GSMA Femtocell Project

A coordinated approach for the mobile industry

Release 2 February 2009

GSMA Femtocells Project

Contents

1 Introduction
U

2 Interference and Frequency Management

U

3 Requirements on DSL Broadband

U

4 Architecture and Deployment Guidelines

U

5 Femtocell Management
U

11

6 Testing and Certification of Femtocells

U

14

7 Femtocell and Network Security

U

15

8 Femtocell Terminology
U

18

GSMA 2008 All rights reserved

GSMA Femtocells Project

Chapter 1 Introduction

The introduction of Femtocells into the mobile industry is expected to have a major impact on the approach that operators use to deploy their networks in the future and potentially on services. The prospective benefits to both users and Mobile Operators are substantial, but as with any new technology, there are barriers to overcome and issues to be resolved before wide scale deployment can become a reality. In order to realise the potential benefits of Femtocells, the GSMA has been studying a range of topics with the objective of accelerating the delivery of Femtocell solutions. The aims of this work are to stimulate further interest in Femtocells, provide guidelines for operators on Femtocell deployment, provide a feature list and minimum requirements for the technology, and support cross industry dialogue with relevant standards bodies such as the Femto Forum and 3GPP. The GSMA Femtocells Project identified a number of key topics where a coordinated industry approach would benefit the Mobile Industry. This paper provides an overview of the results of the studies carried out on these topics, including: Radio interference and frequency coordination DSL Broadband requirements Architecture and deployment guidelines Femtocell Management Testing and Certification of Femtocell Access Points Femtocell and Network Security

A detailed whitepaper has been published for each of these topics and if further and published papers can be found at www.gsmworld.com
HTU UTH

GSMA 2008 All rights reserved

GSMA Femtocells Project

Figure 1: Femtocell Access Point

T

A Femtocell is a low power GSM or 3G base-station that is designed to be suitable for installation at customer premises (either in corporate offices or subscribers homes). This can then provide a small footprint of 3G coverage intended primarily or exclusively for the use of the customer housing the Femtocell. In the case of enterprise/office applications, Femtocells may allow other users to access the Femtocell coverage area. The Femtocell Access Point is connected by Broadband DSL or other IP connection to interface with the GSM or UMTS core packet switched and circuit switched networks. Femtocells work with standard devices that are compliant with existing 2G and 3G air interface technologies. This ensures seamless service and good interoperability with existing networks and avoids the need for specifically adapted handsets.

GSMA 2008 All rights reserved

GSMA Femtocells Project

Chapter 2 Interference and Frequency Management

Femto Access Points will be implemented in customers homes and other uncontrolled environments; therefore it is important to understand the potential interference issues that may arise. Femto Access Points may be deployed either using the same carrier frequency as the Macro cellular layer, or using a different carrier. There are benefits and drawbacks for each approach, but a common issue is interference between Femto Access Points and the macrocell layer when they are in close proximity. There are two main interference scenarios that need to be considered: Management of co-channel interference, which will generally be within the domain of one operator Adjacent channel interference, which maybe caused by interference between different operator networks.

2.1 Co-Channel Interference In the co-channel deployment there are two main scenarios: 1. When a Femto Access Points is very close to the macrocell base station, causing the Femto Access Points to have a very limited effective coverage range, due to the high received signal level from the co-channel macrocell. 2. When a Femto Access Points is too far from the macrocell base station, where the Femto Access Point may cause a coverage outage (in some cases extending beyond the home or residence) to mobiles attached to the macrocell due to the low received signal level from the co-channel macrocell. The first instance (Femtocell downlink) provides the main deployment issue, and in the case where a Femto Access Points is located very close to the macrocell base station (less than 50 metres) then the Femto Access Points may become unusable. Interference also affects the Femto Access Points installed in homes that are close to the macrocell basestation when using the same carrier (i.e. co-channel Femto-Femto interference). This interference affects the downlink and may be experiences in multi occupancy buildings such as flats with low attenuation walls.
4 1
UE Macro UE A2 UE A2 HNB NB A A

