LTE Call Flow

ShareTechnote
Basic Call Processing - Typical Packet Call
Page 1 of 35
Home : www.sharetechnote.com
In this section, I will go through a typical protocol sequence of LTE packet call. This will be the backbone structure for
all other call processing.
Basic State Machine
Big Picture First
Channel Mapping Table throughout Call Processing
Cell Configuration and Channel Configuration during Call Processing
Now in Very Detailed Picture
Overall Comparision with WCDMA
Interim Comments
Following is the over protocal sequence being exchanged between UE and Network. Actually understanding all the
details of these steps would be the goal of your whole LTE career.
1) <Cell Search and Detection>
2) MIB
3) SIB 1
4) <Check Cell Selection Criteria>
5) SIB 2 and other SIBs
6) RRC : PRACH Preamble
7) RRC : RACH Response
8) RRC : RRC Connection Request
9) RRC : RRC Connection Setup
10) RRC : RRC Connection Setup Complete + NAS : Attach Request + ESM : PDN Connectivity Request
11) RRC : DL Information Transfer + NAS : Authentication Request
12) RRC : UL Information Transfer + NAS : Authentication Response
13) RRC : DL Information Transfer + NAS : Security Mode Command
14) RRC : UL Information Transfer + NAS : Security Mode Complete
15) RRC : Security Mode Command
16) RRC : Security Mode Complete
17) RRC : RRC Connection Reconfiguration + NAS : Attach Accept + NAS : Activate Default EPS Bearer Context Req
18) RRC : RRC Connection Reconfiguration Complete + NAS : Attach Complete + NAS : Activate Default EPS Bearer
Context Accept
19) RRC : RRC Connection Release
20) <Perform Neibourcell Measurement>
21) <Check Cell Reselection Criteria >
22) < MO or MT call > : In MT call, Paging should be sent.
27) RRC : RRC Connection Setup Complete + NAS : Service Request
30) RRC : RRC Connection Reconfiguration + NAS : Activate Dedicated EPS Bearer Context Request
31) RRC : RRC Connection Reconfiguration Complete + NAS : Activate Dedicated EPS Bearer Context Accept
Basic State Machine

Following diagram shows a possible state machine that a UE would go through. The state transition in this post will be
about (s0)->(a)-> (b1) -> (c1) -> (d1) -> (e1) -> (f1) -> (g1) -> (h1). Most of other transition will be described in
"Handover" page.
http://www.sharetechnote.com/html/BasicCallFlow_LTE.html
23-03-2014
ShareTechnote
Page 2 of 35
Note for Step 23)~32) : Intial Registration and Default EPS Bearer Setup procedure would be common to almost all
LTE network. Of course, there would be a small variations but overall concept would be almost same. But the
procedure after <Idle> (Step 23~32) would be quite different among Network Operators. Following would be two
major variations.
Setup RRC Connection, RRC Connection Reconfiguration without creating any dedicated EPS Bearer.(In this
case, UE uses the existing Default EPS bearer for traffic).
Setup RRC Connection, RRC Connection Reconfiguration with a dedicated EPS Bearer.(In this case, Ue uses the
existing Default EPS bearer or Dedicated EPS Bearer depending on situation).
The example test sequence in this case shows the second case,
Big Picture First

Depending on which level you are working on in UE development/Test procedure, the amount of knowledge you need
to know would be different. But I think there are a couple of big pictures that may help almost anybody working in full
protocol stack.
First big picture I would like to introduce is the channel mapping as shown below. Just try to pick any RRC messages
and try to follow the arrow for the message. If you read those pages about MAC and RLC, it will remind you of a lot of
detailed information.
<< Overall Sequence and Layer Mapping >>
Following is a sequence diagram showing not only the message but also basic configurations of each layer. More
detailed description of each layer in the context of full protocol stack will be explained in "Full Stack" section.
Just read through this sequence whenever you have time until you can duplicate the sequence without looking into
this again. This can be a good framework for your study and good guide for troubleshooting.
23-03-2014
ShareTechnote
Page 3 of 35
<< Downlink Channel Map >>

The diagram you saw above a kind of message flow(event diagram) in time sequence. The diagram shown below is
not a time based, but it shows the channel mapping (or data flow across the full protocol stack). Pick one of the
message from the diagram shown above and try to find right route for this digram and see how much details you can
add.
For example, if you picked the message "RRC Connection Setup", the start point would be "RRC Message msg4".
23-03-2014
ShareTechnote
Page 4 of 35
Following is a tabular presentation of DL Channel Map. (LCID and TrCH Number would be different depending on the
network or Network Simulator)
RB
Lo CH
RLC
Lo CH
LCID
MAC Hdr
HARQ
RNTI
PCCH
PDCP
TM
PCCH
N/A
NONE
NONE
NONE
PCH
BCCH 0
TM
BCCH 0
N/A
NONE
NONE
NONE
BCH 0
BCCH 1
TM
BCCH 1
N/A
NONE
Broadcast
SI RNTI
DL SCH 0
RA_RES
TM
RA_RES
N/A
NONE
NONE
RA RNTI
DL SCH 1
TM
DL CCCH
NONE
NORMAL
T-CRNTI
DL SCH 1
NORMAL
NORMAL
CRNTI
DL SCH 1
USED
Tr CH
SRB0
DL CCCH
SRB1
DL DCCH
0
USED
AM
DL DCCH
0
SRB2
DL DCCH
1
USED
AM
DL DCCH
0
NORMAL
NORMAL
CRNTI
DL SCH 1
DRB 0
DL DTCH0
USED
UM/AM
DL DTCH0
NORMAL
NORMAL
CRNTI
DL SCH 1
DRB 1
DL DTCH1
USED
UM/AM
DL DTCH1
NORMAL
NORMAL
CRNTI
DL SCH 1
DRB 2
DL DTCH2
USED
UM/AM
DL DTCH2
NORMAL
NORMAL
CRNTI
DL SCH 1
<< Uplink Channel Map >>
23-03-2014
ShareTechnote
Page 5 of 35
Following is a tabular presentation of DL Channel Map. (LCID and TrCH Number would be different depending on the
network or Network Simulator)
RB
Lo CH
SRB0
RA_PRE
UL CCCH
PDCP
RLC
Lo CH
LCID
MAC Hdr
HARQ
RNTI
Tr CH
RA_PRE
UL CCCH
N/A
0
NONE
NONE
NONE
NORMAL
NONE
T-CRNTI
UL SCH 0
UL SCH 0
USED
TM
TM
SRB1
UL DCCH
0
USED
AM
UL DCCH
0
NORMAL
NORMAL
CRNTI
UL SCH 0
SRB2
UL DCCH
1
USED
AM
UL DCCH
0
NORMAL
NORMAL
CRNTI
UL SCH 0
DRB 0
UL DTCH0
USED
UM/AM
UL DTCH0
NORMAL
NORMAL
CRNTI
UL SCH 0
DRB 1
UL DTCH1
USED
UM/AM
UL DTCH1
NORMAL
NORMAL
CRNTI
UL SCH 0
DRB 2
UL DTCH2
USED
UM/AM
UL DTCH2
NORMAL
NORMAL
CRNTI
UL SCH 0
Channel Mapping Table throughout Call Processing

This is only an example case and Mapping (especiall LoCH No) can vary depending on situations. The point is that it
will be really helpful for your troubleshooting or test case creation if you create this kind of table for your case.
RB
Lo CH
LoCH No
MIB
Message
BCCH
LCID
-
SIB 1
BCCH
SIB 2
BCCH
RRC : PRACH Preamble
RRC : RACH Response
RRC : RRC Connection Request
SRB0
UL CCCH
RRC : RRC Connection Setup
SRB0
DL CCCH
RRC : RRC Connection Setup Complete + NAS : Attach Request + ESM : PDN Connectivity Request
SRB1
UL DCCH
RRC : DL Information Transfer + NAS : Authentication Request
SRB1
DL DCCH
RRC : UL Information Transfer + NAS : Authentication Response
SRB1
UL DCCH
RRC : DL Information Transfer + NAS : Security Mode Command
SRB1
DL DCCH
RRC : UL Information Transfer + NAS : Security Mode Complete
SRB1
UL DCCH
RRC : Security Mode Command
SRB1
DL DCCH
RRC : Security Mode Complete
SRB1
UL DCCH
RRC : RRC Connection Reconfiguration
SRB1
DL DCCH
RRC : RRC Connection Reconfiguration Complete
SRB1
UL DCCH
RRC : UL InformationTransfer + NAS : Attach Complete + NAS : Activate Default EPS Bearer
SRB2
UL DCCH
RRC : UL Information Transfer + ESM : PDN Connectivity Request
SRB2
UL DCCH
Note : Refer to TS 36.331 - 9.1.1 Logical channel configurations
Cell Configuration and Channel Configuration during Call Processing

Config 1) Activate Cell Physicall Layer
1) MIB
Config 2) Activate PHY, MAC, RLC for SIB Transmission (BCCH-DL DSCH)
2) SIB 1
3) SIB 2
Config 3) Configure PHY, MAC for PRACH Reception and RACH Response Transmission
Config 3) Configure PHY, MAC, RLC for Msg3 (RRC Connection Request) Reception (UL-CCCH)
Config 4) Configure MAC, RLC, PDCH for DL DCCH, UL DCCH
8) RRC : RRC Connection Setup Complete + NAS : Attach Request + ESM : PDN Connectivity Request
9) RRC : DL Information Transfer + NAS : Authentication Request
10) RRC : UL Information Transfer + NAS : Authentication Response
11) RRC : DL Information Transfer + NAS : Security Mode Command
12) RRC : UL Information Transfer + NAS : Security Mode Complete
Config 5) Configure PDCP for Integrity, Ciphering (We may disable Integiry/Ciphering for some test environment)
15) RRC : RRC Connection Reconfiguration + NAS : Attach Accept + NAS : Activate Default EPS Bearer Context Req
Config 6) Configure MAC, RLC, PDCP for DL/UL DTCH+DCCH
23-03-2014
ShareTechnote
Page 6 of 35
16) RRC : RRC Connection Reconfiguration Complete + NAS : Attach Complete + NAS : Activate Default EPS Bearer
Context Accept
Config 7) Deactivate all the channels related to DCCH, DTCH
Config 8) Activate channels for PCCH
< MO or MT call > : In MT call, Paging should be sent.
Config 9) Configure PHY, MAC for PRACH Reception and RACH Response Transmission
Config 10) Configure PHY, MAC, RLC for Msg3 (RRC Connection Request) Reception (UL-CCCH)
Config 11) Configure MAC, RLC, PDCH for DL DCCH, UL DCCH
22) RRC : RRC Connection Setup Complete + NAS : Service Request
25) RRC : RRC Connection Reconfiguration + NAS : Activate Dedicated EPS Bearer Context Request
Config 12) Configure MAC, RLC, PDCP for DL/UL DTCH+DCCH
26) RRC : RRC Connection Reconfiguration Complete + NAS : Activate Dedicated EPS Bearer Context Accept
Now in Very Detailed Picture

Now the next step is to describe each of the steps in as much detail as possible. The more in detail you can describe,
the easier the development, testing, troubleshooting will be. There are many steps I couldn't describe here because
the most of steps not described here would be related to company confidentials (Of course, you can say "Every details
are in 3GPP specification". Yes, that's true, but 3GPP says only about "What to do", it doesn't say much about "How to
do". In real implementation, this "How to do" part is as important as "What to do") You can take this as a minimum of
possible-detailed description. Going through this table, think about how much additional comments you think you can
put in 'Memo' column. (If you want to see what's really happening in real network, see the live air example in Full
Stack page)
Step
Direction
Message
UE <--- SS MIB
UE <--- SS SIB1
UE <--- SS SIB2,3 and others
UE ---> SS PRACH
UE <--- SS RACH Response
UE ---> SS RRC Connection Request

< UE >
UE MAC start mac-ContentionResolutionTimer
UE <--- SS ACK (PHICH)
UE <--- SS Contention Resolution

