lpwan                                                    S. Farrell, Ed.
Internet-Draft                                    Trinity College Dublin
Intended status: Informational                          October 29, 2016
Expires: May 2, 2017

                             LPWAN Overview


   Low Power Wide Area Networks (LPWAN) are wireless technologies with
   characteristics such as large coverage areas, low bandwidth, possibly
   very small packet and application layer data sizes and long battery
   life operation.  This memo is an informational overview of the set of
   LPWAN technologies being considered in the IETF and of the gaps that
   exist between the needs of those technologies and the goal of running
   IP in LPWANs.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 2, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of

Farrell                    Expires May 2, 2017                  [Page 1]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Common Concerns . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  LPWAN Technologies  . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  LoRaWAN . . . . . . . . . . . . . . . . . . . . . . . . .   4
       4.1.1.  Provenance and Documents  . . . . . . . . . . . . . .   4
       4.1.2.  Characteristics . . . . . . . . . . . . . . . . . . .   4
     4.2.  Narrowband IoT (NB-IoT) . . . . . . . . . . . . . . . . .  12
       4.2.1.  Provenance and Documents  . . . . . . . . . . . . . .  12
       4.2.2.  Characteristics . . . . . . . . . . . . . . . . . . .  12
     4.3.  SIGFOX  . . . . . . . . . . . . . . . . . . . . . . . . .  16
       4.3.1.  Provenance and Documents  . . . . . . . . . . . . . .  17
       4.3.2.  Characteristics . . . . . . . . . . . . . . . . . . .  17
     4.4.  WI-SUN  . . . . . . . . . . . . . . . . . . . . . . . . .  21
   5.  Gap Analysis  . . . . . . . . . . . . . . . . . . . . . . . .  21
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  21
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  21
   8.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  21
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  23
   10. Informative References  . . . . . . . . . . . . . . . . . . .  24
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  26

1.  Introduction

   [[Editor comments/queries are in double square brackets like this.]]

   This document provides background material and an overview of the
   technologies being considered in the IETF's Low Power Wide-Area
   Networking (LPWAN) working group.  We also provide a gap analysis
   between the needs of these technologies and currently available IETF

   This document is largely the work of the people listed in Section 8.
   Discussion of this document should take place on the lpwan@ietf.org

   [[Editor's note: the eventual fate of this draft is a topic for the
   WG to consider - it might end up as a useful RFC, or it might be best
   maintained as a draft only until its utility has dissapated.  FWIW,
   the editor doesn't mind what outcome the WG choose.]]

Farrell                    Expires May 2, 2017                  [Page 2]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

2.  Terminology

   [[Not sure if 2119 terms will be needed.  Leave it here for now.]]
   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in RFC 2119 [RFC2119].

   [[Extract common terms here.  Maybe define and relate technology
   specific terms, e.g. lora g/w similar to sigfox bs etc.  There is
   text for this in the current "gaps" draft.]]

3.  Common Concerns

   [[Editors note: We may want a section like this that describes some
   cross-cutting issues, e.g. duty-cycles, some of the ISM band
   restrictions.  This isn't intended to be a problem statement nor a
   set of requirements but just to describe some issues that affect more
   than one of the LPWAN technologies.  Such a section might be better
   before or after Section 4, will see when text's added there.  There
   is some text for this in the current "gaps" draft.]]

   Most technologies in this space aim for similar goals of supporting
   large numbers of low-cost, low-throughput devices at very low-cost
   and with very-low power consumption, so that even battery-powered
   devices can be deployed for years.  And as the name implies, coverage
   of large areas is also a common goal.  There are some differences
   however, e.g., the Narrowband IoT specifications Section 4.2 also aim
   for increased indoor coverage.  However, by and large, the different
   technologies aim for deployment in very similar circumstances.

4.  LPWAN Technologies

   This section provides an overview of the set of LPWAN technologies
   that are being considered in the LPWAN working group.  The text for
   each was mainly contributed by proponents of each technology.

   Note that this text is not intended to be normative in any sesne, but
   simply to help the reader in finding the relevant layer 2
   specifications and in understanding how those integrate with IETF-
   defined technologies.  Similarly, there is no attempt here to set out
   the pros and cons of the relevant technologies.  [[Editor: I assume
   that's the right target here.  Please comment if you disagree.]]

   [[Editor's note: the goal here is 2-3 pages per technology.  If
   there's much more needed then we could add appendices I guess
   depending on what text the WG find useful to include.]]

Farrell                    Expires May 2, 2017                  [Page 3]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

4.1.  LoRaWAN

   [[Text here is from [I-D.farrell-lpwan-lora-overview] And yes, this
   section is too long right now.  Will shorten.]]

4.1.1.  Provenance and Documents

   LoRaWAN is a wireless technology for long-range low-power low-data-
   rate applications developed by the LoRa Alliance, a membership
   consortium.  <https://www.lora-alliance.org/> This draft is based on
   version 1.0.2 [LoRaSpec] of the LoRa specification.  (Note that
   version 1.0.2 is expected to be published in a few weeks.  We will
   update this draft when that has happened.  For now, version 1.0 is
   available at [LoRaSpec1.0])

4.1.2.  Characteristics

   In LoRaWAN networks, end-device transmissions may be received at
   multiple gateways, so during nominal operation a network server may
   see multiple instances of the same uplink message from an end-device.

   The LoRaWAN network infrastructure manages the data rate and RF
   output power for each end-device individually by means of an adaptive
   data rate (ADR) scheme.  End-devices may transmit on any channel
   allowed by local regulation at any time, using any of the currently
   available data rates.

