Home | Reports | Technical Documents | Tech-Blog | One-Shot Gallery | Korea ICT News | Korea Communication Market Data | List of Contributors | Become a Contributor |    
Section 5G 4G LTE C-RAN/Fronthaul Gigabit Internet IPTV/Video Streaming IoT SDN/NFV Wi-Fi KT SK Telecom LG U+ Network Protocol Samsung   Korean Vendors
Real World Private 5G Cases   4 Deployment Models On-Premise Cases 5G Core Control Plane Sharing Cases

5G Core Sharing Cases

Private 5G Deployment   • Private 5G Frequency Allocation Status in Korea  South Korean government's regulations on private 5G and KT's strategy for entering the market
Cases in Korea   Private 5G Operators |   SK Networks Service (SI) Sejong Telecom (Wire-line Carrier) KT MOS (Affiliate of KT) • Newgens (SI) • NAVER Cloud more >>  
    Enterprise DIY |   Korea Hydro & Nuclear Power (Power Plant) Korea Electric Power Corporation (Energy) • Republic of Korea Navy more >>
CHANNELS     HFR Private 5G Solution (my5G)       my5G Solution Components       my5G Key Features        my5G Resources        my5G News          
EMM Procedure 1. Initial Attach - Part 2. Call Flow of Initial Attach
January 16, 2014 | By Netmanias (tech@netmanias.com)
Online viewer:
Comments (35)
Page 2 of 4



Table of Contents  

1. Introduction
2. Initial Attach Procedure

        2.1 IMSI Acquisition
        2.2 Authentication
        2.3 NAS Security Setup
        2.4 Location Update
        2.5 EPS Session Establishment
3. EPS Entity Information

        3.1 Before Initial Attach
        3.2 After Initial Attach
4. Closing



2. Initial Attach Procedure


Figure 1 illustrates initial attach procedures in EMM Case 1, along with function blocks required in each procedure, as defined in Part 1.



Figure 1. Summary of Initial Attach Procedures


2.1 IMSI Acquisition


Figure 2 shows the first step in the procedures. By the end of this first step, the MME obtains an IMSI from the UE. The UE attempts to initially attach to the network by sending an Attach Request message, with its IMSI in it, and the MME obtains the IMSI from the message. For the purpose of explanation, this step can be further divided into two sub-steps:  the UE stays in the initial state after radio link synchronization, and  the UE establishes ECM connection for delivering an Attach Request message to the MME. The ECM connection establishment phase can be further divided into two sub-phases: (1) RRC connection establishment, and (2) S1 signaling connection establishment.



Figure 2. Procedure for IMSI Acquisition


 Initial State after Radio Link Synchronization

In order for a UE to request initial attach to a network, communication with an eNB is essential. So, the UE selects an eNB (cell) through PLMN selection and cell search procedures, and has the radio link synchronized (PLMN selection and cell search procedures are out of the scope of this document, and thus will not be covered here). Then, the user can communicate with the eNB. At this time, the UE is in EMM-Deregistered, ECM-Idle, and RRC-Idle state.


 ECM Connection Establishment

On NAS layer, the UE sends an Attach Request (including IMSI and UE Network Capability) message to request initial attach to the NAS layer of the MME.

In order for the Attach Request message to be delivered, ECM connection is required between the UE and the MME. And for the ECM connection, RRC connection between the UE and the eNB, and S1 signaling connection between the eNB and the MME are required. NAS messages are sent as RRC messages (RRC Connection Setup Complete message) when passing through the RRC connection, and then as S1AP messages (Initial UE Message) through the S1 signaling connection.


(1) RRC Connection Establishment  

An RRC connection is established between the RRC layers of the UE and the eNB. Once established, the connection is used when delivering messages to the RRC layers or their upper layers, NAS layers, in the control plane. The procedure for establishing an RRC connection is as follows:


1) [UE → eNB] RRC Connection Request

An UE requests an RRC connection by sending an RRC Connection Request (Establishment Cause=“Mobile Originating Signaling”) message to an eNB. The “Mobile Originating Signaling” is a value used in the Establishment Cause field when a UE requests Attach, Detach or TAU (Tracking Area Update). The message sent by the UE is delivered to the eNB through SRB 0, the SRB (Signaling Radio Bearer) used by all UEs in a cell, and CCCH (Common Control Channel), a logical channel.


