eMTC Test Signaling Analysis: NAS Attach and TAU

Introduction

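Since 3GPP introduced the eMTC (LTE Cat-M1) standard in Release 13, eMTC has been widely deployed around the world. Compared with other low-power wide-area technologies such as NB-IoT, 2G and LoRa, eMTC has clear advantages: low power consumption, good mobility, low latency, VoLTE voice support, low network deployment cost because it is compatible with LTE, low device complexity, low device cost, good coverage, and good technical maturity.
eMTC has now become the main low-power wide-area IoT technology direction for replacing 2G and 3G in North America, Japan, Australia and Europe.
In China, for policy reasons, NB-IoT is currently the main focus, but in practice all the major operators have already studied eMTC and built trial networks. Once policy permits, commercial service can start at any time.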

NAS Attach Signaling for eMTC

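For the protocol specification of the eMTC NAS Attach procedure, see 3GPP 24.301.
Here we take a hands-on approach: we connect an eMTC device directly to an eMTC network, capture the signaling for the whole network-entry procedure, and decode and analyze the raw signaling data.
An ordinary signaling tester can be used to test eMTC signaling access, but we want to simulate a real commercial eMTC network. Verizon's eMTC network in the United States, for example, runs on its nationwide 4G LTE network, so LTE devices and eMTC devices coexist on the same network. In China, we can use the 微戎 WR100 to simulate a network like that of the US operators, where LTE and eMTC coexist.
In the WR100 configuration interface, select LTE FDD Band 13 and also tick eMTC; this enables both the LTE and the eMTC network on Band 13. Insert test SIM cards into two LTE phones that support Band 13: the phones register on the network and complete IMS registration, and at this point the two phones can exchange SMS messages and call each other. We then insert a test SIM card into the eMTC device. From the SIM card's IMSI, which ends in 005, we can see in the WR100 configuration interface that the eMTC device has also attached to the network successfully.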
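The WR100 configuration interface can trace signaling and save the trace. Below we analyze the NAS Attach signaling from the eMTC network access just described.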

NAS Attach request message

Below is the Attach request message sent by the eMTC device to the 微戎 WR100.

  [NAS] UL 2677 EMM: Attach request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0xf9b63a0e
    Sequence number = 0x06
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x41 (Attach request)
    EPS attach type = 2 (combined EPS/IMSI attach)
    NAS key set identifier:
      TSC = 0
      NAS key set identifier = 0
    Old GUTI or IMSI:
      MCC = 001
      MNC = 01 
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    UE network capability:
      0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)
      0xf0 (EIA0=1, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)
      0x00 (UEA0=0, UEA1=0, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)
      0x00 (UCS2=0, UIA1=0, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)
      0x00 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=0, LPP=0, LCS=0, 1xSRVCC=0, NF=0)
      0x10 (ePCO=0, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=1, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)
      0x00 (15 bearers=0, SGC=0, N1mode=0, DCNR=0, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 0
      Procedure transaction identity = 3
      Message type = 0xd0 (PDN connectivity request)
      Request type = 1 (initial request)
      PDN type = 3 (IPv4v6)
      Protocol configuration options:
        Ext = 1
        Configuration protocol = 0
        Protocol ID = 0x8021 (IPCP)
        Data = 01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00
        Protocol ID = 0x0003 (DNS Server IPv6 Address Request)
        Data =
        Protocol ID = 0x000a (IP address allocation via NAS signalling)
        Data =
        Protocol ID = 0x000d (DNS Server IPv4 Address Request)
        Data =
        Protocol ID = 0x0010 (IPv4 Link MTU Request)
        Data =
      Device properties = 0x00 (not configured for NAS signalling low priority)
    Last visited registered TAI:
      MCC = 001
      MNC = 01 
      TAC = 0x0001
    Old location area identification:
      Data = 00 f1 10 00 01
    Mobile station classmark 2:
      Length = 3
      Data = 47 08 00
    Additional update type = 0x01 (no additional information, keeping NAS signalling connection not required, SMS only)
    Old GUTI type = 0
    MS network feature support = 0x01 (MS supports the extended periodic timer in this domain)
    TMSI based NRI container:
      Length = 2
      Data = 13 00

NAS Attach accept message

Below is the Attach accept message returned by the 微戎 WR100. With this message, the eMTC device establishes the default bearer and obtains an IP address.

[NAS] DL 2677 EMM: Attach accept
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0x1029edba
    Sequence number = 0x03
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x42 (Attach accept)
    EPS attach result = 2 (combined EPS/IMSI attach)
    T3412 value:
      Value = 5
      Unit = 1 (1 minute)
    TAI list:
      Length = 6
      Data = 00 00 f1 10 00 01
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 5
      Procedure transaction identity = 3
      Message type = 0xc1 (Activate default EPS bearer context request)
      EPS Qos:
        QCI = 9
      Access point name = "default.mnc001.mcc001.gprs"
      PDN address:
        PDN type = 1 (IPv4)
        IPv4 = 192.168.9.2
      ESM cause = 0x32 (PDN type IPv4 only allowed)
      Protocol configuration options:
        Ext = 1
        Configuration protocol = 0
        Protocol ID = 0x8021 (IPCP)
        Data = 03 00 00 0a 81 06 ca 60 86 85
        Protocol ID = 0x000d (DNS Server IPv4 Address)
        Data = ca 60 86 85
    GUTI:
      MCC = 001
      MNC = 01 
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    Location area identification:
      Data = 00 f1 10 00 01
    MS identity:
      TMSI/P-TMSI/M-TMSI = 0x73898fb8
    Emergency number list:
      Length = 8
      Data = 03 1f 19 f1 03 1f 11 f2
    EPS network feature support:
      0x01 (CP CIoT=0, ERw/oPDN=0, ESRPS=0, CS-LCS=0, EPC-LCS=0, EMC BS=0, IMS VoPS=1)
    Additional update result = 0x02 (SMS only)
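
The trace above leaves several fields as raw `Data =` hex. The following Python decoder is an added example, not part of the original post or of the WR100 tool; it decodes the TAI list, the emergency number list and the IPCP packet carried in the protocol configuration options. The function names are assumptions of this example, and the field layouts are those of 3GPP TS 24.301 / TS 24.008 and RFC 1877.

```python
import ipaddress

IPCP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak"}
IPCP_OPTS = {0x81: "primary-dns", 0x83: "secondary-dns"}  # RFC 1877 option types

def tbcd(data):
    """Swapped-nibble BCD digits; a 0xF nibble is filler."""
    return "".join("0123456789*#abc"[n] for b in data for n in (b & 0xF, b >> 4) if n != 0xF)

def plmn(b):
    """3-octet PLMN -> (MCC, MNC); MNC digit 3 is 0xF for a two-digit MNC."""
    return tbcd(bytes([b[0], b[1] | 0xF0])), tbcd(bytes([b[2], b[1] >> 4 | 0xF0]))

def tai_list(data):
    """TAI list value -> [(MCC, MNC, TAC)]; handles list type 0 only."""
    out, i = [], 0
    while i < len(data):
        end = i + 4 + 2 * ((data[i] & 0x1F) + 1)   # header + PLMN + n TACs
        if data[i] >> 5 & 0x3 or end > len(data):
            raise ValueError("unsupported list type or truncated TAI list")
        mcc, mnc = plmn(data[i + 1:i + 4])
        out += [(mcc, mnc, int.from_bytes(data[j:j + 2], "big")) for j in range(i + 4, end, 2)]
        i = end
    return out

def emergency_numbers(data):
    """Emergency number list value -> [(service category, digits)]."""
    out, i = [], 0
    while i < len(data):
        end = i + 1 + data[i]                      # length covers category + digits
        if data[i] < 1 or end > len(data):
            raise ValueError("bad emergency number entry length")
        out.append((data[i + 1] & 0x1F, tbcd(data[i + 2:end])))
        i = end
    return out

def ipcp(data):
    """IPCP packet from the PCO -> (code name, {option: IPv4 address})."""
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("IPCP length field does not match payload")
    opts = {}
    for i in range(4, len(data), 6):               # every option here is 6 octets
        if i + 6 > len(data) or data[i + 1] != 6:
            raise ValueError("unexpected IPCP option length")
        opts[IPCP_OPTS.get(data[i], hex(data[i]))] = str(ipaddress.IPv4Address(data[i + 2:i + 6]))
    return IPCP_CODES.get(data[0], str(data[0])), opts

# Raw "Data =" values copied from the Attach accept trace on this page
TAI, ENL, PCO = (bytes.fromhex(s) for s in ("0000f1100001", "031f19f1031f11f2", "0300000a8106ca608685"))
```

The decoded TAI (MCC 001, MNC 01, TAC 1) agrees with the GUTI and last visited TAI fields the tool decoded itself, and the IPCP Configure-Nak carries the same DNS address as the 0x000d container.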

NAS Attach complete message

   [NAS] UL 2677 EMM: Attach complete
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0xf0a95e39
    Sequence number = 0x07
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x43 (Attach complete)
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 5
      Procedure transaction identity = 0
      Message type = 0xc2 (Activate default EPS bearer context accept)
    00:00:40.780 [NAS] DL 2677 EMM: EMM information
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0xac51debc
    Sequence number = 0x04
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x61 (EMM information)
    Full name for network:
      Length = 14
      Data = 86 d7 72 5a fe 76 83 9c 65 fa fd 2d 5f 03
    Short name for network:
      Length = 7
      Data = 86 d7 72 5a fe 76 03
    Local time zone = 0
    Universal time and local time zone:
      Data = 91 80 71 00 00 04 00
    Network daylight saving time:
      Length = 1
      Data = 00

Tracking area update request

    [NAS] UL 2681 EMM: Tracking area update request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0xdaef7b3c
    Sequence number = 0x0a
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x48 (Tracking area update request)
    EPS update type:
      Value = 3 (periodic updating)
      Active flag = 0
    NAS key set identifier:
      TSC = 0
      NAS key set identifier = 0
    Old GUTI:
      MCC = 001
      MNC = 01 
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    Last visited registered TAI:
      MCC = 001
      MNC = 01 
      TAC = 0x0001
    EPS bearer context status:
      Length = 2
      Data = 20 00
    Additional update type = 0x01 (no additional information, keeping NAS signalling connection not required, SMS only)
    Old GUTI type = 0
    MS network feature support = 0x01 (MS supports the extended periodic timer in this domain)

Tracking area update accept

    [NAS] DL 2681 EMM: Tracking area update accept
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0x7fba2f00
    Sequence number = 0x05
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x49 (Tracking area update accept)
    EPS update result = 1 (combined TA/LA updated)
    T3412 value:
      Value = 5
      Unit = 1 (1 minute)
    GUTI:
      MCC = 001
      MNC = 01 
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    TAI list:
      Length = 6
      Data = 00 00 f1 10 00 01
    EPS bearer context status:
      Length = 2
      Data = 20 00
    Location area identification:
      Data = 00 f1 10 00 01
    Emergency number list:
      Length = 8
      Data = 03 1f 19 f1 03 1f 11 f2
    EPS network feature support:
      0x01 (CP CIoT=0, ERw/oPDN=0, ESRPS=0, CS-LCS=0, EPC-LCS=0, EMC BS=0, IMS VoPS=1)
    Additional update result = 0x02 (SMS only)

Detach request

    [NAS] UL 2675 EMM: Detach request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0x06c6f8e9
    Sequence number = 0x05
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x45 (Detach request)
    Detach type = 11 (switch_off=1, combined EPS/IMSI detach)
    NAS key set identifier = 0
    GUTI or IMSI:
      MCC = 001
      MNC = 01 
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