< UE >
3GPP 36.321 5.1.5

CR Timer value is set in
SIB2
SS must send CR before
CRtimer get expired
UE MAC stop mac-ContentionResolutionTimer
UE <--- SS RRC Connection Setup
10
UE ---> SS ACK (PUCCH)
11
UE ---> SS Scheduling Request(PUCCH)
12
UE <--- SS UL Grant (DCI 0, PDCCH)

RRC Connection Setup Complete
UE ---> SS + Attach Requeset
+ (PDN Conn Request)
13
Memo
14
UE <--- SS ACK(PHICH)
15
UE <--- SS RLC ACK
16
UE <--- SS Authentication Request
17
18
19
20
UE ---> SS RLC ACK
21
22

UE ---> SS UL Grant (DCI 0, PDCCH)
23
UE ---> SS Authentication Response
24
25
UE <--- SS RLC ACK
23-03-2014
ShareTechnote
Page 7 of 35
26
UE <--- SS NAS Security Mode Command
27
28
29
30
UE ---> SS RLC ACK
31
32
33
UE ---> SS NAS Security Mode Complete
34
35
UE <--- SS RLC ACK
36
UE <--- SS RRC Security Mode Command
37
38
39
40
UE ---> SS RLC ACK
41
42
43
UE ---> SS RRC Security Mode Complete
44
UE ---> SS ACK (PHICH)
45
UE ---> SS RLC ACK
46
< Many other message can be added here depending on NW >
47
RRC Connection Reconfiguration

UE <--- SS + Attach Accept
+ Activate Default EPS Bearer Context Request
48
49
50
51
UE ---> SS RLC ACK
52

UE ---> SS + Attach Complete
+ Activate Default EPS Bearer Context Accept
53
54
UE <--- SS RLC ACK
55
< IP Data Traffic if needed >
58
UE <--- SS RRC Connection Release
59
UE
< Now UE should be in IDLE mode >
60
UE
Decode MIB
61
UE
Decode SIB1
63
UE
Decode or Doesn't Decode Other SIBs based on SystemInfoValueTag

on SIB1
64
UE <--- SS Paging
65
66
UE ---> SS PRACH
67
UE ---> SS RRC Connection Request
68
69
70
UE <--- SS RRC Connection Setup
71
72
73
74
UE ---> SS
75
76
UE <--- SS RLC ACK
77
UE <--- SS
UE <--- SS RACH Response
UE <--- SS Contention Resolution
RRC Connection Setup Complete

+ Service Requeset

+ Activate Dedicated EPS Bearer Context Request
23-03-2014
ShareTechnote
Page 8 of 35
78
79
80
81
UE ---> SS RLC ACK
82
UE ---> SS
83
84
UE <--- SS RLC ACK
85

+ Activate Dedicated EPS Bearer Context Accept
< IP Data Traffic if needed >
Overall Comparision with WCDMA

Even though overall sequence is pretty similar to WCDMA sequence, there are a couple of different points comparing
to WCDMA sequence.
First point you have to look at is that in LTE 'RACH Preamble' is sent as a part of MAC Layer process. As you know
RACH process was there in WCDMA, but in WCDMA it was a part of Physical layer process.
Another part I notice is that RRC Connection Setup Complete and Attach Request is carried in a single step. This is
only one example. In LTE, many of NAS Message is piggybacked on RRC Messages. This would make message
decoding/encoding process complicated but it would be efficient to reduce the number of message exchange between
UE and eNodeB.
These are the differences you can notice just by looking at the message type, there are more differences you will find
when you go into the information elements of each messages as you will see in following sections.
Next thing you will notice would be that there are much less SIBs being transmitted in LTE comparting to WCDMA. Of
course there are more SIBs not being transmitted in this sequence (LTE has 10 SIBs in total), but with only these two
SIBs it can transmit all the information to let UE camp on the network. In WCDMA there are a total 18 SIBs and in
most case we used at least SIB1,3,5,7,11 even in very basic configurations. And some of the WCDMA SIBs like SIB5
and 11 has multipe segments. In LTE, number of SIB is small and none of them are segmented.
MIB
MIB in LTE has very minimal information (This is a big difference from WCDMA MIB) . The only information it carries
are
i) BandWidth
ii) PHICH
iii) SystemFrameNumber
Of course the most important information is "BandWidth".
According to 36.331 section 5.2.1.2, the MIB scheduling is as follows :
The MIB uses a fixed schedule with a periodicity of 40 ms and repetitions made within 40 ms. The first transmission
ofthe MIB is scheduled in subframe #0 of radio frames for which the SFN mod 4 = 0, and repetitions are scheduled
insubframe #0 of all other radio frames.
SIB 1
SIB 1 in LTE contains the information like the ones in WCDMA MIB & SIB1 & SIB3. The important information on SIB
1 is
i) PLMN
ii) Tracking Area Code
iii) Cell Selection Info
iv) Frequency Band Indicator
v) Scheduling information (periodicity) of other SIBs
You may notice that LTE SIB1 is very similar to WCDMA MIB.
Especially at initial test case development, you have to be very careful about item v). If you set this value incorrectly,
all the other SIBs will not be decoded by UE. And as a result, UE would not recognize the cell and show "No Service"
message.
According to 36.331 section 5.2.1.2, the SIB1 scheduling is as follows :
The SystemInformationBlockType1 uses a fixed schedule with a periodicity of 80 ms and repetitions made within 80
ms.The first transmission of SystemInformationBlockType1 is scheduled in subframe #5 of radio frames for which the
SFNmod 8 = 0, and repetitions are scheduled in subframe #5 of all other radio frames for which SFN mod 2 = 0.
This means that even though SIB1 periodicity is 80 ms, different copies (Redudancy version : RV) of the SIB1 is
transmitted every 20ms. Meaning that at L3 you will see the SIB1 every 80 ms, but at PHY layer you will see it every
23-03-2014
ShareTechnote
Page 9 of 35
20ms. For the detailed RV assignment for each transmission, refer to 36.321 section 5.3.1 (the last part of the
section)
One example of LTE SIB1 is as follows :
RRC_LTE:BCCH-DL-SCH-Message
BCCH-DL-SCH-Message ::= SEQUENCE
+-message ::= CHOICE [c1]
+-c1 ::= CHOICE [systemInformationBlockType1]
+-systemInformationBlockType1 ::= SEQUENCE [000]
+-cellAccessRelatedInfo ::= SEQUENCE [0]
| +-plmn-IdentityList ::= SEQUENCE OF SIZE(1..6) [1]
| | +-PLMN-IdentityInfo ::= SEQUENCE
| | +-plmn-Identity ::= SEQUENCE [1]
| | | +-mcc ::= SEQUENCE OF SIZE(3) OPTIONAL:Exist
| | | | +-MCC-MNC-Digit ::= INTEGER (0..9) [0]
| | | +-mnc ::= SEQUENCE OF SIZE(2..3) [2]
| | | +-MCC-MNC-Digit ::= INTEGER (0..9) [0]
| | | +-MCC-MNC-Digit ::= INTEGER (0..9) [1]
| | +-cellReservedForOperatorUse ::= ENUMERATED [notReserved]
| +-trackingAreaCode ::= BIT STRING SIZE(16) [0000000000000001]
| +-cellIdentity ::= BIT STRING SIZE(28) [0000000000000000000100000000]
| +-cellBarred ::= ENUMERATED [notBarred]
| +-intraFreqReselection ::= ENUMERATED [notAllowed]
| +-csg-Indication ::= BOOLEAN [FALSE]
| +-csg-Identity ::= BIT STRING OPTIONAL:Omit
+-cellSelectionInfo ::= SEQUENCE [0]
| +-q-RxLevMin ::= INTEGER (-70..-22) [-53]
| +-q-RxLevMinOffset ::= INTEGER OPTIONAL:Omit
+-p-Max ::= INTEGER OPTIONAL:Omit
+-freqBandIndicator ::= INTEGER (1..64) [7]
+-schedulingInfoList ::= SEQUENCE OF SIZE(1..maxSI-Message[32]) [2]
| +-SchedulingInfo ::= SEQUENCE
| | +-si-Periodicity ::= ENUMERATED [rf8]
| | +-sib-MappingInfo ::= SEQUENCE OF SIZE(0..maxSIB-1[31]) [0]
| +-SchedulingInfo ::= SEQUENCE
| +-si-Periodicity ::= ENUMERATED [rf8]
| +-sib-MappingInfo ::= SEQUENCE OF SIZE(0..maxSIB-1[31]) [1]
| +-SIB-Type ::= ENUMERATED [sibType3]
+-tdd-Config ::= SEQUENCE OPTIONAL:Omit
+-si-WindowLength ::= ENUMERATED [ms20]
+-systemInfoValueTag ::= INTEGER (0..31) [0]
+-nonCriticalExtension ::= SEQUENCE OPTIONAL:Omit
SIB 2
23-03-2014
ShareTechnote
Page 10 of 35
The important information on SIB2 is

i) RACH Configuration
ii) bcch, pcch, pdsch, pusch, pucch configuration
iii) sounding RS Configuration
iv) UE Timers
I would say SIB2 is the most important SIB in LTE and you will look into this SIB most frequently when you are
implementing protocol stack and troubleshooting, since it defines the characteristics of the most physical channels.
If you have some issues at registration process especially before 'RRC Connection Reconfiguration'. The first part you
have to check is SIB2 and check if UE properly decoded this and properly configure UE according to SIB2. Sometimes
only one parameter mismatch of SIB2 between Network and UE can make difference between success and failure of
the whole registration process.
Following is one example of SIB2. I looks to me that LTE SIB2 is similar to WCDMA SIB5 configuring various common
channel.
RRC_LTE:BCCH-DL-SCH-Message
BCCH-DL-SCH-Message ::= SEQUENCE
+-c1 ::= CHOICE [systemInformation]
+-systemInformation ::= SEQUENCE
+-criticalExtensions ::= CHOICE [systemInformation-r8]
+-systemInformation-r8 ::= SEQUENCE [0]
+-sib-TypeAndInfo ::= SEQUENCE OF SIZE(1..maxSIB[32]) [1]
| +- ::= CHOICE [sib2]
| +-sib2 ::= SEQUENCE [00]
| +-ac-BarringInfo ::= SEQUENCE OPTIONAL:Omit
| +-radioResourceConfigCommon ::= SEQUENCE
| | +-rach-Config ::= SEQUENCE
| | | +-preambleInfo ::= SEQUENCE [0]
| | | | +-numberOfRA-Preambles ::= ENUMERATED [n52]
| | | | +-preamblesGroupAConfig ::= SEQUENCE OPTIONAL:Omit
| | | +-powerRampingParameters ::= SEQUENCE
| | | | +-powerRampingStep ::= ENUMERATED [dB2]
| | | | +-preambleInitialReceivedTargetPower ::= ENUMERATED [dBm-104]
| | | +-ra-SupervisionInfo ::= SEQUENCE
| | | | +-preambleTransMax ::= ENUMERATED [n6]
| | | | +-ra-ResponseWindowSize ::= ENUMERATED [sf10]
| | | | +-mac-ContentionResolutionTimer ::= ENUMERATED [sf48]
| | | +-maxHARQ-Msg3Tx ::= INTEGER (1..8) [4]
| | +-bcch-Config ::= SEQUENCE
| | | +-modificationPeriodCoeff ::= ENUMERATED [n4]
| | +-pcch-Config ::= SEQUENCE
| | | +-defaultPagingCycle ::= ENUMERATED [rf128]
| | | +-nB ::= ENUMERATED [oneT]
| | +-prach-Config ::= SEQUENCE
| | | +-rootSequenceIndex ::= INTEGER (0..837) [22]
| | | +-prach-ConfigInfo ::= SEQUENCE
| | | +-prach-ConfigIndex ::= INTEGER (0..63) [3]
| | | +-highSpeedFlag ::= BOOLEAN [FALSE]
| | | +-zeroCorrelationZoneConfig ::= INTEGER (0..15) [5]
| | | +-prach-FreqOffset ::= INTEGER (0..94) [2]
| | +-pdsch-Config ::= SEQUENCE
| | | +-referenceSignalPower ::= INTEGER (-60..50) [18]
| | | +-p-b ::= INTEGER (0..3) [0]
| | +-pusch-Config ::= SEQUENCE
| | | +-pusch-ConfigBasic ::= SEQUENCE
| | | | +-n-SB ::= INTEGER (1..4) [1]
| | | | +-hoppingMode ::= ENUMERATED [interSubFrame]
| | | | +-pusch-HoppingOffset ::= INTEGER (0..98) [4]
| | | | +-enable64QAM ::= BOOLEAN [FALSE]
| | | +-ul-ReferenceSignalsPUSCH ::= SEQUENCE
| | | +-groupHoppingEnabled ::= BOOLEAN [TRUE]
| | | +-groupAssignmentPUSCH ::= INTEGER (0..29) [0]
| | | +-sequenceHoppingEnabled ::= BOOLEAN [FALSE]
| | | +-cyclicShift ::= INTEGER (0..7) [0]
| | +-pucch-Config ::= SEQUENCE
| | | +-deltaPUCCH-Shift ::= ENUMERATED [ds2]
| | | +-nRB-CQI ::= INTEGER (0..98) [2]
| | | +-nCS-AN ::= INTEGER (0..7) [6]
| | | +-n1PUCCH-AN ::= INTEGER (0..2047) [0]
| | +-soundingRS-UL-Config ::= CHOICE [setup]
| | | +-setup ::= SEQUENCE [0]
23-03-2014
ShareTechnote
Page 11 of 35
| | | +-srs-BandwidthConfig ::= ENUMERATED [bw3]