   LoRaWAN networks are typically organized in a star-of-stars topology
   in which gateways relay messages between end-devices and a central
   "network server" in the backend.  Gateways are connected to the
   network server via IP links while end-devices use single-hop LoRaWAN
   communication that can be received at one or more gateways.  All
   communication is generally bi-directional, although uplink
   communication from end-devices to the network server are favoured in
   terms of overall bandwidth availability.

   This section introduces some LoRaWAN terms.  Figure 1 shows the
   entities involved in a LoRaWAN network.

Farrell                    Expires May 2, 2017                  [Page 4]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   |End-device| * * *
   +----------+       *   +---------+
                        * | Gateway +---+
   +----------+       *   +---------+   |   +---------+
   |End-device| * * *                   +---+ Network +--- Application
   +----------+       *                 |   | Server  |
                        * +---------+   |   +---------+
   +----------+       *   | Gateway +---+
   |End-device| * * *   * +---------+
       Key: *      LoRaWAN Radio
            +---+  IP connectivity

                      Figure 1: LoRaWAN architecture

   o  End-device: a LoRa client device, sometimes called a mote.
      Communicates with gateways.

   o  Gateway: a radio on the infrastructure-side, sometimes called a
      concentrator or base-station.  Communicates with end-devices and,
      via IP, with a network server.

   o  Network Server: The Network Server (NS) terminates the LoRaWAN MAC
      layer for the end-devices connected to the network.  It is the
      center of the star topology.

   o  Uplink message: refers to communications from end-device to
      network server or appliction via one or more gateways.

   o  Downlink message: refers to communications from network server or
      application via one gateway to a single end-device or a group of
      end-devices (considering multicasting).

   o  Application: refers to application layer code both on the end-
      device and running "behind" the network server.  For LoRaWAN,
      there will generally only be one application running on most end-
      devices.  Interfaces between the network server and application
      are not further described here.

   o  Classes A, B and C define different device capabilities and modes
      of operation for end-devices.  End-devices can transmit uplink
      messages at any time in any mode of operation (so long as e.g.,
      ISM band restrictions are honoured).  An end-device in Class A can
      only receive downlink messages at predetermined timeslots after
      each uplink message transmission.  Class B allows the end-device
      to receive downlink messages at periodically scheduled timeslots.
      Class C allows receipt of downlink messages at anytime.  Class

Farrell                    Expires May 2, 2017                  [Page 5]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

      selection is based on the end-devices' application use case and
      its power supply.  (While Classes B and C are not further
      described here, readers may have seen those terms elsewhere so we
      include them for clarity.)

   LoRaWAN radios make use of ISM bands, for example, 433MHz and 868MHz
   within the European Union and 915MHz in the Americas.

   The end-device changes channel in a pseudo-random fashion for every
   transmission to help make the system more robust to interference and/
   or to conform to local regulations.

   As with other LPWAN radio technologies, LoRaWAN end-devices respect
   the frequency, power and maximum transmit duty cycle requirements for
   the sub-band imposed by local regulators.  In most cases, this means
   an end-device is only transmitting for 1% of the time, as specified
   by ISM band regulations.  And in some cases the LoRaWAN specification
   calls for end-devices to transmit less often than is called for by
   the ISM band regulations in order to avoid congestion.

   Figure 2 below shows that after a transmission slot a Class A device
   turns on its receiver for two short receive windows that are offset
   from the end of the transmission window.  The frequencies and data
   rate chosen for the first of these receive windows depends on those
   used for the transmit window.  The frequency and data-rate for the
   second receive window are configurable.  If a downlink message
   preamble is detected during a receive window, then the end-device
   keeps the radio on in order to receive the frame.

   End-devices can only transmit a subsequent uplink frame after the end
   of the associated receive windows.  When a device joins a LoRaWAN
   network, there are similar timeouts on parts of that process.

   |----------------------------|         |--------|     |--------|
   |             Tx             |         |   Rx   |     |   Rx   |
   |----------------------------|         |--------|     |--------|
                                 Rx delay 1
                                 Rx delay 2

        Figure 2: LoRaWAN Class A transmission and reception window

   Given the different regional requirements the detailed specification
   for the LoRaWAN physical layer (taking up more than 30 pages of the
   specification) is not reproduced here.  Instead and mainly to
   illustrate the kinds of issue encountered, in Table 1 we present some
   of the default settings for one ISM band (without fully explaining

Farrell                    Expires May 2, 2017                  [Page 6]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   those here) and in Table 2 we describe maxima and minima for some
   parameters of interest to those defining ways to use IETF protocols
   over the LoRaWAN MAC layer.

   |       Parameters       |              Default Value               |
   |       Rx delay 1       |                   1 s                    |
   |                        |                                          |
   |       Rx delay 2       |    2 s (must be RECEIVE_DELAY1 + 1s)     |
   |                        |                                          |
   |      join delay 1      |                   5 s                    |
   |                        |                                          |
   |      join delay 2      |                   6 s                    |
   |                        |                                          |
   |     868MHz Default     | 3 (868.1,868.2,868.3), date rate: 0.3-5  |
   |        channels        |                   kbps                   |

                Table 1: Default settings for EU868MHz band

   | Parameter/Notes                               |  Min   |   Max    |
   | Duty Cycle: some but not all ISM bands impose |   1%   | no-limit |
   | a limit in terms of how often an end-device   |        |          |
   | can transmit. In some cases LoRaWAN is more   |        |          |
   | stringent in an attempt to avoid congestion.  |        |          |
   |                                               |        |          |
   | EU 868MHz band data rate/frame-size           |  250   |  50000   |
   |                                               | bits/s | bits/s : |
   |                                               |  : 59  |   250    |
   |                                               | octets |  octets  |
   |                                               |        |          |
   | US 915MHz band data rate/frame-size           |  980   |  21900   |
   |                                               | bits/s | bits/s : |
   |                                               |  : 19  |   250    |
   |                                               | octets |  octets  |