2) [UE ← eNB] RRC Connection Setup

The eNB allocates a SRB (SRB1) dedicated to the UE by sending the UE an RRC Connection Setup message, which is delivered through SRB 0 and CCCH. The uplink/downlink radio resources of the UE are controlled by the eNB. So, after completing this step, the UE can use the radio resources by using the SRB configuration allocated through the RRC Connection Setup message. Then it transits to EMM-Deregistered, ECM-Idle and RRC-Connected state.


3) [UE → eNB] RRC Connection Setup Complete

The UE notifies the eNB that the RRC connection setup is completed by sending it an RRC Connection Setup Complete message through SRB 1 and DCCH (Dedicated Control Channel). For efficient delivery, the Attach Request message1 that was delivered to the NAS layer is sent to the eNB when delivering the RRC Connection Setup Complete message, as embedded in the Dedicated NAS Information field (DedicatedInfoNAS) of the RRC Connection Setup Complete message.


(2) S1 Signaling Connection Establishment

Control messages between the eNB and the MME are sent over S1-MME interface as embedded in S1AP messages. S1AP messages are delivered through S1 signaling connections dedicatedly established for each user. The S1 signaling connections are defined by an ID pair (eNB UE S1AP ID, MME UE S1AP ID) allocated by the eNB and the MME for identifying UEs.

In Figure 2, an Attach Request message, the first NAS message, arrives at the eNB before S1 signaling connection is established. The eNB then allocates an eNB UE S1AP ID for establishment of S1 signaling connection, and sends the MME an Attach Request message, as embedded in an Initial UE Message. The Attach Request message is delivered as embedded in the NAS-PDU field of the Initial UE Message. The Initial UE Message consists of the following information elements:



When the MME receives the Initial UE Message from the eNB over S1-MME, it allocates an MME S1AP UE ID for the UE. Now with this newly allocated ID and the previously allocated eNB UE S1AP ID, S1 signaling connection between the two entities are established. The MME UE S1AP ID is used later when the MME identifies UEs over S1-MME interface (Downlink).


(3) ECM S1 Connection Establishment

Through Steps (1) and (2) above, the ECM connection between the NAS layers of the UE and the MME is established. Then, the UE transits to EMM-Registered2, ECM-Connected and RRC-Connected state.


(4) IMSI Acquisition

The NAS layer of the MME acquires the IMSI of the UE from the Attach Request message sent from the NAS layer of the UE, and finds out the UE’s security capability by learning what security algorithms the UE can use from the UE’s network capability information.


After collecting the UE’s IMSI and security capability information from the Attach Request (IMSI, UE Network Capability) message received from the UE, the MME performs the authentication and NAS security Setup procedures for secured delivery of NAS messages, by using the collected information, and in accordance with the EPS-AKA (Evolved Packet System-Authentication and Key Agreement). The two procedures - authentication and NAS security setup - are described in Sections 2.2 and 2.3, respectively. As they are already explained in details in our LTE Security documents [3][4], they will be discussed briefly here in this document.


2.2 Authentication


Authentication procedure between a UE and a network (MME) is described in Figure 3. The procedure consists of the following two steps: Step (1), authentication vector acquisition, during which the MME acquires authentication vectors from the HSS for the UE, and Step (2), mutual authentication, during which the MME and the UE are mutually authenticated. Step (1) is performed over the S6a interface between the MME and the HSS using Diameter protocol, while Step (2) is performed between the UE and the MME using a NAS protocol.


Figure 3. Procedure for Authentication


(1) Acquisition of Authentication Vectors

1) [MME → HSS] Authentication Information Request

The MME sends the HSS an Authentication Information Request message, requesting authentication vector(s) (AV) for the UE that has an IMSI. At this time, it includes the UE’s SN ID (Serving Network ID) along with the IMSI in the message to make sure the HSS reflects the UE’s current serving network information (i.e. which operator’s network the UE is using) when generating authentication vectors for the UE. Main parameters in the Authentication Information Request message are:



2) [HSS] Generating Authentication Vectors

The HSS3 generates authentication vectors by using the LTE master key (LTE K) in the IMSI and the serving network ID (SN ID) of the UE. Authentication vectors are generated through the two steps as seen in Figure 4. First, the HSS generates SQN and RAND, and then inputs the values of {LTE K, SQN, RAND} in the crypto function to generate the values of {XRES, AUTN, CK, IK}. Next, it inputs the values of {SQN, SN ID, CK, IK} in the key derivation function to derive KASME.