| | | +-srs-SubframeConfig ::= ENUMERATED [sc0]
| | | +-ackNackSRS-SimultaneousTransmission ::= BOOLEAN [TRUE]
| | | +-srs-MaxUpPts ::= ENUMERATED OPTIONAL:Omit
| | +-uplinkPowerControl ::= SEQUENCE
| | | +-p0-NominalPUSCH ::= INTEGER (-126..24) [-85]
| | | +-alpha ::= ENUMERATED [al08]
| | | +-p0-NominalPUCCH ::= INTEGER (-127..-96) [-117]
| | | +-deltaFList-PUCCH ::= SEQUENCE
| | | | +-deltaF-PUCCH-Format1 ::= ENUMERATED [deltaF0]
| | | | +-deltaF-PUCCH-Format1b ::= ENUMERATED [deltaF3]
| | | | +-deltaF-PUCCH-Format2 ::= ENUMERATED [deltaF0]
| | | | +-deltaF-PUCCH-Format2a ::= ENUMERATED [deltaF0]
| | | | +-deltaF-PUCCH-Format2b ::= ENUMERATED [deltaF0]
| | | +-deltaPreambleMsg3 ::= INTEGER (-1..6) [4]
| | +-ul-CyclicPrefixLength ::= ENUMERATED [len1]
| +-ue-TimersAndConstants ::= SEQUENCE
| | +-t300 ::= ENUMERATED [ms1000]
| | +-t301 ::= ENUMERATED [ms1000]
| | +-t310 ::= ENUMERATED [ms1000]
| | +-n310 ::= ENUMERATED [n1]
| | +-t311 ::= ENUMERATED [ms1000]
| | +-n311 ::= ENUMERATED [n1]
| +-freqInfo ::= SEQUENCE [00]
| | +-ul-CarrierFreq ::= INTEGER OPTIONAL:Omit
| | +-ul-Bandwidth ::= ENUMERATED OPTIONAL:Omit
| | +-additionalSpectrumEmission ::= INTEGER (1..32) [1]
| +-mbsfn-SubframeConfigList ::= SEQUENCE OF OPTIONAL:Omit
| +-timeAlignmentTimerCommon ::= ENUMERATED [sf750]
RRC : PRACH Preamble / RRC : RACH Response

I think this two steps can be best summerized by the following diagram. For the details, refer to
http://www.sharetechnote.com/html/RACH_LTE.html
Interim Comments
From this point on, the L3 message carries both RRC and NAS messages. So you need to have overall understanding
of NAS messages as well as RRC messages.
You need to understand all the details of TS 29.274 to handle to handle data traffic related IEs in NAS message. Of
course it would be impossible to understand all those details within a day.. my approach is to go through following
tables as often as possible until I get some big picture in my mind. You may have to go back and forth between
36.331 and 29.274.
* Table 7.2.2-1: Information Elements in a Create Session Response
* Table 7.2.3-1: Information Elements in a Create Bearer Request
23-03-2014
ShareTechnote
*
*
*
*
*
*
*
*
*
*
Table
Table
Table
Table
Table
Table
Table
Table
Table
Table
Page 12 of 35
7.2.3-2: Bearer Context within Create Bearer Request

7.2.5-1: Information Elements in a Bearer Resource Command
7.2.7-1: Information Elements in a Modify Bearer Request
7.2.8-1: Information Elements in a Modify Bearer Response
7.2.9.1-1: Information Elements in a Delete Session Request
7.2.9.2-1: Information Elements in a Delete Bearer Request
7.2.10.2-1: Information Elements in Delete Bearer Response
7.3.5-1: Information Elements in a Context Request
7.3.6-2: MME/SGSN UE EPS PDN Connections within Context Response
7.3.8-1: Information Elements in an Identification Request

'RRC Connection Request' and 'RRC Connection Setup' procedure can be summerized as in following diagram. For the
details, refer to http://www.sharetechnote.com/html/RACH_LTE.html (The message contents shown in the box is only
an example. The HEX arrays you would see on your device and network would be different from what you see here.
But overall structure should be similar to this)
Note : This example shows the case where Contention Resolution and RRC Connection Setup is being transmitted at a
single step, but it is also possible that Contention Resolution and RRC Connection Setup message is transmitted as
two separate process.
As you see in the following diagram, the most important IE (infomration element) in RRC Connection Setup message
is "RadioResourceConfigDedicated" under which you can setup SRB, DRB, MAC and PHY config. Even thouth there is
IEs related to DRB, in most case we setup only SRBs in RRC Connection Setup. It is similar to WCDMA RRC
Connection setup message in which you usually setup only SRB (Control Channel Part) even though there is IEs for
RB(Data Traffic).
One thing you have to notice is that you will find "RadioResourceCondigDedicated" IE not only in RRC Connection
Setup message but also in RRC Connection Reconfiguration message. In that case, you have to be careful so that the
one you set in RRC Connection Reconfig message properly match the one you set in RRC Connection Setup message.
It means that you have to understand the correlation very clearly between RRC Connection Setup message and RRC
Connection Reconfig message. This is also very similar to WCDMA case.
23-03-2014
ShareTechnote
Page 13 of 35
One example of RRC Connection Setup is as follows. As you see the contents below, main purpose of RRC Connection
Setup message is to specify the MAC/RLC/PHY setup for SRB 0 and SRB 1 bearer. So if you make any mistake in this
message, Network or UE will fail to decode messages that comes after this message.
Especially you have to be very careful about PhysicalConfigDedicated part. If you see one of the following issues after
'RRC Connection Setup', the first thing you have to check is PhysicalConfigDedicated. (You have to check all the
detailed parameter and make it sure that UE properly decoded those information and properly configure itself
according to the contents).
i) CRC Error for PUSCH
ii) UE log shows it transmit PUSCH, but Network log shows no PUSCH, not even CRC error
DL-CCCH-Message ::= SEQUENCE
+-c1 ::= CHOICE [rrcConnectionSetup]
+-rrcConnectionSetup ::= SEQUENCE
+-rrc-TransactionIdentifier ::= INTEGER (0..3) [0]
+-criticalExtensions ::= CHOICE [c1]
+-c1 ::= CHOICE [rrcConnectionSetup-r8]
+-rrcConnectionSetup-r8 ::= SEQUENCE [0]
+-radioResourceConfigDedicated ::= SEQUENCE [100101]
| +-srb-ToAddModList ::= SEQUENCE OF SIZE(1..2) [1] OPTIONAL:Exist
| | +-SRB-ToAddMod ::= SEQUENCE [11]
| | +-srb-Identity ::= INTEGER (1..2) [1]
| | +-rlc-Config ::= CHOICE [defaultValue] OPTIONAL:Exist
| | | +-defaultValue ::= NULL
| | +-logicalChannelConfig ::= CHOICE [defaultValue] OPTIONAL:Exist
| | +-defaultValue ::= NULL
| +-drb-ToAddModList ::= SEQUENCE OF OPTIONAL:Omit
| +-drb-ToReleaseList ::= SEQUENCE OF OPTIONAL:Omit
| +-mac-MainConfig ::= CHOICE [explicitValue] OPTIONAL:Exist
| | +-explicitValue ::= SEQUENCE [111]
| | +-ul-SCH-Config ::= SEQUENCE [11] OPTIONAL:Exist
| | | +-maxHARQ-Tx ::= ENUMERATED [n5] OPTIONAL:Exist
| | | +-periodicBSR-Timer ::= ENUMERATED [sf20] OPTIONAL:Exist
| | | +-retxBSR-Timer ::= ENUMERATED [sf320]
| | | +-ttiBundling ::= BOOLEAN [FALSE]
| | +-drx-Config ::= CHOICE [release] OPTIONAL:Exist
| | | +-release ::= NULL
| | +-timeAlignmentTimerDedicated ::= ENUMERATED [infinity]
| | +-phr-Config ::= CHOICE [setup] OPTIONAL:Exist
| | +-setup ::= SEQUENCE
| | +-periodicPHR-Timer ::= ENUMERATED [sf500]
| | +-prohibitPHR-Timer ::= ENUMERATED [sf200]
| | +-dl-PathlossChange ::= ENUMERATED [dB3]
| +-sps-Config ::= SEQUENCE OPTIONAL:Omit
| +-physicalConfigDedicated ::= SEQUENCE [1111001011] OPTIONAL:Exist
| +-pdsch-ConfigDedicated ::= SEQUENCE OPTIONAL:Exist
| | +-p-a ::= ENUMERATED [dB-3]
| +-pucch-ConfigDedicated ::= SEQUENCE [0] OPTIONAL:Exist
| | +-ackNackRepetition ::= CHOICE [release]
23-03-2014
ShareTechnote
Page 14 of 35
| | +-tdd-AckNackFeedbackMode ::= ENUMERATED OPTIONAL:Omit