2 6 5
UE B1 Macro UE UE Macro NB Macro

3
HNB NB B

UE A1

Macrocell A
T

NBartment Apartment A

NBartment Apartment B

Macrocell B

Figure 2 Femto/Macrcocell Radio Landscape HNB Home Node B, 3GPP term for Femto Access Point
T

GSMA 2008 All rights reserved

GSMA Femtocells Project

2.2 Adjacent Channel Interference Where a Femto Access Point uses a dedicated carrier adjacent to the macrocell carrier frequency, and for cases where there is closed access then further analysis is required. In particular an assessment is needed of the impact on mobiles which are visiting within the home containing an access point on an adjacent carrier, as they may face service degradation when close to the Femto Access Point. The extent of the degradation depends on how weak the signal is from the Macro cellular network.

2.3 Conclusions and Recommendations on Interference Femtocells are a promising technology that will extend indoor coverage and additional capacity; however they are subject to interference issues that must be carefully managed. If these issues are not addressed then it could lead to radio inference stopping a Femtocell from operating or connection issues for handsets connecting to the Marco network that are not within the Femtocell access group.. The severity of interference is related to the specific deployment environment and is more relevant when sharing the same carrier between the macrocell layer and Femto Access Point. The impacts of an outdoor macrocell base station over indoor Femtocell coverage are particularly critical for the Femtocell downlink when macrocells are located very close to a Femto Access Point. Uplink interference of users connected to a distant macrocell can also limit the Femto Access Point performance. Mutual interference between Femto Access Points located inside adjacent buildings can cause performance to decline, especially in the case of a high density of access points in flats and multi-occupancy buildings. In this case it is necessary to coordinate the appropriate installation location of Femto Access Point in individual apartments. Interference must be carefully taken into account and managed when deploying Femtocells. Solutions which can help to limit the effects are to: Ensure that Femto Access Points are not installed too close to a macrocell basestation Use a dedicated carrier for the Femtocell layer Use an open access deployment scenario (where Femtocells are able to manage traffic of all carrier users).

It is also desirable for the suppliers of Femtocell solutions to include functionality to the control and limit the transmitted power, and the ability to self select a suitable scrambling code.

GSMA 2008 All rights reserved

GSMA Femtocells Project

Chapter 3 Requirements on DSL Broadband

There are two basic scenarios for provisioning of the DSL Broadband connection. The first is where there is no interaction between the operator and DSL service provider and no specific requirements are asked of the DSL service provider. In this case there are a number of implications for the Femtocell service and there are several workarounds that operators may consider to mitigate the impacts. In the second case the operator may have a service level agreement with the DSL provider and examples of service requirements for this case have been identified. The overall recommendation is to limit the requirements on a DSL Provider or ISP to a minimum, i.e. only consider those requirements that could be showstoppers for the roll-out of Femtocell services. The three key areas to consider are as follows: Providing location information for the Femto Access Point (FAP) Broadband Performance: Availability, Bandwidth, Delay, Jitter, Packet Loss Congestion Management, including contention with other services supported on the Broadband link

3.1 Providing location information for the Femto Access Point (FAP) Three possible solutions are identified as the most suitable methods of providing a Femto Access Point location check. 1. Use information gathered from the macrocell layer of the network. This information would be gathered by the Femtocell searching (sniffing) the Macro layer and providing information back into the network. 2. Making it a contractual requirement of the provisioning of a Femtocell service that the customer provides the location information of the Femto Access Point. It would also be possible to cross reference this information against the billing address information of the DSL provider. 3. Adding a GPS device into the Femto Access Point and then programming the access point to send the exact location to the network. Once this information has been received into the network then it could be used to identify the most suitable frequency and power for the access point to use. From these options the GSMA have made further recommendations. The preference should be to use a network sniffing method in parallel with the billing address information provided by the ISP as a back up option. GPS is best used only if there is a regulatory requirement with in a specific country. This is due to the nature of GPS technology, as an access point may be often be located in an areas of poor coverage or in home locations where the GPS system is likely to suffer from poor satellite coverage.