(i) (XRESAUTN, CK, IK) = Crypto Function (LTE K, SQN, RAND)



Figure 4. Generating Authentication Vectors


The final form of authentication vectors is {RAND, AUTN, XRES, KASME}, and the roles of each authentication vector element are as follows:



(3) [MME ← HSS] Delivering Authentication Vectors

The HSS sends the authentication vectors, as included in the Authentication Information Response (AV4) message to the MME. The MME then uses this information to perform mutual authentication with the UE in Step (2).


(2) Mutual Authentication

LTE requires mutual authentication between a user and the network. So, a user must authenticate the network, and the network must authenticate the user. Once the MME received authentication vectors {RAND, AUTN, XRES, KASME} from the HHS, it sends RAND and AUTN on to the UE so that the UE can generate authentication vectors, and authenticate the network. However, the MME keeps XRES and KASME to use for user authentication and NAS security key derivation, respectively. KASME is not passed on to the UE (but generated when the UE generates authentication vectors), but KSIASME, an index for KASME, is delivered to the UE, instead. Mutual authentication procedures between the UE and MME are as follows:


4) [UE ← MME] Request by MME for User Authentication

The MME delivers the information (RAND, AUTN) required for the UE to generate authentication vectors, and KSIASME, as included in the Authentication Request (RAND, AUTN, KSIASMEmessage to the UE.


5) [UE] User’s Authenticating the Network: Generating Authentication Vectors and Authenticating the Network

After receiving the Authentication Request (RAND, AUTN, KSIASME) message from the MME, the UE first generates SQN from AUTN, and then authentication vectors as the HSS did (in Figure 4). Next, the UE compares its own AUTN (AUTNUE) and the AUTN received from the MME (AUTNHSS) to authenticate the network, and stores KSIASME as an index of KASME.


6) [UE → MME] Delivery of User RES to MME

After completing network authentication by comparing the AUTN values, the UE sends its own RES value to the MME, as included in the Authentication Response (RES) message, so that the MME can authenticate the user.


7) [MME] Network’s Authenticating the UE

Upon the receipt of the Authentication Response (RESmessage from the UE, the MME compares the RES value generated by the UE and the XRES value it received from the HSS, to authenticate the user.


Once the above steps are completed, the UE and the network (MME) are mutually authenticated. Now, the two begins the procedure for establishing NAS security setup for secured delivery of NAS messages.


2.3 NAS Security Setup


Once user authentication is completed, the MME initiates the NAS security setup procedure so that NAS messages can be securely exchanged between the two entities. Figure 5 shows the call flows in the NAS security setup procedure.


Figure 5. Procedure for NAS Security Setup


1) [MME] Generating NAS Security Keys

The MME selects ciphering and integrity algorithms to be applied to NAS messages from the Attach Request message received from the UE. Next, it derives a NAS integrity key (KNASint) and a NAS encryption key (KNASenc) from KASME, to be applied to NAS messages.


2) [UE ← MME] Helping UE to Generate NAS Security Keys

The MME informs the UE of the selected security algorithms, by including them in a Security Mode Command (KSIASME, Security Algorithm, NAS-MAC) message, helping the UE to generate NAS security keys. The message is sent with its integrity-protected (by including NAS-MAC).


3) [UE] Generating NAS Security Keys

When the UE receives the Security Mode Command message, the UE generates NAS security keys (KNASint and KNASenc) by using the NAS security algorithm that the MME selected, and performs an integrity validation on the Security Mode Command message by using the NAS integrity key (KNASint). If the message passes the integrity check, it can be seen that the NAS security keys are successfully set and properly working between the two entities.


4) [UE → MME] NAS Security Key Generation Complete

The UE informs the MME of the successful generation of NAS security keys by sending a Security Mode Complete (NAS-MAC) message, after having it encrypted and integrity protected using the generated keys.


After completing the above steps, the procedure for NAS security setup between the two entities ends. Then messages between the two thereafter are securely delivered, as encrypted and integrity-protected.


2.4 Location Update


Once the procedures for authentication and NAS security setup are completed, now the MME has to register the subscriber in the network, and find out what services the subscriber can use. To this end, the MME notifies the HSS the subscriber is registered in the network and located in its TAs, and then downloads information about the subscriber from the HSS. All these are done through the location update procedure, and by using Diameter protocol over the S6a interface between the MME and the HSS. The call flows during this procedure are as in Figure 6.


Figure 6. Procedure for Location Update


1) [MME → HSS] Notifying UE Location

The MME sends an Update Location Request (IMSI, MME ID) message to the HSS in order to notify of the UE’s registration and obtain the subscription information of the UE.