         Table 2: Minima and Maxima for various LoRaWAN Parameters

   Note that in the case of the smallest frame size (19 octets), 8
   octets are required for LoRa MAC layer headers leaving only 11 octets
   for payload (including MAC layer options).  However, those settings
   do not apply for the join procedure - end-devices are required to use
   a channel that can send the 23 byte Join-request message for the join

Farrell                    Expires May 2, 2017                  [Page 7]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   Uplink and downlink higher layer data is carried in a MACPayload.
   There is a concept of "ports" (an optional 8 bit value) to handle
   different applications on an end-device.  Port zero is reserved for
   LoRaWAN specific messaging, such as the join procedure.

   The header also distinguishes the uplink/downlink directions and
   whether or not an acknowledgement ("confirmation") is required from
   the peer.

   All payloads are encrypted and ciphertexts are protected with a
   cryptographic Message Integrity Check (MIC) - see Section 6 for

   In addition to carrying higher layer PDUs there are Join-Request and
   Join-Response (aka Join-Accept) messages for handling network access.
   And so-called "MAC commands" (see below) up to 15 bytes long can be
   piggybacked in an options field ("FOpts").

   LoRaWAN end-devices can choose various different data rates from a
   menu of available rates (dependent on the frequencies in use).  It is
   however, recommended that end-devices set the Adaptive Data Rate
   ("ADR") bit in the MAC layer which is a signal that the network
   should control the data rate (via MAC commands to the end-device).
   The network can also assert the ADR bit and control data rates at
   it's discretion.  The goal is to ensure minimal on-time for radios
   whilst increasing throughput and reliability when possible.  Other
   things being equal, the effect should be that end-devices closer to a
   gateway can successfully use higher data rates, whereas end-devices
   further from all gateways still receive connectivity though at a
   lower data rate.

   Data rate changes can be validated via a scheme of acks from the
   network with a fall-back to lower rates in the event that downlink
   acks go missing.

   There are 16 (or 32) bit frame counters maintained in each direction
   that are incremented on each transmission (but not re-transmissions)
   that are not re-used for a given key.  When the device supports a 32
   bit counter, then only the least significant 16 bits are sent in the
   MAC header, but all 32 bits are used in cryptographic operations.
   (If an end-device only supports a 16 bit counter internally, then the
   topmost 16 bits are set to zero.)

   There are a number of MAC commands for: Link and device status
   checking, ADR and duty-cycle negotiation, managing the RX windows and
   radio channel settings.  For example, the link check response message
   allows the network server (in response to a request from an end-
   device) to inform an end-device about the signal attenuation seen

Farrell                    Expires May 2, 2017                  [Page 8]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   most recently at a gateway, and to also tell the end-device how many
   gateways received the corresponding link request MAC command.

   Some MAC commands are initiated by the network server.  For example,
   one command allows the network server to ask an end-device to reduce
   it's duty-cycle to only use a proportion of the maximum allowed in a
   region.  Another allows the network server to query the end-device's
   power status with the response from the end-device specifying whether
   it has an external power source or is battery powered (in which case
   a relative battery level is also sent to the network server).

   The network server can also inform an end-device about channel
   assignments (mid-point frequencies and data rates).  Of course, these
   must also remain within the bands assigned by local regulation.

   A LoRaWAN network has a short network identifier ("NwkID") which is a
   seven bit value.  A private network (common for LoRaWAN) can use the
   value zero.  If a network wishes to support "foreign" end-devices
   then the NwkID needs to be registered with the LoRA Alliance, in
   which case the NwkID is the seven least significant bits of a
   registered 24-bit NetID.  (Note however, that the methods for
   "roaming" are currently being enhanced within the LoRA Alliance, so
   the situation here is somewhat fluid.)

   In order to operate nominally on a LoRaWAN network, a device needs a
   32-bit device address, which is the catentation of the NwkID and a
   25-bit device-specific network address that is assigned when the
   device "joins" the network (see below for the join procedure) or that
   is pre-provisioned into the device.

   End-devices are assumed to work with one or a quite limited number of
   applications, which matches most LoRaWAN use-cases.  The applications
   are identified by a 64-bit AppEUI, which is assumed to be a
   registered IEEE EUI64 value.

   In addition, a device needs to have two symmetric session keys, one
   for protecting network artefacts (port=0), the NwkSKey, and another
   for protecting appliction layer traffic, the AppSKey.  Both keys are
   used for 128 bit AES cryptpgraphic operations.  (See Section 6 for

   So, one option is for an end-device to have all of the above, plus
   channel information, somehow (pre-)provisioned, in which case the
   end-device can simply start transmitting.  This is achievable in many
   cases via out-of-band means given the nature of LoRaWAN networks.
   Table 3 summarises these values.

Farrell                    Expires May 2, 2017                  [Page 9]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   | Value   | Description                                             |
   | DevAddr | DevAddr (32-bits) =  NwkId (7-bits) + device-specific   |
   |         | network address (25 bits)                               |
   |         |                                                         |
   | AppEUI  | IEEE EUI64 naming the application                       |
   |         |                                                         |
   | NwkSKey | 128 bit network session key for use with AES            |
   |         |                                                         |
   | AppSKey | 128 bit application session key for use with AES        |

              Table 3: Values required for nominal operation

   As an alternative, end-devices can use the LoRaWAN join procedure in
   order to setup some of these values and dynamically gain access to
   the network.