GSMA 2008 All rights reserved

GSMA Femtocells Project

3.2 Broadband Performance: Availability, Bandwidth, Delay, Jitter, Packet Loss of traffic A fundamental element of the Femtocell architecture is based on the availability and quality of the broadband line between the Femto Access Point and the Operators core network. If there are performance issues, or if the DSL connection is lost then the access point becomes inoperable. To ensure that the performance of the Broadband line is suitable then a potential solution is for the operator and DSL provider to sign up to a Service Level Agreement (SLA) to ensure availability and to allow the operator to monitor and assess broadband performance - typical performance indicators are Bandwidth, Delay, Jitter and Packet Loss. If it is not suitable for an operator to agree with an ISP a set of performance SLAs - for example because it would be too complex to negotiate or to monitor, manage and police the SLA KPIs - it is recommended to implement at least a solution where the access point internally monitors the performance of the Broadband link and switches off the Femtocell service - including radio - if backhaul quality does not meet the performance criteria required to support a proper Femtocell service. The SLA may also need to include network QoS scheme to ensure QoS marking is consistent across the end-to-end connection. If DSL service provider does not implement QoS, then the DSL service provider shall at least agree not to strip off the QoS markings that Femtocell operator has inserted.

3.3 Congestion Management Congestion of a DSL line could have a major impact on the performance of Femtocells, this is especially the case in households where there are multiple devices connected to a single DSL line. To protect against this issue it is recommended that the Femto Access Point has the capability to redirect a call to the macrocell layer if congestion occurs. Femtocell traffic should be prioritised in a consistent way with all other devices and services sharing the same DSL link.

GSMA 2008 All rights reserved

GSMA Femtocells Project

Chapter 4 Architecture and Deployment Guidelines

One of the critical success factors for the deployment of Femtocell technology is to achieve interoperability between the Femto Access Point and networks. This will enable users to choose access points without undue restriction and enable competition between vendors. Operators should be able to deploy network equipment which can be independent of specific access point vendors. These interoperability requirements demand the development of a common architecture and appropriate technical standards to enable a mixand-match approach to access point and network selection. To achieve this objective, the Femto Forum has developed a functional architecture that is shown below, with the standard attributes that are defined for both the FAP (Femto Access Point) and the FGW (Femto Gateway).

Femto Management System FAP-MS

Fm FGW-MS Fg HPLMN Core Network Fr Fb-cs Fb-ps Fixed Broadband Fb-ims Subscriber Databases CS core

Femto GW
Fa Mobile device Radio i/f

Femto Access Point

FL

Home GW SeGW

PS core IMS core

HPLMN RAN

Figure 3. Femto reference architecture subject to change. Source: Femto Forum1.

P P

1. Standards work ongoing in 3GPP initial Home Node B and evolved Home Node B standard R8 and R9
T

GSMA 2008 All rights reserved

GSMA Femtocells Project

The Femto Access Points (FAP) would typically contain functionality:

T

3GPP Signaling, User Plane, Radio Resource Management IP transport functions QoS management functions Layer-3 Security functions TR-069 Management functions Auto configuration Firewall functions NAT, Security

The Femto Gateway (FGW) would typically contain functions like: 3GPP RANAP Network timing delivery and synchronisation Femtocell authentication and authorisation AP Topology hiding Network topology hiding IP Security functions (IPsec tunnel management functions, IPsec tunnel IP address management functions, etc.) Femtocell traffic aggregation and routing Auto configuration 1
TPF FPT

Along with these definitions the need for full interoperability was identified between different vendors designed Femto Access Points and Femto Gateways. There is still further work ongoing in the Femto Forum and within 3GPP to define architectures including an Iuh based architecture with Iucs and Iups towards the CN. To assist in guiding this work, there has been a detailed assessment of the Femtocell requirements that have been put forward in 3GPP specification TS 22.001 and now also within the new work on TS22.220, and a number of further architecture requirements from the operators perspective have been defined. A detailed explanation of this work can be found with the GSMA 3G Architecture Operator Deployment Guidelines document.