2) [HSS] UE Location Update

The HSS registers the MME ID to indicate in which MME the UE is located in.


3) [MME ← HSS] Delivering User Subscription Information

The HSS sends the MME subscription information of the subscriber as included in an Update Location Answer message, so that the MME can create an EPS session and a default EPS bearer for the subscriber. The subscription information included in the Update Location Answer message is as follows:



4) [MME] Storing Subscription Information

The MME receives the Update Location Answer message from the HSS, and stores the subscription information from the message.


From the downloaded subscription information, the MME can check what services the user is subscribing to, and to which APN and with what QoS level the resources are to be allocated.


2.5 EPS Session Establishment


The MME, based on the subscription information, establishes an EPS session and a default EPS bearer for the user. By doing so, the MME allocates the network/radio resources for providing each user with satisfying QoS they are subscribing to. Figure 7 and Figure 8 illustrate procedures for establishing an EPS session and a default EPS bearer, respectively.



Figure 7. Procedure for EPS Session Establishment (1)


1) [MME] Assigning EPS Bearer ID

The MME selects a value from 5~15, and allocates it as an EPS Bearer ID (EBI) in order to establish a default EPS bearer for the newly attached user.


2) [MME] Selecting P-GW

The MME checks the APN received from the HSS, and decides to which P-GW to connect to access the APN. This decision can be made based on the subscription information received from the HSS (specifically, P-GW ID). Or if there is no such information, the MME queries the DNS server for APN FQDN (e.g. internet.apn.epc.mnc05.mcc450.3gppnetwork.org), and selects one from the returned P-GW IP address list in accordance with its P-GW selection policies6. At this time, it also chooses which S-GW to go through to get the selected P-GW.


◇ 3) ~ 4) Request for EPS Session Creation

The MME requests creation of an EPS session and a default EPS bearer by sending a Create Session Request message to the P-GW selected in Step 2) above. Here, the MME includes the subscription information it received from the HSS in the message, so that the P-GW can use it when requesting PCRF for EPS session creation. At this time, UE-AMBR is not included as it is to be determined by the MME.


3) [MME → S-GW] Request for EPS Session Creation

The MME and the S-GW communicate over S11 interface in the control plane using GTP protocol (GTP-C)7. The MME sends the S-GW selected in Step 2) a Create Session Request message, with the following parameters:



4) [S-GW → P-GW] Request for EPS Session Creation

The S-GW and the P-GW communicate over S5 interface in the user and control planes using GTP protocol (UP: GTP-U, CP: GTP-C). The S-GW allocates a downlink S5 TEID (S5 S-GW TEID) to establish S5 GTP to the P-GW indicated in the received Create Session Request message. Then, it sends the ID along with other parameters, as included in the Create Session Request message, to the P-GW.



5) [S5 Bearer: Downlink]

Once Step 4) is completed, the downlink S5 GTP-U tunnel is created, allowing the P-GW to send downlink traffic to the S-GW. In Figures 7 and 8, the entity that allocates and sends a GTP tunnel TEID is marked as “fill” (), and the one that receives it is marked as “empty” ().


6) [P-GW] Allocating User IP Address

The P-GW, upon receiving the Create Session Request message, realizes the user is attempting to access the network again with IMSI. So, it allocates an IP address to the UE so that the UE can use it when using APN.


7) [P-GW → PCRF] Notifying of EPS Session Setup

The P-GW and the PCRF communicate over Gx interface using Diameter protocol. When creating an EPS session for a user, resources allocation and QoS control for the user must be determined based on the services that the user is subscribing to. It is PCRF that is in charge of controlling policies concerning all the users who accessed to the network. So, the P-GW provides the PCRF with subscription information about the user, and obtains the PCRF’s authorization for resources allocation in accordance with the network operator’s policies. From the UE’s subscription information received from the MME, the P-GW gathers information required for the PCRF’s decision-making on the operator’s policies, and sends it to the PCRF through a CCR (CC-Request) message. An example of the message is as follows:


8) [PCRF → SPR] Requesting Access Profiles

The PCRF requests the SPR for the user’s access profile to determine PCC policies for the user.


9) [PCRF ← SPR] Returning Access Profiles

The SPR returns an access profile for the user. The profile may include information such as SDF Filter, QCI, ARP, APN-AMBR (UL/DL), Charging Method (e.g. Offline), Changing Reporting Action (e.g. Start Reporting ECGI, TAI), etc.