   To use the join procedure, an end-device must still know the AppEUI.
   In addition to the AppEUI, end-devices using the join procedure need
   to also know a different (long-term) symmetric key that is bound to
   the AppEUI - this is the application key (AppKey), and is distinct
   from the application session key (AppSKey).  The AppKey is required
   to be specific to the device, that is, each end-device should have a
   different AppKey value.  And finally the end-device also needs a
   long-term identifier for itself, syntactically also an EUI-64, and
   known as the device EUI or DevEUI.  Table 4 summarises these values.

     | Value   | Description                                        |
     | DevEUI  | IEEE EUI64 naming the device                       |
     |         |                                                    |
     | AppEUI  | IEEE EUI64 naming the application                  |
     |         |                                                    |
     | AppKey  | 128 bit long term application key for use with AES |

                Table 4: Values required for join procedure

   The join procedure involves a special exchange where the end-device
   asserts the AppEUI and DevEUI (integrity protected with the long-term
   AppKey, but not encrypted) in a Join-request uplink message.  This is
   then routed to the network server which interacts with an entity that
   knows that AppKey to verify the Join-request.  All going well, a
   Join-accept downlink message is returned from the network server to
   the end-device that specifies the 24-bit NetID, 32-bit DevAddr and

Farrell                    Expires May 2, 2017                 [Page 10]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   channel information and from which the AppSKey and NwkSKey can be
   derived based on knowledge of the AppKey.  This provides the end-
   device with all the values listed in Table 3.

   There is some special handling related to which channels to use and
   for multiple transmissions for the join-request which is intended to
   ensure a successful join in as many cases as possible.  Join-request
   and Join-accept messages also include some random values (nonces) to
   both provide some replay protection and to help ensure the session
   keys are unique per run of the join procedure.  If a Join-request
   fails validation, then no Join-accept message (indeed no message at
   all) is returned to the end-device.  For example, if an end-device is
   factory-reset then it should end up in a state in which it can re-do
   the join procedure.

   In this section we describe the use of cryptography in LoRaWAN.  This
   section is not intended as a full specification but to be sufficient
   so that future IETF specifications can encompass the required
   security considerations.  The emphasis is on describing the
   externally visible characteristics of LoRaWAN.

   All payloads are encrypted and have data integrity.  Frame options
   (used for MAC commands) when sent as a payload (port zero) are
   therefore protected.  MAC commands piggy-backed as frame options
   ("FOpts") are however sent in clear.  Since MAC commands may be sent
   as options and not only as payload, any values sent in that manner
   are visible to a passive attacker but are not malleable for an active
   attacker due to the use of the MIC.

   For LoRaWAN version 1.0.x, the NWkSkey session key is used to provide
   data integrity between the end-device and the network server.  The
   AppSKey is used to provide data confidentiality between the end-
   device and network server, or to the application "behind" the network
   server, depending on the implementation of the network.

   All MAC layer messages have an outer 32-bit Message Integrity Code
   (MIC) calculated using AES-CMAC calculated over the ciphertext
   payload and other headers and using the NwkSkey.

   Payloads are encrypted using AES-128, with a counter-mode derived
   from IEEE 802.15.4 using the AppSKey.

   Gateways are not expected to be provided with the AppSKey or NwkSKey,
   all of the infrastructure-side cryptography happens in (or "behind")
   the network server.

   When session keys are derived from the AppKey as a result of the join
   procedure the Join-accept message payload is specially handled.

Farrell                    Expires May 2, 2017                 [Page 11]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   The long-term AppKey is directly used to protect the Join-accept
   message content, but the function used is not an aes-encrypt
   operation, but rather an aes-decrypt operation.  The justification is
   that this means that the end-device only needs to implement the aes-
   encrypt operation.  (The counter mode variant used for payload
   decryption means the end-device doesn't need an aes-decrypt

   The Join-accept plaintext is always less than 16 bytes long, so
   electronic code book (ECB) mode is used for protecting Join-accept

   The Join-accept contains an AppNonce (a 24 bit value) that is
   recovered on the end-device along with the other Join-accept content
   (e.g.  DevAddr) using the aes-encrypt operation.

   Once the Join-accept payload is available to the end-device the
   session keys are derived from the AppKey, AppNonce and other values,
   again using an ECB mode aes-encrypt operation, with the plaintext
   input being a maximum of 16 octets.

4.2.  Narrowband IoT (NB-IoT)

   [[Text here is from [I-D.ratilainen-lpwan-nb-iot].]]

4.2.1.  Provenance and Documents

   Narrowband Internet of Things (NB-IoT) is developed and standardized
   by 3GPP.  The standardization of NB-IoT was finalized with 3GPP
   Release-13 in June 2016, but further enhancements for NB-IoT are
   worked on in the following releases, for example in the form of
   multicast support.  For more information of what has been specified
   for NB-IoT, 3GPP specification 36.300 [TGPP36300] provides an
   overview and overall description of the E-UTRAN radio interface
   protocol architecture, while specifications 36.321 [TGPP36321],
   36.322 [TGPP36322], 36.323 [TGPP36323] and 36.331 [TGPP36331] give
   more detailed description of MAC, RLC, PDCP and RRC protocol layers

4.2.2.  Characteristics

   [[Editor notes: Not clear if all the radio info here is needed.  Not
   clear what minimum MTU might be.  Many 3GPP acronyms/terms to
   eliminate or explain.]]