| +-pusch-ConfigDedicated ::= SEQUENCE OPTIONAL:Exist
| | +-betaOffset-ACK-Index ::= INTEGER (0..15) [9]
| | +-betaOffset-RI-Index ::= INTEGER (0..15) [6]
| | +-betaOffset-CQI-Index ::= INTEGER (0..15) [6]
| +-uplinkPowerControlDedicated ::= SEQUENCE [1] OPTIONAL:Exist
| | +-p0-UE-PUSCH ::= INTEGER (-8..7) [0]
| | +-deltaMCS-Enabled ::= ENUMERATED [en0]
| | +-accumulationEnabled ::= BOOLEAN [TRUE]
| | +-p0-UE-PUCCH ::= INTEGER (-8..7) [0]
| | +-pSRS-Offset ::= INTEGER (0..15) [3]
| | +-filterCoefficient ::= ENUMERATED [fc4] OPTIONAL:Exist
| +-tpc-PDCCH-ConfigPUCCH ::= CHOICE OPTIONAL:Omit
| +-tpc-PDCCH-ConfigPUSCH ::= CHOICE OPTIONAL:Omit
| +-cqi-ReportConfig ::= SEQUENCE [10] OPTIONAL:Exist
| | +-cqi-ReportModeAperiodic ::= ENUMERATED [rm30] OPTIONAL:Exist
| | +-nomPDSCH-RS-EPRE-Offset ::= INTEGER (-1..6) [0]
| | +-cqi-ReportPeriodic ::= CHOICE OPTIONAL:Omit
| +-soundingRS-UL-ConfigDedicated ::= CHOICE OPTIONAL:Omit
| +-antennaInfo ::= CHOICE [defaultValue] OPTIONAL:Exist
| +-schedulingRequestConfig ::= CHOICE [setup] OPTIONAL:Exist
| +-setup ::= SEQUENCE
| +-sr-PUCCH-ResourceIndex ::= INTEGER (0..2047) [20]
| +-sr-ConfigIndex ::= INTEGER (0..155) [30]
| +-dsr-TransMax ::= ENUMERATED [n4]
< Note 1 >
+-pdsch-ConfigDedicated ::= SEQUENCE OPTIONAL:Exist
| +-p-a ::= ENUMERATED [dB-3]
: transmission power is calculated according to Section 5.2 of 3GPP TS36.213 from the reference signal power and the
values of the P_A and P_B parameters specified for this procedure. These parameters set the PDSCH transmission
power differences between symbols with and without RS.
Unproper settings for this value would cause large amount of CRC errors on PDSCH reception on UE side, resulting in
a lot of HARQ NACK from UE.
< Note 2 >
If you see SRB-ToAddMod IE, you would see a couple of Default Value. What does this mean ?
Following two sections of 36.331 will give you the answer.
9.1.2 SRB configurations
9.2 Default radio configurations
RRC : RRC Connection Setup Complete + NAS : Attach Request + ESM : PDN Connectivity Request
This step would be one of very important steps during the initial registration process mainly because UE send a lot of
it's capability information (especailly NAS layer capability information) to the core network.
23-03-2014
ShareTechnote
Page 15 of 35
As you see this step carries two important NAS message as follows.
NAS : Attach Request : The most important information carried by this message would be UE capability in terms of
ciphering and integrity. If you don't do proper following step (especially at Attach accept step) based on the
information on this, UE will fail to registration. Even bigger problem is that the failure mode of registration varies
depending UE protocol stack implementation. So in many case it is very hard to find the root cause of the problem.
ESM : PDN Connectivity Request : The most information of this message would be the protocol configuration options
(PCO). From this you can figure out what kind of packet service UE support or want to get supported. If you don't
properly handle this information, it will also result in registration failure and the failure mode would vary depending
on UE implementation.
Attach request ::= DIVISION
+-Security header type ::= V
| +-Security header type ::= CHOICE [Plain NAS message, not security protected]
+-EPS mobility management protocol discriminator ::= V
| +-Protocol discriminator ::= PD [7]
+-Attach request message identity ::= V
| +-Message type ::= MSG [41]
+-NAS key set identifier ::= V
| +-TSC ::= CHOICE [native security context (for KSI ASME)]
| +-NAS key set identifier ::= CHOICE [possible values for the NAS key set identifier 1]
+-EPS attach type ::= V
| +-Spare ::= FIX [0]
| +-EPS attach type value ::= CHOICE [EPS attach]
+-Old GUTI or IMSI ::= LV
| +-Octet1 ::= DIVISION
| | +-Length of EPS mobile identity contents ::= LEN (0..255) [11]
| | +-Spare ::= FIX [F]
| | +-Odd/even indication ::= CHOICE [even number of identity digits and also when the GUTI is used]
| | +-Type of identity ::= CHOICE [GUTI]
| | +-MCC digit 2 ::= INT (0..15) [0]
| | +-MCC digit 1 ::= INT (0..15) [0]
| | +-MNC digit 3 ::= INT (0..15) [15]
| | +-MCC digit 3 ::= INT (0..15) [1]
| | +-MNC digit 2 ::= INT (0..15) [1]
| | +-MNC digit 1 ::= INT (0..15) [0]
| | +-MME Group ID ::= INT (0..255) [0]
| | +-MME Group ID(continued) ::= INT (0..255) [1]
| | +-MME Code ::= INT (0..255) [1]
| | +-M-TMSI ::= INT (0..255) [18]
| | +-M-TMSI(continued) ::= INT (0..255) [52]
| +-M-TMSI(continued) ::= INT (0..255) [120]
+-UE network capability ::= LV
| | +-Length of UE network capability contents ::= LEN (0..255) [2]
| | +-EEA0 ::= CHOICE [EPS encryption algorithm EEA0 supported]
| | +-128-EEA1 ::= CHOICE [EPS encryption algorithm 128-EEA1 supported]
| | +-EEA3 ::= CHOICE [EPS encryption algorithm EEA3 not supported]
| | +-spare ::= FIX [0]
| | +-128-EIA1 ::= CHOICE [EPS integrity algorithm 128-EIA1 supported]
| | +-EIA3 ::= CHOICE [EPS integrity algorithm EIA3 not supported]
23-03-2014
ShareTechnote
Page 16 of 35

| | +-UEA0 ::= CHOICE [UMTS encryption algorithm UEA0 not supported]
| | +-UCS2 ::= CHOICE [The UE has a preference for the default alphabet (defined in 3GPP TS 23.038 [3]) over
UCS2 (see ISO/IEC 10646 [29])]
| | +-UIA1 ::= CHOICE [UMTS integrity algorithm UIA1 not supported]
| | +-spare ::= FIX [0]
| | +-1xSRVCC ::= CHOICE [SRVCC from E-UTRAN to cdma2000 1xCS not supported]
| | +-spare ::= FIX [0]
| +-Octet7-14 ::= DIVISION
| +-Spare ::= OCTETARRAY SIZE(0..8) [00]
+-ESM message container ::= LV-E
| +-Octet1-Octet2 ::= DIVISION
| | +-Length of ESM message container ::= LEN (0..65535) [23]
| +-Octet3- ::= DIVISION
| +-ESM message container contents ::= OCTETARRAY SIZE(0..65535)
[0201D031D1271080000100000300000A00000C00000D00]
+-Old P-TMSI signature ::= TV OPTIONAL:Omit
| | +-P-TMSI signature IEI ::= IEI [19]
| +-P-TMSI signature value ::= INT (0..16777215) [0]
+-Additional GUTI ::= TLV OPTIONAL:Omit
| | +-EPS mobile identity IEI ::= IEI [50]
| | +-Length of mobile identity IEI ::= LEN (0..255) [1]
| | +-Identity digit 1 ::= INT (0..15) [0]
| | +-Odd/even indication ::= CHOICE [even number of identity digits and also when the GUTI is used]
| | +-Type of identity ::= CHOICE [IMSI]
| +-Identity digit p ::= OCTETARRAY SIZE(0..10)
+-Last visited registered TAI ::= TV OPTIONAL:Exist
| | +-Tracking area identity IEI ::= IEI [52]
| | +-MCC digit 2 ::= INT (0..15) [1]
| | +-MCC digit 1 ::= INT (0..15) [3]
| | +-MNC digit 3 ::= INT (0..15) [0]
| | +-MCC digit 3 ::= INT (0..15) [1]
| | +-MNC digit 2 ::= INT (0..15) [8]
| | +-MNC digit 1 ::= INT (0..15) [4]
| | +-TAC ::= INT (0..255) [0]
| +-TAC(continued) ::= INT (0..255) [1]
+-DRX parameter ::= TV OPTIONAL:Omit
+-MS network capability ::= TLV OPTIONAL:Omit
+-Old location area identification ::= TV OPTIONAL:Omit
+-TMSI status ::= TV OPTIONAL:Omit
+-Mobile Station Classmark 2 ::= TLV OPTIONAL:Omit
+-Mobile Station Classmark 3 ::= TLV OPTIONAL:Omit
+-Supported Codecs ::= TLV OPTIONAL:Omit
If you decode the ESM message container contents part, you will get the following contents.
NAS_LTE:ESM,PDN connectivity request
PDN connectivity request ::= DIVISION
23-03-2014
ShareTechnote
Page 17 of 35
+-EPS bearer identity ::= V

| +-EPS bearer identity value ::= CHOICE [No EPS bearer identity assigned]
+-EPS session management protocol discriminator ::= V
+-Procedure transaction identity ::= V
| +-Procedure transaction identity ::= CHOICE [Procedure transaction identity value 1]
+-PDN connectivity request message identity ::= V
| +-Message type ::= MSG [D0]
+-PDN type ::= V
| +-spare ::= FIX [0]
| +-PDN type value ::= CHOICE [IPv4v6]
+-Request type ::= V
| +-Spare ::= FIX [0]
| +-Request type value ::= CHOICE [initial request]
+-ESM information transfer flag ::= TV OPTIONAL:Exist
| +-ESM information transfer flag IEI ::= IEI [D-]
| +-spare ::= FIX [0]
| +-EIT value ::= CHOICE [security protected ESM information transfer required]
+-Access point name ::= TLV OPTIONAL:Omit
| | +-Access point name IEI ::= IEI [28]
| | +-Length of access point name contents ::= LEN (0..255) [0]
| +-Access point name value ::= OCTETARRAY SIZE(0..100)
+-Protocol configuration options ::= TLV OPTIONAL:Exist
+-Octet1 ::= DIVISION
| +-Protocol configuration options IEI ::= IEI [27]
| +-Length of protocol config options contents ::= LEN (0..255) [16]
| +-ext ::= EXT1 [1]
| +-spare ::= FIX [0]
| +-Configuration protocol ::= CHOICE [PPP for use with IP PDP type]
+-Octet4-Octet253 ::= DIVISION
+-protocol config options contents ::= OCTETARRAY SIZE(0..250) [000100000300000A00000C00000D00]
There are couple of important information in this message as described below.

ESM information transfer flag : According to Step 9a1 of Table 4.5.2.3-1: UE registration procedure (state 1 to state
2) of 36.508, Network has to go through ESM : Information Request as described below.
IF the UE sets the ESM information transfer flag in the last PDN CONNECTIVITY REQUEST message THEN the SS
transmits an ESM INFORMATION REQUEST message to initiate exchange of protocol configuration options
and/or APN
PDN Type : specifies IP version that the UE wants to use for EPS Bearer and Network may or may not use the same IP
version in Default (or Dedicated) EPS Bearer Context Request. Some UE would accept whatever IP version is specified
by the network at EPS Bearer establishment step, but some UE fail to setup EPS bearer if the IP version Network
specify in Default (or Dedicated) EPS Bearer Context Request does not match the PDN type in this message.
Access Point Name : UE shows many different behavior related to this APN name. Followings are some of the behavior
that I observed from a couple of difference devices.
i) UE does not specify any APN here and accept whatever Network specifies in Activate Default EPS Bearer Context
Request.
ii) UE specify a specific APN here, but it accept whatever Network specifies in Activate Default EPS Bearer Context
Request.
iii) UE specify a specific APN here, but it reject the APN that Network specifies in Activate Default EPS Bearer Context
Request if it is different from what UE specified here.
Protocol Configuration Options : You can get the detailed information from this protocol config options contents from
TS24_008 10.5.6.3 Protocol configuration options which can be summarized as follows.
This is a pretty complicated topic. So I will describe this on a separate post here.
RRC : DL Information Transfer + NAS : Authentication Request