1
TP PT

Note auto configuration functions enabled by Auto Configuration Server

GSMA 2008 All rights reserved 9

GSMA Femtocells Project

4.1 Conclusions and Further work Femtocells are intended for deployment in customers homes, the customer should be given a selection of different types of operator certified and configured access points from a selection of different vendors to choose from. All of these should be suitable for connection into an Operators gateway. To obtain sufficiently large volumes to achieve economies of scale, standardised solutions and interoperability are seen as crucial to enable Femtocell success. Operators require that standardised protocols and interfaces are used between both the Femto Access Point and the Femto Gateway, and between the Femto Gateway and the mobile network. No extra application servers should need to be introduced between access points and the networks. In the longer term and to the extent possible there should be full interoperability between FAP and FGW from all vendors. This is required to achieve the economies of scale needed to exploit the full potential of the foreseen market for Femtocells and to create a sustainable business for the future. In order to achieve this, there is a need to continue the standardization activity which is partly completed and ongoing as listed below : The interface(s) between Femto Gateway and Femto Access Point (known as Iuh in 3GPP Rel 8) Security protocols (ongoing Rel 9 work in 3GPP) UICC or TPM (trusted platform module) for device (FAP) authentication (Rel 9 work in 3GPP) Common discovery and parameters for auto configuration Management capabilities based on TR-069, and standard management objects Open test interface implemented in the Femto Gateway to ensure interoperability over the Fa (Iuh) secure interface

Compliance with standards and a commitment to interoperability are important criteria when selecting vendor solutions for use in networks.

GSMA 2008 All rights reserved

10

GSMA Femtocells Project

Chapter 5 Femtocell Management

Radio aspects of the management of Femtocells are likely to be in common with the management of conventional macro cells, however, due to their nature combined with the large number of Femtocells is likely to raise some new and additional issues.

5.1 Subscriber premises deployment Femto Access Point will be implemented in subscribers homes and other uncontrolled environments. Therefore customers will be able to carry to some activities that will affect the performance of the Femtocell layer without operator involvement and in an uncontrolled way. Such activities could include; Removing and re-applying power Moving the physical location of the Femto Access Point Disconnecting the DSL line Re-setting the Femto Access Point Loading the DSL link with other data applications Possibly other activities, including tampering with the. Femto Access Point

5.2 Femtocell deployment scale Femtocells have the potential to be very widely deployed, for example it could be foreseen that over the medium term, larger networks may incorporate many millions of Femtocells, the Femtocell population could rapidly overtake the population of conventional cells, perhaps by several orders of magnitude.

5.3 Customer care Femtocell management may, in some cases, require the intervention of customers and there is a need to consider customer care processes as part of the Femtocell management system.

5.4 Integration with other home network systems It is expected in some applications, provision of FAP may be linked with DSL modem and other home network devices as part of an overall customer proposition. In these cases, management of Femtocells may need to be integrated with the management of these other devices.

GSMA 2008 All rights reserved

11

GSMA Femtocells Project

5.5 Femtocell management requirements Operators will require the provision of management capabilities for Femtocells, consistent with the management systems used for conventional macrocells. It will be particularly important for operators to ensure that they have secured certain management functions in order to comply with their local regulatory obligations and to support any needed operational co-ordination between operators. The following list of requirements may be useful in establishing contracts with Femtocell suppliers. Inventory management (especially for retail based distribution to customers). Provisioning of Femtocell customer equipment for individual or groups of Femto Access Points. Allow the use of profiles to ensure easy provisioning of Femto Access Points. The ability to be able to identify individual Femto Access Points and to link the identity with a specific customer and location address. Activation / deactivation of Femtocell customer equipment. The ability to enable and disable the Femtocell radio transmissions, overriding any control that the customer may also have. Configuration management. The ability to configure the key radio parameters, such as transmit power, frequency, etc. remotely. Note there may also be auto-configuration of these parameters, but operators will have the option to manually override any settings. Fault management (monitoring, incidents and problem management). 1. Alarms and reporting should be able to distinguish real faults from situations where users may regularly turn off their FAP or Broadband connection. 2. Location sensing and an ability to reconfigure or deactivate the Femto Access Point if its location changes. Change management, including the ability to provide remote software upgrade. Performance and capacity management. Service monitoring. Management of access control lists. It is expected that Femtocell subscribers will be able to add and remove the identities of end-users that are permitted to access the Femtocell. In addition, operators shall be able to pre-configure the list, make changes, and override the subscriber settings.