   Specific targets for NB-IoT include: Less than 5$ module cost,
   extended coverage of 164 dB maximum coupling loss, battery life of

Farrell                    Expires May 2, 2017                 [Page 12]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   over 10 years, ~55000 devices per cell and uplink reporting latency
   of less than 10 seconds.

   NB-IoT supports Half Duplex FDD operation mode with 60 kbps peak rate
   in uplink and 30 kbps peak rate in downlink, and a maximum size MTU
   of 1600 bytes.  As the name suggests, NB-IoT uses narrowbands with
   the bandwidth of 180 kHz in both, downlink and uplink.  The multiple
   access scheme used in the downlink is OFDMA with 15 kHz sub-carrier
   spacing.  On uplink multi-tone SC-FDMA is used with 15 kHz tone
   spacing or as a special case of SC-FDMA single tone with either 15kHz
   or 3.75 kHz tone spacing may be used.

   NB-IoT can be deployed in three ways.  In-band deployment means that
   the narrowband is multiplexed within normal LTE carrier.  In Guard-
   band deployment the narrowband uses the unused resource blocks
   between two adjacent LTE carriers.  Also standalone deployment is
   supported, where the narrowband can be located alone in dedicated
   spectrum, which makes it possible for example to refarm the GSM
   carrier at 850/900 MHz for NB-IoT.  All three deployment modes are
   meant to be used in licensed bands.  The maximum transmission power
   is either 20 or 23 dBm for uplink transmissions, while for downlink
   transmission the eNodeB may use higher transmission power, up to 46
   dBm depending on the deployment.

   For signaling optimization, two options are introduced in addition to
   legacy RRC connection setup, mandatory Data-over-NAS (Control Plane
   optimization, solution 2 in [TGPP23720]) and optional RRC Suspend/
   Resume (User Plane optimization, solution 18 in [TGPP23720]).  In the
   control plane optimization the data is sent over Non Access Stratum,
   directly from Mobility Management Entity (MME) in core network to the
   UE without interaction from base station.  This means there are no
   Access Stratum security or header compression, as the Access Stratum
   is bypassed, and only limited RRC procedures.

   The RRC Suspend/Resume procedures reduce the signaling overhead
   required for UE state transition from Idle to Connected mode in order
   to have a user plane transaction with the network and back to Idle
   state by reducing the signaling messages required compared to legacy

   With extended DRX the RRC Connected mode DRX cycle is up to 10.24
   seconds and in RRC Idle the DRX cycle can be up to 3 hours.

   NB-IoT has no channel access restrictions allowing up to a 100% duty-

   3GPP access security is specified in [TGPP33203].

Farrell                    Expires May 2, 2017                 [Page 13]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   |UE| \              +------+      +------+
   +--+  \             | MME  |------| HSS  |
          \          / +------+      +------+
   +--+    \+-----+ /      |
   |UE| ----| eNB |-       |
   +--+    /+-----+ \      |
          /          \ +--------+
         /            \|        |    +------+     Service PDN
   +--+ /              |  S-GW  |----| P-GW |---- e.g. Internet
   |UE|                |        |    +------+
   +--+                +--------+

                    Figure 3: 3GPP network architecture

   Mobility Management Entity (MME) is responsible for handling the
   mobility of the UE.  MME tasks include tracking and paging UEs,
   session management, choosing the Serving gateway for the UE during
   initial attachment and authenticating the user.  At MME, the Non
   Access Stratum (NAS) signaling from the UE is terminated.

   Serving Gateway (S-GW) routes and forwards the user data packets
   through the access network and acts as a mobility anchor for UEs
   during handover between base stations known as eNodeBs and also
   during handovers between other 3GPP technologies.

   Packet Data Node Gateway (P-GW) works as an interface between 3GPP
   network and external networks.

   Home Subscriber Server (HSS) contains user-related and subscription-
   related information.  It is a database, which performs mobility
   management, session establishment support, user authentication and
   access authorization.

   E-UTRAN consists of components of a single type, eNodeB. eNodeB is a
   base station, which controls the UEs in one or several cells.

   The illustration of 3GPP radio protocol architecture can be seen from
   Figure 4.

Farrell                    Expires May 2, 2017                 [Page 14]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   +---------+                                       +---------+
   | NAS     |----|-----------------------------|----| NAS     |
   +---------+    |    +---------+---------+    |    +---------+
   | RRC     |----|----| RRC     | S1-AP   |----|----| S1-AP   |
   +---------+    |    +---------+---------+    |    +---------+
   | PDCP    |----|----| PDCP    | SCTP    |----|----| SCTP    |
   +---------+    |    +---------+---------+    |    +---------+
   | RLC     |----|----| RLC     | IP      |----|----| IP      |
   +---------+    |    +---------+---------+    |    +---------+
   | MAC     |----|----| MAC     | L2      |----|----| L2      |
   +---------+    |    +---------+---------+    |    +---------+
   | PHY     |----|----| PHY     | PHY     |----|----| PHY     |
   +---------+         +---------+---------+         +---------+
               LTE-Uu                         S1-MME
       UE                     eNodeB                     MME

                Figure 4: 3GPP radio protocol architecture

   The radio protocol architecture of NB-IoT (and LTE) is separated into
   control plane and user plane.  Control plane consists of protocols
   which control the radio access bearers and the connection between the
   UE and the network.  The highest layer of control plane is called
   Non-Access Stratum (NAS), which conveys the radio signaling between
   the UE and the EPC, passing transparently through radio network.  It
   is responsible for authentication, security control, mobility
   management and bearer management.