RRC : UL Information Transfer + NAS : Authentication Response
"Authentication" process is a process similar to 'log in' process when you use a computer. In C2K and GSM, this
authentication process is 'uni-directional', meaning that only Network authenticate UE and UE does not authenticate
the network. As you may easily guess, this would cause a serious security problem. If I make a fake network which
accept any UE, I can cheat a UE to camp on the fake network rather than the one the UE is supposed to camp on to.
(But this kind of 'uni directional' authentication would make it so easy to test a UE using network simulator -:)
23-03-2014
ShareTechnote
Page 18 of 35
To improve this security issues, in LTE (in WCDMA as well) they do 'bi-directional' authentication, meaning that UE
has to pass the authentication process and Newtork also has to pass the process as well.
The overall authentication process is as follows.
There are three main components of this authentication process :

i) Input Parameters
ii) Authentication Algorithm
iii) Output Values (calcuated by Authentication Algorithm using the Input Parameters).
Both UE and Network uses the same Input Parameters and the same Authentication Algorithms, so they both should
produce the same Output Values, otherwise Authentication fails.
One thing you have to keep in mind is that UE and Network exchange only Input Parameters and Output values, not
the authentication Algorithm. Authentication Algorithm on UE side is stored in USIM and Authentication Algorithm on
NW side is stored in Authentication Center. Both UE and NW just assume that they would use the identical algorithms.
Normally use use diffent Authentication Algorithm for testing and for live network. The most commonly used
algorithm for testing is what we often call "Dummy XOR" algorithm which is defined in 36.508 section 4.9 Common
test USIM parameters for LTE and 34.408 section 8 Test USIM Parameters for WCDMA.
The most common used algorithm in live network (as far as I know) is Milenage algorithm.
One example of Authentication Request and Authentication Response is as follows. You would notice
that RAND, AUTN are carried by Authentication Request message and RES value is carried by
Authentication Response.
NAS_LTE:EMM,Authentication request
Authentication request ::= DIVISION
+-Authentication request message type ::= V
+-Spare half octet ::= V
| +-Spare half octet ::= FIX [0]
+-NAS key set identifier ASME ::= V
+-Authentication parameter RAND ::= V
| +-RAND value ::= OCTETARRAY SIZE(16..16) [A3DE0C6D363E30C364A4078F1BF8D577]
+-Authentication parameter AUTN ::= LV
23-03-2014
ShareTechnote
Page 19 of 35

| +-Length of AUTN contents ::= LEN (0..255) [16]
+-AUTN ::= OCTETARRAY SIZE(0..16) [5E726B56B4EC9001A3CF2E5E726BC6B5]
NAS_LTE:EMM,Authentication response
Authentication response ::= DIVISION
+-Authentication response message identity ::= V
+-Authentication response parameter ::= LV
| +-Length of Authentication response parameter contents ::= LEN (0..255) [8]
+-Octet2-17 ::= DIVISION
+-RES ::= OCTETARRAY SIZE(0..16) [A3CF2E5E726B56B4]
RRC : DL Information Transfer + NAS : Security Mode Command

Security Mode Command message to inform the UE of the following information (instructions).
i) I (Newtork) am capable of these kinds of ciphering (encryption) algorithms
ii) I (Newtork) am capable of these kinds of integrityalgorithms
iii) Among those ciphering algorithm which I am capable of, I will be using "this specific
algorithm" for the communication with you (UE).
iv) Among those integrityalgorithm which I am capable of, I will be using "this specific
algorithm" for the communication with you (UE)
In LTE, they are using separate Security Mode process for NAS and RRC, whereas in WCDMA only one security mode
process (RRC only) was used (NAS is indirectly protected since NAS message was embedded in RRC and protected as
a part of RRC message). The part marked in blue is for item i) and ii) listed above and the part marked in red is for
item iii) and iv).
NAS_LTE:EMM,Security mode command

Security mode command ::= DIVISION
+-Security mode command message identity ::= V
| +-Message type ::= MSG [5D]
+-Selected NAS security algorithms ::= V
| +-spare ::= FIX [0]
| +-Type of ciphering algorithm ::= CHOICE [EPS encryption algorithm EEA0(ciphering not used)]
| +-spare ::= FIX [0]
| +-Type of integrity protection algorithm ::= CHOICE [Reserved 0]
+-NAS key set identifier ::= V
+-Replayed UE security capabilities ::= LV
| | +-Length of UE security capability contents ::= LEN (0..255) [2]
| | +-EEA0 ::= CHOICE [EPS encryption algorithm EEA0 supported]
| | +-spare ::= FIX [1]
23-03-2014
ShareTechnote
Page 20 of 35

| | +-spare ::= FIX [0]
| +-spare ::= FIX [0]
| +-GEA1 ::= CHOICE [GPRS encryption algorithm GEA1 not supported]
+-IMEISV request ::= TV OPTIONAL:Omit
| +-IMEISV request IEI ::= IEI [C-]
| +-spare ::= FIX [0]
| +-IMEISV request value ::= CHOICE [IMEISV not requested]
+-Replayed nonce UE ::= TV OPTIONAL:Omit
| | +-Nonce IEI ::= IEI [55]
| +-Nonce value ::= OCTETARRAY SIZE(4..4) [00000000]
+-Nonce MME ::= TV OPTIONAL:Omit
| +-Nonce IEI ::= IEI [56]
+-Nonce value ::= OCTETARRAY SIZE(4..4) [00000000]
RRC : UL Information Transfer + NAS : Security Mode Complete
Security Mode Complete is the answer to "Security Mode Command" message, so it is simple. If UE is also capable of
the Integrity, Security algorithm that NW want to use, it send 'Security Mode Complete', if UE is not capable of them,
it send 'Security Mode Failure'.
NAS_LTE:EMM,Security mode complete

Security mode complete ::= DIVISION
+-Security mode complete message identity ::= V
| +-Message type ::= MSG [5E]
+-IMEISV ::= TLV OPTIONAL:Omit
| +-Mobile Identity IEI ::= IEI [23]
| +-Length of mobile identity contents ::= LEN (0..255) [0]
| +-Identity digit 1 ::= INT (0..15) [0]
| +-Odd/even indication ::= CHOICE [even number of identity digits and also when the TMSI/PTMSI is used]
| +-Type of identity ::= CHOICE [No Identity]
+-Identity digit p ::= OCTETARRAY SIZE(0..8)

This is the same step as NAS:Security Mode Command, the only difference is that this is only for
RRC message.
23-03-2014
ShareTechnote
Page 21 of 35
RRC_LTE:DL-DCCH-Message
DL-DCCH-Message ::= SEQUENCE
+-c1 ::= CHOICE [securityModeCommand]
+-securityModeCommand ::= SEQUENCE
+-c1 ::= CHOICE [securityModeCommand-r8]
+-securityModeCommand-r8 ::= SEQUENCE [0]
+-securityConfigSMC ::= SEQUENCE
| +-securityAlgorithmConfig ::= SEQUENCE
| +-cipheringAlgorithm ::= ENUMERATED [eea1]
| +-integrityProtAlgorithm ::= ENUMERATED [eia1]
For Ciphering Algorithm Paramter, refer to EEA page.

For Integrity Algorithm Paramter, refer to EIA page.

Security Mode Complete is the answer to "Security Mode Command" message, so it is simple. If UE is also capable of
the Integrity, Security algorithm that NW want to use, it send 'Security Mode Complete', if UE is not capable of them,
it send 'Security Mode Failure'.
UL-DCCH-Message ::= SEQUENCE

+-c1 ::= CHOICE [securityModeComplete]
+-securityModeComplete ::= SEQUENCE
+-criticalExtensions ::= CHOICE [securityModeComplete-r8]
+-securityModeComplete-r8 ::= SEQUENCE [0]
RRC : RRC Connection Reconfiguration + NAS : Attach Accept + NAS : Activate Default EPS Bearer Context
Request
An important procedure done in this step is "ESM : Activate Default EPS Bearer Context Request".
One thing you notice here is that in LTE Packet call is initiated by Network where as in UMST most of the packet call is
initiated by UE. Network specifies an IP for the UE here.
If you have any experience with WCDMA protocol, you may take this message to be similar to 'Radio Bearer Setup' +
'Attach Accept' + Activate PDP Context Accept.
At this step, UE gets an IP from the network and this IP does not get returned to Network even after 'RRC connection
Release' and UE gets into IDLE mode.
23-03-2014
ShareTechnote
Page 22 of 35
An example of RRC Connection Reconfiguration is as follows. Don't try to look into all the details
since this message is one of the most complicated message in LTE. Just try to understand overall
structure and compare the tree map shown above and the real messages shown below.
Probably it will take several month to understand all the details of these elements, so don't be so
hurry.
Whenever you study a little bit further details of the topicsin the tree diagram shown above, open
up this section and see the details under the topics you studied. If you fully understand all the
information elements shown below, you can say you mastered the LTE. Again don't try to understand
all of these at once. It will just raise your blood pressure. Just look through these items as
often as possible and get familiar with the overall structure first.

+-c1 ::= CHOICE [rrcConnectionReconfiguration]
+-rrcConnectionReconfiguration ::= SEQUENCE
+-c1 ::= CHOICE [rrcConnectionReconfiguration-r8]
+-rrcConnectionReconfiguration-r8 ::= SEQUENCE [001100]
+-measConfig ::= SEQUENCE OPTIONAL:Omit
+-mobilityControlInfo ::= SEQUENCE OPTIONAL:Omit
+-dedicatedInfoNASList ::= SEQUENCE OF SIZE(1..maxDRB[11]) [1] OPTIONAL:Exist
| +-DedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED)
[074201E0060000F1100001002C5201C101091003777777
07616E726974737503636F6D05010A012037270E808021
0A0300000A81060A000001500BF600F11080010100000001]
+-radioResourceConfigDedicated ::= SEQUENCE [110101] OPTIONAL:Exist
| +-drb-ToAddModList ::= SEQUENCE OF SIZE(1..maxDRB[11]) [1] OPTIONAL:Exist
| | +-DRB-ToAddMod ::= SEQUENCE [11111]
| | +-eps-BearerIdentity ::= INTEGER (0..15) [5] OPTIONAL:Exist
| | +-drb-Identity ::= INTEGER (1..32) [1]
| | +-pdcp-Config ::= SEQUENCE [101] OPTIONAL:Exist
| | | +-discardTimer ::= ENUMERATED [infinity] OPTIONAL:Exist
| | | +-rlc-AM ::= SEQUENCE OPTIONAL:Omit
| | | +-rlc-UM ::= SEQUENCE OPTIONAL:Exist
| | | | +-pdcp-SN-Size ::= ENUMERATED [len12bits]
| | | +-headerCompression ::= CHOICE [notUsed]
| | | +-notUsed ::= NULL
| | +-rlc-Config ::= CHOICE [um-Bi-Directional] OPTIONAL:Exist
| | | +-um-Bi-Directional ::= SEQUENCE
| | | +-ul-UM-RLC ::= SEQUENCE
| | | | +-sn-FieldLength ::= ENUMERATED [size10]
| | | +-dl-UM-RLC ::= SEQUENCE
| | | +-sn-FieldLength ::= ENUMERATED [size10]
| | | +-t-Reordering ::= ENUMERATED [ms50]
| | +-logicalChannelIdentity ::= INTEGER (3..10) [3] OPTIONAL:Exist
| | +-logicalChannelConfig ::= SEQUENCE [1] OPTIONAL:Exist
| | +-ul-SpecificParameters ::= SEQUENCE [1] OPTIONAL:Exist
| | +-priority ::= INTEGER (1..16) [13]
| | +-prioritisedBitRate ::= ENUMERATED [infinity]
| | +-bucketSizeDuration ::= ENUMERATED [ms100]
| | +-logicalChannelGroup ::= INTEGER (0..3) [2] OPTIONAL:Exist
23-03-2014
ShareTechnote
Page 23 of 35
| +-pdsch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit

