK \mid 0^{44}) \oplus 3A^{64})$.

- Uplink HMAC key

= $\text{SHA1}((AK \mid 0^{44}) \oplus 5C^{64})$.

- A list of authorized data SAs.
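The key derivations listed for the Authorization SA, together with the HMAC-SHA1 authentication of the key exchange message described earlier, as an added Python example (not code from the original course material). It follows the formulas exactly as this page writes them, reading 0^44 as 44 zero bytes and 53^64 as the byte 0x53 repeated 64 times, and assumes Truncate-128 keeps the leftmost 128 bits; the AK value and the message bytes are constructed and do not follow the 802.16 wire format.

```python
import hashlib
import hmac

AK_LEN = 20      # 160-bit Authorization Key
PAD_LEN = 64     # SHA-1 input block size in bytes

def pad_and_mask(ak: bytes, mask_byte: int) -> bytes:
    """(AK | 0^44) XOR mask^64, as written in the Authorization SA list."""
    if len(ak) != AK_LEN:
        raise ValueError("AK must be exactly 160 bits (20 bytes)")
    padded = ak + b"\x00" * (PAD_LEN - AK_LEN)   # AK followed by 44 zero bytes
    return bytes(b ^ mask_byte for b in padded)

def derive_kek(ak: bytes) -> bytes:
    # KEK = Truncate-128(SHA1((AK | 0^44) xor 53^64)); leftmost 128 bits assumed.
    return hashlib.sha1(pad_and_mask(ak, 0x53)).digest()[:16]

def derive_hmac_key_downlink(ak: bytes) -> bytes:
    # Downlink HMAC key = SHA1((AK | 0^44) xor 3A^64)
    return hashlib.sha1(pad_and_mask(ak, 0x3A)).digest()

def derive_hmac_key_uplink(ak: bytes) -> bytes:
    # Uplink HMAC key = SHA1((AK | 0^44) xor 5C^64)
    return hashlib.sha1(pad_and_mask(ak, 0x5C)).digest()

def tag_downlink_message(ak: bytes, message: bytes) -> bytes:
    """BS side: HMAC-SHA1 digest over a key exchange message."""
    return hmac.new(derive_hmac_key_downlink(ak), message, hashlib.sha1).digest()

def verify_downlink_message(ak: bytes, message: bytes, tag: bytes) -> bool:
    """SS side: recompute the digest and compare in constant time."""
    return hmac.compare_digest(tag_downlink_message(ak, message), tag)

# Constructed values for the demonstration
SAMPLE_AK = bytes(range(20))
SAMPLE_KEY_REPLY = b"KEY-REPLY|SAID=0x0001|TEK=<encrypted under KEK>"

if __name__ == "__main__":
    print("KEK           :", derive_kek(SAMPLE_AK).hex())
    print("HMAC key (DL) :", derive_hmac_key_downlink(SAMPLE_AK).hex())
    print("HMAC key (UL) :", derive_hmac_key_uplink(SAMPLE_AK).hex())
    tag = tag_downlink_message(SAMPLE_AK, SAMPLE_KEY_REPLY)
    print("tag verifies  :", verify_downlink_message(SAMPLE_AK, SAMPLE_KEY_REPLY, tag))
    print("tampered msg  :", verify_downlink_message(SAMPLE_AK, SAMPLE_KEY_REPLY + b"x", tag))
```

All three keys are deterministic functions of the AK alone, which is why the PKMv1 weakness noted earlier (the BS generates the AK with no contribution from the SS) carries over to the KEK and both HMAC keys.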

Chapter 6: WiMAX Implementations 

Chapter 6 WiMAX Implementations

Aim of study This chapter introduces general WiMAX Implementation Scenarios.

Contents

1 Implementations Scenarios

2 Siemens WiMAX products

1 General Implementation Scenarios

• Range Extension DSL.

• Wireless DSL for Low User Densities.

• Wireless Backhaul for Remote DSLAM.

• Wireless Backhaul for Hot Spots.

WiMAX Integration:

Range Extension DSL (Wireless DSL)

Fig.1

Fig. 1

Wireless DSL for Low User Densities

Fig.2

Access Backhaul of Remote DSLAM

Fig.3

Wireless Backhaul for Hot Spots

Fig. 4

2 Siemens WiMAX Products:

SkyMAX Portfolio

Fig.5

SkyMAX Access System

• Compliant with IEEE802.16-2004/ETSI HiperMAN OFDM 256 FFT size.

• Seamlessly upgradeable to IEEE802.16e SOFDMA (Scalable OFDM Access).

• Triple Play (HSIA, VoIP, video) services with guaranteed QoS.

• Platinum, Gold, Silver, Bronze user groups.

• Non-Line of Sight and Line of Sight operation.

• Multiple frequency bands, FDD, H-FDD and TDD duplex.

• Highest range (>30 km in LOS).

• Seamless integration into existing IP network.

• Different Subscriber Terminal models, indoor and outdoor installation.

• High data rate (30 Mbps per user).

HSIA: High Speed Internet Access

2.1 SkyMAX Base Station

Shelf Layout and Functional Units

• Carrier-Grade Redundancy

- Hot swappable functionality.

- Centralized management.

- Supports up to 4 sectors.

• 100/1000 Base-T Interface.

• ODU: High Power remote OutDoor Unit (35 dBm = ca. 3.1 W).

• CU: Connector Unit.

• SMU: Sector Modem Unit.

• CSU: Controller & Switching Unit.

Fig.6

Basic Technical Data

SkyMAX Micro-Basestation

Overview and Main Technical Data

• Functional Units

- One SMU.

- One ODU.

• Networking

- 10/100 Base T network interface.

• Performance

- One Sector.

- Max net throughput 80 Mbps.

- Up to 16 Service Flows per ST.

• Physical & Mechanical

- 1U high, ETSI/19” rack mounting.

- Max power consumption 120 W.

SMU: Sector Modem Unit

ODU: Outdoor Unit

Fig.7

SkyMAX Basestation Summary

• SkyMAX Base station

- WiMAX Compliant, upgradeable towards IEEE802.16e SOFDMA.

- SW Configurable RF Channel (up to 14MHz).

- Robust error correction technique for reliable data transmission.

- Flexible Architecture (split indoor-outdoor part).

- Maximize coverage (High Power ODU DL, RX Div./Sub-chann. UL).

- RX Diversity solution (integrated in one ODU).

- Redundancy concept (all units are protected).

- Synchronisation concept (GPS, external synch).

- Seamless Integration into existing network (Simple networking concept).

- Sophisticated scheduling algorithm for Grade of Service (GoS) Management.

• SkyMAX Micro-Base station

- Low capacity, low cost version.

- Same features set as SkyMAX BS.

2.2 SkyMAX Subscriber Terminal

Different CPE models for the different users:

• SkyMAX Residential

- Fully indoor, self-installing.

- For SOHO and residential users.

- Three versions with different numbers and type of interface:

• SkyMAX Residential Modem.

• SkyMAX Residential Multi-User.

• SkyMAX Residential Portable Modem.

Fig.8

• SkyMAX Business

- Fully outdoor.

- For business customers and Gold residential users.

Fig.9

SkyMAX Subscriber Terminal

SkyMAX Residential

• SkyMAX Residential

- Fully indoor, self-installing, small-form-factor.

- Non-Line-Of-Sight operation (NLOS).

- Several antenna options (omni directional, desktop, window, external antenna).

- Multi-level QoS via traffic classification.

- Networking features, Ethernet interface.

- Remote configuration, management and software upgrades.

Fig.10

SkyMAX Residential Versions

• SkyMAX Residential Modem: Ethernet 10/100 Base T.

• SkyMAX Residential Multi-User:

- Multiple Ethernet 10/100 Base T interface (RJ45).

- POTS interface (RJ11) for voice transport (SIP/H.323).

- Optional WiFi access point.

Fig.11

• SkyMAX Residential portable modem: battery, SIM cardholder for nomadic and portable usage.

Fig.12

SkyMAX Business

• SkyMAX Business Modem provides cost efficient Broadband wireless access to SME/SOHO customers

- Fully outdoor unit with indoor connector box.

- Integrated high gain antenna (no feeder loss).

- Advanced routing functionalities.

- Single drop cable for power and subscriber interface.

- Non-Line-Of-Sight operation (NLOS).

- Multi-level QoS via traffic classification and SLA enforcement.

- Ethernet user interface, optional TDM interface.

- Remote configuration, management and software upgrades.

Fig.13

Technical Data

2.3 SkyMAX Air Interface

Main features

• Compliant to IEEE802.16-2004 OFDM 256 FFT size.

• SkyMAX provides main IEEE802.16-2004 air-interface features

- BPSK, QPSK, 16QAM, 64QAM automatic modulation and coding Scheme.

- Subchanneling (up to 16 sub-channels).

- Automatic Repeat Request (ARQ).

- Payload Header Suppression (PHS).

- QoS (UGS, rt-PS, nrt-PS, BE scheduling services).

- Dynamic Services (DSx).

- PDU Concatenation, Packing and Fragmentation.

- Unicast, contention based and piggyback BW requests.


- Automatic Transmit Power Control for UL (initial calibration and periodic adjustment).

- ST Authentication according to standard Security Sublayer.

• Different SLAs supported with guaranteed QoS (SLA = Service Level Agreement).

SkyMAX Access System

E2E Reference Architecture

Fig.14


Chapter 7 Future Outlook

Aim of study: This chapter introduces general WiMAX Alternative Broadband Wireless Access Technologies.

Contents

1 Alternative Broadband Wireless Access (BWA) Technologies


1 Alternative Broadband Wireless Access (BWA) Technologies

1.1 HSDPA – Overview

• HSDPA: High Speed Downlink Packet Access.

• Evolution of the Wideband Code Division Multiple Access (WCDMA).

• „Turbo-UMTS“.

• Software upgrade of UMTS.

• Standardized by the 3GPP (Third Generation Partnership Project) in Release 5 of the 3G specification.

• Jan. 2005: Siemens NodeB 8080 supports HSDPA.

• Pre-Series PC-Cards available.

• Peak downlink data rate: up to 4Mbit/s.

• Modulation scheme: QPSK, 16QAM.

• Adaptive modulation and coding (AMC).

• Typical applications:

- High volume data transfer.

- Realtime video streaming.


1.2 FLASH-OFDM – Overview

• FLASH-OFDM: Fast Low-latency Access with Seamless Handoff – Orthogonal Frequency Division Multiplexing

• Developed by Flarion (partnership with Siemens): proprietary solution.

• Operates on 450 MHz.

• Directed to China, USA and Eastern Europe.

• Products will be available in 2005.

• Standard: IEEE 802.20 (not released yet).

1.3 FLASH-OFDM – Technical Overview

• Designed for IP transmission (VoIP etc.).

• Delay < 50 msec.

• Low costs due to usage of standard IP components.

• Typical data rates with one carrier:

- Downlink: 1-1.5 Mbit/s with a burst rate up to 3.2 Mbit/s*.

- Uplink: 300-500 kbit/s with a burst rate of 900 kbit/s.

• Supports moving users with speeds up to 250 km/h.

• Uses FDD.

• 1.25 MHz channel frequency.


Positioning of WiMAX, HSDPA and FLASH-OFDM

Fig. 1

Comparison between BWA Alternatives


Chapter 8 Technical Aspects

Aim of study: This chapter introduces MAC Protocol Data Unit & OFDM technology.

Contents

1 Comparisons

2 802.16 Layered Architecture

3 Traffic Connection Set-up

4 MAC Protocol Data Unit

5 Bandwidth Allocation and Request Mechanism

6 802.16 Framing

7 OFDM Technology

8 Adaptive Modulation

9 Network Entry


1 Comparisons

1.1 WIMAX versus WLAN

| Points of comparison | WIMAX | WLAN |
|---|---|---|
| MAC layer | Grant request mechanism to authorize the exchange of data to facilitate resources sharing | Simple mechanism |
| Security | Full range of security: terminal authentication by exchanging certificates to prevent rogue devices, and user authentication (EAP) | Poor in first release (WEP) |
| Speed | Could be able to handle up to 70 MB/S among users (up to DSL rate per user) | Can transmit up to 54 MB/S |
| Distance | In km, in range of 50 km | In meter range (about 30 m) |


1.2 Comparison between WIMAX and WI-FI

| | 802.16 | 802.11b (Wi-Fi) | Technical difference |
|---|---|---|---|
| Range | Up to 30 miles; typical cell size 4-6 miles | Sub-300 feet (add access points for greater coverage) | 802.16 tolerates greater multipath delay spread via 256 FFT vs. 64 FFT |
| Coverage | Outdoor NLOS performance; standard support for advanced antenna techniques | Optimized for indoor performance, short range | 802.16 systems have an overall higher system gain, delivering greater penetration through obstacles at longer distances |
| Scalability | Designed to support hundreds of CPEs with unlimited subscribers behind each CPE | Intended for LAN applications; users scale from one to tens with one subscriber for each CPE device | 802.16 can use all available BW, multiple channel support cellular deployment; 802.11 is limited to license exempt spectrum |
| Bit rate | Up to 100 MB/S in 20 MHz channel | Up to 54 MB/S in 20 MHz channel | Higher modulation coupled with flexible error correction |
| QoS | Built in to MAC; voice/video service levels | No QoS support | 802.11 is contention based MAC (CSMA/CA); 802.16 is dynamic TDMA-based MAC with on-demand BW allocation |
| MAC | Polling-based MAC layer | Contention based MAC | |


| | 802.16 | 802.16a | 802.16e |
|---|---|---|---|
| Completed | DEC 2001 | 802.16a JAN 2003 | Estimated Q3 05 |
| Spectrum | 10-66 GHz | Around 11 GHz | Around 6 GHz |
| Channel conditions | L.O.S (PTP) | N.L.O.S (PMP) | NLOS |
| Bit rate | 32-134 MB/S at 28 MHz | Up to 75 MB/S at 20 MHz | Up to 15 MB/S at 5 MHz channel |
| Modulation | QPSK, 16QAM and 64QAM | OFDM (256 sub carriers), QPSK, 16 QAM, 64 QAM, SC (optional) | Scalable OFDMA |
| Mobility | Fixed | Fixed-nomadic | Pedestrian mobility (regional roaming) |
| Channel B.W | 20, 25 and 28 MHz | Selectable channel BW between 1.25 and 20 MHz | Same as 802.16a with UL sub channels (1.25-20 MHz) |
| Typical cell radius | 2-5 KM | 5-8 KM; max range 50 KM based on power height antenna gain and transmit power | 2-5 KM |


1.3 Broadband wireless technology

| | W-CDMA HSDPA | WIMAX | FLASH OFDM |
|---|---|---|---|
| System | Cellular | Fixed/nomadic wireless broadband internet access (incl. mobility variant) | Cellular high speed wideband data mobility packed switched air interface TCP/IP (core) |
| Mobility | Global (around Km/h) | Limited (around 120 Km/h) (16e) | Global (around 250 Km) |
| Peak data rate | 14 MB/S 1.5 MB/S at 5 MHz paired | Up to 70 MB/S (UL/DL) at 20 MHz (BW scalable) | 3 MB/S DL, 800 KB/S UL at 1.25 MHz paired |
| Spectrum | IMT-2000 FDD | Licensed and exempt around 6 GHz NLOS (2.5, 3.5, 2.4, 5.8 GHz) | Licensed bands around 3.5 GHz |
| Standardization | 3GPP rel. 5 | 802.16 complete; 802.16e mid 2005 | 802.20 (2005) |
| Technology | CDM, FDD, CDMA/TDMA | OFDM, FDD or TDD, TDMA/OFDMA | OFDM, FDD, OFDMA |


2 802.16 Layered Architecture

2.1 WiMAX 802.16 Layered Architecture

The protocol architecture of WiMAX/802.16 is structured into two main layers: the MEDIUM ACCESS CONTROL (MAC) LAYER and the PHYSICAL LAYER.

The MAC LAYER is formed by three sub layers: the CONVERGENCE SUB LAYER, the COMMON SUB LAYER and the SECURITY SUB LAYER.

Fig.1

2.1.1 WiMax 802.16 MAC Convergence Sub Layer

The CONVERGENCE SUB LAYER (CS) adapts units of data (e.g. IP packets or ATM cells) of higher level protocols to the MAC Service Data Unit (SDU) format, and vice versa. The CONVERGENCE LAYER also sorts the incoming MAC SDUs by the connection to which they belong.


Fig.2

WayMax 802.16 MAC Convergence Sub Layer

In the present SVR three Convergence Sub-layers are supported:

• Ethernet or 802.3.

• IPv4 over 802.3 / Ethernet (same as previous but with additional classifier rules).

• 802.1Q VLAN.

WayMax MAC Convergence Sub Layer: Forwarding

BS Forwarding

• WiMAX adopts a connection oriented packet forwarding scheme on the air interface: user data is assigned to a data traffic connection.

• According to the frame destination MAC address, the BS identifies the destination ST and the pool of CIDs associated to the ST.


ST Forwarding

• Connections are activated by the BS only.

• The ST listens to DL sub-frames, checks the CIDs in the received PDUs and retains only those PDUs addressed to it.

• The ST builds its own MAC address table.

• FILTERING (UL direction): the ST does not forward to the radio interface the UL local traffic (traffic directed to hosts connected to the ST LAN interface).

MAC Convergence Sub Layer: Classification

Quality of service handling requires that the User or Terminal Station is identified and a Service Level Agreement is defined for that User or that Terminal Station.

The Base Station shall be able to associate more than one connection to the same User/Terminal Station and to differentiate connection parameters.

The Base Station shall classify the downlink traffic according to classification criteria (such as IPv4 ToS, 802.1p priority field).

The same classification process is also supported in the Terminal Station.

Classification: IPv4 ToS

ToS values are in the range 0 to 63, considering only the 6 bits used to encode the value and not taking into account the two least significant and unused bits of the byte (DSCP). Considering the complete byte, the classical ToS values (between 0 and 63) shall be multiplied by four.


Fig.3 ToS field of one IPv4 packet

Classification: 802.1Q VLAN

Fig.4

2.1.2 WiMax 802.16 MAC Common Part Sub layer

The central element of the layer architecture is the COMMON PART SUB LAYER (CPS). In this layer, MAC Protocol Data Units (PDUs) are constructed, connections are established and bandwidth is managed.

The COMMON PART exchanges MAC Service Data Units (SDUs) with the CONVERGENCE LAYER.


Fig.5

2.1.3 WiMax 802.16 MAC Security Sub layer

The SECURITY SUBLAYER is tightly integrated with the COMMON PART. The SECURITY SUBLAYER addresses authentication, establishment of keys and encryption.

Fig.6


2.1.4 WiMax 802.16 MAC Physical Layer

The PHYSICAL LAYER (PHY) is a two way mapping between MAC PDUs and PHYSICAL LAYER frames received and transmitted through coding and modulation of RF signal.

Fig.7

2.2 WiMax 802.16 MAC Connection Oriented

802.16 MAC is connection oriented. Every service is mapped to a connection, and every connection is referenced with a 16-bit connection identifier (CID) and may require continuously granted bandwidth on demand {4}. MAC layer connections can be seen in a way like TCP connections. Like TCP connections, in which a computer may simultaneously have many different active connections on different ports, in MAC connections the SS may have many connections to a BS for different services like network management or user data transport. The major difference, though, is that in MAC connections every connection may have different parameters for bandwidth, security and priority.


Every connection is identified by its CID; the CID is assigned by the BS. When an SS joins the network, three CIDs are assigned to it, and each one has different QoS requirements used by different management levels: Basic, Primary Management and Secondary Management connections.

In WayMAX the SS can support 12 connections for traffic and 4 connections for management (one is broadcast).

2.3 WiMax 802.16 connection Setup

Fig.8

2.4 WiMax 802.16 Quality of Service

The IEEE 802.16 supports many traffic types (data, voice, video) with different QoS requirements.


The standard defines four types of DATA FLOW, each one with distinct QoS requirements.

1. UNSOLICITED GRANT SERVICES (UGS): designed to support Constant Bit Rate (CBR), such as a T1/E1 link, or delay-jitter dependent services like VoIP. They need constant bandwidth allocation.

2. REAL TIME POLLING SERVICES (rtPS): to support variable data packets on a periodic basis, like MPEG video. They have specific bandwidth requirements.

3. NON REAL TIME PS (nrtPS): to support variable grant burst profiles, e.g. FTP. They require a minimum bandwidth allocation.

4. BEST EFFORT (BE): access to Web surfing. BE applications receive the remaining bandwidth after the allocation to the three previous types of service.

Supported by the WayMAX 1.1 = ــــــــــــــــ

2.4.1 Quality of Service Architecture: Base Station

Fig.9


• All incoming packets are forwarded according to their MAC addresses.

• The classifier function puts the incoming frames onto one 802.16 connection within the CID pool selected by the forwarding function.

• Each connection is associated to a dedicated buffer (queue).

• Each queue has an associated priority.

• The Scheduler manages the CID queues determining which connection shall take the current transmit opportunity.

2.4.2 Quality of Service Architecture: Terminal Station

• Connections are activated by the BS only.

• The TS listens to DL sub-frames, checks the CIDs in the received PDUs and retains only those PDUs addressed to it.

• The TS builds its own MAC address table.

• FILTERING (UL direction): the TS does not forward to the radio interface the UL local traffic (traffic directed to hosts connected to the ST LAN interface).

Fig.10


Summary

CONNECTIONS

• 802.16/WiMAX is connection oriented.

• For each direction, a connection identified with a 16 bit CID will be created.

• Each CID is associated with a Service Flow that defines the QoS parameters for that CID.

MANAGEMENT MESSAGES

Management messages are broadcast or sent on three CIDs in each direction:

• Uplink Channel Descriptor.

• Downlink Channel Descriptor.

• UL-MAP.

• DL-MAP.

• DSA-REQ.

• DSA-RSP.

3 Traffic Connections set-up

Profiles

The Network Operator defines for each Base Station a set of PROFILES that it intends to adopt: they are all listed in a table and some of them will be associated, by the Network Operator, to the connections that will be created for each Terminal Station.


A Profile is defined as a set of the following information:

• Profile Name.

• Class of Service of radio connection (UGS, rtPS, nrtPS, BE).

• List of QoS rules.

For each direction it is possible to specify the following parameters:

• Class of Service.

• MSTR.

• MRTR.

• CRC enabling.

• Fragmentation enabling.

• Packing enabling.

MSTR = Maximum Sustained Traffic Rate

MRTR = Minimum Reserved Traffic Rate

CRC = Cyclic Redundancy Check

Example of Terminal Station connections set up (1)

Step 1: The End User subscribes to the Service Level Agreement (SLA) proposed by the service provider and receives a new Terminal Station identified by the MAC address, e.g. 00:01:E3:FA:86:70.


Step 2: The Network Operator inserts the MAC address of the new Terminal Station inside the Base Station (Sector 1). TID 3 is assigned automatically by the BS to this entry.

Fig.11

Example of Terminal Station connections set up (2)

Step 3: According to the subscribed SLA, the Network Operator assigns Profiles 1 and 3. The Network Operator assigns Profile 1 as the default one. The provisioned Service Flows have been created.

Fig.12


Example of Terminal Station connections set up (3)

Step 4: Each Profile assigned to TID 3 is associated to a different Service Flow Identifier (SFID) by the Base Station.

Fig.13

Step 5: During the Ranging procedure, the Terminal Station announces its MAC address. The Base Station uses the Terminal MAC 00:01:E3:FA:86:70 to identify the associated TID (TID=3).

Step 6: The TID value is used to identify all the SFIDs defined for the associated Terminal Station.

Example of Terminal Station connections set up (4)

Step 7: Each SFID of this Terminal Station is uniquely assigned to a CID that activates a specific Service Flow having the specified set of traffic parameters and classifiers.

Step 8: The Base Station can now forward the user traffic directed to Terminal Station 3 using the CIDs, applying to the incoming packets the set of defined QoS rules for those CIDs.


Example of Terminal Station connection set up (Downlink)

Fig.14

4 MAC Protocol Data Unit

Because the 802.16 PHY is a wireless PHY layer, the main focus of the MAC layer is to manage the resources of the air-link in an efficient manner.

Data Frames

Fig.15


Generic MAC Header

The Generic MAC Header (GMH) contains details of the MAC Protocol Data Units (MPDUs).

Fig.16

The sub headers are used to implement the signaling necessary for fragmentation, packing, ARQ and mesh features of the MAC.

A 32 bit CCITT standard CRC of the entire MPDU may be appended to the frame if required.

Payload field

The payload can either contain a management message or transport data.

A payload in a transport connection can contain:

• A MAC Service Data Unit (MSDU).

• Bandwidth requests.

• Fragments of MSDUs (Fragmentation).

• Aggregates of MSDUs (Packing).

• Automatic Retransmission Requests (ARQ).


Generic MAC PDUs (1)

Generic MPDUs carry transport and management information, depending on which connection the CID in the header indicates. Each generic MPDU begins with a Generic MAC Header (GMH).

The HT bit is set to 0 to indicate that the header is a GMH.

The EC bit indicates that the frame is encrypted.

The CRC indicator (CI) indicates the presence of the optional CRC at the end of the MPDU.

The Encryption Key Sequence (EKS) indicates which key was used to encrypt the frame.

The 11 bits of the LEN field indicate the number of bytes in the MPDU, including the header and the CRC. This limits the frame length to a total of 2047 bytes.

The CID indicates which connection the MPDU is serving.

The HCS is an 8-bit CRC of the first 5 bytes of the GMH.

The Type field contains 6 bits that indicate what is present in the payload.


Generic MAC PDUs (2)

Fig.17

Type Field:

• Bit 0 is set when a grant management sub header is present in the payload.

• Bit 1 is set when a packing sub header is present in the payload.

• Bit 2 is set when a fragmentation sub header is present in the payload.

• Bit 3 is set when the fragmentation or packing headers are extended.

• Bit 4 is set when the frame contains an ARQ feedback payload.

• Bit 5 is set when a mesh sub header is present.

Bandwidth Request PDUs

To request changes to the granted characteristics of a connection, a 6-byte bandwidth request is transmitted from the SS to the BS in place of the Generic MAC Header.

The Header Type (HT) bit is set to 1 to indicate that the header is a bandwidth request header and not a GMH.

The Encryption Control bit (EC) must be set to 0.


The 6-bit Type field takes the value 0 to indicate an incremental bandwidth request or a value of 1 to indicate an aggregate request, that is, the SS informs the BS of its total current bandwidth needs for a connection. This allows the BS to reset its perception of the SS's needs, acknowledging the use of granted bandwidth.

The CID field indicates the connection for which the bandwidth request is being made.

The BR field indicates the number of uplink bytes of bandwidth being requested.

The HCS field is an 8 bit CRC of the first 5 bytes of the bandwidth request header. No payload is transmitted.

Fig.18
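
The two 6-byte headers described above can be parsed and validated as follows. This is an added example, not code from the original survey or from any vendor: the bit offsets and the HCS generator polynomial (x^8 + x^2 + x + 1) are taken from IEEE 802.16-2004 because the page names the fields without giving their positions, the bandwidth request layout follows the page's description (6-bit Type, 16-bit BR), and all function and class names are hypothetical.

```python
"""Parse and validate the 6-byte 802.16 MAC headers (added example)."""
from dataclasses import dataclass

HEADER_LEN = 6
MAX_LEN = 2047  # largest value the 11-bit LEN field can hold

# Type-field bits of the Generic MAC Header, numbered as in the text (bit 0 = LSB).
TYPE_BITS = (
    "grant management subheader",
    "packing subheader",
    "fragmentation subheader",
    "extended fragmentation/packing",
    "ARQ feedback payload",
    "mesh subheader",
)


def hcs8(first5: bytes) -> int:
    """CRC-8 over the first five header bytes, generator x^8 + x^2 + x + 1."""
    crc = 0
    for byte in first5:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


@dataclass(frozen=True)
class GenericHeader:
    ec: bool            # payload is encrypted
    subheaders: tuple   # names decoded from the Type bits
    ci: bool            # a CRC-32 follows the payload
    eks: int            # index of the key used for encryption
    length: int         # whole MPDU in bytes, header and CRC included
    cid: int


@dataclass(frozen=True)
class BandwidthRequest:
    aggregate: bool     # False means incremental
    br: int             # uplink bytes requested
    cid: int


def build_generic_header(ec, type_bits, ci, eks, length, cid) -> bytes:
    """Encode a GMH (used here only to construct sample input)."""
    if not HEADER_LEN <= length <= MAX_LEN:
        raise ValueError("LEN out of range")
    first5 = bytes([
        (int(ec) << 6) | (type_bits & 0x3F),                  # HT=0, EC, Type
        (int(ci) << 6) | ((eks & 0x3) << 4) | (length >> 8),  # CI, EKS, LEN high bits
        length & 0xFF,
        (cid >> 8) & 0xFF,
        cid & 0xFF,
    ])
    return first5 + bytes([hcs8(first5)])


def parse_header(mpdu: bytes):
    """Return GenericHeader or BandwidthRequest; raise ValueError if malformed."""
    if len(mpdu) < HEADER_LEN:
        raise ValueError("truncated header")
    h = mpdu[:HEADER_LEN]
    if hcs8(h[:5]) != h[5]:
        raise ValueError("HCS mismatch")    # check integrity before trusting any field
    ht, ec, type_field = h[0] >> 7, bool(h[0] & 0x40), h[0] & 0x3F
    cid = (h[3] << 8) | h[4]
    if ht:                                  # bandwidth request header, no payload
        if ec:
            raise ValueError("EC must be 0 in a bandwidth request header")
        if type_field > 1:
            raise ValueError("unknown bandwidth request type")
        return BandwidthRequest(type_field == 1, (h[1] << 8) | h[2], cid)
    ci = bool(h[1] & 0x40)
    length = ((h[1] & 0x07) << 8) | h[2]
    if length < HEADER_LEN + (4 if ci else 0):
        raise ValueError("LEN smaller than header plus CRC")
    if length > len(mpdu):
        raise ValueError("LEN exceeds received bytes")
    names = tuple(n for bit, n in enumerate(TYPE_BITS) if type_field & (1 << bit))
    return GenericHeader(ec, names, ci, (h[1] >> 4) & 0x3, length, cid)


if __name__ == "__main__":
    # Constructed samples: a bandwidth request header, then an encrypted MPDU
    # that carries a fragmentation subheader and a CRC.
    print(parse_header(bytes.fromhex("80aaaa0f0fd5")))
    gmh = build_generic_header(True, 0b000100, True, 2, 100, 0x1234)
    print(parse_header(gmh + bytes(94)))
```

Checking the HCS and the LEN bounds before acting on the CID or EC fields keeps a corrupted or truncated header from steering later processing.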

Grant Management Sub-Header (1)

The GRANT management sub header is a lightweight way to attach a request for uplink bandwidth. Each connection, identified by the 16 bit CID, has a particular class of scheduling service assigned to it. If the CID in the GMH indicates a channel that is using the Unsolicited Grant Service (UGS) then the following grant management sub-header format is used.


Fig.19

The Slip Indicator (SI) bit is used by the Terminal Station to inform the Base Station that the uplink buffer servicing a flow has filled up, generally due to the rate of arrival of the data to be sent being slightly faster than the granted uplink rate. It acts as a request to the Base Station to make additional uplink grants.

The Poll Me (PM) bit is used to request that the Base Station sends a bandwidth poll.

Grant Management Sub-Header (2)

In the case of any of the other scheduling services (rtPS, nrtPS, or BE), the following format is used:

Fig.20

The PIGGYBACK request is a 16 bit number that represents the number of uplink bytes of bandwidth being requested for the connection. The piggyback request is used to explicitly indicate the amount of uplink bandwidth that the Terminal Station wants to be granted to it.


Fragmentation

An MSDU may be divided into fragments that are transmitted independently. To signal this, a Fragment Sub Header (FSH) is included at the start of the payload.

Fig.21

The FSH describes a fragment of an MSDU.

The Fragment Control (FC) bits indicate whether the fragment is the first fragment of an MSDU (10), the last fragment (01) or a fragment somewhere in the middle (11). The Fragment Sequence Number (FSN) increases by one for each fragment of an MSDU so the receiver can reassemble fragments appropriately.

Fig.22
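
A receiver can use the FC and FSN values described above to reassemble MSDUs and to discard incomplete ones, as in this added example (not code from the original survey). The FC value 00 for an unfragmented MSDU and the 3-bit FSN width come from IEEE 802.16-2004 rather than from this page, and `max_msdu` and all names are hypothetical.

```python
"""Reassemble MSDUs from fragmentation subheader values (added example)."""

FC_UNFRAGMENTED, FC_LAST, FC_FIRST, FC_MIDDLE = 0b00, 0b01, 0b10, 0b11


class Reassembler:
    """In-order reassembly for one connection (one CID)."""

    def __init__(self, fsn_bits=3, max_msdu=4096):
        self._mod = 1 << fsn_bits    # FSN wraps at this value (assumed 3-bit FSN)
        self._max = max_msdu         # assumed local bound on buffered bytes
        self._parts = None           # fragments of the MSDU in progress
        self._size = 0
        self._expect = None          # FSN the next fragment should carry
        self.discarded = 0           # partial MSDUs and orphan fragments dropped

    def _abort(self):
        self._parts, self._size = None, 0
        self.discarded += 1

    def push(self, fc, fsn, data):
        """Feed one fragment; return a complete MSDU (bytes) or None."""
        if not 0 <= fc <= 3 or not 0 <= fsn < self._mod:
            raise ValueError("FC or FSN out of range")
        in_sequence = self._expect is None or fsn == self._expect
        self._expect = (fsn + 1) % self._mod
        if fc in (FC_UNFRAGMENTED, FC_FIRST):
            if self._parts is not None:
                self._abort()        # previous MSDU never received its last fragment
            if len(data) > self._max:
                self.discarded += 1
                return None
            if fc == FC_UNFRAGMENTED:
                return bytes(data)
            self._parts, self._size = [bytes(data)], len(data)
            return None
        if self._parts is None:      # middle/last with no first fragment buffered
            self.discarded += 1
            return None
        if not in_sequence or self._size + len(data) > self._max:
            self._abort()            # gap, repeat or oversize: drop the whole MSDU
            return None
        self._parts.append(bytes(data))
        self._size += len(data)
        if fc != FC_LAST:
            return None
        msdu = b"".join(self._parts)
        self._parts, self._size = None, 0
        return msdu


def reassemble(fragments, **kwargs):
    """Run (fc, fsn, data) tuples through one Reassembler; return (msdus, discarded)."""
    r = Reassembler(**kwargs)
    msdus = [m for m in (r.push(*f) for f in fragments) if m is not None]
    return msdus, r.discarded


# Constructed input: a complete MSDU, one whose middle fragment (FSN 4) was lost,
# an unfragmented MSDU, and an MSDU whose FSN wraps from 7 to 0.
SAMPLE = [
    (FC_FIRST, 0, b"AB"), (FC_MIDDLE, 1, b"CD"), (FC_LAST, 2, b"EF"),
    (FC_FIRST, 3, b"12"), (FC_LAST, 5, b"56"),
    (FC_UNFRAGMENTED, 6, b"xyz"),
    (FC_FIRST, 7, b"a"), (FC_LAST, 0, b"b"),
]

if __name__ == "__main__":
    print(reassemble(SAMPLE))
```

Bounding the buffered size and dropping a partial MSDU on any sequence gap keeps a lossy or misbehaving sender from holding receiver memory indefinitely.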

Packing

Multiple MSDUs or multiple MSDU fragments can be packed into a single MPDU. This is sometimes referred to as MAC-level PACKET AGGREGATION.


To indicate that packing is used in an MPDU, a bit in the GMH indicates the presence of a packing sub header (PSH). An MPDU can contain multiple packing sub headers, each followed by either an MSDU or a fragment of an MSDU.

Fig.23

Since an MSDU can be broken into fragments and transmitted in packed frames, this enables the Base Station to make better use of the available slots and the channel. For instance, an MSDU that does not fit into the remainder of an MPDU can be allocated to occupy the remainder of the current MPDU, and the rest will be sent in the subsequent MPDUs.

The length field enables the receiver to identify where the next PSH begins in the MPDU payload.

5 Bandwidth Allocation and Request Mechanism

Bandwidth allocation and request mechanism

• BANDWIDTH REQUEST: from SS to BS.

• GRANT: from BS to SS.

• POLLING: from BS to SS.

The request-grant mechanism is designed to be scalable, efficient, and self-correcting. The 802.16 access system does not lose efficiency when presented with multiple connections per terminal, multiple QoS levels per terminal and a large number of statistically multiplexed users.


It takes advantage of a wide variety of request mechanisms, balancing the stability of connection-less access with the efficiency of connection-oriented access.

Polling

Polling is the process by which the BS allocates to the SSs bandwidth specifically for the purpose of making bandwidth requests.

The BS transmits messages to the SSs inside the UL-MAP (PHY frame) in order to receive bandwidth requests from them.

Polling may be:

• UNICAST: The SS receives in the UL-MAP a bandwidth allocation from the BS. If the SS does not need bandwidth, it returns a stuff byte. An SS with UGS service can be polled only after the Poll Me bit has been set. The SS is polled individually.

• CONTENTION-BASED: Contention-based bandwidth request is used when insufficient bandwidth is available to individually poll many inactive SSs. The allocation is multicast or broadcast to a group of SSs that have to contend for the opportunity to send bandwidth requests. Due to the non-deterministic delay that can be caused by collisions and retries, contention-based requests are allowed only for certain lower QoS classes of services.


Request

UGS Service: CONSTANT BIT RATE

• The BS regularly schedules, in a preemptive manner, grants of the size negotiated at connection setup, without an explicit request from the SS.

• The GRANT SUB-HEADER includes the POLL ME BIT as well as the SLIP INDICATOR FLAG.

• The BS, upon detecting the slip indicator flag, can allocate some additional capacity to the SS, allowing it to recover the normal queue state.

• Connections configured with UGS are not allowed to utilize random access opportunities for requests. The SS need not request bandwidth; the BS grants it UNSOLICITED.

• To short circuit the normal polling cycle, any SS with a connection running UGS can use the POLL ME BIT to let the BS know it needs to be polled for bandwidth needs on another connection.

REAL TIME POLLING SERVICE: VOICE over IP, STREAMING VIDEO or AUDIO

• These services are dynamic in nature, but the BS offers PERIODIC dedicated bandwidth request opportunities to meet real-time requirements. The capacity is granted only according to the real need of the connection.

NON REAL TIME POLLING SERVICE: delay tolerant with variable packet size and a periodic transmission, e.g. FTP

• It is almost identical to the real time polling service, except that connections may utilize RANDOM access transmit opportunities for sending bandwidth requests.


BEST EFFORT service (WEB surfing)

The SS sends requests for bandwidth in either RANDOM access slots or DEDICATED transmission opportunities. The occurrence of dedicated opportunities is subject to network load, and the SS cannot rely on their presence.

Fig.24

A more conventional way to request bandwidth is to send a Bandwidth Request MAC PDU that consists of simply the Bandwidth Request Header and no payload.


A closely related method of requesting data is to use a GRANT Management Sub Header to PIGGYBACK a request for additional bandwidth for the SAME connection within a PDU.

GRANT

Fig.25

The IEEE 802.16 MAC accommodates two classes of SS, differentiated by their ability to accept bandwidth grants simply for a connection or for the SS as a whole. Both classes of SS request BW per connection to allow the BS uplink scheduling algorithm to properly consider QoS when allocating BW.

With the GPC class of SS, bandwidth is granted explicitly to a connection, and the SS uses the grant only for that connection.

With the GPSS class, SSs are granted bandwidth aggregated into a single grant to the SS itself. The GPSS SS needs to be more intelligent in its handling of QoS. All the services will use the SS base CID.


QoS Mechanism for multimedia Services

Fig.26

Fig.27


6 802.16 Framing

WiMax 802.16 Framing: FDD

At the PHYSICAL LAYER, the flow of bits is structured as a sequence of frames of equal length. There is a DOWNLINK subframe and an uplink subframe. Two modes of operation are possible: FREQUENCY DIVISION DUPLEX (FDD) and TIME DIVISION DUPLEX (TDD).

In FDD, the downlink subframe and uplink subframe are simultaneous, but don't interfere because they are sent on different frequencies. The uplink is TIME DIVISION MULTIPLE Access (TDMA), which means that the bandwidth is divided into time slots. Each time slot is allocated to an individual Terminal Station being served by the Base Station.

Fig.28

WiMax 802.16 Framing: TDD (1)

In TDD, the downlink subframe and the uplink subframe are consecutive. TX and RX frequencies are the same.


Fig.29

WiMax 802.16 Framing: TDD (2)

In TDD, it is interesting to note the adaptive subframe boundary, whereby allocation of downlink and uplink resources can be carefully controlled. This is ideal for asymmetric services.

Fig.30

WiMax 802.16 Framing

A DOWNLINK SUBFRAME consists of two main parts. The first part contains control information while the second part contains data. The control information consists of a PREAMBLE and MAPS. The PREAMBLE is for frame synchronization purposes.


The data part consists of a sequence of bursts. Each burst is transmitted according to a profile of modulation and a kind of forward error correction. They are sent in an increasing degree of demodulation difficulty. Hence, a Terminal Station receives bursts only as long as it has the capability to demodulate them, and ignores the bursts it cannot demodulate.

Fig.31

WiMax 802.16 Framing: more details

Fig.32


• The present SVR supports FDD mode. The frame duration is 5 ms.

• The Base Station periodically transmits DCD and UCD messages.

• The DCD Interval is set to 4 s. In order to also support H-FDD Terminal Stations, the same message shall be repeated, without any modification, in two consecutive frames.

• The UCD Interval is set to 4 s. Like the DCD, it shall be repeated in two consecutive frames.

• DL-MAP and UL-MAP shall be transmitted in every frame.

• The Base Station periodically allocates an Initial Ranging Window in the uplink, allowing Terminal Stations not yet aligned with the Base Station to transmit and acquire both timing and transmission power level alignment. Bursts transmitted by Terminal Stations for network entry purposes shall use a PHY mode based on the BPSK modulation format.

The default value of the Initial Ranging Interval parameter is 1 s. It shall be possible to configure this parameter between 20 ms and 2 s, with 20 ms granularity.

Each Initial Ranging Window shall be formed by a fixed number of transmission opportunities.

The time length of each opportunity depends on the OFDM symbol period and on the delay introduced by the Cell. For this reason, the Maximum Cell Size must be specified via LCT.

Transmission opportunities are broadcast in downlink.


7 OFDM Technology

WiMax 802.16 OFDM (1)

Orthogonal Frequency Division Multiplexing (OFDM) technology provides operators with an efficient means to overcome the challenges of NLOS propagation. The WiMAX OFDM waveform offers the advantage of being able to operate with the larger delay spread of the NLOS environment. By virtue of the OFDM symbol time and use of a cyclic prefix, the OFDM waveform eliminates the inter-symbol interference (ISI) problems and the complexities of adaptive equalization. Because the OFDM waveform is composed of multiple narrowband orthogonal carriers, selective fading is localized to a subset of carriers that are relatively easy to equalize. An example is shown below as a comparison between an OFDM signal and a single carrier signal, with the information being sent in parallel for OFDM and in serial for single carrier.

Fig.33


WiMax 802.16 OFDM (2)

The ability to overcome delay spread, multi-path, and ISI in an efficient manner allows for higher data throughput. As an example, it is easier to equalize the individual OFDM carriers than it is to equalize the broader single carrier signal.

Fig.34

WiMax 802.16 OFDM (3)

Sub-channelization in the uplink is an option within WiMAX. Without sub-channelization, regulatory restrictions and the need for cost-effective CPEs typically cause the link budget to be asymmetrical, which causes the system range to be uplink limited. Sub-channeling enables the link budget to be balanced such that the system gains are similar for both the up and down links. Sub-channeling concentrates the transmit power into fewer OFDM carriers; this increases the system gain, which can be used to extend the reach of the system, overcome building penetration losses, and/or reduce the power consumption of the CPE. The use of sub-channeling is further expanded in orthogonal frequency division multiple access (OFDMA) to enable a more flexible use of resources that can support nomadic or mobile operation.


Fig.35

WiMax Parameters (802.16d)

OFDM SYMBOL

MODULATION AND CODING Seven combinations of modulation and coding scheme:


All the sub-carriers are allocated to the transmission of a single Terminal Station.

Examples of Thresholds

8 Adaptive Modulation

The use of adaptive modulation and adaptive coding enables each end-user link to dynamically adapt to the propagation path conditions for that particular link. When received signal levels are low, as would be the case for users more distant from the base station, the link automatically throttles down to a more robust, but less efficient, modulation scheme. Since each modulation scheme has a different modulation efficiency, the effective channel capacity can only be determined by knowing what modulation and coding scheme is being used for each end-user link sharing that particular channel.


Fig.36

9 Network Entry

Intro

Each Subscriber Station has a standard MAC address, but this serves mainly as an equipment identifier, since the primary addresses used during operation are the CIDs.

Upon entering the network, the Subscriber Station is assigned three management connections in each direction.

The first of these is the BASIC CONNECTION, used for short messages like MAC and Radio Link Control (RLC) messages.

The second is the PRIMARY MANAGEMENT CONNECTION, used to transfer longer messages like authentication and connection set-up.


The last is the SECONDARY MANAGEMENT CONNECTION, used for the transfer of other standards-based management messages such as Dynamic Host Configuration Protocol (DHCP), Trivial File Transfer Protocol (TFTP) and Simple Network Management Protocol (SNMP).

In addition to these management connections, SSs are allocated transport connections for the contracted services. Transport connections are unidirectional to facilitate different uplink and downlink QoS and traffic parameters; they are typically assigned in pairs.

Subscriber Station Network Entry

Fig.37

Terminal Station Identifier

The Ranging Request Message from the Terminal Station to the Base Station contains the MAC address of the Terminal Station, which is unique in the world.


The MAC address shall be associated with a shorter identifier that identifies a specified Terminal Station, called the TID (Terminal Station Identifier).

The TID is 2 bytes long.

Downlink Channel Synchronization

When a Terminal Station wishes to enter the network, it scans for a channel in the defined frequency list. When operating in a licensed band, a Terminal Station is normally configured to use a specific Base Station with a given set of operational parameters. If the Terminal Station finds a DL channel and is able to synchronize at the physical level (it detects the periodic frame preamble), then the MAC layer looks for the Downlink Channel Descriptor (DCD) and Uplink Channel Descriptor (UCD) to get information on modulation and other DL and UL parameters.

Fig.38


Initial Ranging

When a Terminal Station has synchronized with the DL channel and received the DL and UL MAP for a frame, it begins the initial ranging process by sending a ranging request MAC message on the initial ranging interval using the minimum transmission power. If it does not receive a response, the Terminal Station sends the ranging request again in a subsequent frame, using higher transmission power. Eventually the Terminal Station receives a ranging response. The response either indicates power and timing corrections that the Terminal Station must make or indicates success. If the response indicates corrections, the Terminal Station makes these corrections and sends another ranging request. If the response indicates success, the Terminal Station is ready to send data on the UL.

Fig.39
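The initial ranging loop described above, as an added simulation that is not part of the original document. The toy Base Station model, the dBm and microsecond values, the 3 dB step, the transmit power cap and the frame budget are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class RangingResponse:
    status: str                    # "continue" (apply corrections) or "success"
    power_adjust_db: float = 0.0
    timing_adjust_us: float = 0.0

class ToyBaseStation:
    """Constructed BS model: it only hears requests above a receive floor."""
    def __init__(self, path_loss_db, floor_dbm=-90.0, target_dbm=-80.0, delay_us=12.0):
        self.path_loss_db = path_loss_db
        self.floor_dbm = floor_dbm     # weakest request the BS can decode
        self.target_dbm = target_dbm   # receive level the BS asks for
        self.delay_us = delay_us       # propagation delay of this Terminal Station

    def on_ranging_request(self, tx_power_dbm, timing_advance_us):
        rx = tx_power_dbm - self.path_loss_db
        if rx < self.floor_dbm:
            return None                # request lost: the station gets no response
        power_err = self.target_dbm - rx
        timing_err = self.delay_us - timing_advance_us
        if abs(power_err) <= 1.0 and abs(timing_err) <= 0.5:
            return RangingResponse("success")
        return RangingResponse("continue", power_err, timing_err)

def initial_ranging(bs, min_dbm=-10.0, max_dbm=23.0, step_db=3.0, max_frames=50):
    """Terminal Station side: start at minimum power, one request per frame."""
    power, advance, log = min_dbm, 0.0, []
    for frame in range(max_frames):
        rsp = bs.on_ranging_request(power, advance)
        if rsp is None:                # silence: retry with higher power
            log.append((frame, power, "no response"))
            if power >= max_dbm:
                return {"ok": False, "reason": "power cap reached", "log": log}
            power = min(power + step_db, max_dbm)
        elif rsp.status == "continue": # apply the corrections, then range again
            log.append((frame, power, "corrections"))
            power = min(power + rsp.power_adjust_db, max_dbm)
            advance += rsp.timing_adjust_us
        else:
            log.append((frame, power, "success"))
            return {"ok": True, "power_dbm": power, "advance_us": advance, "log": log}
    return {"ok": False, "reason": "frame budget exhausted", "log": log}
```

The power cap and frame budget bound the loop for a station that is out of range or can never satisfy the corrections; the document itself only says a response arrives "eventually".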

Capabilities Negotiation

After successful completion of initial ranging, the Terminal Station sends a capability request message to the Base Station describing its capability in terms of the supported modulation levels, coding schemes and rates, and duplexing methods. The Base Station accepts or denies the Terminal Station, based on its capabilities.


Fig.40

Authentication

After capability negotiation, the Base Station authenticates the Terminal Station and provides key material to enable the ciphering of data. The Terminal Station sends the X.509 certificate of the Terminal Station manufacturer and a description of the supported cryptographic algorithms to its Base Station. The Base Station validates the identity of the Terminal Station, determines the cipher algorithm and protocol that should be used, and sends an authentication response to the Terminal Station. The response contains the key material to be used by the Terminal Station.

Fig.41


Registration

After successful completion of authentication, the Terminal Station registers with the network. The Terminal Station sends a registration request message to the Base Station and the Base Station sends a registration response to the Terminal Station. The registration exchange includes IP version support, Terminal Station managed or non-managed support, ARQ parameters support, classification option support, CRC support, and flow control.

Fig.42

IP Connectivity (Optional)

The Terminal Station then starts DHCP to get the IP address and other parameters to establish IP connectivity. The Base Station and Terminal Station maintain the current date and time using the time of the day protocol. The Terminal Station then downloads operational parameters using TFTP.


Fig.43

Transport Connection Creation

After completion of registration and the transfer of operational parameters, a transport connection is created. For pre-provisioned service flows, the connection creation process is initiated by the Base Station. The Base Station sends a dynamic service flow addition request message to the Terminal Station and the Terminal Station sends a response to confirm the creation of the connection.

Fig.44
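The network entry sequence above (ranging, capabilities negotiation, authentication, registration, optional IP connectivity, transport connection creation) can be checked against an observed management-message trace. The following is an added example, not part of the original document: the message labels, the TS/BS sender tags and both traces are constructed for illustration and are not wire-format names.

```python
# Phases in the order the document gives them; IP connectivity is marked optional there.
ORDER = ["ranging", "capabilities", "authentication", "registration",
         "ip_connectivity", "transport"]
OPTIONAL = {"ip_connectivity"}

# constructed label -> (phase, expected sender, completes the phase?)
MESSAGES = {
    "ranging_request":       ("ranging", "TS", False),
    "ranging_response":      ("ranging", "BS", False),        # carries corrections
    "ranging_success":       ("ranging", "BS", True),
    "capability_request":    ("capabilities", "TS", False),
    "capability_accept":     ("capabilities", "BS", True),
    "auth_request":          ("authentication", "TS", False), # X.509 cert + algorithms
    "auth_response":         ("authentication", "BS", True),  # key material
    "registration_request":  ("registration", "TS", False),
    "registration_response": ("registration", "BS", True),
    "dhcp_exchange":         ("ip_connectivity", "TS", True),
    "service_add_request":   ("transport", "BS", False),
    "service_add_response":  ("transport", "TS", True),
}

def check_network_entry(trace):
    """Return findings for a list of (sender, message) pairs from one Terminal Station."""
    done, findings = set(), []
    for index, (sender, message) in enumerate(trace):
        if message not in MESSAGES:
            findings.append((index, message, "unknown message"))
            continue
        phase, expected_sender, completes = MESSAGES[message]
        if sender != expected_sender:
            findings.append((index, message,
                             f"sent by {sender}, expected {expected_sender}"))
            continue
        missing = [p for p in ORDER[:ORDER.index(phase)]
                   if p not in OPTIONAL and p not in done]
        if missing:
            findings.append((index, message,
                             f"sent before {', '.join(missing)} completed"))
            continue                   # an out-of-order message must not advance state
        if completes:
            done.add(phase)
    return findings

# Constructed traces: a clean entry, and one where authentication never happens.
GOOD = [("TS", "ranging_request"), ("TS", "ranging_request"), ("BS", "ranging_response"),
        ("TS", "ranging_request"), ("BS", "ranging_success"),
        ("TS", "capability_request"), ("BS", "capability_accept"),
        ("TS", "auth_request"), ("BS", "auth_response"),
        ("TS", "registration_request"), ("BS", "registration_response"),
        ("BS", "service_add_request"), ("TS", "service_add_response")]
SKIPS_AUTH = [m for m in GOOD if not m[1].startswith("auth_")]
```

A registration or service-flow message seen before the authentication response is the case worth alerting on, since the key material for ciphering is only delivered in that response.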


Periodic Ranging

After the connection is established, periodic ranging is necessary to maintain a link. The ranging operation is the basis of control loops that synchronize the timing and power of the SS's transmission to the BS.

Fig.45