   Access Stratum (AS) is the functional layer below NAS, and in control
   plane it consists of Radio Resource Control protocol (RRC)
   [TGPP36331], which handles connection establishment and release
   functions, broadcast of system information, radio bearer
   establishment, reconfiguration and release.  RRC configures the user
   and control planes according to the network status.  There exists two
   RRC states, RRC_Idle or RRC_Connected, and RRC entity controls the
   switching between these states.  In RRC_Idle, the network knows that
   the UE is present in the network and the UE can be reached in case of
   incoming call.  In this state the UE monitors paging, performs cell
   measurements and cell selection and acquires system information.
   Also the UE can receive broadcast and multicast data, but it is not
   expected to transmit or receive singlecast data.  In RRC_Connected
   the UE has a connection to the eNodeB, the network knows the UE
   location on cell level and the UE may receive and transmit singlecast
   data.  RRC_Connected mode is established, when the UE is expected to
   be active in the network, to transmit or receive data.  Connection is
   released, switching to RRC_Idle, when there is no traffic to save the
   UE battery and radio resources.  However, a new feature was
   introduced for NB-IoT, as mentioned earlier, which allows data to be

Farrell                    Expires May 2, 2017                 [Page 15]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   transmitted from the MME directly to the UE, while the UE is in
   RRC_Idle transparently to the eNodeB.

   Packet Data Convergence Protocol's (PDCP) [TGPP36323] main services
   in control plane are transfer of control plane data, ciphering and
   integrity protection.

   Radio Link Control protocol (RLC) [TGPP36322] performs transfer of
   upper layer PDUs and optionally error correction with Automatic
   Repeat reQuest (ARQ), concatenation, segmentation and reassembly of
   RLC SDUs, in-sequence delivery of upper layer PDUs, duplicate
   detection, RLC SDU discard, RLC-re-establishment and protocol error
   detection and recovery.

   Medium Access Control protocol (MAC) [TGPP36321] provides mapping
   between logical channels and transport channels, multiplexing of MAC
   SDUs, scheduling information reporting, error correction with HARQ,
   priority handling and transport format selection.

   Physical layer [TGPP36201] provides data transport services to higher
   layers.  These include error detection and indication to higher
   layers, FEC encoding, HARQ soft-combining.  Rate matching and mapping
   of the transport channels onto physical channels, power weighting and
   modulation of physical channels, frequency and time synchronization
   and radio characteristics measurements.

   User plane is responsible for transferring the user data through the
   Access Stratum.  It interfaces with IP and consists of PDCP, which in
   user plane performs header compression using Robust Header
   Compression (RoHC), transfer of user plane data between eNodeB and
   UE, ciphering and integrity protection.  Lower layers in user plane
   are similarly RLC, MAC and physical layer performing tasks mentioned

   Under worst-case conditions, NB-IoT may achieve data rate of roughly
   200 bps.  For downlink with 164 dB coupling loss, NB-IoT may achieve
   higher data rates, depending on the deployment mode.  Stand-alone
   operation may achieve the highest data rates, up to few kbps, while
   in-band and guard-band operations may reach several hundreds of bps.
   NB-IoT may even operate with higher maximum coupling loss than 170 dB
   with very low bit rates.

4.3.  SIGFOX

   [[Text here is from [I-D.zuniga-lpwan-sigfox-system-description].]]

Farrell                    Expires May 2, 2017                 [Page 16]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

4.3.1.  Provenance and Documents

   The SIGFOX LPWAN is in line with the terminology and specifications
   being defined by the ETSI ERM TG28 Low Throughput Networks (LTN)
   group [etsi_ltn].  As of today, the SIGFOX LPWAN/LTN has been fully
   deployed in 6 countries, with ongoing deployments on 14 other
   countries, which in total will reach 316M people.

4.3.2.  Characteristics

   SIGFOX LPWAN autonomous battery-operated devices send only a few
   bytes per day, week or month, allowing them to remain on a single
   battery for up to 10-15 years.

   The radio interface is compliant with the following regulations:

      Spectrum allocation in the USA [fcc_ref]

      Spectrum allocation in Europe [etsi_ref]

      Spectrum allocation in Japan [arib_ref]

   The SIGFOX LTN radio interface is also compliant with the local
   regulations of the following countries: Australia, Brazil, Canada,
   Kenya, Lebanon, Mauritius, Mexico, New Zealand, Oman, Peru,
   Singapore, South Africa, South Korea, and Thailand.

   The radio interface is based on Ultra Narrow Band (UNB)
   communications, which allow an increased transmission range by
   spending a limited amount of energy at the device.  Moreover, UNB
   allows a large number of devices to coexist in a given cell without
   significantly increasing the spectrum interference.

   Both uplink and downlink communications are possible with the UNB
   solution.  Due to spectrum optimizations, different uplink and
   downlink frames and time synchronization methods are needed.

   The main radio characteristics of the UNB uplink transmission are:

   o  Channelization mask: 100 Hz (600 Hz in the USA)

   o  Uplink baud rate: 100 baud (600 baud in the USA)

   o  Modulation scheme: DBPSK

   o  Uplink transmission power: compliant with local regulation

   o  Link budget: 155 dB (or better)

Farrell                    Expires May 2, 2017                 [Page 17]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   o  Central frequency accuracy: not relevant, provided there is no
      significant frequency drift within an uplink packet

   In Europe, the UNB uplink frequency band is limited to 868,00 to
   868,60 MHz, with a maximum output power of 25 mW and a maximum mean
   transmission time of 1%.