| +-pucch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit
| +-pusch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit
| +-uplinkPowerControlDedicated ::= SEQUENCE OPTIONAL:Omit
| +-tpc-PDCCH-ConfigPUCCH ::= CHOICE [setup] OPTIONAL:Exist
| | +-tpc-RNTI ::= BIT STRING SIZE(16) [0000001111111111]
| | +-tpc-Index ::= CHOICE [indexOfFormat3]
| | +-indexOfFormat3 ::= INTEGER (1..15) [1]
| +-tpc-PDCCH-ConfigPUSCH ::= CHOICE [setup] OPTIONAL:Exist
| +-cqi-ReportConfig ::= SEQUENCE OPTIONAL:Omit
| +-antennaInfo ::= CHOICE [explicitValue] OPTIONAL:Exist
| | +-transmissionMode ::= ENUMERATED [tm1]
| | +-codebookSubsetRestriction ::= CHOICE OPTIONAL:Omit
| | +-ue-TransmitAntennaSelection ::= CHOICE [release]
| | +-release ::= NULL
| +-schedulingRequestConfig ::= CHOICE OPTIONAL:Omit
+-securityConfigHO ::= SEQUENCE OPTIONAL:Omit
Even though the decoded message shown above looks very complicated already, it is not fully decoded. It shows only
RRC part decode. If you decode the NAS part in this message, you will get the following contents.
One very important thing you have to keep in mind is that you have to carefully populate this message so that I can
properly handles/matches the information sent from UE via Attach Request, otherwise this would lead to registration
failure.
AS_LTE:EMM,Attach accept
Attach accept ::= DIVISION
+-Attach accept message identity ::= V
+-EPS attach result ::= V
| +-Spare ::= FIX [0]
| +-EPS attach result value ::= CHOICE [EPS only]
+-T3412 value ::= V
| +-Unit ::= CHOICE [value indicates that the timer is deactivated]
| +-Timer value ::= INT (0..31) [0]
+-TAI list ::= LV
| | +-Length of tracking area identity list contents ::= LEN (0..255) [6]
| +-tracking area identity list contents ::= OCTETARRAY SIZE(0..96) [0000F1100001]
| | +-Length of ESM message container ::= LEN (0..65535) [44]
| +-Octet3- ::= DIVISION
| +-ESM message container contents ::= OCTETARRAY SIZE(0..65535)
[5201C10109100377777707616E726974737503636F6D
05010A012037270E8080210A0300000A81060A000001]
+-GUTI ::= TLV OPTIONAL:Exist
| | +-EPS mobile identity IEI ::= IEI [50]
| | +-Length of EPS mobile identity contents ::= LEN (0..255) [11]
| | +-Spare ::= FIX [F]
| | +-Odd/even indication ::= CHOICE [even number of identity digits and also when the GUTI is
used]
| | +-Type of identity ::= CHOICE [GUTI]
| | +-MCC digit 2 ::= INT (0..15) [0]
| | +-MCC digit 1 ::= INT (0..15) [0]
23-03-2014
ShareTechnote
Page 24 of 35
| | +-MNC digit 3 ::= INT (0..15) [15]

| | +-MCC digit 3 ::= INT (0..15) [1]
| | +-MNC digit 2 ::= INT (0..15) [1]
| | +-MNC digit 1 ::= INT (0..15) [0]
| | +-MME Group ID ::= INT (0..255) [128]
| | +-MME Group ID(continued) ::= INT (0..255) [1]
| | +-MME Code ::= INT (0..255) [1]
| | +-M-TMSI ::= INT (0..255) [0]
| +-M-TMSI(continued) ::= INT (0..255) [1]
+-Location area identification ::= TV OPTIONAL:Omit
| | +-Location Area Identification IEI ::= IEI [13]
| | +-MCC digit 2 ::= INT (0..15) [0]
| | +-MCC digit 1 ::= INT (0..15) [0]
| | +-MNC digit 3 ::= INT (0..15) [0]
| | +-MCC digit 3 ::= INT (0..15) [0]
| | +-MNC digit 2 ::= INT (0..15) [0]
| | +-MNC digit 1 ::= INT (0..15) [0]
| | +-LAC ::= INT (0..255) [0]
| +-LAC (continued) ::= INT (0..255) [0]
+-MS identity ::= TLV OPTIONAL:Omit
| | +-Mobile Identity IEI ::= IEI [23]
| | +-Length of mobile identity contents ::= LEN (0..255) [0]
| | +-Identity digit 1 ::= INT (0..15) [0]
| | +-Odd/even indication ::= CHOICE [even number of identity digits and also when the TMSI/PTMSI is used]
| | +-Type of identity ::= CHOICE [No Identity]
| +-Identity digit p ::= OCTETARRAY SIZE(0..7)
+-EMM cause ::= TV OPTIONAL:Omit
| | +-EMM cause IEI ::= IEI [53]
| +-Cause value ::= CHOICE [#2:IMSI unknown in HSS]
+-T3402 value ::= TV OPTIONAL:Omit
| | +-GPRS Timer IEI ::= IEI [17]
| +-Unit ::= CHOICE [value is incremented in multiples of 2 seconds]
| +-Timer value ::= INT (0..31) [0]
+-T3423 value ::= TV OPTIONAL:Omit
| | +-GPRS Timer IEI ::= IEI [59]
| +-Unit ::= CHOICE [value is incremented in multiples of 2 seconds]
| +-Timer value ::= INT (0..31) [0]
+-Equivalent PLMNs ::= TLV OPTIONAL:Omit
| | +-PLMN List IEI ::= IEI [4A]
| | +-Length of PLMN List contents ::= LEN (0..255) [0]
| | +-MCC digit 2 PLMN 1 ::= INT (0..15) [0]
..... Octet 4 - Octet 45 .....
| | +-MNC digit 3 PLMN 15 ::= INT (0..15) [0]
23-03-2014
ShareTechnote
Page 25 of 35

| +-MNC digit 2 PLMN 15 ::= INT (0..15) [0]
| +-MNC digit 1 PLMN 15 ::= INT (0..15) [0]
+-Emergency Number List ::= TLV OPTIONAL:Omit
| | +-Emergency Number List IEI ::= IEI [34]
| | +-Length of Emergency Number List IE contents ::= LEN (0..255) [0]
| +-Emergency Number List IE contents ::= OCTETARRAY SIZE(0..48)
+-EPS network feature support ::= TLV OPTIONAL:Omit
| | +-EPS network feature support IEI ::= IEI [64]
| | +-Length of EPS network feature support contents ::= LEN (0..255) [0]
| +-Spare ::= FIX [0]
| +-IMS VoPS ::= CHOICE [IMS voice over PS session in S1 mode not supported]
+-Additional update result ::= TV OPTIONAL:Omit
+-Additional update result IEI ::= IEI [F-]
+-Spare ::= FIX [0]
+-Additional update result value ::= CHOICE [no additional information]
If you see the contents shown above, you would see "ESM message container contents", which can be further
decoded as below. The IE (information element) marked in blue would be the most important IEs for UE connection to
data service application.
NAS_LTE:ESM,Activate default EPS bearer context request
Activate default EPS bearer context request ::= DIVISION
| +-EPS bearer identity value ::= CHOICE [EPS bearer identity value 5]
| +-Procedure transaction identity ::= CHOICE [Procedure transaction identity value 1]
+-Activate default EPS bearer context request message identity ::= V
| +-Message type ::= MSG [C1]
+-EPS QoS ::= LV
| | +-Length of EPS quality of service contents ::= LEN (0..255) [1]
| | +-QCI ::= CHOICE [QCI 9]
| | +-Maximum bit rate for uplink ::= CHOICE [Reserved(network to UE direction)/Subscribed
maximum bit rate for uplink(UE to network direction)]
| | +-Maximum bit rate for downlink ::= CHOICE [Reserved(network to UE direction)/Subscribed
| | +-Guaranteed bit rate for uplink ::= CHOICE [Reserved(network to UE direction)/Subscribed
| | +-Guaranteed bit rate for downlink ::= CHOICE [Reserved(network to UE direction)/Subscribed
| | +-Maximum bit rate for uplink (extended) ::= CHOICE [Use the value indicated by the maximum
bit rate for uplink in octet 4]
| | +-Maximum bit rate for downlink (extended) ::= CHOICE [Use the value indicated by the maximum
bit rate for uplink in octet 4]
| | +-Guaranteed bit rate for uplink (extended) ::= CHOICE [Use the value indicated by the
guaranteed bit rate for uplink in octet 6]
| +-Guaranteed bit rate for downlink (extended) ::= CHOICE [Use the value indicated by the
guaranteed bit rate for uplink in octet 6]
+-Access point name ::= LV
| | +-Length of access point name contents ::= LEN (0..255) [16]
| +-Access point name value ::= OCTETARRAY SIZE(0..100) [0377777707616E726974737503636F6D]
+-PDN address ::= LV
| | +-Length of PDN address contents ::= LEN (0..255) [5]
23-03-2014
ShareTechnote
Page 26 of 35
| | +-spare ::= FIX [0]

| | +-PDN type value ::= CHOICE [IPv4]
| +-PDN address information ::= OCTETARRAY SIZE(0..12) [0A012037]
+-Transaction identifier ::= TLV OPTIONAL:Omit
| | +-Transaction identifier IEI ::= IEI [5D]
| | +-Length of Transaction identifier contents ::= LEN (0..255) [0]
| | +-TI flag ::= CHOICE [The message is sent from the side that originates the TI]
| | +-TIO ::= CHOICE [TI value 0]
| | +-Spare ::= FIX [0]
| +-ext ::= EXT (0..1) [1]
| +-TIE ::= CHOICE [Reserved]
+-Negotiated QoS ::= TLV OPTIONAL:Omit
| | +-Quality of service IEI ::= IEI [30]
| | +-Length of quality of service IE ::= LEN (0..255) [0]
| | +-spare ::= FIX [0]
| | +-Delay class ::= CHOICE [Subscribed delay class(MS to network direction)/Reserved(network to
MS direction)]
| | +-Reliability class ::= CHOICE [Subscribed reliability class(MS to network
direction)/Reserved(network to MS direction)]
| | +-Peak throughput ::= CHOICE [Subscribed peak throughput(MS to network direction)/Reserved
(network to MS direction)]
| | +-spare ::= FIX [0]
| | +-Precedence class ::= CHOICE [Subscribed precedence(MS to network direction)/Reserved
| | +-spare ::= FIX [0]
| | +-Mean throughput ::= CHOICE [Subscribed mean throughput(MS to network direction)/Reserved
| | +-Traffic Class ::= CHOICE [Subscribed traffic class(MS to network direction)/Reserved
| | +-Delivery order ::= CHOICE [Subscribed delivery order(MS to network direction)/Reserved
| | +-Delivery of erroneous SDUs ::= CHOICE [Subscribed delivery of erroneous SDUs(MS to network
| | +-Maximum SDU size ::= CHOICE [Subscribed maximum SDU size(MS to network direction)/Reserved
| | +-Maximum bit rate for uplink ::= CHOICE [Subscribed maximum bit rate for uplink(MS to
network direction)/Reserved(network to MS direction)]
| | +-Maximum bit rate for downlink ::= CHOICE [Subscribed maximum bit rate for uplink(MS to
network direction)/Reserved(network to MS direction)]
| | +-Residual BER ::= CHOICE [Subscribed residual BER(MS to network direction)/Reserved(network
to MS direction)]
| | +-SDU error ratio ::= CHOICE [Subscribed SDU error ratio(MS to network direction)/Reserved
| | +-Transfer delay ::= CHOICE [Subscribed transfer delay(MS to network direction)/Reserved
| | +-Traffic Handling priority ::= CHOICE [Subscribed traffic handling priority(MS to network
| | +-Guaranteed bit rate for uplink ::= INT (0..255) [0]
| | +-Guaranteed bit rate for downlink ::= INT (0..255) [0]
| | +-Spare ::= FIX [0]
| | +-Signalling Indication ::= CHOICE [Not optimised for signalling traffic]
| | +-Source Statistics Descriptor ::= CHOICE [unknown]
| | +-Maximum bit rate for downlink (extended) ::= CHOICE [Use the value indicated by the Maximum
bit rate for downlink in octet 9.]
| | +-Guaranteed bit rate for downlink (extended) ::= CHOICE [Use the value indicated by the
23-03-2014
ShareTechnote
Page 27 of 35
Maximum bit rate for downlink in octet 9.]

