Many 4G networks cannot carry plain old telephone calls, so many mobile operators support voice calls by transferring the handset to a 2G or 3G network for the duration of the call. The procedure for doing this is called “Circuit-Switched Fallback”, or CSFB. CSFB is an interesting procedure from a network operation perspective and from a security perspective. With a pair of Legba LabKits, one in 2G mode and one in 4G mode, you can reproduce and modify the CSFB procedure on a test bench.
The “Why” and “What” of Circuit-Switched Fallback
Circuit-Switched? What is that anyway?
Since 1876, nearly all telephone calls in the public network have been “circuit switched” (CS), meaning that the network forms a dedicated connection, at the physical layer, between two telephones, and this connection is held for the duration of the call. The concept of a “packet switched” (PS) network, like the internet, did not even exist until 1960 and the first practical large-scale PS network, ARPANET, was not operational until 1975. In the late 1980s, ARPANET escaped the DoD labs and morphed into the Internet. Today most networking “experts” pass a whole career with zero knowledge of the Internet’s larger, older, CS counterpart, the global SS7 network, which still carries most of the world’s telephone calls and text messages, and also handles the mobility procedures that make international cellular service possible.
GPRS, IMS, and VoLTE
In the 1990s, GSM (2G) gave us the first global standard for digital mobile networks, but it was CS, based on ISDN, and optimized for voice. Around the year 2000, GPRS added PS capability to GSM networks, but it was slow and inefficient. Then UMTS (3G) standards introduced IMS as a way to carry telephone calls over the faster 3G PS connections. IMS made an all-PS network possible in principle, but mobile operators continued to use CS for telephone calls because CS made more efficient use of radio spectrum and battery power, and because they could continue to reuse legacy ISDN switches.
Then came LTE, a PS-only technology that eliminated CS support from the cellular radio network. The intention was that telephone calls would be made with IMS, a feature marketed as “Voice over LTE” (VoLTE). In reality, VoLTE deployment has been slow, with problems in several segments of the network that have taken years to resolve, especially for smaller operators. Many operators continue to maintain 2G and/or 3G networks to carry CS telephone calls, both while they wait for VoLTE to work better and to keep providing telephone service for handsets that do not support VoLTE.
VoLTE Dream, CSFB Reality
Today, for a typical mobile operator, there is an LTE (PS) network that carries data and a GSM or UMTS/HSPA (CS) network that carries telephone calls. Handsets spend most of their time in the PS network, but when they need to make or receive a voice call, they get pushed onto the CS network using a technique called “Circuit-Switched Fallback” (CSFB), a name that makes sense once you know the background. Once the handset is in the CS network, it proceeds with the call. (If you watch the little service icon on your phone, you may notice that you leave the LTE network during a call.) In a CSFB procedure, the only role of the LTE network is to send the phone to the CS network, and signaling between the PS and CS networks is minimized.
This first figure shows the different network elements involved:
This second figure shows a typical (simplified) ladder diagram:
The failure of VoLTE presents a problem for many operators because it requires them to continue to maintain older CS networks in order to provide basic voice service. And the existence of the CSFB procedure exposes handsets to all of the security risks associated with 2G networks.
CSFB on Your Test Bench
With two Legba Lab Kits, one in LTE mode and one in GSM mode, you can reproduce the CSFB procedure on your test bench, for education, for device testing, or for security research.
The LTE eNodeB can be configured to automatically push any handset to the GSM network, regardless of the EPC signaling on S1. The eNodeB configuration, in /etc/yate/sdr/enb-custom.conf, looks like this:
; CSFB configuration
; Preferred CSFB type, 2G or 3G
; If both 2G and 3G neighbors are available, prefer this type.
; If only one neighbor type is configured, this parameter has no effect.
CsfbType = 2G
; Force CSFB for all connection attempts?
; This is a test feature, disabled by default, but enabled in this example.
forceGsm = true
; 2G neighbors (listed by GSM ARFCNs)
; valid types are: GSM (for GSM in 850/900/1800), PCS1900 (for GSM in 1900)
; other types are not supported at this time
Neighbors2GType=GSM
Neighbors2G=600
On the GSM side, you must also configure the LTE neighbors in YateBTS, so that the phone knows how to return to LTE at the end of the call. This is done in the “handover” section of /etc/yate/sdr/ybts.conf:
[handover]
; EUTRAN.EARFCN: unsigned int: EARFCN of the LTE network;
; VALUE 0 DISABLES CIRCUIT-SWITCHED FALLBACK!
; Default: 0
EUTRAN.EARFCN=1300
; EUTRAN.priority: int: Priority of the LTE network;
; It takes a number between 0 and 7 which represents the priority of the LTE network.
; Should be set higher than GSM and 3G.
; Default: 6
EUTRAN.priority=7
; EUTRAN.thresh_priority_high: int: Reselection high threshold towards LTE FDD or TDD cells.
; It takes an EVEN integer value between 0 dB and 62 dB.
; Default: 18
EUTRAN.thresh_priority_high=0
; EUTRAN.thresh_priority_low: int: Reselection low threshold towards LTE FDD or TDD cells.
; It takes an EVEN integer value between 0 dB and 62 dB.
; Default: 18
;EUTRAN.thresh_priority_low=18
; EUTRAN.QRXLEVMIN: int: Minimum required RX level for cells on the target LTE EARFCN.
; It takes a negative even integer from -140 dB to -78 dB
; Default: -140
;EUTRAN.QRXLEVMIN=-140
; GSM.priority: int: Priority of the GSM Network;
; It takes a number between 0 and 7 which represents the priority of the GSM network.
; Default = 2
;GSM.priority=2
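As an added example (not a Legba or YateBTS tool), the following Python checks excerpts of the two configuration files above for the mistakes that would leave a test handset stranded: a 2G neighbor ARFCN that does not belong to the configured band type, an EUTRAN.EARFCN of 0, an LTE priority that does not exceed the GSM priority, and thresholds outside the documented ranges. The ARFCN band ranges are assumed from the 3GPP GSM band plans; the defaults are the ones stated in the ybts.conf comments.

```python
# Added example (not a Legba or YateBTS tool): parse the two Lab Kit config
# excerpts and check that the CSFB round trip LTE -> GSM -> LTE is closed.
def parse_yate_conf(text):
    """Minimal Yate-style conf parser: [section] headers, key=value lines,
    ';' comments. Keys before any header go into section ''."""
    section, out = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
        else:
            key, _, value = line.partition("=")
            out[(section, key.strip())] = value.strip()
    return out

# GSM ARFCN ranges by band (assumed from 3GPP TS 45.005); the post's
# Neighbors2GType groups 850/900/1800 under "GSM" and 1900 under "PCS1900".
ARFCN_BANDS = {"GSM": [(0, 124), (975, 1023), (128, 251), (512, 885)],
               "PCS1900": [(512, 810)]}

def check_csfb_loop(enb_text, ybts_text):
    """Return a list of problems that would break the CSFB demo."""
    enb, ybts = parse_yate_conf(enb_text), parse_yate_conf(ybts_text)
    problems = []
    ntype = enb.get(("", "Neighbors2GType"), "GSM")
    arfcn = int(enb.get(("", "Neighbors2G"), "-1"))
    if not any(lo <= arfcn <= hi for lo, hi in ARFCN_BANDS.get(ntype, [])):
        problems.append(f"Neighbors2G={arfcn} is not a valid {ntype} ARFCN")
    def handover(key, default):  # defaults as documented in ybts.conf
        return ybts.get(("handover", key), default)
    if int(handover("EUTRAN.EARFCN", "0")) == 0:
        problems.append("EUTRAN.EARFCN is 0: handset cannot return to LTE")
    if int(handover("EUTRAN.priority", "6")) <= int(handover("GSM.priority", "2")):
        problems.append("EUTRAN.priority must exceed GSM.priority")
    for key in ("EUTRAN.thresh_priority_high", "EUTRAN.thresh_priority_low"):
        v = int(handover(key, "18"))
        if v % 2 or not 0 <= v <= 62:
            problems.append(f"{key}={v} must be even and in 0..62")
    q = int(handover("EUTRAN.QRXLEVMIN", "-140"))
    if q % 2 or not -140 <= q <= -78:
        problems.append(f"EUTRAN.QRXLEVMIN={q} must be even and in -140..-78")
    return problems

# Values taken from the post's enb-custom.conf and ybts.conf handover section.
ENB_CONF = "CsfbType = 2G\nforceGsm = true\nNeighbors2GType=GSM\nNeighbors2G=600\n"
YBTS_CONF = "[handover]\nEUTRAN.EARFCN=1300\nEUTRAN.priority=7\nEUTRAN.thresh_priority_high=0\n"
```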
Any handset that attempts to connect to the LTE eNodeB will immediately be forced onto the YateBTS GSM cell, in this example a GSM cell on ARFCN 600 in the DCS1800 band. The YateBTS GSM network will then present the handset as a SIP client, which can be handled by the built-in Yate SIP server or forwarded to an external server running a custom SIP application. This custom application will see GSM operations presented as SIP methods, following the same rules as OpenBTS.
| GSM Operation | SIP Method |
|---|---|
The SIP methods also include a custom header, P-PHY-Info, that provides real-time information about timing advance, power levels, and RSSI levels at the BTS and at the handset. For example:
P-PHY-Info: YateBTS;TA=2 TE=0.1 UpRSSI=-3 TxPwr=30 DnRSSIdBm=-48 time=1596094897.715
The fields are:
| Field | Meaning | Units |
|---|---|---|
| TA | Timing advance commanded by the BTS | GSM symbols |
| TE | Timing error measured at the BTS | GSM symbols; negative is early, positive is late |
| UpRSSI | Uplink RSSI at the BTS | dB relative to full scale on the receiver |
| TxPwr | Uplink transmitted power from the phone | dBm |
| DnRSSIdBm | Downlink received power at the phone | dBm |
| time | Unix time of the measurements | seconds in the Unix epoch |
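As an added example, not code from YateBTS or the post, this Python pulls the P-PHY-Info header out of a SIP request, types the fields according to the table above, and flags values a GSM handset cannot legitimately report. The 0..63 timing advance range, the 553.5 m of distance per TA step and the 43 dBm power ceiling are standard GSM figures assumed here, and the SIP INVITE is constructed around the header shown in the post.

```python
# Added example, not YateBTS or Legba code: pull the P-PHY-Info header out of a
# SIP request and turn it into typed, range-checked values for per-call logging.
PHY_FIELDS = {  # field -> converter, per the field table in the post
    "TA": int, "TE": float, "UpRSSI": float,
    "TxPwr": float, "DnRSSIdBm": float, "time": float,
}
TA_METRES_PER_STEP = 553.5  # one GSM symbol (48/13 us) of round-trip delay
def parse_p_phy_info(value):
    """Parse 'YateBTS;TA=2 TE=0.1 ...' into a dict; ValueError if malformed."""
    vendor, sep, rest = value.strip().partition(";")
    if vendor != "YateBTS" or not sep:
        raise ValueError(f"unexpected P-PHY-Info vendor: {vendor!r}")
    phy = {}
    for token in rest.split():
        key, eq, raw = token.partition("=")
        if not eq:
            raise ValueError(f"malformed field: {token!r}")
        phy[key] = PHY_FIELDS.get(key, str)(raw)  # unknown fields kept as text
    missing = set(PHY_FIELDS) - set(phy)
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    return phy

def phy_from_sip(message):
    """Return the parsed P-PHY-Info of a raw SIP message, or None if absent."""
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "p-phy-info":
            return parse_p_phy_info(value)
    return None

def check_phy(phy):
    """Flag values a real GSM handset cannot legitimately report."""
    problems = []
    if not 0 <= phy["TA"] <= 63:     # timing advance is a 6-bit field
        problems.append("TA outside 0..63")
    if phy["UpRSSI"] > 0:            # dB relative to receiver full scale
        problems.append("UpRSSI above full scale")
    if not 0 <= phy["TxPwr"] <= 43:  # highest GSM mobile power class
        problems.append("TxPwr outside 0..43 dBm")
    return problems

def ta_distance_m(phy):
    """Rough BTS-to-handset distance implied by the timing advance."""
    return phy["TA"] * TA_METRES_PER_STEP

# Constructed SIP INVITE carrying the header shown in the post.
SAMPLE_INVITE = ("INVITE sip:12345@192.0.2.10 SIP/2.0\r\nP-PHY-Info: YateBTS;TA=2 TE=0.1 "
                 "UpRSSI=-3 TxPwr=30 DnRSSIdBm=-48 time=1596094897.715\r\n\r\n")
```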
Here are the network elements involved:
And here is a typical ladder diagram:
In this Lab Kit configuration, the signaling on the radio interface, seen by the handset, is exactly the same as in an operator network.
In this post, we have explained what CSFB is, why it is used, and how it works. We have also shown how a pair of Legba Lab Kits can be used to recreate CSFB on a test bench or in a classroom.