10) [PCRF] Determining Policies

The PCRF determines PCC policies for the EPS session to be established based on the user access profile.


11) [P-GW ← PCRF] Acknowledging EPS Session Establishment

The PCRF delivers the PCC policies determined in Step 10) to the P-GW, as included in a CCA (CC-Answer) message. An example of the message is as follows:



12) [P-GW] Policy Enforcement 

The P-GW applies the PCC policies received from the PCRF. As the PCC policies are applied to each SDF, the P-GW sets up mapping between SDFs and the EPS bearer, and prepares a QoS profile to be applied to the default EPS bearer (see our technical document, “LTE QoS: SDF and EPS Bearer QoS”[5] for more information).


◇ 13) ~ 15) EPS Session Creation Response

The P-GW informs the MME of the QoS information applied to the established EPS sessions and default EPS bearer, by sending it in a Create Session Response message. The PCRF may decide to keep the value the MME received from the HSS, or select a new value.


13) [S-GW  P-GW] EPS Session Creation Response

The P-GW allocates an uplink S5 TEID (S5 P-GW TEID) for establishing S5 GTP to the S-GW. It then includes the S5 P-GW TEID and the QoS profile to be applied to the default EPS bearer (S5 bearer) in the Create Session Response message, and sends it to the S-GW as a response to the Create Session Request message received in Step 4).


14) [S5 Bearer: Uplink] S5 Bearer Established

Completing Step 13) establishes the uplink S5 GTP-U tunnel, allowing the S-GW to exchange uplink/downlink traffic with the P-GW.


15) [MME ← S-GW] EPS Session Creation Response

When receiving the Create Session Response message from the P-GW, the S-GW keeps the uplink S5 TEID (S5 P-GW TEID) to be used for uplink traffic, and allocates an uplink S1 TEID (S1 S-GW TEID) of S1 GTP tunnel to be used for S1 bearer. After processing the message, the S-GW adds the newly allocated S1 S-GW TEID to the processed message, and sends it to the MME as a response to the Create Session Request message it received in Step 3).


16) [MME] Why MME Keeps S5 P-GW TEID?

Once attached to a network, if a UE performs a TAU or handover, its S-GW may be changed. For this reason, the MME informs the UE’s new S-GW of the uplink S5 TEID so that the new S-GW can deliver uplink traffic to the P-GW.


17) [S1 Bearer: Uplink]

Completing Step 15) establishes the uplink S1 GTP-U tunnel. However, since the eNB does not have this value (S1 S-GW TEID) yet, it cannot deliver uplink traffic to the S-GW at this time. 


18) [MME] Calculating UE-AMBR

Now, the MME returns an Attach Accept message to the UE as a response to the Attach Request message, and prepares for E-RAB setup (i.e. for allocating resources to radio link and S1 bearer) by controlling the eNB. For this, the MME calculates the UE-AMBR value to send to the eNB. The MME has already received the UE-AMBR value, as included in subscription information, from the HSS in Section 2.4 above. However, it can adjust the value to the extent not exceeding the total APN-AMBR of each APN, and allocates it instead.



Figure 8. Procedure for EPS Session Establishment (2)


19) Determining Information needed for E-RAB and NAS Signaling

By receiving the Create Session Response message from the P-GW, the MME learns resources have been approved and allocated to the user. Then, it becomes in charge of E-RAB (DRB+S1 bearer) setup, and controls the eNB and the S-GW. To this end, it determines the resources required for E-RAB setup and the information needed for NAS signaling (Attach Accept) as follows: 

  • Allocating a GUTI that the UE can use instead of the IMSI
  • Determining parameters related to controlling TAU (TAI list allocation, TAU Timer value)
  • Determining UE-AMBR for the eNB’s use
  • Allocating an E-RAB ID

20) [UE ← MME] Attach Accept

The MME includes information, such as the UE IP address allocated by the P-GW, the GUTI, TAI list, EPS Bearer ID, UE-AMBR values allocated by itself, and QoS parameters received from the S-GW, in the Attach Accept message8, and sends it to the UE as a response to the Attach Request message received in Section 2.1.

This message is delivered as included in the Initial Context Setup Request message through the S1 signaling connection, and then in the RRC Connection Reconfiguration message through the RRC connection.


21) [MME] Creating KeNB

The MME creates KeNB, the AS security base key, from KASME. This is to ensure the eNB can generate AS security keys to be used for secured communication between the eNB and the UE over radio link (i.e. for AS security setup).