GSMA 2008 All rights reserved

12

GSMA Femtocells Project

5.6 Conclusions and Recommendations A comprehensive management system will be a major factor in the success of Femtocell deployment. This is important in order to offer good quality of service to customers, and to avoid excessive costs of managing and supporting Femtocell solutions. Operators need the ability to monitor, control and update the Femto Access Point in a subscribers home. Many vendors are proposing solutions which use the existing Broadband Forum TR-069 specification to deal with remote management requirements. TR-069 is a robust and proven protocol suite which deals primarily with the requirements of DSL modems and their configuration. The basic elements of the Broadband access of the Femto Access Point can be managed in this way. However, TR-069 as specified is not sufficient to detail the radio and user configuration parameters, which will either require extension of the current standard or another method of configuration. At the moment BBF and FF are working on a common object model which will be referenced in 3GPP SA5 standard work. It is recommended that the industry should collaborate via the Femto Forum, Broadband Forum (formally known as the DSL Forum), 3GPP and the Open Mobile Alliance to guide and facilitate the development of standard management objects for a Femtocell management system.

GSMA 2008 All rights reserved

13

GSMA Femtocells Project

Chapter 6 Testing and Certification of Femtocells

6.1 Testing To ensure a positive customer experience and general market acceptance, the Femtocells components (Femto Access Point, Femto Gateway) and any supporting capabilities in terminals must be available well in advance of the commercial launch of Femtocell services, To facilitate early delivery of Femtocells and ensure interoperability with terminals the following key requirements are envisaged: Network operators, Femtocell vendors and terminal vendors shall agree common system specifications with relevant test equipment vendors, ideally through the appropriate industry bodies. Interworking tests (IWT) shall start early during development and debugging phase. Interoperability testing (IOT), conformance testing and type approval are also required to be in place at an early enough stage to ensure timely availability of equipment. a. b. c. Interworking between Terminals and Femto Access Point Interworking between Femto Access Point and Femto Gateway Interworking between Femto Gateway and Core Network

6.2 Certification A Femtocell Service Certification Regime will establish confidence in interoperability. This shall have the purpose of ensuring implementation as well as making the time-to-market as short and as cost efficient as possible. It is expected that established industry bodies such as the Global Certification Forum (GCF) and the Femto Forum shall be used. The Femtocell Service Certification Regime should cover the following key building blocks of test areas: 1. Regulatory requirements 2. RF characteristics 3. Interoperability and conformance testing on protocol level (layers 1, 2, 3) 4. Conformance testing on protocol level (layers 1, 2, 3) against validated test equipment where IOT against actual Femtocell access point is not possible. 5. Field testing in live networks 6. Testing of service quality for the key services offered by Femtocell Access Point systems 7. Registration 8. Security audits 9. Femto Access Point management

GSMA 2008 All rights reserved

14

GSMA Femtocells Project

The Femtocell Certification activity is split into two separate areas: 1. Certification of terminals supporting Femtocell services, where existing certification bodies are expected to continue to deal worth terminal certification. 2. Certification of Femto Access Points and Femto Gateway, which will require new processes and may require a new certification forum or significant changes to existing terminal certification.

GSMA 2008 All rights reserved

15

GSMA Femtocells Project

Chapter 7 Femtocell and Network Security

This section provides a summary of the key security issues identified and related recommendations from the GSMA.

7.1 Operator Control of access point international location As Femtocells operate in licensed radio spectrum there is the need for operators to control the location in which they are operating. This control is required because it must be possible for an operator to identify if an access point is operating in a country or frequency range outside of their licence. The Femtocell management system should be capable of shutting down or preventing initialisation of an access point if the location cannot be established. This requires a connection to the management system during device powerup and then regular location verifications during device operation.

