14 Sep

4G – GTPv2 dumps

   Posted by: cristina_crow   in technical

Knowing it is not very nice to talk a lot about something but offer no tangible results, I've tried to put together some minimal dumps for the things discussed lately in my posts.

They are not end-to-end results, but they should at least give some hop-by-hop information.

So, let's first see how an Initial Attach to the 4G network looks, then how the UE asks for a dedicated bearer to put traffic on (specifically VoIP traffic), and then take a closer look at an IMS call flow.

For the 4G dumps I must give credit to the wonderful company I work in, which lets me develop on the 4G core network side, while the IMS flows are generated using OpenIMSCore and Monster, the two solutions from the cool guys at Fraunhofer.

My company's solution is proprietary and closed-source (I would rather recommend you buy it, but I can't give many details on its architecture :D ), whereas the Fraunhofer solution is free and open-source and installs nicely on a Debian :D .

So, let's first take a look at the attach procedure, captured on the 4G S11 interface between the MME and the SGW. The messages here are Create Session Request and Create Session Response.

GTPv2-C runs over UDP, so below I only show the GTPv2 layer of each message, the part that sits above the IP and UDP headers:

First the Create Session Request, coming from the MME to the SGW, by which the UE asks for an IP address and connectivity to the PDN (Packet Data Network):

GPRS Tunneling Protocol V2
Create Session Request
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Create Session Request (32)
    Message Length: 201
    Tunnel Endpoint Identifier: 0
    Sequence Number: 7660
    Spare: 45056
    International Mobile Subscriber Identity (IMSI) :
        IE Type: International Mobile Subscriber Identity (IMSI) (1)
        IE Length: 8
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        IMSI(International Mobile Subscriber Identity number): 220614000000001
    MSISDN :
        IE Type: MSISDN (76)
        IE Length: 6
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Country Code: 40 Romania length 2
        Address digits: 700000001
    Mobile Equipment Identity (MEI) :
        IE Type: Mobile Equipment Identity (MEI) (75)
        IE Length: 8
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        MEI(Mobile Equipment Identity): 999900000000100
    User Location Info (ULI) :
        IE Type: User Location Info (ULI) (86)
        IE Length: 13
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        ...1 .... = ECGI Present Flag: True
        .... 1... = TAI Present Flag: True
        .... .0.. = RAI Present Flag: False
        .... ..0. = SAI Present Flag: False
        .... ...0 = CGI Present Flag: False
        Mobile Country Code (MCC): Romania (226)
        Mobile Network Code (MNC): Orange Romania (10)
        Tracking Area Code: 4113
        Mobile Country Code (MCC): Romania (226)
        Mobile Network Code (MNC): Orange Romania (10)
        ECI (E-UTRAN Cell Identifier): 0
    Serving Network :
        IE Type: Serving Network (83)
        IE Length: 3
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Mobile Country Code (MCC): Romania (226)
        Mobile Network Code (MNC): Orange Romania (10)
    RAT Type :
        IE Type: RAT Type (82)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        RAT Type: EUTRAN (6)
    Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
        IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
        IE Length: 9
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
        .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
        ...0 1010 = Interface Type: S11 MME GTP-C interface (10)
        TEID/GRE Key: 3300033
        F-TEID IPv4: 30.0.1.1 (30.0.1.1)
    Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
        IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
        IE Length: 9
        000. .... = CR flag: 0
        .... 0001 = Instance: 1
        1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
        .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
        ...0 0111 = Interface Type: S5/S8 PGW GTP-C interface (7)
        TEID/GRE Key: 0
        F-TEID IPv4: 20.0.0.1 (20.0.0.1)
    PDN Type :
        IE Type: PDN Type (99)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        .... .001 = PDN Type: IPv4 (1)
    Selection Mode :
        IE Type: Selection Mode (128)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        .... ..00 = Selection Mode: MS or network provided APN, subscribed verified (0)
    PDN Address Allocation (PAA) :
        IE Type: PDN Address Allocation (PAA) (79)
        IE Length: 5
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        .... .001 = PDN Type: IPv4 (1)
        PDN IPv4: 0.0.0.0 (0.0.0.0)
    Indication :
        IE Type: Indication (77)
        IE Length: 2
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        0... .... = DAF (Dual Address Bearer Flag): False
        .0.. .... = DTF (Direct Tunnel Flag): False
        ..0. .... = HI (Handover Indication): False
        ...0 .... = DFI (Direct Forwarding Indication): False
        .... 0... = OI (Operation Indication): False
        .... .0.. = ISRSI (Idle mode Signalling Reduction Supported Indication): False
        .... ..0. = ISRAI (Idle mode Signalling Reduction Activation Indication): False
        .... ...0 = SGWCI (SGW Change Indication): False
        .... 0... = PT (Protocol Type): False
        .... .0.. = TDI (Teardown Indication): False
        .... ..0. = SI (Scope Indication): False
        .... ...0 = MSV (MS Validated): False
    Access Point Name (APN) :
        IE Type: Access Point Name (APN) (71)
        IE Length: 18
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        APN (Access Point Name): visited.com
    APN Restriction :
        IE Type: APN Restriction (127)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        APN Restriction: 0
    Aggregate Maximum Bit Rate (AMBR) :
        IE Type: Aggregate Maximum Bit Rate (AMBR) (72)
        IE Length: 8
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        AMBR Uplink (Aggregate Maximum Bit Rate for Uplink): 1
        AMBR Downlink(Aggregate Maximum Bit Rate for Downlink): 1
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 31
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0101 = EPS Bearer ID (EBI): 5
        Bearer Level Quality of Service (Bearer QoS) :
            IE Type: Bearer Level Quality of Service (Bearer QoS) (80)
            IE Length: 22
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... ...1 = PVI (Pre-emption Vulnerability): True
            ..00 00.. = PL (Priority Level): 0
            .0.. .... = PCI (Pre-emption Capability): False
            Label (QCI): 4
            Maximum Bit Rate For Uplink: 65536000
            Maximum Bit Rate For Downlink: 65536000
            Guaranteed Bit Rate For Uplink: 0
            Guaranteed Bit Rate For Downlink: 0
    Recovery (Restart Counter) :
        IE Type: Recovery (Restart Counter) (3)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Restart Counter: 0

And then the Create Session Response, coming from the PGW (which obtained the UE's IP address), via the SGW, towards the MME and the UE. This is captured on S11, between the SGW and the MME:

GPRS Tunneling Protocol V2
Create Session Response
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Create Session Response (33)
    Message Length: 126
    Tunnel Endpoint Identifier: 3300033
    Sequence Number: 7660
    Spare: 45056
    Cause :
        IE Type: Cause (2)
        IE Length: 2
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Cause: Request accepted (16)
        .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
    PDN Address Allocation (PAA) :
        IE Type: PDN Address Allocation (PAA) (79)
        IE Length: 5
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        .... .001 = PDN Type: IPv4 (1)
        PDN IPv4: 40.0.0.1 (40.0.0.1)
    Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
        IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
        IE Length: 9
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
        .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
        ...0 1011 = Interface Type: S11/S4 SGW GTP-C interface (11)
        TEID/GRE Key: 1
        F-TEID IPv4: 30.0.2.1 (30.0.2.1)
    Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
        IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
        IE Length: 9
        000. .... = CR flag: 0
        .... 0001 = Instance: 1
        1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
        .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
        ...0 0111 = Interface Type: S5/S8 PGW GTP-C interface (7)
        TEID/GRE Key: 1
        F-TEID IPv4: 20.0.0.1 (20.0.0.1)
    APN Restriction :
        IE Type: APN Restriction (127)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        APN Restriction: 0
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 63
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Cause :
            IE Type: Cause (2)
            IE Length: 2
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            Cause: Request accepted (16)
            .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0101 = EPS Bearer ID (EBI): 5
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0001 = Interface Type: S1-U SGW GTP-U interface (1)
            TEID/GRE Key: 33
            F-TEID IPv4: 30.0.2.1 (30.0.2.1)
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0001 = Instance: 1
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0101 = Interface Type: S5/S8 PGW GTP-U interface (5)
            TEID/GRE Key: 33
            F-TEID IPv4: 20.0.0.1 (20.0.0.1)
        Bearer Level Quality of Service (Bearer QoS) :
            IE Type: Bearer Level Quality of Service (Bearer QoS) (80)
            IE Length: 22
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... ...0 = PVI (Pre-emption Vulnerability): False
            ..00 00.. = PL (Priority Level): 0
            .0.. .... = PCI (Pre-emption Capability): False
            Label (QCI): 9
            Maximum Bit Rate For Uplink: 8640000
            Maximum Bit Rate For Downlink: 8640000
            Guaranteed Bit Rate For Uplink: 0
            Guaranteed Bit Rate For Downlink: 0
    Recovery (Restart Counter) :
        IE Type: Recovery (Restart Counter) (3)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Restart Counter: 0
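
To make the structure of these two messages concrete, here is an added example (my own code, not from the original post and not from either vendor's stack): a small GTPv2-C decoder in Python that walks the fixed header and the TLIV information elements seen above, plus a builder that produces a Create Session Request carrying the same IMSI, F-TEIDs, PAA and bearer QoS values as the first dump (constructed bytes, not a capture). The IE layouts follow 3GPP TS 29.274; the Bearer QoS rates are carried in kbps on the wire (the dissector output above appears to show the same figures scaled to bit/s, 65536000 for 65536 kbps). Every declared length is checked against its container before it is used, because a GTP-C parser that trusts the IE length field is exactly the kind of code that falls over on a malformed packet from a peer.

```python
"""Minimal GTPv2-C (3GPP TS 29.274) decoder: fixed header plus the TLIV information
elements in the S11 dumps above. Added example; the sample message is constructed, not captured."""
import struct
from ipaddress import IPv4Address, IPv6Address

IE_IMSI, IE_CAUSE, IE_EBI, IE_PAA, IE_BEARER_QOS, IE_FTEID, IE_BEARER_CTX = 1, 2, 73, 79, 80, 87, 93
IFACE_TYPES = {0: "S1-U eNodeB GTP-U", 1: "S1-U SGW GTP-U", 5: "S5/S8 PGW GTP-U",
               7: "S5/S8 PGW GTP-C", 10: "S11 MME GTP-C", 11: "S11/S4 SGW GTP-C"}
MIN_LEN = {IE_CAUSE: 2, IE_EBI: 1, IE_PAA: 1, IE_BEARER_QOS: 22, IE_FTEID: 5}  # minimum payload sizes

class GtpError(ValueError):
    """Malformed input: wrong version, or a length that overruns its container."""

def tbcd_decode(data):
    """TBCD digits, low nibble first; 0xF pads an odd digit count."""
    nibs = [n for b in data for n in (b & 0x0F, b >> 4) if n != 0xF]
    if any(n > 9 for n in nibs):
        raise GtpError("bad TBCD digit")
    return "".join(map(str, nibs))

def decode_ie(ie_type, p):
    """Decode one IE payload into a dict; unknown types are kept as hex."""
    if ie_type == IE_IMSI:
        return {"name": "IMSI", "imsi": tbcd_decode(p)}
    if ie_type == IE_CAUSE:  # octet 6 bit 1 = CS (cause source)
        return {"name": "Cause", "cause": p[0], "cause_source": bool(p[1] & 0x01)}
    if ie_type == IE_EBI:
        return {"name": "EBI", "ebi": p[0] & 0x0F}
    if ie_type == IE_PAA:  # octet 5 bits 3-1 = PDN type; for IPv4 (1) the address follows
        pdn = p[0] & 0x07
        return {"name": "PAA", "pdn_type": pdn, "ipv4": str(IPv4Address(p[1:5])) if pdn == 1 else None}
    if ie_type == IE_FTEID:  # octet 5: V4 bit 8, V6 bit 7, interface type bits 6-1; then TEID, addresses
        iface, off = p[0] & 0x3F, 5
        out = {"name": "F-TEID", "iface_type": iface, "interface": IFACE_TYPES.get(iface, "unknown"),
               "teid": struct.unpack_from("!I", p, 1)[0]}
        if p[0] & 0x80:
            out["ipv4"], off = str(IPv4Address(p[off:off + 4])), off + 4
        if p[0] & 0x40:
            out["ipv6"] = str(IPv6Address(p[off:off + 16]))
        return out
    if ie_type == IE_BEARER_QOS:  # octet 5: PCI bit 7, PL bits 6-3, PVI bit 1; QCI; 4 x 5-octet rates in kbps
        mbr_ul, mbr_dl, gbr_ul, gbr_dl = (int.from_bytes(p[2 + 5 * i:7 + 5 * i], "big") for i in range(4))
        return {"name": "Bearer QoS", "pci": bool(p[0] & 0x40), "pl": (p[0] >> 2) & 0x0F,
                "pvi": bool(p[0] & 0x01), "qci": p[1], "mbr_ul_kbps": mbr_ul, "mbr_dl_kbps": mbr_dl,
                "gbr_ul_kbps": gbr_ul, "gbr_dl_kbps": gbr_dl}
    if ie_type == IE_BEARER_CTX:  # grouped IE: the payload is itself a list of IEs
        return {"name": "Bearer Context", "ies": parse_ies(p)}
    return {"name": "IE %d" % ie_type, "raw": p.hex()}

def parse_ies(body):
    """Walk TLIV IEs: type(1) length(2) CR/instance(1) payload(length). Raises ValueError when malformed."""
    ies, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise GtpError("truncated IE header at offset %d" % off)
        ie_type, length, flags = struct.unpack_from("!BHB", body, off)
        payload = body[off + 4:off + 4 + length]
        if len(payload) != length or length < MIN_LEN.get(ie_type, 0):
            raise GtpError("IE %d: bad length %d" % (ie_type, length))
        ie = {"type": ie_type, "cr": flags >> 5, "instance": flags & 0x0F}
        ie.update(decode_ie(ie_type, payload))
        ies.append(ie)
        off += 4 + length
    return ies

def parse_message(buf):
    """Return (header dict, list of IEs) for one GTPv2-C message, or raise ValueError."""
    if len(buf) < 4 or buf[0] >> 5 != 2:
        raise GtpError("short header or not GTP version 2")
    flags, msg_type, length = struct.unpack_from("!BBH", buf)
    if 4 + length > len(buf):
        raise GtpError("message length %d overruns buffer" % length)
    hdr, body = {"msg_type": msg_type, "piggyback": bool(flags & 0x10)}, buf[4:4 + length]
    need = 8 if flags & 0x08 else 4  # T flag: a 4-octet TEID precedes the sequence number
    if len(body) < need:
        raise GtpError("header fields overrun message length")
    if flags & 0x08:
        hdr["teid"], body = struct.unpack_from("!I", body)[0], body[4:]
    hdr["seq"], body = int.from_bytes(body[:3], "big"), body[4:]  # 3 octets + 1 spare octet
    return hdr, parse_ies(body)

def mk_ie(ie_type, payload, instance=0):
    return struct.pack("!BHB", ie_type, len(payload), instance & 0x0F) + payload

def mk_fteid(iface, teid, ipv4, instance=0):
    return mk_ie(IE_FTEID, bytes([0x80 | iface]) + struct.pack("!I", teid) + IPv4Address(ipv4).packed, instance)

def build_create_session_request():
    """Constructed sample carrying the same values as the first dump above."""
    qos = bytes([0x01, 4]) + b"".join(r.to_bytes(5, "big") for r in (65536, 65536, 0, 0))  # PVI=1, QCI 4
    bearer = mk_ie(IE_EBI, bytes([5])) + mk_ie(IE_BEARER_QOS, qos)
    body = (mk_ie(IE_IMSI, bytes.fromhex("22604100000000f1"))  # TBCD of 220614000000001
            + mk_fteid(10, 3300033, "30.0.1.1") + mk_fteid(7, 0, "20.0.0.1", instance=1)
            + mk_ie(IE_PAA, bytes([1]) + IPv4Address("0.0.0.0").packed) + mk_ie(IE_BEARER_CTX, bearer))
    payload = struct.pack("!I", 0) + (7660).to_bytes(3, "big") + b"\x00" + body  # TEID 0, seq 7660, spare
    return struct.pack("!BBH", 0x48, 32, len(payload)) + payload  # flags 0x48 = version 2, T=1; type 32

if __name__ == "__main__":
    print(*parse_message(build_create_session_request()), sep="\n")
```

Running the file prints the decoded header and IE list for the constructed request. parse_message raises GtpError (a ValueError) on a truncated message or on an IE whose declared length runs past the end of the message, which is the check to have in place before any of the fields reach the session logic; the instance number is what tells the two F-TEIDs apart (instance 0 is the sender's own S11 endpoint, instance 1 the S5/S8 PGW one), exactly as in the dump.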
Then the default bearer is set up (Modify Bearer Request / Response):

Modify Bearer Request

GPRS Tunneling Protocol V2
Modify Bearer Request
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Modify Bearer Request (34)
    Message Length: 30
    Tunnel Endpoint Identifier: 1
    Sequence Number: 7660
    Spare: 45568
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 18
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0101 = EPS Bearer ID (EBI): 5
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0000 = Interface Type: S1-U eNodeB GTP-U interface (0)
            TEID/GRE Key: 33
            F-TEID IPv4: 30.0.0.1 (30.0.0.1)

Modify Bearer Response

GPRS Tunneling Protocol V2
Modify Bearer Response
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Modify Bearer Response (35)
    Message Length: 42
    Tunnel Endpoint Identifier: 3300033
    Sequence Number: 7660
    Spare: 45568
    Cause :
        IE Type: Cause (2)
        IE Length: 2
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Cause: Request accepted (16)
        .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 24
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0101 = EPS Bearer ID (EBI): 5
        Cause :
            IE Type: Cause (2)
            IE Length: 2
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            Cause: Request accepted (16)
            .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0001 = Interface Type: S1-U SGW GTP-U interface (1)
            TEID/GRE Key: 33
            F-TEID IPv4: 30.0.2.1 (30.0.2.1)

Then the creation (by the network) of a dedicated bearer:

Create Bearer Request

GPRS Tunneling Protocol V2
Create Bearer Request
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Create Bearer Request (95)
    Message Length: 86
    Tunnel Endpoint Identifier: 3300033
    Sequence Number: 0
    Spare: 256
    EPS Bearer ID (EBI) :
        IE Type: EPS Bearer ID (EBI) (73)
        IE Length: 1
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        .... 0101 = EPS Bearer ID (EBI): 5
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 69
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0000 = EPS Bearer ID (EBI): 0
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0001 = Interface Type: S1-U SGW GTP-U interface (1)
            TEID/GRE Key: 34
            F-TEID IPv4: 30.0.2.1 (30.0.2.1)
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0001 = Instance: 1
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0101 = Interface Type: S5/S8 PGW GTP-U interface (5)
            TEID/GRE Key: 34
            F-TEID IPv4: 20.0.0.1 (20.0.0.1)
        EPS Bearer Level Traffic Flow Template (Bearer TFT) :
            IE Type: EPS Bearer Level Traffic Flow Template (Bearer TFT) (84)
            IE Length: 8
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            001. .... = Operation Code: Create New TFT (1)
            .... 0001 = Number of Packet Filters: 1
            ...0 .... = Ebit: False
            Packet Filter 1
                .... 0010 = Packet Filter Identifier: 2
                ..11 .... = Direction: bidirectional (3)
                Evaluation Precedence: 2
                Length of Packet Filter: 3
                Component Type: Single remote port type (5060)
                Single remote port type: 5060
        Bearer Level Quality of Service (Bearer QoS) :
            IE Type: Bearer Level Quality of Service (Bearer QoS) (80)
            IE Length: 22
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... ...0 = PVI (Pre-emption Vulnerability): False
            ..01 11.. = PL (Priority Level): 7
            .0.. .... = PCI (Pre-emption Capability): False
            Label (QCI): 3
            Maximum Bit Rate For Uplink: 65535000
            Maximum Bit Rate For Downlink: 65535000
            Guaranteed Bit Rate For Uplink: 65535000
            Guaranteed Bit Rate For Downlink: 65535000

Create Bearer Response

GPRS Tunneling Protocol V2
Create Bearer Response
    Flags: 72
        010. .... = Version: 2
        .... 1... = T: 1
    Message Type: Create Bearer Response (96)
    Message Length: 55
    Tunnel Endpoint Identifier: 1
    Sequence Number: 0
    Spare: 256
    Cause :
        IE Type: Cause (2)
        IE Length: 2
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Cause: Request accepted (16)
        .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
    Bearer Context : [Grouped IE]
        IE Type: Bearer Context (93)
        IE Length: 37
        000. .... = CR flag: 0
        .... 0000 = Instance: 0
        Cause :
            IE Type: Cause (2)
            IE Length: 2
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            Cause: Request accepted (16)
            .... ...0 = Cause Source (CS: True-Error originated by remote node, False-Error originated by Node sending the Message): False
        EPS Bearer ID (EBI) :
            IE Type: EPS Bearer ID (EBI) (73)
            IE Length: 1
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            .... 0110 = EPS Bearer ID (EBI): 6
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0000 = Instance: 0
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0000 = Interface Type: S1-U eNodeB GTP-U interface (0)
            TEID/GRE Key: 34
            F-TEID IPv4: 30.0.0.1 (30.0.0.1)
        Fully Qualified Tunnel Endpoint Identifier (F-TEID) :
            IE Type: Fully Qualified Tunnel Endpoint Identifier (F-TEID) (87)
            IE Length: 9
            000. .... = CR flag: 0
            .... 0001 = Instance: 1
            1... .... = V4 (True-IPV4 address field Exists,False-Doesn’t Exist in F-TEID): True
            .0.. .... = V6 (True-IPV6 address field Exists,False-Doesn’t Exist in F-TEID): False
            ...0 0001 = Interface Type: S1-U SGW GTP-U interface (1)
            TEID/GRE Key: 34
            F-TEID IPv4: 30.0.2.1 (30.0.2.1)


This entry was posted on Tuesday, September 14th, 2010 at 12:02 pm and is filed under technical.

One comment

junghoonBeak

Do you have a sample file?
I want a sample packet...

I don't speak English...

Please help me..
I hope for a sample packet from you.

Please ....

February 17th, 2011 at 3:29 pm

One Trackback/Ping

  1. IMS dumps | Windancer - Stairway to ...Heaven?    Sep 14 2010 / 12pm:

    [...] Continuing from 4G – GTPv2 dumps: [...]