22) [eNB ← MME] Requesting E-RAB Setup

The MME sends an Initial Context Setup Request message so that the eNB can establish S1 bearer with the S-GW, and DRB with the UE. The Initial Context Setup Request message consists of the following information elements:



23) [S1 Bearer: Uplink]

Once Step 22) is completed, and the S1 S-GW TEID is obtained, the eNB can deliver uplink traffic to the S-GW.


When the eNB receives the MME’s Initial Context Setup Request message that requests E-RAB setup, it sets up DRB by sending an Attach Accept message to the UE. Then, it completes S1 bearer setup by including a downlink S1 TEID in the Initial Context Setup Response message, and sending the message as a response to the Initial Context Setup Request message to the MME, so that the MME can forward it to the S-GW.


◇ 24) ~ 27) AS Security Setup

Upon receiving the MME’s Initial Context Setup Request message, the eNB attempts to communicate with the UE to set up DRB. To ensure secured communication over the radio link, the eNB performs the procedure for AS security setup before sending messages to the UE (see our technical document, “LTE Security II: NAS and AS Security” [3] for more information).


24) [eNB] Generating AS Security Keys

The eNB generates AS security keys from KeNB received from the MME for safe delivery of RRC messages and user traffic to/from the UE. The eNB selects ciphering and integrity algorithms for RRC messages from the security algorithms that the MME forwarded for the UE, and ciphering algorithms for user traffic. Next, from KeNB, it derives KRRCint/KRRCenc, RRC integrity/ciphering keys, and KUPenc, a key for ciphering user traffic.


25) [UE ← eNB] Helping UE to Generate AS Security Keys

The eNB helps the UE to generate AS security keys (KRRCint, KRRCenc and KUPenc) by informing the UE of the AS security algorithms it selected (i.e. control plane RRC integrity/ciphering algorithm and user plane ciphering algorithm) through a Security Mode Command (AS Security Algorithm, MAC-I) message. The eNB sends this RRC message with its integrity-protected (by including MAC-I).


26) [UE] Generating AS Security Keys

Upon receiving the Security Mode Command message from the eNB, the UE generates AS security keys using the AS security algorithm that the eNB selected, and performs integrity check on the Security Mode Command message.


27) [UE → eNB] AS Keys Generation Complete

Once the integrity check on the Security Mode Command message is completed, AS security keys are successfully set up and ready to work between the UE and the eNB. The UE then indicates to the eNB that AS security keys are generated by sending a Security Mode Complete (MAC-I) message. The UE sends the message with its integrity-protected by using the RRC integrity key.


As the AS security setup over the radio link is ended, RRC messages exchanged over the radio link thereafter are sent as encrypted and integrity-protected, and user traffic is delivered as encrypted. Now, the eNB begins DRB establishment.


◇ 28) ~ 29) DRB Establishment


28) [UE ← eNB] Reconfiguring RRC Connection

The eNB allocates uplink/downlink DRB IDs, and configures DRB QoS parameters from E-RAB QoS in order to establish DRB, an EPS bearer over the radio link. Thereafter, it sends a RRC Connection Reconfiguration message to the UE through the secured RRC connection. The RRC connection was already established when the UE sent the Attach Request message. However, it must be reconfigured now that the UE needs to configure parameters according to the resources allocated by the network as a result of permission to access the network. The RRC layer of the UE allocates radio resources based on the configuration parameters gathered from the RRC Connection Reconfiguration message. Next, it extracts an Attach Accept message from the RRC Connection Reconfiguration message, and sends it to the NAS layer.


When the NAS layer of the UE receives the message, it obtains the UE IP address and GUTI from the message, and uses them for future communication.


29) [DRB Establishment: Uplink and Downlink] DRB Establishment Complete

Once Step 28) is completed, and the UE can deliver uplink/downlink traffic from/to the eNB.


39) [eNB → S-GW] E-RAB Setup Response

The eNB allocates a downlink S1 TEID (S1 eNB TEID) for S1 bearer. Then it includes the allocated ID in an Initial Context Setup Response message, and sends it to the MME as a response to the Initial Context Setup Request message received in Step 22), so that the MME can forwards it to the S-GW.


31) [eNB] Allocating a Downlink TEID for S1 Bearer

Once Step 29) is completed, a downlink TEID is allocated by the eNB to S1 bearer, establishing the downlink S1 GTP-U tunnel. However, since the S-GW does not know about the establishment yet, it cannot delivery downlink traffic to the eNB at this time.