   The format of the uplink frame is the following:

   |Preamble|  Frame | Dev ID |     Payload      |Msg Auth Code| FCS |
   |        |  Sync  |        |                  |             |     |

                       Figure 5: Uplink Frame Format

   The uplink frame is composed of the following fields:

   o  Preamble: 19 bits

   o  Frame sync and header: 29 bits

   o  Device ID: 32 bits

   o  Payload: 0-96 bits

   o  Authentication: 16-40 bits

   o  Frame check sequence: 16 bits (CRC)

   The main radio characteristics of the UNB downlink transmission are:

   o  Channelization mask: 1.5 kHz

   o  Downlink baud rate: 600 baud

   o  Modulation scheme: GFSK

   o  Downlink transmission power: 500 mW (4W in the USA)

   o  Link budget: 153 dB (or better)

   o  Central frequency accuracy: Centre frequency of downlink
      transmission are set by the network according to the corresponding
      uplink transmission.

Farrell                    Expires May 2, 2017                 [Page 18]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   In Europe, the UNB downlink frequency band is limited to 869,40 to
   869,65 MHz, with a maximum output power of 500 mW with 10% duty

   The format of the downlink frame is the following:

   |  Preamble  |Frame|   ECC   |     Payload      |Msg Auth Code| FCS |
   |            |Sync |         |                  |             |     |

                      Figure 6: Downlink Frame Format

   The downlink frame is composed of the following fields:

   o  Preamble: 91 bits

   o  Frame sync and header: 13 bits

   o  Error Correcting Code (ECC): 32 bits

   o  Payload: 0-64 bits

   o  Authentication: 16 bits

   o  Frame check sequence: 8 bits (CRC)

   The radio interface is optimized for uplink transmissions, which are
   asynchronous.  Downlink communications are achieved by querying the
   network for existing data from the device.

   A device willing to receive downlink messages opens a fixed window
   for reception after sending an uplink transmission.  The delay and
   duration of this window have fixed values.  The LTN network transmits
   the downlink message for a given device during the reception window.
   The LTN network selects the BS for transmitting the corresponding
   downlink message.

   Uplink and downlink transmissions are unbalanced due to the
   regulatory constraints on the ISM bands.  Under the strictest
   regulations, the system can allow a maximum of 140 uplink messages
   and 4 downlink messages per device.  These restrictions can be
   slightly relaxed depending on system conditions and the specific
   regulatory domain of operation.

Farrell                    Expires May 2, 2017                 [Page 19]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

                |EP| *                    +------+
                +--+   *                  |  RA  |
                         *                +------+
                +--+       *                 |
                |EP| * * *   *               |
                +--+       *   +----+        |
                             * | BS | \  +--------+
                +--+       *   +----+  \ |        |
        DA -----|EP| * * *               |   SC   |----- NA
                +--+       *           / |        |
                             * +----+ /  +--------+
                +--+       *   | BS |/
                |EP| * * *   * +----+
                +--+         *
                +--+     *
                |EP| * *

                      Figure 7: ETSI LTN architecture

   Figure 7 depicts the different elements of the SIGFOX architecture.

   The architecture consists of a single core network, which allows
   global connectivity with minimal impact on the end device and radio
   access network.  The core network elements are the Service Center
   (SC) and the Registration Authority (RA).  The SC is in charge of the
   data connectivity between the Base Station (BS) and the Internet, as
   well as the control and management of the BSs and End Points.  The RA
   is in charge of the End Point network access authorization.

   The radio access network is comprised of several BSs connected
   directly to the SC.  Each BS performs complex L1/L2 functions,
   leaving some L2 and L3 functionalities to the SC.

   The devices or End Points (EPs) are the objects that communicate
   application data between local device applications (DAs) and network
   applications (NAs).

   EPs (or devices) can be static or nomadic, as they associate with the
   SC and they do not attach to a specific BS.  Hence, they can
   communicate with the SC through one or many BSs.

   Due to constraints in the complexity of the EP, it is assumed that
   EPs host only one or very few device applications, which communicate
   to one single network application at a time.

Farrell                    Expires May 2, 2017                 [Page 20]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

   The radio protocol provides mechanisms to authenticate and ensure
   integrity of the message.  This is achieved by using a unique device
   ID and a message authentication code, which allow ensuring that the
   message has been generated and sent by the device with the ID claimed
   in the message.

   Security keys are independent for each device.  These keys are
   associated with the device ID and they are pre-provisioned.
   Application data can be encrypted by the application provider.

4.4.  WI-SUN

   [[Add text here when available.  Source = bheile@ieee.org]]

5.  Gap Analysis

   [[Add text here from [I-D.minaburo-lpwan-gap-analysis].]]

6.  Security Considerations

7.  IANA Considerations

   There are no IANA considerations related to this memo.

8.  Contributors

   As stated above this document is mainly a collection of content
   developed by the full set of contributors listed below.  The main
   input documents and their authors were:

   o  The text on LoRaWAN was based on [I-D.farrell-lpwan-lora-overview]
      co-authored by Alper Yegin and Stephen Farrell.

   o  Text for Section 4.2 was provided by Antti Ratilainen in

   o  Text for Section 4.3 was provided by Juan Carlos Zuniga and Benoit
      Ponsard in [I-D.zuniga-lpwan-sigfox-system-description].

   o  Text for Section 5 was provided by Ana Minabiru, Carles Gomez,
      Laurent Toutain, Josep Paradells and Jon Crowcroft in
      [I-D.minaburo-lpwan-gap-analysis].  Additional text from that
      draft is also used elsewhere above.

