How LTE/4G Works: OFDMA, MIMO, and the Evolved Packet Core
LTE (Long Term Evolution) is the fourth generation (4G) cellular network technology, standardized by 3GPP beginning with Release 8 in 2008. LTE introduced an all-IP flat architecture that replaced the circuit-switched voice and hierarchical node structure of 3G UMTS/WCDMA with a packet-switched core and a simplified radio access network. The result was a massive leap in performance: typical LTE deployments deliver 10-50 Mbps downlink throughput with 20-30 ms latency, compared to 3G's 1-5 Mbps and 60-100 ms. LTE achieved this through OFDMA for the downlink, SC-FDMA for the uplink, MIMO antenna techniques, and a streamlined core network called the Evolved Packet Core (EPC). Over a decade after its initial deployment, LTE remains the world's most widely used cellular technology, serving billions of connections worldwide and forming the foundation upon which 5G NR was built.
The LTE Air Interface: OFDMA and SC-FDMA
LTE uses OFDMA (Orthogonal Frequency Division Multiple Access) for the downlink (tower to device) and SC-FDMA (Single Carrier Frequency Division Multiple Access) for the uplink (device to tower). Both are based on OFDM, which divides the available bandwidth into many narrow subcarriers, each 15 kHz wide. A 20 MHz LTE channel, for example, contains 1,200 active subcarriers.
OFDMA allows the eNodeB (base station) to allocate different sets of subcarriers to different users simultaneously. The minimum allocation unit is a resource block (RB): 12 consecutive subcarriers (180 kHz) for one 0.5 ms time slot. A 20 MHz channel has 100 resource blocks, which the scheduler distributes among users based on channel conditions, quality of service requirements, and traffic volume.
SC-FDMA was chosen for the uplink instead of OFDMA because it has a lower Peak-to-Average Power Ratio (PAPR). OFDM's multiple subcarriers can constructively interfere, creating high power peaks that require an expensive, power-hungry linear amplifier. For a mobile device running on battery, this is impractical. SC-FDMA applies a DFT (Discrete Fourier Transform) pre-coding step before the OFDM modulation, which spreads each user's data across the allocated subcarriers in a way that produces a single-carrier-like waveform with lower PAPR. The tradeoff is slightly lower spectral efficiency than OFDMA, but the battery life improvement is worth it.
LTE supports channel bandwidths of 1.4, 3, 5, 10, 15, and 20 MHz, with the number of resource blocks scaling proportionally (6 to 100 RBs). Each subcarrier can use modulation schemes from QPSK (2 bits/symbol, robust but slow) to 64-QAM (6 bits/symbol, fast but requires excellent signal quality). LTE-Advanced extended this to 256-QAM on the downlink, squeezing 8 bits per symbol from each subcarrier in ideal conditions.
The Radio Access Network: eNodeB
In LTE, the base station is called an eNodeB (evolved Node B). Unlike 3G, where the base station (Node B) was a relatively simple radio transceiver controlled by a separate Radio Network Controller (RNC), the eNodeB absorbs most of the RNC's functions. This "flat" architecture eliminates a network element and reduces latency, because radio resource management, handover decisions, and scheduling all happen at the eNodeB without requiring round-trips to a controller.
Each eNodeB is responsible for:
- Radio resource management -- Allocating resource blocks to users based on channel quality indicators (CQI), buffer status reports (BSR), and QoS requirements
- Scheduling -- Deciding which users transmit/receive in each subframe (1 ms granularity). The scheduler is not standardized -- vendors compete on scheduler quality. Common algorithms include proportional fair scheduling (which balances throughput and fairness) and maximum throughput (which serves the user with the best channel conditions first).
- HARQ (Hybrid ARQ) -- Managing retransmissions at the MAC layer. If a user fails to decode a transport block, it sends a NACK, and the eNodeB retransmits within 8 ms (the HARQ round-trip time).
- Handover execution -- Measuring neighbor cell signal strengths reported by the UE, deciding when to hand over, and coordinating with the target eNodeB via the X2 interface (direct eNodeB-to-eNodeB signaling).
- Encryption and integrity -- Traffic between the UE and the eNodeB is encrypted (using AES-128 or SNOW 3G), and RRC signaling is additionally integrity-protected. User-plane data is encrypted but not integrity-protected in LTE.
eNodeBs communicate with each other over the X2 interface for handover coordination and inter-cell interference management. They connect to the core network over the S1 interface: S1-MME for control plane signaling (to the MME) and S1-U for user plane data (to the S-GW). The S1 interface typically runs over fiber or microwave backhaul.
The Evolved Packet Core (EPC)
The EPC is the LTE core network. It is a fully packet-switched architecture with a clean separation between the control plane (signaling) and the user plane (data). The key components are:
- MME (Mobility Management Entity) -- The control plane hub. Handles attach/detach procedures, authentication (via AKA protocol with the HSS), bearer establishment and modification, idle-mode paging, and handover signaling. The MME does not touch user data -- only signaling messages pass through it.
- S-GW (Serving Gateway) -- The user plane anchor for the eNodeB. All user traffic passes through the S-GW. During handover between eNodeBs, the S-GW provides a stable anchor point so that in-flight packets are not lost. The S-GW also handles inter-3GPP mobility (handover between LTE and 3G/2G).
- P-GW (PDN Gateway) -- The gateway to external packet data networks (PDNs), primarily the internet. The P-GW assigns the UE its IP address (via DHCP or static allocation), performs NAT if needed, applies policy and charging rules, and routes traffic to and from the internet. The P-GW is also the mobility anchor for non-3GPP access (e.g., WiFi offload).
- HSS (Home Subscriber Server) -- The master database of subscriber information. Stores IMSI, authentication keys (K), subscribed QoS profiles, and APN (Access Point Name) configurations. The HSS is the evolution of 3G's HLR (Home Location Register).
- PCRF (Policy and Charging Rules Function) -- Determines what QoS and charging policies apply to each session. The PCRF communicates with the P-GW to install policy rules (bandwidth limits, service priority, charging method) based on the subscriber's plan and the type of traffic.
Bearers: QoS in LTE
All traffic in LTE flows through bearers -- logical tunnels between the UE and the P-GW that define the QoS treatment for traffic. When a UE attaches to the network, a default bearer is established with a QoS class identifier (QCI) that provides best-effort connectivity. This bearer remains active for the duration of the session and carries all traffic that does not match a dedicated bearer.
Dedicated bearers are established on demand for traffic requiring specific QoS treatment. For example, a VoLTE call triggers the creation of a dedicated bearer with QCI 1 (conversational voice: guaranteed bit rate, 100 ms latency budget, highest priority). A video streaming session might get QCI 4 (non-conversational video: guaranteed bit rate, 300 ms latency budget). The PCRF determines which bearers to establish based on the application's requirements and the subscriber's service plan.
3GPP defines nine standard QCI values, each with specific characteristics:
- QCI 1 -- Conversational voice (VoLTE). GBR, 100 ms latency, priority 2.
- QCI 2 -- Conversational video. GBR, 150 ms latency, priority 4.
- QCI 3 -- Real-time gaming. GBR, 50 ms latency, priority 3.
- QCI 4 -- Non-conversational video (streaming). GBR, 300 ms latency, priority 5.
- QCI 5 -- IMS signaling (SIP for VoLTE). Non-GBR, 100 ms latency, priority 1.
- QCI 6 -- Video (buffered), TCP-based (YouTube, Netflix). Non-GBR, 300 ms latency, priority 6.
- QCI 7 -- Voice, video, interactive gaming. Non-GBR, 100 ms latency, priority 7.
- QCI 8 -- Video (buffered), TCP-based (premium). Non-GBR, 300 ms latency, priority 8.
- QCI 9 -- Video, TCP-based (default). Non-GBR, 300 ms latency, priority 9. The default bearer typically uses QCI 9.
Bearers are implemented as GTP (GPRS Tunneling Protocol) tunnels between the eNodeB and the S-GW, and between the S-GW and the P-GW. Each bearer has a unique Tunnel Endpoint Identifier (TEID) at each end. The GTP-U protocol encapsulates user IP packets in UDP/IP with a GTP header, carrying them through the core network. This tunneling allows the core network to route traffic for all bearers of all users through the same IP infrastructure while maintaining QoS separation.
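The header layout described above, as an added example that is not part of the original page: a minimal GTPv1-U parser that validates the header and pulls out the TEID and the inner packet's endpoints, the kind of check a backhaul monitoring probe performs. The sample packet, its addresses and the function names are constructed for illustration.

```python
import ipaddress
import struct

G_PDU = 0xFF  # GTP-U message type that carries an encapsulated user IP packet

def inner_endpoints(pkt: bytes):
    """Return (src, dst, protocol) of the encapsulated IPv4/IPv6 packet."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return (str(ipaddress.IPv4Address(pkt[12:16])),
                str(ipaddress.IPv4Address(pkt[16:20])), pkt[9])
    if version == 6 and len(pkt) >= 40:
        return (str(ipaddress.IPv6Address(pkt[8:24])),
                str(ipaddress.IPv6Address(pkt[24:40])), pkt[6])
    raise ValueError("inner packet is not a complete IPv4/IPv6 header")

def parse_gtpu(payload: bytes) -> dict:
    """Parse a GTPv1-U UDP payload; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("shorter than the 8-byte mandatory header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTP version 1 with protocol type GTP")
    if length != len(payload) - 8:
        raise ValueError("length field disagrees with payload size")
    offset, seq = 8, None
    if flags & 0x07:  # E, S or PN set: 4 optional bytes follow the TEID
        if len(payload) < 12:
            raise ValueError("truncated optional fields")
        seq_raw, _npdu, next_ext = struct.unpack("!HBB", payload[8:12])
        seq = seq_raw if flags & 0x02 else None
        offset = 12
        if not flags & 0x04:
            next_ext = 0  # E flag clear: next-extension field is not interpreted
        while next_ext:  # each extension: length (4-octet units), content, next type
            ext_len = payload[offset] * 4 if offset < len(payload) else 0
            if ext_len == 0 or offset + ext_len > len(payload):
                raise ValueError("malformed extension header")
            next_ext = payload[offset + ext_len - 1]
            offset += ext_len
    inner = inner_endpoints(payload[offset:]) if msg_type == G_PDU else None
    return {"teid": teid, "msg_type": msg_type, "seq": seq, "inner": inner}

def build_sample(teid: int, seq=None) -> bytes:
    """Constructed sample: a G-PDU wrapping a bare IPv4 header (UDP, no payload)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                        ipaddress.IPv4Address("10.45.0.2").packed,
                        ipaddress.IPv4Address("192.0.2.10").packed)
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)
    flags = 0x30 if seq is None else 0x32
    return struct.pack("!BBHI", flags, G_PDU, len(opt) + len(inner), teid) + opt + inner
```

Calling `parse_gtpu(build_sample(0xABCD, seq=7))` returns the TEID, the sequence number and the inner source and destination addresses.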
Attach Procedure: From Power-On to Data
When a UE powers on and connects to an LTE network, it goes through the attach procedure -- a multi-step process involving authentication, security setup, and bearer establishment:
- Cell search and selection -- The UE scans for LTE frequencies, synchronizes to a cell using the Primary and Secondary Synchronization Signals (PSS/SSS), and reads the Master Information Block (MIB) and System Information Blocks (SIBs) to learn the cell's configuration.
- Random Access (RACH) -- The UE sends a Random Access Preamble on the PRACH to the eNodeB, which responds with timing advance and a temporary C-RNTI (identifier).
- Attach Request -- The UE sends an Attach Request to the MME (via the eNodeB), including its IMSI (or a previously assigned temporary identifier, GUTI).
- Authentication (AKA) -- The MME contacts the HSS to obtain authentication vectors. It challenges the UE with a random value; the UE's USIM computes a response using its secret key K. If the response matches, the UE is authenticated. This process also derives encryption and integrity keys for the session.
- NAS Security Mode Command -- The MME activates NAS (Non-Access Stratum) encryption and integrity protection between the UE and the MME.
- AS Security Mode Command -- The eNodeB activates AS (Access Stratum) encryption and integrity protection between the UE and the eNodeB for the radio interface.
- Default Bearer Setup -- The MME signals the S-GW and P-GW to establish a default bearer. The P-GW assigns an IP address to the UE. GTP tunnels are created across S1-U and S5/S8 interfaces.
- Attach Accept -- The MME sends an Attach Accept to the UE with the assigned IP address, the default bearer's QoS parameters, and a GUTI (Globally Unique Temporary Identifier) for future use.
This entire process typically completes in 50-200 ms. After the attach is complete, the UE has an IP address, a default bearer to the internet, and can send and receive data.
Handover: Mobility Without Interruption
As a UE moves between cells, the network must hand over the connection from the source eNodeB to the target eNodeB without dropping the session. LTE supports several handover types:
- X2 handover (intra-MME) -- The most common type. The source eNodeB decides to hand over (based on measurement reports from the UE showing the target cell has a stronger signal), sends a Handover Request to the target eNodeB over the X2 interface, and the target prepares resources. The UE detaches from the source and attaches to the target. During the brief transition (typically 20-50 ms), packets destined for the UE are forwarded from the source eNodeB to the target over X2. The S-GW then switches the GTP tunnel endpoint to the target eNodeB.
- S1 handover (inter-MME) -- When the target eNodeB is served by a different MME, the handover must go through the core network. The source MME forwards the handover request to the target MME, which coordinates with the target eNodeB. This is slower than X2 handover but necessary for mobility between MME service areas.
- Inter-RAT handover -- Handover between LTE and 3G (UMTS) or 2G (GSM). The S-GW provides the anchor point, maintaining the GTP tunnel while the radio connection changes. This is used when a UE moves out of LTE coverage into an area served only by 3G/2G.
The key insight in LTE handover design is that the UE is always connected to exactly one cell (there is no soft handover as in 3G CDMA). This simplifies the radio interface but puts pressure on the network to make fast, accurate handover decisions. If the handover is triggered too late (the UE loses signal from the source before connecting to the target), the call drops. If triggered too early (before the target cell is reliably better), the UE may "ping-pong" between cells, wasting resources.
MIMO and LTE-Advanced
MIMO (Multiple Input, Multiple Output) uses multiple antennas at both the transmitter and receiver to increase throughput and reliability. LTE supports up to 4x4 MIMO on the downlink in its initial release, meaning four transmit antennas at the eNodeB and four receive antennas at the UE.
MIMO works in two primary modes:
- Spatial multiplexing -- Different data streams are transmitted simultaneously from different antennas. In 2x2 MIMO, two independent streams double the peak throughput. This requires sufficient signal quality and multipath propagation so the receiver can distinguish the streams.
- Transmit diversity -- The same data is sent from multiple antennas with different coding. This does not increase throughput but improves reliability and coverage at cell edges where signal quality is poor.
LTE-Advanced (3GPP Releases 10-13) extended the capabilities significantly:
- Carrier aggregation (CA) -- Bonding multiple LTE carriers together for wider effective bandwidth. Up to five component carriers of 20 MHz each, for a maximum aggregate bandwidth of 100 MHz. Carriers can be in different bands (inter-band CA) or the same band (intra-band CA, contiguous or non-contiguous). In practice, most deployments use 2-3 carrier aggregation, achieving 150-450 Mbps real-world throughput.
- Enhanced MIMO -- Up to 8x8 MIMO on the downlink and 4x4 on the uplink. LTE-Advanced Pro (Release 13+) introduced Full Dimension MIMO (FD-MIMO) with up to 64 antenna ports, the precursor to 5G's massive MIMO.
- 256-QAM -- Higher-order modulation that packs 8 bits per symbol instead of 6 (64-QAM). Only usable in very good signal conditions but provides a 33% throughput increase when applicable.
- Coordinated Multipoint (CoMP) -- Multiple eNodeBs coordinate their transmissions to reduce interference at cell edges. Joint Processing CoMP has multiple cells transmit the same data to a cell-edge user, while Coordinated Beamforming avoids scheduling interfering transmissions.
- Licensed Assisted Access (LAA) -- Allows LTE to operate in unlicensed 5 GHz spectrum (the same band as WiFi), using Listen-Before-Talk (LBT) to coexist with WiFi. The unlicensed carrier is aggregated with a licensed carrier as an anchor.
VoLTE: Voice Over LTE
LTE was designed as a data-only network. In early LTE deployments, voice calls were handled by "falling back" to the 3G or 2G circuit-switched network (Circuit Switched Fallback, CSFB). This caused a multi-second delay when initiating or receiving a call while on LTE, as the phone had to switch radio access technology.
VoLTE (Voice over LTE) solves this by carrying voice as a VoIP service over the LTE data network, using the IP Multimedia Subsystem (IMS). When a VoLTE call is made:
- The UE initiates a SIP (Session Initiation Protocol) session through the IMS core
- The PCRF triggers the creation of a dedicated bearer with QCI 1 (guaranteed bit rate, low latency)
- Voice is encoded using the AMR-WB (Adaptive Multi-Rate Wideband) codec at 12.65-23.85 kbps
- RTP (Real-time Transport Protocol) packets carry the encoded voice over the dedicated bearer
- The eNodeB's scheduler prioritizes QCI 1 traffic, ensuring consistent low latency
VoLTE delivers significantly better voice quality than 3G because AMR-WB encodes audio at 50-7000 Hz (compared to 300-3400 Hz for narrowband codecs), and the dedicated bearer guarantees the bandwidth and latency needed for real-time voice. Call setup time is also faster -- around 1-2 seconds compared to 5-8 seconds for CSFB.
LTE Security Architecture
LTE implements security at multiple layers:
- Authentication -- Mutual authentication using the AKA (Authentication and Key Agreement) protocol. Both the network and the UE prove their identity using a shared secret key (K) stored in the USIM and the HSS. This prevents rogue base stations from impersonating legitimate networks -- a significant improvement over 2G, which had no mutual authentication.
- NAS encryption -- Signaling between the UE and the MME is encrypted using EEA (EPS Encryption Algorithm) -- either AES-128-CTR (EEA2) or SNOW 3G (EEA1).
- AS encryption -- User plane and control plane traffic between the UE and the eNodeB is encrypted using the same algorithms.
- Integrity protection -- NAS and RRC (Radio Resource Control) signaling messages are integrity-protected to prevent tampering. User plane data is not integrity-protected in LTE (this was added in 5G).
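The key derivation that the AKA step of the attach procedure and the layers listed above depend on, as an added example that is not part of the original page. It follows the key names and KDF inputs of 3GPP TS 33.401 Annex A (K_ASME, K_eNB and the FC constants come from that specification, not from this page). CK, IK and SQN xor AK are constructed sample values; the USIM/HSS computation that produces them is not implemented.

```python
import hashlib
import hmac

# FC values and algorithm-type distinguishers as defined in 3GPP TS 33.401 Annex A.
FC_KASME, FC_KENB, FC_ALG = 0x10, 0x11, 0x15
ALG_TYPE = {"NASenc": 0x01, "NASint": 0x02, "RRCenc": 0x03, "RRCint": 0x04, "UPenc": 0x05}

def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF: HMAC-SHA-256 over FC || P0 || L0 || P1 || L1 ..."""
    s = bytes([fc]) + b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(key, s, hashlib.sha256).digest()

def plmn_id(mcc: str, mnc: str) -> bytes:
    """Encode MCC/MNC as the 3-octet serving network identity (BCD, nibble-swapped)."""
    mnc3 = mnc[2] if len(mnc) == 3 else "f"
    return bytes.fromhex(mcc[1] + mcc[0] + mnc3 + mcc[2] + mnc[1] + mnc[0])

def alg_key(parent: bytes, kind: str, alg_id: int) -> bytes:
    """128-bit algorithm key: the low-order 128 bits of the KDF output."""
    return kdf(parent, FC_ALG, bytes([ALG_TYPE[kind]]), bytes([alg_id]))[16:]

def key_hierarchy(ck, ik, mcc, mnc, sqn_xor_ak, ul_nas_count=0, eea=2, eia=2):
    """Derive NAS and AS keys from the CK/IK that AKA produced on the USIM and in the HSS."""
    # K_ASME is bound to the serving network: a different PLMN yields different keys.
    k_asme = kdf(ck + ik, FC_KASME, plmn_id(mcc, mnc), sqn_xor_ak)
    # K_eNB is what the MME hands to the eNodeB; the eNodeB never sees K_ASME.
    k_enb = kdf(k_asme, FC_KENB, ul_nas_count.to_bytes(4, "big"))
    return {
        "K_NASenc": alg_key(k_asme, "NASenc", eea),   # UE <-> MME ciphering
        "K_NASint": alg_key(k_asme, "NASint", eia),   # UE <-> MME integrity
        "K_RRCenc": alg_key(k_enb, "RRCenc", eea),    # UE <-> eNodeB signaling ciphering
        "K_RRCint": alg_key(k_enb, "RRCint", eia),    # UE <-> eNodeB signaling integrity
        "K_UPenc": alg_key(k_enb, "UPenc", eea),      # user plane: ciphering only
    }

# Constructed sample inputs (not real subscriber material). CK, IK and SQN xor AK
# would come from the USIM/HSS AKA computation, which is not implemented here.
SAMPLE_CK = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_IK = bytes.fromhex("101112131415161718191a1b1c1d1e1f")
SAMPLE_SQN_XOR_AK = bytes.fromhex("a1b2c3d4e5f6")

if __name__ == "__main__":
    sample = key_hierarchy(SAMPLE_CK, SAMPLE_IK, "001", "01", SAMPLE_SQN_XOR_AK)
    for name, key in sample.items():
        print(f"{name}: {key.hex()}")
```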
A notable weakness: LTE does not encrypt traffic between the eNodeB and the core network by default. The S1-U and X2 interfaces rely on the backhaul network's physical security. In practice, many operators use IPsec tunnels on these interfaces, but it is not mandated by the standard.
LTE and the IP Network
From the P-GW outward, LTE traffic is standard IP. The P-GW connects to the internet (or a private corporate APN) via the SGi interface, which is simply an IP connection. Mobile operators announce their address blocks via BGP from their autonomous systems -- for example, T-Mobile US (AS21928), AT&T (AS7018), or Verizon Wireless (AS22394). When you use LTE to access the internet, your device's IP address belongs to one of these operator prefixes, and the traffic is routed through the operator's backbone before reaching internet exchange points and peering connections. You can trace your mobile device's path through the global routing table using the god.ad looking glass.