32) [UE → MME] Sending Attach Complete Message

The UE sends an Attach Complete message9 to the MME, as a response to the message in Step 20). The Attach Complete message is delivered through an UL Information Transfer message over the RRC connection, and then through an Uplink NAS Transport message over the S1 signaling connection.


33) [UE][MME] EMM State

Now the UE and the MME stay in EMM-Registered state. If an Attach Reject message is sent from the MME to the UE in Step 20), the UE must release the ECM/RRC connection and transit to EMM-Deregistered state. 


34) [MME → S-GW] Requesting S1 Bearer Modification

The MME forwards the downlink S1 TEID (S1 eNB TEID) received from the eNB to the S-GW through a Modify Bearer Request message.


35) [MME ← S-GW] Responding to S1 Bearer Modification Request

The S-GW sends the MME a Modify Bearer Response as a response to the Modify Bearer Request message. Now, the S-GW is ready to deliver downlink S1 traffic.


36) [S1 Bearer: Downlink] S1 Bearer Setup Complete

Step 35) completes the setup procedure for S1 bearer. With the establishment of S1 bearer, the eNB and the S-GW can exchange traffic with each other. Now, the default EPS bearer from the UE all the way to the P-GW is finally established, allowing uplink/downlink EPS bearer communication between the UE and the P-GW.



Page 2 of 4
fanrui 2014-07-08 19:20:50

Very good document. I have a question.

In the attach accept message, the IP address allocated to UE is mandatory. However, there is no DNS related information. I checked spec, in the PCO (protocol configuration options) DNS server address can be included. However PCO is optional. So I just wonder, without DNS server in PCO, how could UE access the internet?

nn 2018-01-21 22:21:29

Hi, Did you find the answer anywhere ? 


Hi Netmania ,


Can you please clarify points put by fanrui. Thanks in advance.



broncadocrl 2018-10-20 00:20:30



Normally, DNS server address is always included in PCO. If not, UE is only able to access internet using IPs (no DNS server to translate the domain, etc.) or manually defining the DNS server in the UE.

Nagarjuna 2014-09-18 22:07:16

Hi Netmanias,


                   First i have to thank you ,that you shred a very valuable document with us regarding lte stuffs , but here i have one small suggestion , in point of initial attach part-1 &2 ,document maily focusing on core network rather on RRC messages (i.e., between UE and Enodeb).can you please add one more document(which highlits UE and Enodeb messages and transcations) related also,so that end-to-end connection would be clear for us.






Vijayakumar 2015-04-12 21:45:11

Hi Netmanias,


Really appreciate the depth of the information provided. Can you please also add "Selection of MME" in the eNodeB (using static/DNS queried)?

HUAWENJIAN 2015-07-19 12:59:52

Very Excellent!Thanks for your sharing! I have got lot of information about my concern topic.

Siva Dugana 2015-10-20 11:58:00

Thanks for the detailed explanation. Appriciate to have a thought to share the knowledge like this...

DAniel 2016-04-05 09:37:32

Man, congratulations and thank you

Chandru 2016-05-25 18:40:09

Really Really Super. Thanks Guys

Netmanias 2016-05-29 04:15:31

Glad you liked it. And thank you for your interest!

Stay tuned!

Markus 2016-09-21 20:03:50

Great explanation! Thank you very much.

venkat 2016-10-17 13:31:10

Good explanation!!


bijukumar 2017-05-23 15:17:34

good explanation and  well explained in main areas of call flows

Ken Hu 2017-07-21 10:53:06

There is typo in "Figure 7. Procedure for EPS Session Establishment (1)" step 14 : "Receive S5 TEID (DL)" should be "Receive S5 TEID (UL)".

Wireless 2020 2023-06-25 23:23:45

yes corrrect

Marcin 2017-09-29 18:43:43

I was thinking same as you. Thank you for notice so I know i wasn't wrong.

Above all - good explanation

netti 2017-10-05 15:47:07

Can somebody help me with the softwares required in this simulation?

yasin akar 2017-12-19 23:24:37

hi everyone,


Is it possible to establish more than 1 default bearers? I mean within an initial attach procedure the EPS can setup more than one APN default bearers for example one for internet and other one is IMS bearers? Or only one default bearer can be setup within an initial attach procedures and other additional default bearers can be setup upon demanded?


thanks for your supports.

keyur shah 2018-08-09 15:19:05


Thanks for such nice explaination.