   The full list of contributors are:

Farrell                    Expires May 2, 2017                 [Page 21]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

      Jon Crowcroft
      University of Cambridge
      JJ Thomson Avenue
      Cambridge, CB3 0FD
      United Kingdom

      Email: jon.crowcroft@cl.cam.ac.uk

      Carles Gomez
      C/Esteve Terradas, 7
      Castelldefels 08860

      Email: carlesgo@entel.upc.edu

      Ana Minaburo
      2bis rue de la Chataigneraie
      35510 Cesson-Sevigne Cedex

      Email: ana@ackl.io

      Josep PAradells
      C/Jordi Girona, 1-3
      Barcelona 08034

      Email: josep.paradells@entel.upc.edu

      Benoit Ponsard
      425 rue Jean Rostand
      Labege  31670

      Email: Benoit.Ponsard@sigfox.com
      URI:   http://www.sigfox.com/

      Antti Ratilainen

Farrell                    Expires May 2, 2017                 [Page 22]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

      Hirsalantie 11
      Jorvas  02420

      Email: antti.ratilainen@ericsson.com

      Laurent Toutain
      Institut MINES TELECOM ; TELECOM Bretagne
      2 rue de la Chataigneraie
      CS 17607
      35576 Cesson-Sevigne Cedex

      Email: Laurent.Toutain@telecom-bretagne.eu

      Alper Yegin
      Paris, Paris

      Email: alper.yegin@actility.com

      Juan Carlos Zuniga
      425 rue Jean Rostand
      Labege  31670

      Email: JuanCarlos.Zuniga@sigfox.com
      URI:   http://www.sigfox.com/

9.  Acknowledgements

   Thanks to all those listed in Section 8 for the excellent text.
   Errors in the handling of that are solely the editor's fault.

   Thanks to [your name here] for comments.

   Stephen Farrell's work on this memo was supported by the Science
   Foundation Ireland funded CONNECT centre <https://connectcentre.ie/>.

Farrell                    Expires May 2, 2017                 [Page 23]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

10.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

              Farrell, S. and A. Yegin, "LoRaWAN Overview", draft-
              farrell-lpwan-lora-overview-01 (work in progress), October

              Minaburo, A., Gomez, C., Toutain, L., Paradells, J., and
              J. Crowcroft, "LPWAN Survey and GAP Analysis", draft-
              minaburo-lpwan-gap-analysis-02 (work in progress), October

              Zuniga, J. and B. PONSARD, "SIGFOX System Description",
              draft-zuniga-lpwan-sigfox-system-description-00 (work in
              progress), July 2016.

              Ratilainen, A., "NB-IoT characteristics", draft-
              ratilainen-lpwan-nb-iot-00 (work in progress), July 2016.

              3GPP, "TS 36.300 v13.4.0 Evolved Universal Terrestrial
              Radio Access (E-UTRA) and Evolved Universal Terrestrial
              Radio Access Network (E-UTRAN); Overall description; Stage
              2", 2016,

              3GPP, "TS 36.321 v13.2.0 Evolved Universal Terrestrial
              Radio Access (E-UTRA); Medium Access Control (MAC)
              protocol specification", 2016.

              3GPP, "TS 36.322 v13.2.0 Evolved Universal Terrestrial
              Radio Access (E-UTRA); Radio Link Control (RLC) protocol
              specification", 2016.

              3GPP, "TS 36.323 v13.2.0 Evolved Universal Terrestrial
              Radio Access (E-UTRA); Packet Data Convergence Protocol
              (PDCP) specification (Not yet available)", 2016.

Farrell                    Expires May 2, 2017                 [Page 24]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

              3GPP, "TS 36.331 v13.2.0 Evolved Universal Terrestrial
              Radio Access (E-UTRA); Radio Resource Control (RRC);
              Protocol specification", 2016.

              3GPP, "TS 36.201 v13.2.0 - Evolved Universal Terrestrial
              Radio Access (E-UTRA); LTE physical layer; General
              description", 2016.

              3GPP, "TR 23.720 v13.0.0 - Study on architecture
              enhancements for Cellular Internet of Things", 2016.

              3GPP, "TS 33.203 v13.1.0 - 3G security; Access security
              for IP-based services", 2016.

              "ETSI Technical Committee on EMC and Radio Spectrum
              Matters (ERM) TG28 Low Throughput Networks (LTN)",
              February 2015.

   [fcc_ref]  "FCC CFR 47 Part 15.247 Telecommunication Radio Frequency
              Devices - Operation within the bands 902-928 MHz,
              2400-2483.5 MHz, and 5725-5850 MHz.", June 2016.

              "ETSI EN 300-220 (Parts 1 and 2): Electromagnetic
              compatibility and Radio spectrum Matters (ERM); Short
              Range Devices (SRD); Radio equipment to be used in the 25
              MHz to 1 000 MHz frequency range with power levels ranging
              up to 500 mW", May 2016.

              "ARIB STD-T108 (Version 1.0): 920MHz-Band Telemeter,
              Telecontrol and data transmission radio equipment.",
              February 2012.

              LoRa Alliance, "LoRaWAN Specification Version V1.0.2", Nov
              2016, <URL TBD>.

              LoRa Alliance, "LoRaWAN Specification Version V1.0", Jan
              2015, <https://www.lora-alliance.org/portals/0/specs/

Farrell                    Expires May 2, 2017                 [Page 25]

Internet-Draft   Low Power Wide Area Networking Overview    October 2016

Author's Address

   Stephen Farrell (editor)
   Trinity College Dublin
   Dublin  2

   Phone: +353-1-896-2354
   Email: stephen.farrell@cs.tcd.ie

Farrell                    Expires May 2, 2017                 [Page 26]