| | +-Maximum bit rate for uplink (extended) ::= CHOICE [Use the value indicated by the Maximum
bit rate for downlink in octet 9.]
| +-Guaranteed bit rate for uplink (extended) ::= CHOICE [Use the value indicated by the
Maximum bit rate for downlink in octet 9.]
+-Negotiated LLC SAPI ::= TV OPTIONAL:Omit
| | +-LLC SAPI IEI ::= IEI [32]
| +-Spare ::= FIX [0]
| +-LLC SAPI value ::= CHOICE [LLC SAPI not assigned]
+-Radio priority ::= TV OPTIONAL:Omit
| +-Radio priority IEI ::= IEI [8-]
| +-spare ::= FIX [0]
| +-Radio priority level value ::= CHOICE [priority level 1 (highest)]
+-Packet flow identifier ::= TLV OPTIONAL:Omit
| | +-Packet Flow Identifier IEI ::= IEI [34]
| | +-Length of Packet Flow Identifier IE ::= LEN (0..255) [0]
| +-spare ::= FIX [0]
| +-Packet Flow Identifier value ::= CHOICE [Best Effort]
+-APN-AMBR ::= TLV OPTIONAL:Omit
| | +-APN aggregate maximum bit rate IEI ::= IEI [5E]
| | +-Length of APN aggregate maximum bit rate contents ::= LEN (0..255) [0]
| | +-APN-AMBR for downlink ::= CHOICE [1kbps]
| | +-APN-AMBR for uplink ::= CHOICE [1kbps]
| | +-APN-AMBR for downlink (extended) ::= CHOICE [Use the value indicated by the APN-AMBR for
downlink in octet 3]
| | +-APN-AMBR for uplink (extended) ::= CHOICE [8700kbps]
| | +-APN-AMBR for downlink (extended-2) ::= CHOICE [Use the value indicated by the APN-AMBR for
downlink and APN-AMBR for downlink (extended) in octets 3 and 5 0]
| +-APN-AMBR for uplink (extended-2) ::= CHOICE [Use the value indicated by the APN-AMBR for
downlink and APN-AMBR for downlink (extended) in octets 3 and 5 0]
+-ESM cause ::= TV OPTIONAL:Omit
| | +-ESM cause IEI ::= IEI [58]
| +-Cause value ::= CHOICE [#8:Operator Determined Barring]
+-Protocol configuration options ::= TLV OPTIONAL:Exist
| +-ext ::= EXT1 [1]
| +-spare ::= FIX [0]
+-protocol config options contents ::= OCTETARRAY SIZE(0..250) [80210A0300000A81060A000001]
There is one important thing you have to know at this point. It is about how to specify PDN address. Following three
examples can be self sufficient (I hope -:). For a little bit further details for IPv6, refer to IPv6 page.
< Example : IPv4 >

| | +-spare ::= FIX [0]
23-03-2014
ShareTechnote
Page 28 of 35
| +-PDN address information ::= OCTETARRAY SIZE(0..12) [0A012037]
< Example : IPv6 >

: Specify the link local address of IPv6 address.
| | +-spare ::= FIX [0]
| +-PDN address information ::= OCTETARRAY SIZE(0..12) [0000000001010002]
< Example : IPv4v6 >

: Specify the link local address of IPv6 address followed by IPv4 address.
| | +-spare ::= FIX [0]
| | +-PDN type value ::= CHOICE [IPv4v6]
| +-PDN address information ::= OCTETARRAY SIZE(0..12) [00000000010100020A0A0A0A]
< Protocol configuration options >

This is a pretty complicated topic. So I will describe this on a separate post here.
RRC : RRC Connection Reconfiguration Complete + NAS :

AttachComplete + ESM : Activate Default EPS Bearer Context Accept
An important procedure done in this step is "ESM : Activate Default EPS Bearer Context Accept".
RRC Connection Reconfiguration Complete part is very simple as follows.
RRC_LTE:UL-DCCH-Message
+-c1 ::= CHOICE [rrcConnectionReconfigurationComplete]
+-rrcConnectionReconfigurationComplete ::= SEQUENCE
+-criticalExtensions ::= CHOICE [rrcConnectionReconfigurationComplete-r8]
+-rrcConnectionReconfigurationComplete-r8 ::= SEQUENCE [0]
NAS part has pretty complicated structure since it is Piggybacked multiple times.
+-c1 ::= CHOICE [ulInformationTransfer]
+-ulInformationTransfer ::= SEQUENCE
+-c1 ::= CHOICE [ulInformationTransfer-r8]
+-ulInformationTransfer-r8 ::= SEQUENCE [0]
+-dedicatedInfoType ::= CHOICE [dedicatedInfoNAS]
| +-dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [074300035200C2]
23-03-2014
ShareTechnote
Page 29 of 35
If you decode dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [074300035200C2], you will get the following
message(Attach Complete).
NAS_LTE:EMM,Attach complete
Attach complete ::= DIVISION
+-Attach complete message identity ::= V
| +-Length of ESM message container ::= LEN (0..65535) [3]
+-Octet3- ::= DIVISION
+-ESM message container contents ::= OCTETARRAY SIZE(0..65535) [5200C2]
If you decode ESM message container contents ::= OCTETARRAY SIZE(0..65535) [5200C2] part, you will get the
following message (Activate default EPS bearer context accept).
NAS_LTE:ESM,Activate default EPS bearer context accept
Activate default EPS bearer context accept ::= DIVISION
| +-Procedure transaction identity ::= CHOICE [No procedure transaction identity assigned]
+-Activate default EPS bearer context accept message identity ::= V
+-Protocol configuration options ::= TLV OPTIONAL:Omit
| +-ext ::= EXT1 [1]
| +-spare ::= FIX [0]
+-protocol config options contents ::= OCTETARRAY SIZE(0..250)

Same as step 6, but establishment cause gets different as shown below. It will be mt-Access or mo-Data depending
on whether it is MT call or MO call.
RRC_LTE:UL-CCCH-Message
UL-CCCH-Message ::= SEQUENCE
+-c1 ::= CHOICE [rrcConnectionRequest]
+-rrcConnectionRequest ::= SEQUENCE
+-criticalExtensions ::= CHOICE [rrcConnectionRequest-r8]
+-rrcConnectionRequest-r8 ::= SEQUENCE
+-ue-Identity ::= CHOICE [s-TMSI]
| +-s-TMSI ::= SEQUENCE
| +-mmec ::= BIT STRING SIZE(8) [00000001]
| +-m-TMSI ::= BIT STRING SIZE(32) [00000000000000000000000000000001]
+-establishmentCause ::= ENUMERATED [mt-Access]
+-spare ::= BIT STRING SIZE(1) [0]

Refer to RRC Connection Setup
RRC : RRC Connection Setup Complete + NAS : Service Request
+-c1 ::= CHOICE [rrcConnectionSetupComplete]
+-rrcConnectionSetupComplete ::= SEQUENCE
23-03-2014
ShareTechnote
Page 30 of 35

+-c1 ::= CHOICE [rrcConnectionSetupComplete-r8]
+-rrcConnectionSetupComplete-r8 ::= SEQUENCE [00]
+-selectedPLMN-Identity ::= INTEGER (1..6) [1]
+-registeredMME ::= SEQUENCE OPTIONAL:Omit
+-dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [C7E00000]
If you decode dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [C7E00000] part, you will get the following
message (Service Request).
NAS_LTE:EMM,Service request
Service request ::= DIVISION
| +-Security header type ::= CHOICE [Security header for the SERVICE REQUEST message]
+-KSI and sequence number ::= V
| +-KSI ::= CHOICE [no key is available]
| +-Sequence number(short) ::= INT (0..31) [0]
+-Message authentication code (short) ::= V
| +-Short MAC value ::= INT (0..255) [0]
+-Short MAC value(continued) ::= INT (0..255) [0]

Refer to RRC : Security Mode Command

Refer to RRC : Security Mode Complete
RRC : RRC Connection Reconfiguration + NAS : Activate Dedicated EPS Bearer Context Request
This is another 'RRC Connection Reconfiguration' message. But you would see some difference between this message
and the message at step 15.
You don't see any 'Attach Accept' part because you already went through 'attach' process during the registration. And
now you created only 'Dedicated EPS Bearer'. Does this mean that you cannot use the 'Default EPS Bearer' you
created at step 15) ? No.. the default Bearer is still alive once it is created during the registration. That's why you
don't have to recreate the default EPS bearer at this step.
23-03-2014
ShareTechnote
Page 31 of 35
One think you would notice would be that 'Activate Dedicated EPS Bearer Context Request' does not have IP address
setting. This is because Dedicated EPS is using the same IP configuration specified by Default EPS Bearer. The
purpose of Default EPS bearer is to create a data pipe with a different QoS from Default EPS QoS. It means Dedicated
EPS Bearer is linked to a specific Default EPS bearer.
Then, how do we know which default EPS bearer is linked to which Dedicated EPS Bearer ?
This link is specified by 'Linked EPS Bearer Identity'. For example, if 'Linked EPS Bearer Identity' is set to be 5. It
means this 'Dedicated EPS Bearer' is linked to the Default EPS Bearer with Bearer ID = 5 and use the same IP
configuration as defined in the default EPS bearer.

+-c1 ::= CHOICE [rrcConnectionReconfiguration]
+-rrcConnectionReconfiguration ::= SEQUENCE
+-c1 ::= CHOICE [rrcConnectionReconfiguration-r8]
+-rrcConnectionReconfiguration-r8 ::= SEQUENCE [001100]
+-measConfig ::= SEQUENCE OPTIONAL:Omit
+-mobilityControlInfo ::= SEQUENCE OPTIONAL:Omit
+-dedicatedInfoNASList ::= SEQUENCE OF SIZE(1..maxDRB[11]) [1] OPTIONAL:Exist
| +-DedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED)
[1700000000036200C5050904686848480000000006213100023011]
+-radioResourceConfigDedicated ::= SEQUENCE [110101] OPTIONAL:Exist
| +-drb-ToAddModList ::= SEQUENCE OF SIZE(1..maxDRB[11]) [2] OPTIONAL:Exist
| | | +-eps-BearerIdentity ::= INTEGER (0..15) [5] OPTIONAL:Exist
| | | +-drb-Identity ::= INTEGER (1..32) [1]
| | | +-pdcp-Config ::= SEQUENCE [101] OPTIONAL:Exist
| | | | +-discardTimer ::= ENUMERATED [infinity] OPTIONAL:Exist
| | | | +-rlc-AM ::= SEQUENCE OPTIONAL:Omit
| | | | +-rlc-UM ::= SEQUENCE OPTIONAL:Exist
| | | | | +-pdcp-SN-Size ::= ENUMERATED [len12bits]
| | | | +-headerCompression ::= CHOICE [notUsed]
| | | | +-notUsed ::= NULL
| | | +-rlc-Config ::= CHOICE [um-Bi-Directional] OPTIONAL:Exist
| | | | +-um-Bi-Directional ::= SEQUENCE
| | | | +-ul-UM-RLC ::= SEQUENCE
| | | | | +-sn-FieldLength ::= ENUMERATED [size10]
| | | | +-dl-UM-RLC ::= SEQUENCE
| | | | +-t-Reordering ::= ENUMERATED [ms50]
| | | +-logicalChannelIdentity ::= INTEGER (3..10) [3] OPTIONAL:Exist
| | | +-logicalChannelConfig ::= SEQUENCE [1] OPTIONAL:Exist
| | | +-ul-SpecificParameters ::= SEQUENCE [1] OPTIONAL:Exist
| | | +-priority ::= INTEGER (1..16) [13]
| | | +-prioritisedBitRate ::= ENUMERATED [infinity]
| | | +-bucketSizeDuration ::= ENUMERATED [ms100]
| | | +-logicalChannelGroup ::= INTEGER (0..3) [2] OPTIONAL:Exist
| | +-eps-BearerIdentity ::= INTEGER (0..15) [6] OPTIONAL:Exist
| | +-drb-Identity ::= INTEGER (1..32) [2]
| | +-pdcp-Config ::= SEQUENCE [101] OPTIONAL:Exist
| | | +-discardTimer ::= ENUMERATED [infinity] OPTIONAL:Exist
| | | +-rlc-AM ::= SEQUENCE OPTIONAL:Omit
| | | +-rlc-UM ::= SEQUENCE OPTIONAL:Exist
| | | | +-pdcp-SN-Size ::= ENUMERATED [len12bits]
| | | +-headerCompression ::= CHOICE [notUsed]
| | | +-notUsed ::= NULL
| | +-rlc-Config ::= CHOICE [um-Bi-Directional] OPTIONAL:Exist
| | | +-um-Bi-Directional ::= SEQUENCE
| | | +-ul-UM-RLC ::= SEQUENCE
| | | +-dl-UM-RLC ::= SEQUENCE
| | | +-sn-FieldLength ::= ENUMERATED [size10]
| | | +-t-Reordering ::= ENUMERATED [ms50]
| | +-logicalChannelIdentity ::= INTEGER (3..10) [4] OPTIONAL:Exist
| | +-logicalChannelConfig ::= SEQUENCE [1] OPTIONAL:Exist
| | +-ul-SpecificParameters ::= SEQUENCE [1] OPTIONAL:Exist
| | +-priority ::= INTEGER (1..16) [13]
23-03-2014
ShareTechnote
Page 32 of 35
| | +-prioritisedBitRate ::= ENUMERATED [infinity]

| | +-bucketSizeDuration ::= ENUMERATED [ms100]
| | +-logicalChannelGroup ::= INTEGER (0..3) [3] OPTIONAL:Exist
| +-pdsch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit
| +-pucch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit
| +-pusch-ConfigDedicated ::= SEQUENCE OPTIONAL:Omit
| +-uplinkPowerControlDedicated ::= SEQUENCE OPTIONAL:Omit
| +-tpc-PDCCH-ConfigPUCCH ::= CHOICE [setup] OPTIONAL:Exist
| +-tpc-PDCCH-ConfigPUSCH ::= CHOICE [setup] OPTIONAL:Exist
| +-cqi-ReportConfig ::= SEQUENCE OPTIONAL:Omit
| +-antennaInfo ::= CHOICE [defaultValue] OPTIONAL:Exist
| +-schedulingRequestConfig ::= CHOICE OPTIONAL:Omit
+-securityConfigHO ::= SEQUENCE OPTIONAL:Omit
Activate dedicated EPS bearer context request ::= DIVISION