Technique AGPS Macro network sniffing DSL Port/ IP Address Customer Provided Installation address

Granularity Achieved Accurate to <100m Accurate to <300m (Urban) Subject to RIR but can be regional/Country Specific Exact address mapping

Table 1 Physical Location and Protection of Femto Access Points

The introduction of Femtocells into subscribers homes will open the mobile network to a number of new risks that need to be protected against. For the first time customers will have direct access to an item of equipment that has a direct link into the mobile network. They will have the ability to physically access the hardware components of the device and to adapt/make changes to the device to allow fraudulent use in much the same way as is done with Satellite and Cable receiver boxes. It is recommended that operators use O&M capabilities to defend against unauthorised access to Femto Access Point this may include tamper notification, automatic soft failure and notification if components or key parameters such as transmit power are modified. Access points shall be physically and logically hardened e.g. OS hardening, no open ports, measures to avoid exposing sensitive data to system buses and memory devices, tamper resistance, tamper detection, trusted computing platform, etc. Boot up software for access points shall be protected by a cryptographic means such as using a TPM (Trusted platform module) and all software updates, configuration changes should be cryptographically signed. Femto Access Point shall also be provided with a visual indication of physical attempt at tampering for both protection and warranty purposes.

GSMA 2008 All rights reserved

16

GSMA Femtocells Project

7.2 Femtocell Management Specific implementation vulnerabilities may be found in Femtocell products that may require operators to remotely patch a large number of Femto Access Points in the field. Several security vulnerabilities in Wi-Fi access points have previously been discovered and it is likely that Femtocell products will also need to be remotely patched on a regular basis for security and performance issues.

7.3 Femtocell Device Authentication The use of UICC as proposed in a 3GPP SA3 TR is one option to support device authentication but this approach may not be the preferred option. The implementation of an appropriate mechanism to pair the UICC and the FAP would facilitate the authentication of a FAP with a secure token such as a UICC card. Secure pairing requires a secure channel to be established between the Femto Access Point and the UICC. An example implementation is described in ETSI TS 102 484. A robust pairing mechanism, that is not susceptible to the type of security compromise that has been evidenced with SIM lock mechanisms in mobile handsets, could be used to bind the UICC to the FAP. Such a mechanism would mitigate, if not counter, the risk of the valid authentication token being used in other unauthorised devices. This would prevent unauthorised devices that are equipped with UICC readers from obtaining access to the operator IP network. More information are available in TR 33.820 where a Trusted Platform Module is mandatory and UICC for hosting party authentication is optional to be used and deployed within a FAP.

7.4 Authorisation In a typical consumer offering a Femto Access Point will be purchased from a retail outlet including phone and computer resellers. The access point will need to be configured with network and user parameters and in all cases any access point must be authorised by the network Operator prior to bringing it into service.

7.5 Algorithm Licensing It is very likely that Femto Access Points will be attacked to allow eavesdropping and unauthorised access. Therefore it is essential that access point manufactures ensure that current up to date GSM and UMTS algorithms are implemented on their equipment.

7.6 Export Control of Femtocell Access Point Due to the operation of Femtocells in licensed spectrum it is essential that the export of Femto Access Points is controlled. Without this there are risks of uncontrolled and unwanted operation in areas that are outside of operators licensed radio frequencies and therefore interference issues will occur. Ensuring full compliance with appropriate regulations is the responsibility of individual Femtocell equipment suppliers.

7.7 Lawful Interception Lawful Intercept requirements are not impacted by the introduction of Femtocells. It is recommended that Femtocell solutions shall support all the current requirements on the macrocell network.

GSMA 2008 All rights reserved

17

GSMA Femtocells Project

The accuracy of location data for the purposes of lawful interception, and emergency calls, must satisfy local regulatory requirements. The use of a reliable and tamper proof GPS function within the Femto Access Point should be considered, if this is the chosen solution.

