Connection-less communication of IoT devices over LTE mobile networks

Roger Piqueras Jover, Ilona Murynets
AT&T Security Research Center, New York, NY
{roger.jover,ilona}@att.com

Abstract

The emergence of the Internet of Things (IoT) introduces a vast ecosystem of new network-enabled objects. Although most current cellular IoT services run over 2G and 3G cellular networks, Long Term Evolution (LTE) is expected to be one of the main platforms for the emergence of new Machine to Machine (M2M) communication systems. Cellular communication protocols were designed and optimized to handle human-originated communications. However, with the forecasted deployment of billions of M2M devices, there is a growing concern in the industry that the cellular core may be overloaded by the sharp increase in control plane signaling load. The traffic characteristics of IoT devices are very different from those of smartphones and can increase the risk of signaling storms. A new connection-less communication protocol for IoT systems over LTE mobile networks is proposed to spare signaling exchanges at the cellular core for M2M communications. It requires no standards modification and provides an overlay channel between connected objects and base stations. Its effectiveness is demonstrated through simulations with realistic background network load parameters extracted from real LTE traffic sniffed at a busy downtown Manhattan intersection.

I. INTRODUCTION

The recent evolution of communication systems introduces a great variety of network-enabled objects which interact with each other and provide a broad spectrum of new services. From a traditional scenario of connected computers and handheld devices (i.e. mobile phones and smartphones), connectivity is now reaching home appliances, machinery and vehicles.
The convergence of the Internet and cellular mobile networks is breeding new Machine-to-Machine (M2M) communication systems, defining mobile networks as one of the main platforms for the Internet of Things (IoT) [1]. The surge of M2M embedded devices, with billions expected within the next few years [2], will set the foundations of the IoT, fueling the advent of novel communication services [3]. Wireless mobile networks are one of the main platforms for the widespread emergence of M2M systems. Although most current M2M systems run over 2G and 3G networks, Long Term Evolution (LTE) is expected and widely acknowledged as the main enabler for the advent of the IoT [4], with major equipment manufacturers already starting to focus their investment on LTE-based IoT [5]. The combination of the planned shutdown of 2G networks [6] and the higher capacity and low-power performance of LTE is shifting the deployment of the IoT towards LTE mobile networks.

The traffic characteristics of many M2M networked appliances are known to be substantially different from those of smartphones [7]. Mobile networks were designed and optimized to transport human-originated traffic, and hence they are known to suffer from resource utilization inefficiencies when handling M2M communication [8]. These are the source of increasing concern within the industry to understand the dynamics of M2M growth on LTE networks. It is acknowledged that LTE could be overwhelmed by the surge in both traffic and control plane signaling load [9], [10]. Instances of the impact of such a surge in load at the mobile core have been reported in recent years [11]-[13]. Security researchers have also argued that such inefficiencies could be exploited in malicious attacks. This has resulted in standardization bodies starting to propose solutions [14] to prevent signaling overloads and to propose enhanced M2M communication systems over LTE.

978-1-4673-7331-9/15/$31.00 © 2015 IEEE
This paper presents a new technique to transport M2M data over an LTE wireless access with no expensive signaling exchange at the mobile core. This connection-less M2M communication is designed to fit within the 3GPP (3rd Generation Partnership Project) standards. It leverages low level channels mapped on the LTE frame in order to encode data both in the uplink (UL) and downlink (DL). By encoding user data within certain fields of the packets in these physical layer (PHY) channels, one can potentially achieve throughputs of about 16kbps in the DL and 3.84 kbps in the UL. Given the characteristics of connection-less links, the method is intended for low throughput and delay tolerant M2M applications, such as remote security cameras, status check systems sending a stay-alive message periodically, fleet location trackers reporting coordinates periodically, etc. The proposed method defines an alternative layer 1 protocol, providing a small Slotted ALOHA-like link at each LTE base station. Enhancements to the basic system are also proposed, which increase the maximum achievable throughput substantially. The feasibility of this new technology is demonstrated with system simulations. In order to provide highly realistic results, the simulations include a real background load of LTE traffic captured with a state of the art LTE sniffer at a crowded intersection of downtown Manhattan. The results indicate that connection-less M2M communications over LTE networks are feasible. They are a potential traffic- and signaling-efficient alternative for the deployment of the IoT on LTE networks with close to zero impact on regular LTE traffic. The successful deployment of this technology, though, would require addressing a number of security implications, discussed in the paper as well.

The remainder of this manuscript is organized as follows. Section II briefly introduces basic concepts of LTE architecture and the main channels leveraged in connection-less M2M
communications systems. Section III overviews the known challenges of the spread of the IoT on mobile networks. Next, Section IV introduces connection-less communications on LTE networks and how they are framed considering real LTE traffic captures. In Section V, the connection-less simulation results are presented. Finally, Section VI discusses the main implementation and security considerations of this proposed technique and Section VII concludes the paper.

II. LTE MOBILE NETWORKS

As opposed to the previous 3GPP-based standards for mobile communications, LTE was designed with the goal of offering only packet-switched services, providing IP connectivity between mobile devices and the Internet. The LTE network architecture defines two portions: the Radio Access Network (RAN) and the cellular packet core, known as Enhanced Packet Core (EPC) [15]. The EPC contains the nodes responsible for establishing a tunnel, known as bearer, to transport traffic between mobile devices and the Internet. Moreover, the EPC manages the bearer logistics and the authentication and encryption functions. The RAN is composed of two types of nodes, the User Equipment (UE), or mobile terminals, and the eNodeB, or LTE base station. The RAN assigns radio resources to mobile terminals and manages their radio resource utilization.

Fig. 1. LTE frame structure and mapping of DL control channels

The LTE RAN provides capacity to UEs by means of a PHY layer based on Orthogonal Frequency Division Multiple Access (OFDMA) [15]. Radio resources are divided in both time and frequency. The minimum unit of allocation, known as Physical Resource Block (PRB), encodes 7x12 symbols in a block of one 1ms resource block in time and a Resource Block (RB) of 12 subcarriers in frequency. Two contiguous resource blocks in time form a subframe and, in turn, the 10ms LTE frame is formed by 10 subframes.
The LTE standard supports multiple bandwidth (BW) configurations, from 1.5MHz (6 RBs in frequency per frame) to 20MHz (100 RBs in frequency per frame), with 10MHz being the most commonly deployed. Figure 1 depicts the LTE frame in the case of a BW configuration with 6 RBs. A set of PHY channels is defined, mapped and modulated on the LTE frame. They are used to transport both signaling traffic and actual user communications [16]. The main PHY channels in the DL are included in Figure 1. With the exception of the allocation and mapping of radio resources for user traffic, the PRB mapping for all other channels is constant and known a priori, thus allowing the phone to correctly camp on and connect to an eNodeB. Any UE willing to access the network must first perform a cell selection procedure. Next, the UE decodes the Physical Broadcast Channel (PBCH) to extract the basic system configuration, necessary to map and decode the other channels in the cell. At this point, the UE can initiate an actual connection by means of a Random Access procedure. Finally, a bearer is established through the EPC in order to send and receive user traffic.

A. LTE random access procedure

The Random Access Channel (RACH) is an uplink channel used to request a radio resource assignment during the initial access to the system. The first message exchange on this channel also allows the UE to achieve UL synchronization. The transmission on this channel is shared by all users within a sector and follows a Slotted-ALOHA/CSMA-like protocol, so collisions might occur. The RACH is multiplexed in time and frequency on each frame, with a number of RACH resources mapped on each frame. There are up to 16 different RACH configurations, allowing from 1 to 10 RACH resources to be mapped in a frame in time. The case of 10, with one RACH resource in each subframe, is designed for situations in which the RACH load is high.
The LTE Random Access procedure, which is initiated by the UE, is based on the transmission of short preambles that contain one signature selected randomly from a pool of 64 available signatures. This procedure is performed in two steps, which are depicted in Figure 2. In the first step, a signature is randomly chosen from the pool of available signatures and a preamble packet is transmitted on one of the RACH resources. Upon reception of a preamble, the eNodeB generates a reply message known as Random Access Response (RAR), which includes the signature used in the preamble that originated the RAR. In case of a collision detected by the eNodeB or unavailability of radio resources, the eNodeB includes a field in the RAR packet instructing the UE to back off for a randomly generated number of frames. The mobile terminal expects to receive the RAR message within a pre-defined time window. If no response is received, the preamble is retransmitted after a minimum time of 3ms. The preamble message does not encode any information, so it has a 0 bit payload. It is built with prime-length Zadoff-Chu sequences, allowing for improved preamble detection performance. The RAR is a 56 bit packet that contains a series of fields: the id of the time-frequency slot where the preamble was received, the signature used in the preamble, a Time Advance (TA) instruction (for UL synchronization) and an initial UL resource grant. The RAR also includes the assignment of an arbitrary 16 bit network temporary id for the UE, known as Radio Network Temporary Identifier (RNTI). Figure 2 includes a real capture of the Random Access procedure between a smartphone and an Ericsson commercial lab eNodeB. The capture was obtained with an off-the-shelf
Sanjole WaveJudge-Intelijudge 4900 LTE traffic sniffer [17]. All the traffic captures presented in this manuscript have been obtained with the same tool.

B. Initial attach and RRC state transitions

After the Random Access procedure, a Radio Resource Control (RRC) connection is set up, with a number of messages being exchanged between the eNodeB and the UE. If the UE is connecting for the first time, the identity and authentication procedures are executed. At this stage, a point-to-point bearer through the EPC is set up, and the UE's RRC connection is reconfigured according to the type of IP service and Quality of Service (QoS) requested. The scarcity of spectrum and radio resources results in strict resource management policies. Whenever a UE has been observed as idle by the eNodeB for more than a few seconds (often between 10 and 15 seconds), the RRC connection for this UE is released and its associated radio resources are freed to be reused by other UEs [18]. Although just one message from the eNodeB to the UE is sufficient to transition it down to an idle RRC state, each idle-to-connected and connected-to-idle transition involves a substantial amount of control plane signaling, with a large number of messages within the EPC.

III. SCALABILITY AND IMPACT OF M2M/IOT ON MOBILE NETWORKS

The emergence of the IoT has a direct impact on the signaling load in the EPC. Certain features of the mobile core should be considered before deploying wireless embedded appliances that make use of packet services. Each individual traffic flow between a UE and an external host often results in control plane signaling to transition between RRC states. It is widely acknowledged that unnecessary signaling traffic could potentially overburden the core network, and researchers have theorized that this could be leveraged in security attacks [20]. The negative consequences of a signaling overload in a mobile network have already been observed in the wild [11]-[13], [21]-[23].
Such a large number of known instances of signaling storms in the wild is a clear motivation to design new transmission techniques that require no control plane signaling. In this regard, the expected surge of such signaling due to the expansion of M2M systems is acknowledged as a potential threat against LTE [14]. Consequently, mobility network utilization should be optimized in order to minimize the ratio of signaling load to user data traffic. There is also a growing interest in the research community on the impact of the surge of the IoT on LTE. For example, the authors of [8] presented insights on such impact with a simulation study. Similarly, [24] introduces a performance study of LTE under M2M traffic load, concluding that a large number of low throughput devices could potentially induce the most negative effects. This correlates with the observations in [7], which presented the first analysis of M2M traffic over mobile networks and identified certain low throughput devices that induce large amounts of state transitions. Similar results are presented in [10]. In parallel, extensive research aims to design new network mechanisms to efficiently handle the surge of cellular traffic originated from the IoT. In [25] and [26], new congestion control techniques for M2M LTE traffic are proposed.

Fig. 2. LTE Random Access procedure and capture from a real network

C. Paging

Paging is the process used to initiate a mobile terminated connection and to trigger, from the network side, the idle-to-connected state transition. Whenever there is an incoming communication addressed to a UE, the network must determine in which cell this user is located. If this precise location had to be known at all times, a mobile terminal would have to update its location with the network, a costly operation, each time it moved to a new cell. In order to reduce the load of location update signaling, the location of each UE is only known with a much coarser granularity, known as the Tracking Area (TA).
Upon receiving incoming traffic for UE j that is in idle state, the EPC triggers the broadcast of a paging message over each cell within the TA where UE j is known to be [19]. The mobile terminal replies to the paging message, disclosing its precise location in terms of cell or sector, and triggers the establishment of a bearer by initiating a Random Access procedure.

IV. CONNECTION-LESS IOT COMMUNICATIONS OVER LTE MOBILE NETWORKS

This paper introduces a novel connection-less communication protocol for IoT devices over LTE mobile networks which requires no control plane signaling at the EPC. This technique is specifically designed for M2M embedded devices with low throughput and delay tolerant traffic, which often are the worst case scenario in terms of signaling load at the EPC. For example, a security camera reporting a picture every 5 minutes induces two RRC state transitions (idle-to-connected and connected-to-idle) every five minutes. In order to achieve the zero signaling goal, connection-less communication maps user data on the initial handshake messages between the UE and the eNB. These are the messages exchanged until the Attach Request message from the UE, embedded within the RRCConnectionSetupComplete message, triggers the control plane signaling at the EPC [18]. To illustrate this message handshake, Figure 3 (a) plots the LTE attach procedure as defined by the 3GPP standards. Note that, in order to simplify the figure, certain handshakes are bundled into a single arrow. For the case of the RACH procedure and the RRC connection between the UE and eNB, Figure 3 (b)
presents a real capture of the individual messages involved in both handshakes. One can observe the Attach Request message included within the RRCConnectionSetupComplete UL packet.

Fig. 3. NAS attach procedure: a) control plane signaling and b) real capture of the initial UE-eNB handshake (RACH+RRC)

Another goal of the connection-less protocol is a fully standards compliant design, requiring no standard modifications to operate. In this regard, the protocol embeds itself in the 3GPP standards, though requiring custom cellular modems for the IoT devices and new software functionality at the eNB.

A. Uplink traffic

An IoT device communicating over a connection-less link maps its UL traffic on the RACH preambles. The choice of a given signature from a pool of 64 signatures encodes 6 bits of information. Assuming a number k of RACH resources mapped on each 10ms LTE frame, the total throughput available to be shared by all IoT devices would be $k \cdot 6 / 0.01$ bits per second. This capacity would also have to be shared with the actual RACH preambles transmitted by smartphones and other mobile devices in the context of the Random Access procedure. Section IV-D discusses how this will not be a problem, as the RACH load is very low even in a densely populated urban area. The RACH can be mapped in 16 different configurations, with k ranging from 1 to 10, where 10 is the case with a RACH resource allocated in every subframe [27]. In the frequency domain, studies demonstrate that the optimal preamble detection performance at the eNB is obtained with preamble signals of 6 and 12 RBs BW, which correspond to 1.08MHz and 2.16MHz respectively [15]. Therefore, one can theoretically map up to 8 RACH resources in frequency within a 10MHz frame [27]. However, a configuration with multiple simultaneous RACH resources in frequency is not recommended in order to avoid processing spikes at the eNB, which would have to detect and decode multiple preamble signals simultaneously. Based on this, the range of possible values for k is $k = 1, \ldots, 10 \cdot 8$. Note that the case of $k = 80$ implies that the entire frame is devoted to the transmission of preambles, with no room for actual data transmission. This case would only make sense in the scenario of an eNB exclusively dedicated to connection-less traffic, perhaps covering an indoor warehouse or other area with no smartphone traffic. Note also that $k = 80$ would also result in processing spikes.

Fig. 4. LTE Random Access Time Advance measurement and transmission of two preambles within one subframe

Assuming a collision probability of $p^{UE}_{collision} = 1\%$ (which includes RACH collisions, decoding errors, etc.), $k = 10$ RACH frequency-time resources per frame and 64 signatures, the RACH can process a load of up to $R^{max}_{RACH} = -10 \cdot 64 \cdot \ln(1 - p^{UE}_{collision}) = 6.432$ preambles per frame. This results in a maximum connection-less UL traffic capacity of $R^{max}_{UL} = 6.432 \cdot 6 / 0.01 = 3.86\,\mathrm{kbps}$. Note that this raw maximum capacity would be shared among all the connection-less IoT devices within the cell. The RACH resources are also shared with the preamble traffic from smartphones and other connected devices communicating normally over LTE. The capacity for UL connection-less traffic can potentially be enhanced in a number of ways. The most basic one is increasing the number of RACH resources per frame. In parallel, multiple preambles could potentially be received by the eNB within a RACH slot. The duration of a preamble signal is substantially shorter than the slot it is transmitted in, preventing the propagation delay from resulting in a collision with the next slot¹.
Therefore, a smart scheduler could allow two or more IoT devices to transmit a preamble within the same slot if they were at sufficiently dissimilar distances from the eNB, such as in the scenario depicted in Figure 4.

B. Downlink traffic

DL traffic is transmitted as a response to a given UL communication from an IoT connection-less device or as network initiated DL traffic. Either way, the data is encoded in the RNTI field. This arbitrary id, not necessary in connection-less mode, allows encoding 16 bits of DL traffic in each RAR message. Independently of whether there are collisions or decoding errors at the RACH, this channel is designed in such a way that a RAR message can be transmitted in the DL upon reception of a preamble in a given RACH slot. Therefore, the maximum number of RAR messages that can be transmitted per frame is one for each RACH resource mapped on the LTE frame [15]. Assuming the same configuration as in Section IV-A, with 10 RACH resources assigned per frame, the maximum throughput that can be delivered to connection-less devices in the DL is $R^{max}_{DL} = 10 \cdot 16 / 0.01 = 16\,\mathrm{kbps}$. As with the UL capacity, this raw link throughput is to be shared among all connection-less IoT devices within the cell plus the RAR messages transmitted to regular mobile devices. Results of the investigation of this background RACH load are discussed in Section IV-D. A potential way to enhance the DL throughput leverages the fact that the TA field in the RAR message is not necessary for connection-less devices, as these do not require UL synchronization to encode and transmit data. Therefore, the eNB can encode further data in this 11 bit field, achieving a maximum DL throughput of $10 \cdot (16 + 11) / 0.01 = 27\,\mathrm{kbps}$. Alternatively, a portion of the 11 bit TA field could be used as a destination id field, such that the intended IoT device can identify its corresponding DL traffic. Given the design and transmission characteristics of the RACH, it is possible to correctly decode multiple preambles within a single slot, either due to different signatures or sufficiently dissimilar propagation delays. In the case of connection-less DL traffic transmitted as a response to UL traffic, all the colliding UEs would receive the same RAR message. By checking the signature encoded in one of the fields of the RAR, the intended recipient would be identified and the other UEs would discard the message. If two or more UEs had selected the same signature, though, this would result in a collision that should be detected and resolved at higher layers or with the aforementioned destination id field encoded in part or all of the 11 bit TA field. Section IV-E discusses some potential system enhancements to resolve such collisions.

¹ Note that the UE is not yet UL synchronized at the time of the RACH preamble transmission [15].

C. Connection-less mode initiation

In order to be able to transmit data on a connection-less link, both the UE and the eNB have to perform a handshake such that both parties know that UL and DL data will be encoded in the preamble signatures and the RNTI field, respectively. This handshake should be designed such that it can be triggered by the UE (mobile originated traffic) and by the eNB (mobile terminated traffic).

Fig. 5. LTE paging message captured from a real network with 3 padding bits

In the event of a burst of mobile terminated traffic, the eNB triggers the activation of the connection-less mode by means of a Paging message. This type of message includes a tail of 3 padding bits, which are always set to zero. A capture of a real paging message from an LTE network is displayed in Figure 5, with the 3 padding bits set to 0 highlighted. Without disrupting the operation and communication of regular LTE mobile devices, the eNB encodes in those 3 bits the instruction to activate the connection-less mode. In that case, the TMSI (Temporary Mobile Subscriber Identity) field in the Paging message would correspond to a device specific id assigned to each connection-less embedded device. The capacity of the PCH (Paging Channel) is shared between connection-less IoT appliances and regular LTE mobile devices camped on the same cell. The experiments in Section IV-D indicate that the current load on the PCH is low enough to allow mapping the trigger for a connection-less mobile terminated flow. In the event of a mobile initiated flow of data, the UE initiates the connection-less mode. The simplicity of the preamble message makes such an action very complex. Nevertheless, it is very important to be able to trigger connection-less communication from the UE because this is the predominant traffic flow direction of many delay tolerant and low throughput M2M applications [7]. This is the case of, for example, security cameras and alarms reporting periodically.
The simplest method to initiate a UL connection-less flow is to reserve one of the 64 RACH signatures for this purpose. This would result in a marginal deterioration of the maximum UL throughput capacity. In the event of a regular LTE terminal transmitting a preamble with the reserved signature, the eNB would process it as both a regular and a connection-less preamble, responding with a RAR message to the former. In the case of a regular LTE device, the UL RRCConnectionRequest message would indicate to the eNB that it was indeed a regular preamble. The absence of such a message would indicate the opposite. An alternative to trigger the connection-less mode would be to define a sequence of M signatures $S = [s_1, s_2, \ldots, s_M]$ with $s_i \in \{\text{64 RACH signatures}\}$. The transmission of M preambles in contiguous frames, with signatures corresponding to the sequence S, would indicate to the eNB the beginning of a UL connection-less flow.

D. LTE mobile background traffic at the RACH and paging channels

As discussed in the previous subsections, the messages leveraged in connection-less data transmission (RACH preambles, RARs and paging messages) share the same resources as very important control channels of the LTE PHY layer. In order to assess the feasibility of a connection-less link, one should investigate the load on these channels in current LTE mobile networks. A 30 minute over-the-air capture of real LTE traffic was taken on Friday October 24th 2014 during lunch break. The capture was taken at a busy intersection in downtown Manhattan, one of the most densely populated areas in the US. Traffic for two cells was captured. It is important to explicitly highlight that all traffic over the LTE air interface is encrypted, so no user data communication can be extracted from the traffic capture. Moreover, specific filters were applied to the capture such that only signaling plane messages were recorded. RACH preambles, RAR messages and paging traffic were analyzed individually.
In the case of RACH preambles and their corresponding RAR responses, both slots and signatures were checked in order to identify any potential collisions. The results can be summarized as follows:

RACH load: The Random Access traffic per cell is very low, with an absence of RACH traffic in most frames and, at most, one preamble attempt per frame. Utilizing basic statistical tools, the RACH load was approximated and modeled as a Bernoulli random variable with parameter p = 0.0580826 (probability of having one preamble in one 10ms frame).

Random Access Responses: Given the low RACH load, only one RAR response per preamble was observed, resulting in the same number and frequency of RAR DL messages as RACH preamble attempts in the UL.

Paging: An average of 2.55 paging messages per second is observed, which results in 0.0255 paging messages per frame.

Based on these results, one can observe that the traffic load on both the RACH and PCH is very low, even in a highly densely populated area during a time of the day, lunch break, when users commonly check social networks, read news and overall generate a spike in mobile network traffic. This supports the feasibility of deploying connection-less links overlaid on current LTE deployments without noticeably affecting the background RACH and paging traffic from the LTE network.

E. System enhancements and limitations

It is imperative that the eNB always gives absolute priority to regular LTE traffic on the RACH and the paging channels. Therefore, the start of a DL connection-less flow, triggered by a Paging message, would be deferred until there were no regular paging messages in the queue to be transmitted. Given the paging load observed in Section IV-D, the latency this would introduce would be marginal, with no impact on the delay tolerant connection-less traffic. DL RAR messages, which transport DL connection-less traffic, can also be used to acknowledge (ACK) UL messages.
For example, out of the 16 bits of data that can be encoded in the RNTI field, a number of bits could be used to transmit a hash of the 6 bits transmitted in the UL. Alternatively, the ACK bits could be encoded in the 11 bit TA command of the RAR, which is not necessary in connection-less mode. Either way, the eNB shall not transmit a connection-less ACK in the DL resource corresponding to a RACH slot in which a regular LTE RACH preamble was received. The system gives priority to the Random Access RAR messages sent to standard LTE mobile devices. In the event of multiple preambles transmitted in the same RACH slot from different connection-less IoT devices, a collision could not be resolved if two or more preambles had the same signature. Using the TA command as an ACK message provides a method for such collision resolution. The 3 unused padding bits of the Paging message allow for up to 8 different connection-less modes. The connection-less mode defines the number of RACH slots per frame a flow will attempt to utilize. A connection-less link might be configured to map data on, for example, just one RACH slot per frame or only in odd numbered frames. This would result in a lower load on the RACH and fewer collisions at the cost of a lower traffic throughput. It would also allow synchronizing connection-less traffic from multiple devices. This new PHY layer method for data communication is mainly designed and intended for very low throughput and delay-tolerant IoT applications. Connection-less links could theoretically also be used for high throughput IoT applications and even to provide a link for smartphones similar to that of the Universal Mobile Telecommunications System (UMTS) Cell-FACH RRC state [28]. This option is not recommended, though, due to the high load the connection-less traffic would induce on essential LTE PHY control channels, which could result in service deterioration for regular mobile devices.
In this regard, there are certain key security and implementation considerations that should be taken into account, which will be discussed in Section VI. A further limitation of connection-less links is that, as an alternative layer 1 transmission protocol, they bypass all the higher layer LTE protocols, thus not providing the means for seamless mobility. This technology is therefore only intended for non-mobile applications.

F. End-to-end architecture

Connection-less IoT communications are only intended to provide a layer 1 link between M2M devices and LTE base stations with a PHY architecture that does not impact the standardized LTE PHY. As such, this new type of connection provides a narrow Slotted ALOHA access link at each eNB. In order to interface this technology to the layer 3 Packet Data Network (PDN), two alternatives are proposed. On one hand, the eNB can be securely and directly interfaced with the PDN such that connection-less traffic is directly forwarded to the Internet. This option, although feasible, is not recommended due to its scalability challenges. In order to ensure a secure connection, each eNB would have to be equipped with a secure gateway implementing several security functions, such as firewall functionality, as opposed to the current network-based implementation of security functions. On the other hand, the current EPC could alternatively set up and maintain a perpetual bearer between the eNB and the P-GW. All the connection-less traffic originating at or terminating at M2M connected devices camped on a given cell would then be routed through that always-on bearer to the P-GW, where firewall, NAT (Network Address Translation) and other security functions are executed in a standard LTE architecture.

V. EXPERIMENTAL RESULTS

In order to assess the feasibility of the proposed protocol, two system models of a connection-less link have been built in Python and on the OPNET Modeler network simulation tool [29].
The simulation scenario consists of one 10MHz LTE eNB. A variable number k of RACH resources is mapped on each frame, with k ranging from 1 to 20. The special case of a dedicated connection-less cell with k = 80 is also simulated. In the simulation, a number N of M2M devices is camped on the cell with a constant flow of UL traffic reaching their modem. Each M2M device attempts the transmission of one preamble in each frame. In the DL, a constant flow of traffic per UE is assumed as well, mapping data on the RAR messages sent to ACK UL packets. Thus, a maximum of one DL packet per UE per frame is transmitted. In order to provide realistic results, a background RACH, RAR and paging load is added to the simulation. This background load is modeled from the same 30 minute over-the-air capture of real LTE traffic described in Section IV-D. Note that this is the network load seen during lunch break on a weekday at a busy intersection in downtown Manhattan. Simulations are also run for the case of a RACH and PCH load 10 times higher than the one observed in downtown Manhattan. 20 repetitions of each simulation are run and their results averaged.

Fig. 6. UL and DL connection-less throughput with different RACH resource allocations in the LTE frame

Figure 6 plots the raw throughput, both in the UL and the DL, for three different configurations of the RACH resources mapped in an LTE frame (k). The third case, with k = 80 RACH resources within a 10MHz frame, is the case of a fully connection-less dedicated cell. As expected, the contention-based nature of the connection-less link results in a substantial deterioration of the throughput as the load increases. Note that this deterioration would also severely hamper the performance of the regular LTE network. Based on the results, and assuming a controlled deployment with no malicious or misbehaving IoT devices, 20 to 30 IoT devices could be deployed within a cell without impact on regular LTE traffic and with a maximum UL throughput of about 4kbps to 8kbps, which corresponds with the derivations in Section IV-A. Though small, this number of connected devices would be sufficient for typical M2M applications, such as security cameras and remote alarms in an office/warehouse facility or commercial mall under the coverage of a couple of cells. A connection-less dedicated eNB could host around 120 embedded devices.
This could be the case of dedicated LTE small-cells deployed throughout a warehouse with a very dense deployment of M2M devices.

The next step of this analysis is to determine the reduction in achievable connection-less throughput due to the LTE background load at the RACH. This is investigated in Figure 7, which plots the throughput with a configuration of 10 RACH resources per frame. Results are collected in the event of no background load, with the aforementioned downtown Manhattan load and, finally, with a hypothetical load 10 times higher.

Fig. 7. UL and DL connection-less throughput with background LTE RACH load

The results indicate that the RACH background load of one of the most densely populated areas in the US would not impact the performance of a connection-less link. As a result, assuming a controlled M2M deployment and absence of adversarial UEs, the impact of the connection-less link on regular LTE communications would be almost null. In the hypothetical case of a RACH background load 10 times more intense than downtown Manhattan, the connection-less data throughput would potentially be degraded by 5% in the DL and 4% in the UL. In this scenario, both the cellular operator and the M2M service provider should carefully plan and deploy the connection-less UEs in order to prevent deterioration of the LTE performance in that cell. One could argue, though, that a 10MHz cell with 10 times more users than downtown Manhattan would not be a hot-spot of high QoS without the overlay of connection-less devices anyway.

A potential way to reduce the impact of a connection-less link on the QoS of regular LTE users is to reserve a number of RACH resources for each type of traffic. With 20 RACH resources mapped per frame, simulations were run to compare the performance of the system leveraging all the RACH slots and the case where 50% of the slots are used for LTE traffic and the rest for connection-less communication.
In this configuration, there would be no impact of the connection-less traffic on the operation of regular LTE devices, at the expense of fewer RACH resources for both systems. The results, summarized in Figure 8, indicate an expected decrease in throughput and capacity for M2M devices. The maximum achievable throughput decreases by over 50% due to the 50% decrease in RACH slots for traffic plus the increase in collisions between connection-less preambles. Despite this decrease in throughput, the system is still able to efficiently operate about 66% of the M2M population. The decrease in capacity for regular LTE RACH traffic is out of the scope of this analysis, but the notably low load of preambles and RAR messages seen in the wild in very dense areas indicates that the impact would be marginal.

Finally, we aim to investigate the impact of connection-less traffic on the Random Access procedure of LTE devices. To this end, we implement a complete simulation of an eNodeB and its RACH channel. A series of regular LTE mobile devices connect and communicate with this eNB, generating the same RACH load as extracted from the over
the air capture analyzed in Section IV-D. A variable number of connection-less devices is overlaid, with the same constant traffic pattern implemented in the previous results. Two types of collision are defined. A recoverable collision occurs when an LTE RACH preamble is sent in the same RACH resource as any connection-less UL message. Despite the collision, the different signature in the LTE RACH preamble allows the eNB to decode it and reply with the appropriate RAR message. A non-recoverable collision is defined as a recoverable collision with the addition that the LTE preamble selects the same signature as any of the connection-less UL messages it collides with. In this case, the eNB will not be able to decode the LTE preamble, resulting in a small negative contribution to the network access latency of LTE users.

Fig. 8. UL and DL connection-less throughput analysis when reserving RACH slots

Fig. 9. Collisions in standard RACH traffic due to M2M connection-less traffic

Figure 9 plots the average percentage of both types of collision. The results indicate that, although the optimal size of an M2M connection-less deployment (as determined from Figure 6) would result in about 50% of recoverable collisions, the amount of non-recoverable collisions is close to zero. This result is intuitive as non-recoverable collisions would occur only in the event that a connection-less preamble matched in RACH resource and signature with an LTE preamble. Given the very low load of LTE RACH preambles observed in downtown Manhattan, the probability of non-recoverable collisions is very low. As a result, given that the network would always give priority to LTE RACH traffic, the impact of connection-less links on the LTE RACH performance would be close to zero.

VI. SECURITY AND IMPLEMENTATION CONSIDERATIONS

Despite the potential functionality and results of connection-less links for IoT low throughput delay tolerant traffic over LTE links, there are several important aspects to consider. As a basic layer 1 data transmission protocol, this technology does not provide any means for authentication and encryption. This functionality, commonly implemented at the LTE Mobility Management Entity (MME) and the Home Subscriber Server (HSS), is bypassed in a connection-less system. Therefore, both authentication and encryption should be managed at upper layers. A service provider deploying a new connection-less-based IoT system must implement traffic encryption to prevent an attacker from eavesdropping on the data traffic. Mutual authentication must also be explicitly implemented in order to prevent Man in the Middle (MitM) attacks. In partnership with the cellular network operator, service providers could implement authentication and encryption at the eNB. This would require substantial changes at the eNB, though, plus M2M service and subscriber provisioning at the base stations, which could be complex. Either way, it is important to note that such explicit encryption and authentication overhead will reduce the maximum achievable throughput for the connection-less data channel.

The main challenge of the proposed protocol is to minimize its impact on the regular operation of LTE terminals. A connection-less UE modem will inject load on the LTE RACH channel in order to establish a data link. Although careful planning and a controlled number of IoT devices per cell will keep the RACH load under control, both the M2M Original Equipment Manufacturer (OEM) and the cellular operator must enforce strict policies to prevent the radio access from being overloaded. The saturation of the RACH channel has been proven to result in a total denial of service for the overloaded cell [30].
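The following slotted-ALOHA simulator is an added worked example; it is not the authors' Python or OPNET model. It reproduces the mechanics described in Sections IV and V: N connection-less devices each picking one of k RACH slots and one of the preamble signatures per frame, a Poisson background of regular LTE preambles that keep RAR priority (no connection-less ACK is sent in a slot where an LTE preamble arrived), the recoverable and non-recoverable collision classes of Figure 9, an ACK derived from the 6 UL data bits and carried in the 11-bit timing-advance field of a standard 48-bit MAC RAR (field layout per 3GPP TS 36.321), and the persistency probability p that this section goes on to describe as a RACH throttle. The 64-signature count, the Poisson background rate, the ACK mapping (`ack_for`) and the treatment of same-signature connection-less collisions as lost are assumptions of this example, so its absolute throughput figures are not the paper's.

```python
"""Slotted-ALOHA model of the connection-less RACH overlay (added example,
not the authors' Python or OPNET model). Constructed assumptions:
- 64 preamble signatures per RACH slot; a connection-less UL message is the
  6-bit signature a device picks, so one delivered preamble carries 6 bits.
- Two connection-less preambles with the same signature in the same slot are
  unresolvable (as the paper states) and are counted as lost.
- Regular LTE preambles arrive Poisson-distributed per frame, uniformly over
  slots and signatures; lte_rate is a free parameter, not the measured load.
- The ACK is an 11-bit value derived from the 6 data bits and carried in the
  timing-advance field of a standard 48-bit MAC RAR (3GPP TS 36.321 layout).
"""
import math
import random
from dataclasses import dataclass

SIG_BITS = 6
N_SIGNATURES = 1 << SIG_BITS   # 64 preamble signatures per RACH slot
FRAME_MS = 10                  # one LTE radio frame


def ack_for(payload: int) -> int:
    """11-bit ACK for 6 UL data bits: payload in the top 6 bits plus a 5-bit
    check. Constructed mapping, injective over 0..63, so a device can tell
    whether a RAR acknowledges its own data and not a same-signature rival's."""
    check = (payload ^ (payload >> 3) ^ 0x15) & 0x1F
    return ((payload & 0x3F) << 5) | check


def pack_rar(ta_cmd: int, ul_grant: int, tc_rnti: int) -> bytes:
    """Pack the 48-bit MAC RAR payload of TS 36.321: 1 reserved bit, 11-bit TA
    command, 20-bit UL grant, 16-bit temporary C-RNTI (connection-less mode
    reuses the TA field as ACK; the paper suggests the RNTI field for DL data)."""
    word = ((ta_cmd & 0x7FF) << 36) | ((ul_grant & 0xFFFFF) << 16) | (tc_rnti & 0xFFFF)
    return word.to_bytes(6, "big")


def unpack_rar(raw: bytes):
    """Inverse of pack_rar: returns (ta_cmd, ul_grant, tc_rnti)."""
    word = int.from_bytes(raw, "big")
    return (word >> 36) & 0x7FF, (word >> 16) & 0xFFFFF, word & 0xFFFF


def classify_slot(lte_sigs, cl_sigs):
    """Count the paper's two collision types in one RACH slot: each LTE
    preamble sharing the slot with a connection-less message is a recoverable
    collision; if it also shares the signature it is non-recoverable."""
    recoverable = len(lte_sigs) if cl_sigs else 0
    nonrecoverable = sum(1 for s in lte_sigs if s in cl_sigs)
    return recoverable, nonrecoverable


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler (random.Random offers none)."""
    if lam <= 0:
        return 0
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


@dataclass
class SimResult:
    frames: int
    attempts: int = 0
    delivered: int = 0
    lte_preambles: int = 0
    recoverable: int = 0
    nonrecoverable: int = 0

    @property
    def ul_bps(self) -> float:
        """Aggregate connection-less UL throughput in bit/s."""
        return self.delivered * SIG_BITS * 1000 / (self.frames * FRAME_MS)


def run_sim(n_devices, k_slots, frames, persistency=1.0, lte_rate=0.0, seed=0):
    """n_devices connection-less UEs share k_slots RACH slots per frame; each
    transmits in a frame with probability `persistency` (the UMTS-style
    throttle of Section VI) while `lte_rate` regular preambles per frame on
    average form the background. LTE keeps priority: no connection-less ACK is
    sent in a slot where a regular preamble was received."""
    rng = random.Random(seed)
    res = SimResult(frames)
    for _ in range(frames):
        cl = {s: [] for s in range(k_slots)}    # slot -> [(device, payload)]
        lte = {s: [] for s in range(k_slots)}   # slot -> [LTE signature]
        for dev in range(n_devices):
            if rng.random() < persistency:
                res.attempts += 1
                cl[rng.randrange(k_slots)].append((dev, rng.randrange(N_SIGNATURES)))
        for _ in range(poisson(rng, lte_rate)):
            res.lte_preambles += 1
            lte[rng.randrange(k_slots)].append(rng.randrange(N_SIGNATURES))
        for slot in range(k_slots):
            cl_sigs = [p for _, p in cl[slot]]
            rec, nonrec = classify_slot(lte[slot], cl_sigs)
            res.recoverable += rec
            res.nonrecoverable += nonrec
            if lte[slot]:
                continue  # RAR resource goes to the LTE UE: no connection-less ACK
            # eNB side: one RAR per uniquely decoded signature, ACK in the TA field
            rars = [pack_rar(ack_for(p), 0, 0) for p in set(cl_sigs) if cl_sigs.count(p) == 1]
            acks = {unpack_rar(r)[0] for r in rars}
            # device side: delivery is confirmed only if an ACK matches its own payload
            res.delivered += sum(1 for _, p in cl[slot] if ack_for(p) in acks)
    return res


if __name__ == "__main__":
    for n in (10, 20, 30, 60, 120):
        r = run_sim(n, k_slots=10, frames=500, lte_rate=0.2, seed=1)
        print(f"N={n:4d} UL={r.ul_bps:7.1f} bit/s delivered={r.delivered / r.attempts:.2f} "
              f"recoverable={r.recoverable} non-recoverable={r.nonrecoverable}")
```

Sweeping N shows the contention-driven drop in delivered fraction that Figure 6 reports, while `lte_rate` exercises the priority rule and `persistency` the throttle: lowering p spreads attempts over more frames, reducing RACH load at the cost of per-device throughput, which is exactly the trade-off the text describes.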
At the protocol layer, a number of measures can be applied to prevent saturation of the RACH. For example, a number of signatures can be reserved for regular LTE traffic. Importing RACH load control techniques from UMTS, a persistency probability p can be defined, such that a connection-less IoT device with data to transmit will send a preamble in a given frame with probability p. With probability 1 - p, transmission will be deferred to the next frame.

A further layer of protection is necessary as there are known instances of attacks which, by interacting with the modem's drivers or firmware, implement protocol misbehavior in CSMA-like access networks [31]. Connection-less M2M devices should be hardware (HW) limited such that the interference with LTE RACH traffic is minimized. For example, the Radio Frequency (RF) front end of such devices could be designed such that the effective BW of the device is only 1.5MHz to 3MHz, thus preventing M2M nodes from injecting load in the RACH resources mapped in the outermost RBs of the frame. As with the connection-less protocol schemes to throttle RACH load, the RF BW reduction would come at the cost of reduced maximum achievable throughput. Despite the aforementioned security considerations, connection-less links should still be carefully planned and deployed.

VII. CONCLUSIONS

Given the expected surge in IoT devices, there is an ongoing concern in the industry regarding the potential impact that billions of embedded devices will have on modern LTE mobile networks. The traffic characteristics of many types of M2M systems are acknowledged to exacerbate the inefficiencies of the bearer-based architecture of the mobile core. As a result, there is a notable risk of signaling storms that could severely impact the performance of the network. Although there are ongoing standardization efforts proposing means to mitigate such threats, there is a growing need to provide connectivity to M2M devices over mobile networks without requiring expensive signaling traffic among the cellular core nodes.

This paper has proposed and analyzed a novel technique to provide a small slotted ALOHA-like communication link embedded within each LTE eNB, providing the means for connection-less communications for IoT devices. This new type of wireless link is designed for low throughput delay tolerant IoT applications, which are often the least efficient in terms of the ratio of signaling traffic load to actual data traffic. This new technology leverages certain PHY layer LTE channels to embed both UL and DL data traffic within the initial handshake of mobile devices with the eNB, resulting in no control plane signaling at the EPC. Over-the-air captures of real LTE traffic in one of the most densely populated regions in the US (downtown Manhattan) indicated that the current load of such channels is very low. Therefore, although the proposed system adds load to essential LTE control channels, there is plenty of room for a connection-less link with no impact on regular LTE traffic.
Realistic simulation results, including the background load observed in a real LTE network, evidence the feasibility of the proposed technique. A connection-less link could potentially provide, under a typical RACH configuration as defined by the 3GPP standards, a maximum achievable throughput of about 4kbps in the UL and 9kbps in the DL. The analysis presented herein shows that the impact a connection-less link would have on current LTE networks would be marginal, while the potential benefits are substantial.

REFERENCES

[1] A. Iera, C. Floerkemeier, J. Mitsugi, and G. Morabito, "Special Issue on the Internet of Things," IEEE Wireless Communications, vol. 17, December 2010, pp. 8-9.
[2] "More than 50 billion connected devices," Ericsson White Paper, Ericsson, February 2011, http://goo.gl/xi7de1.
[3] G. Wu, S. Talwar, K. Johnsson, N. Himayat, and K. Johnson, "M2M: From mobile to embedded internet," IEEE Communications Magazine, vol. 49, no. 4, pp. 36-43, April 2011.
[4] D. Lewis, "Closing in on the Future With 4G LTE and M2M," Verizon Wireless News Center, September 2012, http://goo.gl/zvf7pd.
[5] "Sierra Wireless invests in LTE-M future for lower power and better coverage in the Internet of Things," M2M NOW, July 2014, http://goo.gl/nfs33w.
[6] "M2M Industry Faces Call to Action with 2G GSM Sunset," Aeris, January 2014, http://goo.gl/mbmkq6.
[7] M. Shafiq, L. Ji, A. Liu, J. Pang, and J. Wang, "Large-scale measurement and characterization of cellular machine-to-machine traffic," IEEE/ACM Transactions on Networking, vol. 21, no. 6, pp. 1960-1973, December 2013.
[8] T. Petsch, S. Khan Marwat, Y. Zaki, and C. Görg, "Influence of Future M2M Communication on the LTE system," in Wireless and Mobile Networking Conference (WMNC), 2013 6th Joint IFIP. IEEE, 2013, pp. 1-4.
[9] A. Prasad, "3GPP SAE-LTE Security," in NIKSUN WWSMC, July 2011.
[10] M. Jaber, N. Kouzayha, Z. Dawy, and A. Kayssi, "On cellular network planning and operation with M2M signalling and security considerations," in Communications Workshops (ICC), 2014 IEEE International Conference on. IEEE, 2014, pp. 429-434.
[11] M. Dano, "The Android IM app that brought T-Mobile's network to its knees," Fierce Wireless, October 2010, http://goo.gl/o3qsg.
[12] C. Gabriel, "DoCoMo demands Google's help with signalling storm," Rethink Wireless, January 2012, http://goo.gl/dplwyw.
[13] "Signal storm caused Telenor outages," Norway News in English, June 2011, http://goo.gl/pqup8e.
[14] 3rd Generation Partnership Project; Technical Specification Group Services and Systems Aspects, "Study on Core Network Overload and Solutions," 3GPP TR 23.843, v0.7.0, 2012.
[15] S. Sesia, M. Baker, and I. Toufik, LTE, The UMTS Long Term Evolution: From Theory to Practice. Wiley, 2009.
[16] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network, "Physical layer aspects for Evolved Universal Terrestrial Radio Access (UTRA)," 3GPP TR 25.814, v7.1.0, 2006.
[17] Sanjole, "WaveJudge 4900A LTE analyzer," http://goo.gl/zg6ccx.
[18] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network, "Evolved Universal Terrestrial Radio Access (E-UTRA); Radio Resource Control (RRC); Protocol Specification," 3GPP TS 36.331, v8.20.0, 2012.
[19] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network, "Evolved Universal Terrestrial Radio Access (E-UTRA); User Equipment (UE) procedures in idle mode," 3GPP TS 36.304, v9.11.0, 2012.
[20] P. Lee, T. Bu, and T. Woo, "On the Detection of Signaling DoS Attacks on 3G Wireless Networks," in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, May 2007.
[21] M. Donegan, "Operators Urge Action Against Chatty Apps," Light Reading, September 2011, http://goo.gl/feqs4r.
[22] S. Corner, "Angry Birds + Android + ads = network overload," iTWire, June 2011, http://goo.gl/nci0dx.
[23] S. Decius, "OTT service blackouts trigger signaling overload in mobile networks," Nokia Networks, September 2013, http://goo.gl/rafs96.
[24] C. Ide, B. Dusza, M. Putzke, C. Müller, and C. Wietfeld, "Influence of M2M communication on the physical resource utilization of LTE," in Wireless Telecommunications Symposium (WTS), 2012. IEEE, 2012, pp. 1-6.
[25] S. Duan, "Congestion control for M2M communications in LTE networks," University of British Columbia, 2013.
[26] S.-Y. Lien and K.-C. Chen, "Massive Access Management for QoS Guarantees in 3GPP Machine-to-Machine Communications," IEEE Communications Letters, vol. 15, no. 3, pp. 311-313, March 2011.
[27] 3rd Generation Partnership Project; Technical Specification Group Radio Access Network, "Evolved Universal Terrestrial Radio Access Network (E-UTRAN); Physical channels and modulation," 3GPP TS 36.211, v10.3.0, 2011.
[28] H. Holma and A. Toskala, HSDPA/HSUPA for UMTS: High Speed Radio Access for Mobile Communications. John Wiley & Sons, 2007.
[29] OPNET Modeler, http://goo.gl/gw7wgo.
[30] D. Spaar, "A practical DoS attack to the GSM network," in DeepSec, 2009, http://tinyurl.com/7vtdoj5.
[31] A. L. Toledo and X. Wang, "Robust detection of MAC layer denial-of-service attacks in CSMA/CA wireless networks," IEEE Transactions on Information Forensics and Security, vol. 3, no. 3, pp. 347-358, 2008.