I have one doubt.why HSS Generate more than one AV(Authentication Vector) for single UE?





gorgedowdy 2020-04-01 08:08:18

Yes i've the same doubt. Someone clarify it

Alassane MAMADOU 2018-09-25 18:11:25

Hi , 

Good explanation . 

I have one question , i got a lot of Attach rejection and when i checked ,all  are related to the case when Attach complete were not sent to the MME .

How can we analyse this issue ? 

I am using Astellia 


Tushar Waman 2019-03-21 00:06:13


In Step 14, Should'nt it be ReceiveS5 TEID (UL) instead of Receive S5 TEID (DL) on the S-GW ? Or did i miss something :/

diy 2019-03-27 06:26:19



Great Explanation, Thank You for taking the time to document in such great detail. 

I have one question regarding MSISDN, With reference to Fig 7. Create Session Request, will MSISDN be exchanged between SGW and PGW?

One more thing will IMSI be always included in the create session request message?

Thank you for all your help



Wireless 2020 2023-06-25 23:25:49

yes IMSI will be present in CSR

Wireless 2020 2023-06-25 23:25:43

yes IMSI will be present in CSR

treyon13579 2020-10-01 00:47:51

Yes MSISDN is found in ULA and CSR

Chaitu 2019-04-23 01:14:04

Hii ,

      If I want to make a volte call ,will this lte authentication happens first before going to ims part?

Saravanan 2020-03-13 18:37:00

Hi Chaitu,

Yes. UE(device) LTE authentication happens first, once UE gets IP Address then IMS Registration( authentication) happens.



Spoorthi Devanand 2019-05-21 20:00:58

Thabk you for the detailed explanation!

Can you please explain what NAS-MAC is ?

Dominic Antony 2019-12-11 20:07:26

Hi Folks,

Could someone please explain, how internet connectivity is established in UE? I'm looking for that sepecific message (RRC/ NAS) which upon receiving establishes a successfull internet access. Like if look at the smartphone, there should be up and down arrow at the signal range icon. Please see the attached image. So when will this happen or which message establishes this internet connection? Please help.



ANIS UR REHMAN 2020-02-05 17:26:38

Hi Netmanias,

Could you please explain the CSFB call flow ?




yasir69093735 2020-02-10 15:51:04

I Have A Quary, when UE first time attaching with the network, how it get LAI in 3G and tAI in 4G.?????

aaa12312 2020-08-23 13:22:02

Is it possible to establish more than 1 default bearers

superanimes.ru 2023-09-23 13:06:44


Thanks for such nice explaination.

I have one doubt.why HSS Generate more than one 



Anurag K Sinha 2024-01-22 20:49:11

Hi Netmanias,

After step 29 there should be step 30 but it is mistakenly written as 39.

Also, in the same step, the E-RAB Setup Response is shown between e-Nb and S-GW, but it should be between e-nb and MME.

Kindly acknowledge.

Thank you for visiting Netmanias! Please leave your comment if you have a question or suggestion.
Related Contents
Netmanias One-Shot Gallery
Netmanias Blog
Netmanias Technical Documents
Netmanias Technical Documents
Netmanias Blog
Netmanias Technical Documents
Netmanias Blog

[HFR Private 5G: my5G]


Details >>







Subscribe FREE >>

Currently, 55,000+ subscribed to Netmanias.

  • You can get Netmanias Newsletter

  • You can view all netmanias' contents

  • You can download all netmanias'

    contents in pdf file







View All (181)
5G (9) 6G (1) Backbone (2) Backhaul (3) Blockchain (1) CDN (1) Carrier Ethernet (3) Charging (1) Cloud Native (1) Core (1) DHCP (4) ECM (2) EMM (16) EPS (2) Google (1) HLS (1) HTTP Adaptive Streaming (3) Handover (5) IPTV (4) Initial Attach (2) IoT (2) Korea (1) LTE (39) LTE Identification (2) LTE-A (1) MPLS (2) Mobility (2) NAT (7) Netflix (1) Network Architecture (3) Network Protocol (20) New Radio (1) OTT (1) PCRF (3) Private 5G (1) QoS (3) RCS (3) SDF (2) SDN/NFV (3) SK Telecom (2) Samsung (3) Security (5) Sk Telecom (1) Transparent Cache (1) Video Streaming (4) VoLTE (2) Wi-Fi (1) YouTube (2)
Password confirmation
Please enter your registered comment password.