7.8 Anti-Fraud protection The strength of security countermeasures should be appropriate for particular Femto Access Point deployments. It is believed that some Femtocell applications may override, or conflict with, some of the security mechanisms already inherent in mobile technologies. In particular, there is a concern that Femtocell mobility management procedures may negatively impact the Temporary IMSI (TMSI) feature used, instead requiring that the IMSI is requested and transmitted in the clear. The GSMA recommends that the secure interfaces are used between the Femto Access Point and mobile network to provide physical and logical security of the Femto Access Points sensitive data to ensure it never leaves the protected domain within the Femto Access Point. It is also recommended that only TMSIs are used over the air. In addition to attacks against deployed Femto Access Points, it is important to remember how the equipment itself could potentially be used for illegal purposes. It is important that Femtocell equipment is only supplied to reputable buyers as failure to do so opens up the possibility of Femto Access Points being used to support illegal call selling and traffic routing activities, avoidance of lawful interception, use as a false base station to launch man-in-the-middle attacks, etc.

7.9 Network and Backhaul Security The connection mechanism for Femto Access Points is via the public internet and DSL links, resulting in a number of new security issues. These issues range from defending against eavesdropping of calls to a user injecting of malicious traffic into the backhaul network. Any security solution should also efficiently handle multiple simultaneous calls over the backhaul. The most significant threat exists on the last few metres to the Femto Access Point, which are usually based on Ethernet. Further backhaul over WAN is of secondary importance. In order to mitigate these concerns GSMA recommends that Femto Access Point traffic except local IP - and Internet breakout traffic) should be secured using IPSEC VPN over xDSL backhaul (however, it is noted other candidate security solutions exist including SRTP), with all traffic being secured cryptographically including the User and Control plane traffic. Protection of Control Plane and Management Plane are likely to be required by regulations pertaining in most countries. The same could be true for the User Plane but, even in countries where User Plane privacy is not required and subsequent encryption not deployed, the risk of eavesdropping locally on the last metres of any Ethernet connection to user provided DSL routers or backhaul must be carefully assessed by the operator.

7.10 Femtocell Access Point Security/Authentication A major threat to the roll out of Femtocells is the development and use of cloned or unauthorised equipment. Protection should be provided against non authorised access points connecting to the network. The use of stolen and unapproved access points should be addressed by device authentication described in a previous recommendation

GSMA 2008 All rights reserved

18

GSMA Femtocells Project

Chapter 8 Femtocell Terminology

The table below defines some of the new definitions and terminology that will be used when entering into the field of Femtocells and their deployment. The definitions have been defined by the Femto Forum and within for the GSMA Femtocells project. The GSMA support all of these definitions, and believe that they should the standard terms used in discussion that relate to Femtocell technology.

Access Control Access Control List Local (PS) Breakout

Mechanism for restricting access to a particular FAP to a specific list of Femto users. List of Femto users with access right to a particular FAP. Mechanism by which a FAP user's packet data traffic, after the FAP user has completed registration and authentication, is routed to the FAP subscribers local intranet or the backhaul broadband network providers local network/Internet, instead of being routed via the femto service provider's femto core network. A Femtocell deployment model where only a defined set of Femto Users can access the FAP. A feature of femtocells that allows access to a Femtozone to be restricted to a particular set of Femto users. This could be members of a household and guests in a residential context, or employees in a corporate environment. A FAP optimized for corporate environments. Still self-install and low power (<20mW), but may have higher capacity than residential FAP e.g. 8 or 16 simultaneous calls. Will have additional functionality such as handover between FAPs within a Femto Cluster and support for specific network features e.g. 802.1X security, PBX integration, managed by IT for single central Access Control List etc.

Closed Access Closed Subscriber Group Enterprise FAP (Enterprise Femto)

Extended Femto Cluster Fa interface

A non-contiguous Femto Cluster. A single managed network, with one Access Control List but geographically distinct Femtozones. Interface between FAP and FGW. This refers to a generic (air-interface agnostic) architectural interface; specific standards will have their own implementations for this interface. A specific example is Iu-h interface being defined by 3GPP for W-CDMA. The access network (potentially backhaul broadband IP network connecting FAP to FGW) where the FAP subscriber has permanent subscription. The person who is responsible for the FAP, controls the access list and likely to have the billing relationship with the Femtocell service provider. Will typically be the lead user in a household, but could be the corporate IT manager in an enterprise context.