+-Activate dedicated EPS bearer context request message identity ::= V
+-Linked EPS bearer identity ::= V
| +-Linked EPS bearer identity value ::= CHOICE [EPS bearer identity value 5]
+-EPS QoS ::= LV
| | +-Length of EPS quality of service contents ::= LEN (0..255) [9]
| | +-QCI ::= CHOICE [QCI 4]
| | +-Maximum bit rate for uplink ::= CHOICE [384kbps]
| | +-Maximum bit rate for downlink ::= CHOICE [384kbps]
| | +-Guaranteed bit rate for uplink ::= CHOICE [128kbps]
| | +-Guaranteed bit rate for downlink ::= CHOICE [128kbps]
| | +-Maximum bit rate for uplink (extended) ::=
CHOICE [Use the value indicated by the maximum bit rate for uplink in octet 4]
| | +-Maximum bit rate for downlink (extended) ::=
CHOICE [Use the value indicated by the maximum bit rate for uplink in octet 4]
23-03-2014
ShareTechnote
Page 33 of 35

| | +-Guaranteed bit rate for uplink (extended) ::=
CHOICE [Use the value indicated by the guaranteed bit rate for uplink in octet 6]
| +-Guaranteed bit rate for downlink (extended) ::=
CHOICE [Use the value indicated by the guaranteed bit rate for uplink in octet 6]
+-TFT ::= LV
| | +-Length of traffic flow template IE ::= LEN (0..255) [6]
| | +-TFT operation code ::= CHOICE [Create new TFT]
| | +-E bit ::= CHOICE [parameters list is not included]
| | +-Number of packet filters ::= INT (0..15) [1]
| +-Packet filter list/Parameters list ::= OCTETARRAY SIZE(0..254) [3100023011]
+-Transaction identifier ::= TLV OPTIONAL:Omit
| | +-Transaction identifier IEI ::= IEI [5D]
| | +-Length of Transaction identifier contents ::= LEN (0..255) [0]
| | +-TI flag ::= CHOICE [The message is sent from the side that originates the TI]
| | +-TIO ::= CHOICE [TI value 0]
| | +-Spare ::= FIX [0]
| +-ext ::= EXT (0..1) [1]
| +-TIE ::= CHOICE [Reserved]
+-Negotiated QoS ::= TLV OPTIONAL:Omit
| | +-Quality of service IEI ::= IEI [30]
| | +-Length of quality of service IE ::= LEN (0..255) [0]
| | +-spare ::= FIX [0]
| | +-Delay class ::= CHOICE [Subscribed delay class(MS to network direction)/Reserved(network to MS
direction)]
| | +-Reliability class ::=
CHOICE [Subscribed reliability class(MS to network direction)/Reserved(network to MS direction)]
| | +-Peak throughput ::=
CHOICE [Subscribed peak throughput(MS to network direction)/Reserved(network to MS direction)]
| | +-spare ::= FIX [0]
| | +-Precedence class ::=
CHOICE [Subscribed precedence(MS to network direction)/Reserved(network to MS direction)]
| | +-spare ::= FIX [0]
| | +-Mean throughput ::=
CHOICE [Subscribed mean throughput(MS to network direction)/Reserved(network to MS direction)]
| | +-Traffic Class ::=
CHOICE [Subscribed traffic class(MS to network direction)/Reserved(network to MS direction)]
| | +-Delivery order ::=
CHOICE [Subscribed delivery order(MS to network direction)/Reserved(network to MS direction)]
| | +-Delivery of erroneous SDUs ::=
CHOICE [Subscribed delivery of erroneous SDUs(MS to network direction)/Reserved(network to MS
direction)]
| | +-Maximum SDU size ::=
CHOICE [Subscribed maximum SDU size(MS to network direction)/Reserved(network to MS direction)]
| | +-Maximum bit rate for uplink ::=
CHOICE [Subscribed maximum bit rate for uplink(MS to network direction)/Reserved(network to MS
direction)]
| | +-Maximum bit rate for downlink ::=
CHOICE [Subscribed maximum bit rate for uplink(MS to network direction)/Reserved(network to MS
direction)]
| | +-Residual BER ::=
CHOICE [Subscribed residual BER(MS to network direction)/Reserved(network to MS direction)]
| | +-SDU error ratio ::=
CHOICE [Subscribed SDU error ratio(MS to network direction)/Reserved(network to MS direction)]
| | +-Transfer delay ::=
CHOICE [Subscribed transfer delay(MS to network direction)/Reserved(network to MS direction)]
| | +-Traffic Handling priority ::=
23-03-2014
ShareTechnote
Page 34 of 35
CHOICE [Subscribed traffic handling priority(MS to network direction)/Reserved(network to MS

direction)]
| | +-Guaranteed bit rate for uplink ::= INT (0..255) [0]
| | +-Guaranteed bit rate for downlink ::= INT (0..255) [0]
| | +-Spare ::= FIX [0]
| | +-Signalling Indication ::= CHOICE [Not optimised for signalling traffic]
| | +-Source Statistics Descriptor ::= CHOICE [unknown]
| | +-Maximum bit rate for downlink (extended) ::=
CHOICE [Use the value indicated by the Maximum bit rate for downlink in octet 9.]
| | +-Guaranteed bit rate for downlink (extended) ::=
| | +-Maximum bit rate for uplink (extended) ::=
| +-Guaranteed bit rate for uplink (extended) ::=
+-Negotiated LLC SAPI ::= TV OPTIONAL:Omit
| | +-LLC SAPI IEI ::= IEI [32]
| +-Spare ::= FIX [0]
| +-LLC SAPI value ::= CHOICE [LLC SAPI not assigned]
+-Radio priority ::= TV OPTIONAL:Omit
| +-Radio priority IEI ::= IEI [8-]
| +-spare ::= FIX [0]
| +-Radio priority level value ::= CHOICE [priority level 1 (highest)]
+-Packet flow identifier ::= TLV OPTIONAL:Omit
| | +-Packet Flow Identifier IEI ::= IEI [34]
| | +-Length of Packet Flow Identifier IE ::= LEN (0..255) [0]
| +-spare ::= FIX [0]
| +-Packet Flow Identifier value ::= CHOICE [Best Effort]
| +-ext ::= EXT1 [1]
| +-spare ::= FIX [0]
+-Octet4-253 ::= DIVISION
RRC : RRC Connection Reconfiguration Complete + NAS : Activate Dedicated EPS Bearer Context Accept
RRC Connection Reconfiguration Complete part is very simple as shown below.
+-c1 ::= CHOICE [rrcConnectionReconfigurationComplete]
+-rrcConnectionReconfigurationComplete ::= SEQUENCE
+-criticalExtensions ::= CHOICE [rrcConnectionReconfigurationComplete-r8]
+-rrcConnectionReconfigurationComplete-r8 ::= SEQUENCE [0]
ESM,Activate dedicated EPS bearer context accept part is carried by UL information transfer message
as follows.
+-c1 ::= CHOICE [ulInformationTransfer]
+-ulInformationTransfer ::= SEQUENCE
23-03-2014
ShareTechnote
Page 35 of 35

+-c1 ::= CHOICE [ulInformationTransfer-r8]
+-ulInformationTransfer-r8 ::= SEQUENCE [0]
+-dedicatedInfoType ::= CHOICE [dedicatedInfoNAS]
| +-dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [6200C6]
If you decode dedicatedInfoNAS ::= OCTET STRING SIZE(ALIGNED) [6200C6] part, you will get the following
message(ESM,Activate dedicated EPS bearer context accept)
NAS_LTE:ESM,Activate dedicated EPS bearer context accept

Activate dedicated EPS bearer context accept ::= DIVISION
+-Activate dedicated EPS bearer context accept message identity ::= V
| +-ext ::= EXT1 [1]
| +-spare ::= FIX [0]
23-03-2014

LTE Call Flow

Uploaded by

Copyright:

Available Formats

LTE Call Flow

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LTE Call Flow

Uploaded by

Copyright:

Available Formats

ShareTechnote

Basic Call Processing - Typical Packet Call

Basic State Machine

Big Picture First

<< Downlink Channel Map >>

<< Uplink Channel Map >>

Channel Mapping Table throughout Call Processing

RRC : PRACH Preamble

RRC : RACH Response

RRC : RRC Connection Request

RRC : RRC Connection Setup

RRC : DL Information Transfer + NAS : Authentication Request

RRC : UL Information Transfer + NAS : Authentication Response

RRC : DL Information Transfer + NAS : Security Mode Command

RRC : UL Information Transfer + NAS : Security Mode Complete

RRC : Security Mode Command

RRC : Security Mode Complete

RRC : RRC Connection Reconfiguration

RRC : RRC Connection Reconfiguration Complete

RRC : UL Information Transfer + ESM : PDN Connectivity Request

Note : Refer to TS 36.331 - 9.1.1 Logical channel configurations

Cell Configuration and Channel Configuration during Call Processing

Now in Very Detailed Picture

UE <--- SS SIB2,3 and others

UE <--- SS RACH Response

UE ---> SS RRC Connection Request

UE MAC start mac-ContentionResolutionTimer

UE <--- SS ACK (PHICH)

UE <--- SS Contention Resolution

3GPP 36.321 5.1.5

UE MAC stop mac-ContentionResolutionTimer

UE <--- SS RRC Connection Setup

UE ---> SS ACK (PUCCH)

UE ---> SS Scheduling Request(PUCCH)

UE <--- SS UL Grant (DCI 0, PDCCH)

UE <--- SS RLC ACK

UE <--- SS Authentication Request

UE ---> SS ACK (PUCCH)

UE ---> SS Scheduling Request(PUCCH)

UE <--- SS UL Grant (DCI 0, PDCCH)

UE ---> SS RLC ACK

UE ---> SS Scheduling Request(PUCCH)

UE ---> SS Authentication Response

UE <--- SS RLC ACK

UE <--- SS NAS Security Mode Command

UE ---> SS ACK (PUCCH)

UE ---> SS Scheduling Request(PUCCH)

UE <--- SS UL Grant (DCI 0, PDCCH)

UE ---> SS RLC ACK

UE ---> SS Scheduling Request(PUCCH)

UE <--- SS UL Grant (DCI 0, PDCCH)

UE ---> SS NAS Security Mode Complete

UE <--- SS RLC ACK

UE <--- SS RRC Security Mode Command

UE ---> SS ACK (PUCCH)

UE ---> SS Scheduling Request(PUCCH)

UE <--- SS UL Grant (DCI 0, PDCCH)

UE ---> SS RLC ACK

UE ---> SS Scheduling Request(PUCCH)