FAP Backhaul Network Femto Subscriber

GSMA 2008 All rights reserved

19

GSMA Femtocells Project

Femto Access Point (FAP)

Customer-premises equipment that connects a mobile device over licensed spectrum wireless air interface (such as 3G and/or 4G) to a mobile operators network using broadband IP backhaul. Defining characteristics include: limited number of users (typically four); self-install (zero-touch); low RF power (usually <20mW to meet ICNIRP radiation threshold); using unmanaged networks for backhaul connectivity (eg residential broadband). Note 1: 3GPP refers to this device as Home NodeB or Home eNodeB. Note 2: FAP may or may not integrate broadband access modems, such as DSL/cable modem into a single device.

Femto Cluster

A group of several FAPs connected and managed as a single network with single access control list and supporting a contiguous Femtozone larger than the coverage of a single FAP. Will typically support handoff between FAPs A mobile network operators equipment (usually physically located on mobile operator premises e.g. in a POP) through which FAP gets access to mobile operators core network. Key capabilities provided by this system include signalling and bearer traffic tunnelling and inter-working function, among others. Note 1: Vendors have traditionally used other terms such as Access Controller, Access Gateway and Femto Aggregator to refer to this device in their respective literature..

Femto Gateway (FGW)

Femto User

A Mobile operator client who has the right to access and place calls on one or several FAP connected to the Mobile Operator Network. Note 1: Femto user may or may not own the FAP. E.g., In Multiple Dwelling Unit (MDU), FAP may be owned by MDU association, whereas individual residents in the MDU are merely using the Femtocell service.

Femtocell

A technology that extends the coverage of licensed wireless technology such as WCDMA, GSM, GPRS, cdma2000, WiMAX, LTE etc. to customer premises over a broadband IP backhaul. Note 1: This term is sometimes loosely used to refer to the FAP itself. The subscriber pays and has a contractual relationship with the Femtocell service provider. Will typically be the cellular operator who owns the spectrum used by the FAP (MNO) but could be a third-party such as an MVNO (The brand on the box) Region within the boundary where femto tariffs and services are available. Typically the coverage of a single FAP, but may also be the coverage area of an FAP cluster Protocol defined to transport Iu control signalling over the Internet on Iu-h interface between HNB and HNB-GW. This is a process of Femto user registering its presence in a registration area, for instance regularly or when entering a new registration area. A deployment model where any cellular subscriber can use the FAP i.e. there is no Closed Subscriber Group

Femtocell Service Provider Femtozone Home Node B Application Protocol (HNBAP) Location Registration (LR) Open Access

GSMA 2008 All rights reserved

20

GSMA Femtocells Project

Picocells

Mainly indoor cells, with a radius typically less than 100 metres (source: 3GPP 21.905.v8.0.0 or 3GPP2 XXX). Historically defined within conventional network architecture (Eg Abis over dedicated backhaul connection) and require specific, manual installation & frequency planning. Increasingly, a high-capacity system with higher RF power (e.g. 23dBm), using broadband backhaul with and more simultaneous calls e.g. 16 or more, than an FAP or Enterprise Femto. This will typically have additional sophisticated functionality eg soft-handoff or support for Femto Cluster. It may still require operator installation.

Registration Registration Area Security Gateway (SeGW) Or Femto Security Gateway (F-SeGW) Super Femto

This is the process of camping on a femtozone and doing any necessary Location Registrations (LR). An area covered by one or many FAPs governed by an administrative domain, such as, an enterprise or a femto network operator. A device establishing secure credentials for FAP and terminals before allowing them to access services from core network (CN). In addition, SeGW helps establish Security Association (SA) between FAPs, terminals and core network elements. SeGW may be integrated with FGW or could be a standalone device sitting between FAP and FGW. A high-capacity FAP which is typically deployed in an open access environment. This is still selfinstall and low power (<20mW). Example would be in a coffee shop supporting eight simultaneous calls.

Document Reference: FCG.07Version1/Nov2008

GSMA 2008 All rights reserved

21