Direct-to-Cell Satellite Network without Satellite Navigation
Direct-to-cell satellites enable global network services for our regular phones/IoTs via 4G, 5G, and beyond. To enforce highly available, trustworthy, and roaming policy-compliant network services, they heavily rely on user geolocation and timing information from external global navigation satellite systems (GNSS) to assist with their radio access, authentication, and authorization. Our analysis and field tests reveal that this cross-technology over-reliance propagates satellite navigation’s defects to direct-to-cell satellite networks, leading to diverse issues such as intermittent connectivity, over/under-billing, unauthorized services, and service denials even when direct-to-cell satellites are accessible. Our solution, SN², adopts the “fate-sharing” principle to reuse direct-to-cell satellites themselves for self-navigating networks. By exploiting the flexible tradeoffs between satellite network availability and navigation accuracy, it enables “good enough” built-in navigation for highly available and functionally correct network services at a negligible cost of hardware or communication resources. Our evaluations with commodity satellite phones and 3GPP NTN protocol stacks demonstrate SN²’s 4.4–23.5× network availability boost and 1.9–12.3× access latency reduction over legacy solutions.
Introduction
Direct-to-cell satellites enable 4G, 5G, and beyond from space for our regular phones/IoTs across the Earth for anywhere, anytime network services. Thanks to the declining costs of manufacturing and launching large numbers of satellites into space, they are being rapidly deployed into Low Earth Orbits (LEOs) at 340–2,000 km altitudes that are closer to our phones/IoTs for better radio quality, faster data speed, and more affordable terminal hardware. To date, some direct-to-cell satellites are already operational, such as Starlink [1], AST [2], Iridium [3], Globalstar for iPhones [4], and Skylo for Google Pixel [5]. Starlink has launched 674 direct-to-cell satellites [1, 6] and demonstrated their capability for video calls [7] and 17 Mbps downlink speed [8] using regular 4G phones. The global standardizations of 3GPP non-terrestrial networks (NTN) [9–19] for direct-to-cell satellites are also on the fast track.
A salient feature of the direct-to-cell satellite network is its long-range spatiotemporal dynamics for users due to extreme LEO satellite mobility across the Earth. It poses multifaceted new challenges for users to activate their network services: it lowers satellite link availability via severe radio propagation delays and Doppler frequency shifts, forces frequent satellite re-authentications due to short-lived visibility for users, and complicates user authorizations with diverse roaming policies with different access control, QoS, and billing rules.
A common solution to these deficiencies is to renovate the radio access, authentication, and authorization functions with the assistance of users’ runtime geolocation and timing, as shown in Figure 1. To obtain them, both operational satellite systems [20, 21] and 3GPP standards [15] mandate the existence and use of external navigation services for users attempting to access satellites, primarily via global navigation satellite systems (GNSS) like GPS and Beidou, which are usually the only option for unconnected terminals.
However, direct-to-cell satellites’ cross-technology reliance on external navigation satellites turns out to be an “Achilles’ heel” for networking. GNSS is well known to be prone to out-of-service and mislocalization under radio interference and malicious manipulation [22–28] due to its weak signals from distant medium Earth orbits (MEOs) at 20,000–35,000 km altitudes and small constellations with only tens of satellites. Our analysis and field tests in §3 show that these defects can propagate to direct-to-cell satellite networks to threaten their availability and correctness. They can lead to over/under-billing, unauthorized services, or out-of-service even when direct-to-cell satellites are accessible. Such cross-technology dependencies are beyond direct-to-cell satellites’ control. While they could be mitigated by using expensive military GNSS with more bandwidth and cryptographic protections, it is not available or affordable to our regular phones/IoTs.
In this paper, we examine the feasibility of enabling direct-to-cell satellite networks without external satellite navigation. We believe this is a desirable feature for direct-to-cell satellites to mitigate uncontrollable threats from external services. The challenge, however, is how to retain their network function correctness when geolocation and timing information from external navigation is unavailable or unreliable.
To this end, we propose self-navigating direct-to-cell LEO satellite networks. This new paradigm follows the “fate-sharing” network design principle [29] to foster always-on direct-to-cell satellite networks as long as their communication links are alive, regardless of whether external navigation services are dependable. It is enabled by two ideas:
• Direct-to-cell satellites as navigators: Similar to GNSS, direct-to-cell satellites can be reused for navigation with their broadcast signals and predictable ephemeris. As long as in service, users can always leverage them for highly available built-in positioning and timing. Compared to small-scale GNSS from MEOs, LEO mega-constellations are closer to users with better radio signals and more satellites, thus making them a reliable complement to GNSS.
• Network-oriented navigation: Different from purpose-built navigation satellites, direct-to-cell satellites cannot always guarantee accurate localization or timing due to their communication nature. Fortunately, we will show that accurate navigation is not always necessary. There exist flexible, dynamic tradeoffs between direct-to-cell satellite network availability and navigation accuracy, allowing correct services based on less accurate navigation.
Our solution, SN² (Self-Navigating direct-to-cell Satellite Network), leverages both insights for highly available and resilient satellite networks. Rather than striving for high-precision navigation, SN² combines GNSS with its built-in direct-to-cell navigation to offer “good enough” geolocation and timing to activate network services as soon as possible at a negligible cost of hardware and communication resources. To achieve this, it revisits satellite cellular radio access, authentication, and authorization’s navigation requirements to relax them safely without compromising functional correctness. By reusing existing cellular signals and control messages, SN² is incrementally deployable in existing phones/IoTs, satellites, and 3GPP NTN architecture. We highlight that SN² will not replace GNSS; instead, it is a hybrid option that can enhance the availability of direct-to-cell satellite networks. In the worst case (e.g., GNSS is out-of-service or inaccurate), SN² can be a fallback option that guarantees satellite services.
We prototype and evaluate SN² in commodity satellite phones and Amarisoft NTN protocol stack. Compared to the standard 3GPP NTN and operational Iridium/Globalstar direct-to-cell LEO satellites, SN² improves network availability by 4.4–23.5× and reduces access latency by 1.9–12.3×.
Ethics: This work does not raise ethical issues. All experiments were conducted using our own equipment without compromising operational satellites, networks or users.
Direct-to-Cell Satellites
Direct-to-cell satellites emerge as complementary network access for regular phones/IoTs in underserved areas where terrestrial cellular networks are unavailable. Different from conventional geostationary satellite communications, recent direct-to-cell satellites [1–4] operate in LEOs at an altitude of 340–2,000 km to be closer to phones/IoTs for faster network speed, lower energy costs, and more affordable terminal hardware. They have partnered with more than 20 mobile operators [2, 30–36] worldwide to directly connect their regular iOS [4, 37] and Android [3, 5] phones and IoT devices.
To be compatible with regular phones/IoTs for a broader customer base, most direct-to-cell satellites reuse standard cellular protocols with optionally mild customizations [9–19]. Similar to accessing terrestrial 5G/4G, each terminal can reuse standard cellular procedures to scan all available satellites, select one of them based on its preferences, connect to this satellite via random access, authenticate it using security protocols and digital signatures, pass the network-side authorization based on its roaming policies, and then enjoy the direct-to-cell satellite network services.
Although conceptually simple, it is nontrivial for cellular functions to work correctly in space for regular phones/IoTs. Different from terrestrial networks, LEO satellites exhibit extreme mobility and long-range spatiotemporal dynamics worldwide. This can violate cellular networks’ fundamental requirement for fixed, always-on, and trusted infrastructure, thus challenging at least three functions:
• Radio access: Fast satellite mobility along distant orbits leads to fluctuating long radio propagation delays and severe Doppler frequency shifts, both of which can compromise the satellite radio link availability, reliability, and performance.
• Authentication: At a speed of around 7 km/s, each LEO satellite only exhibits several-minute transient visibility to terrestrial users. This forces users to frequently disconnect from outgoing satellites, re-associate with new incoming satellites and reauthenticate them to avoid fake satellites.
• Authorization: Direct-to-cell satellites aim to serve global subscribers from diverse countries and mobile operators for higher revenues and social goods. These users are often associated with different geolocation-specific access control, QoS, billing, and security policies. To ensure roaming policy-compliant satellite network services, they must be authorized by satellites first based on their geolocations.
Over-Reliance on External GNSS
To address these challenges, both operational direct-to-cell satellite networks [20, 21] and 3GPP standards [15] renovate cellular radio link access, authentication, and authorization functions with the assistance of runtime user geolocation and timing, predominantly from external GNSS. As the 3GPP NTN standard [15] states: “If the UE does not have a valid GNSS position and/or valid ephemeris and Common TA, it shall not transmit until both are regained”. We next dive into direct-to-cell satellites’ cross-technology dependencies on GNSS for radio access (§3.1), authentication (§3.2), and authorization (§3.3) to analyze why they are needed and how they can threaten network availability and resiliency.
3.1 Radio Access to Distant Satellites
An idle-state user terminal’s first step in using the direct-to-cell satellite network is to access its radio link. This process in terrestrial cellular networks does not need GNSS’s assistance because terminals and base stations can easily synchronize their time and frequency through dedicated radio preambles. However, when used in distant fast-moving LEO satellites, this process will suffer from long radio propagation delays and high Doppler frequency shifts that outstrip its tolerance, compromising the user terminal’s radio link accessibility.
To understand it, consider how the user terminal accesses the cellular radio link in Figure 2. It should run two tasks:
• Time synchronization: As shown in Figure 2a, the radio signals of terminals at different locations arrive at the base station asynchronously due to different propagation delays. This phenomenon complicates the base station’s radio resource scheduling among user terminals. It can even raise collisions when a faraway terminal’s signal arrives too late to overlap with nearby terminals’ signals in the next 5G/4G OFDM radio frame, thus causing interference and data loss/corruption. To prevent this, the cellular network synchronizes uplink transmission among user terminals at different locations. Upon receiving each user terminal’s random access request, the base station estimates its distance and RTT to this terminal based on the pre-defined preamble in this request, and replies with a Timing Advance (TA) command [38, 39]. Afterward, this terminal will send its radio signals in advance according to the RTT in the TA command. By aligning different terminals’ TA values, the base station lets all terminals’ signals arrive within the same radio frame to facilitate its radio resource scheduling. In terrestrial cellular networks, such design assumes that the base station and terminal are within a small distance (up to 100 km for 4G LTE, and less for 5G).
• Frequency synchronization: The user terminal should synchronize its radio frequency with the base station for correct communication. However, the user terminal mobility relative to its serving base station can incur Doppler frequency shifts, causing radio interference and channel quality degradation. To this end, the 5G/4G OFDM pre-allocates guard bands between radio frames to tolerate Doppler frequency shifts, as shown in Figure 2b. In terrestrial cellular networks, these guard band intervals are designed to tolerate up to 1,000 km/h user mobility speed.
However, when enabling cellular radio access from space, both the time and frequency synchronizations are challenged by LEO satellites’ distant radio propagations (340–2000 km) and extreme mobility (up to 7 km/s). As shown in Figure 2c, the long delay has exceeded the guard time (0.516 ms for preamble format 1) in 5G/4G [40, 41]. The Doppler frequency shift has also significantly exceeded the guard band [42] to cause inter-band interference, as shown in Figure 2d. Expanding the TA range and the guard band could solve these problems but has two defects: (1) It requires modifying 5G/4G physical channel structures, and is thus incompatible with commodity terminals today; (2) Pre-allocating more guard bands lowers the radio communication resource efficiency.
To address these challenges with minimal resource costs, 5G/4G NTN standards introduce pre-compensation of timing and frequency based on the terminals’ geolocation [12, 15–17]. As shown in Figure 3, the terminal first calculates the delay and frequency offset using its position obtained from the navigation satellites and the position and velocity of the NTN satellites from broadcast system information blocks (SIBs). Then it precompensates its TA value and Doppler shift based on these offsets. After pre-compensation, the random access channel can tolerate residual offsets.
While effective, this navigation-assisted radio access will stop functioning without navigation satellites. Moreover, a small positioning error can compromise this radio access. When the time and frequency pre-compensation errors by inaccurate positioning exceed the maximum tolerance of time and frequency discrepancies [43, 44], the terminal will fail to connect to the satellite. The impact of positioning errors on TA and frequency depends on the satellite’s motion direction. Positioning bias in the direction away from the satellite has a more significant impact on TA, and bias along the direction of satellite motion has a more significant impact on Doppler shifts. For instance, as empirically validated in Figure 4 using our commodity 3GPP NTN protocol stack (detailed in §6), a navigation error that increases the distance to the satellite can prevent users from accessing direct-to-cell satellites at the 350 km altitude (e.g., Starlink). Such navigation errors occur at an alarming frequency in urban canyons, forests, and mountainous or hilly terrain [45–47], all of which are target usage scenarios for direct-to-cell satellite networks since they are unlikely to be covered by terrestrial networks.
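The pre-compensation step and its sensitivity to positioning bias can be worked through numerically. The sketch below is an added example, not code from the paper or from any NTN stack: it models only the service link in a flat local Cartesian frame, and the satellite geometry, 2 GHz carrier, and 10 km bias are constructed assumptions.

```python
import math

C = 299_792_458.0  # speed of light in m/s


def _sub(a, b):
    return tuple(x - y for x, y in zip(a, b))


def _dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def precompensation(ue_pos, sat_pos, sat_vel, carrier_hz):
    """Return (timing advance in s, Doppler shift in Hz) for the service link.

    Positions are in metres and velocity in m/s, all in one Cartesian frame.
    The satellite position and velocity play the role of the broadcast SIB data.
    """
    los = _sub(sat_pos, ue_pos)            # line of sight, terminal -> satellite
    rng = math.sqrt(_dot(los, los))
    radial_v = _dot(sat_vel, los) / rng    # > 0 when the satellite is receding
    timing_advance = 2.0 * rng / C         # round-trip propagation delay
    doppler = -carrier_hz * radial_v / C   # a receding satellite lowers the frequency
    return timing_advance, doppler


def residual_offsets(true_pos, believed_pos, sat_pos, sat_vel, carrier_hz):
    """Offsets left uncorrected when the terminal pre-compensates from believed_pos."""
    ta_used, fd_used = precompensation(believed_pos, sat_pos, sat_vel, carrier_hz)
    ta_need, fd_need = precompensation(true_pos, sat_pos, sat_vel, carrier_hz)
    return ta_used - ta_need, fd_used - fd_need


def access_possible(residual, ta_tolerance_s, freq_tolerance_hz):
    """True if both residual offsets fit within the random access tolerances."""
    ta_err, fd_err = residual
    return abs(ta_err) <= ta_tolerance_s and abs(fd_err) <= freq_tolerance_hz


# Constructed scenario: satellite at 350 km altitude, 300 km to the north (+y)
# of the terminal, flying east (+x) at 7 km/s. The carrier is an assumption.
SAT_POS = (0.0, 300e3, 350e3)
SAT_VEL = (7.0e3, 0.0, 0.0)
CARRIER_HZ = 2.0e9
TRUE_POS = (0.0, 0.0, 0.0)
BIAS_M = 10e3


def scenario():
    """Residuals for a 10 km bias away from the satellite and along its motion."""
    away = residual_offsets(TRUE_POS, (0.0, -BIAS_M, 0.0), SAT_POS, SAT_VEL, CARRIER_HZ)
    along = residual_offsets(TRUE_POS, (BIAS_M, 0.0, 0.0), SAT_POS, SAT_VEL, CARRIER_HZ)
    return {"away": away, "along": along}


if __name__ == "__main__":
    for name, (ta_err, fd_err) in scenario().items():
        print(f"bias {name:5s}: TA error {ta_err * 1e6:7.2f} us, "
              f"Doppler error {fd_err:8.1f} Hz")
```

In this geometry the bias away from the satellite leaves tens of microseconds of timing error and no Doppler error, while the same bias along the satellite's track leaves under a microsecond of timing error and about 1 kHz of frequency error.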
Even worse, GNSS-dependent direct-to-cell satellite access is vulnerable to malicious manipulations [22–28]. According to [27, 28], more than 47,000 GPS interference-induced signal losses and 310,000 GPS spoofing events were observed in a year. It is possible to compromise satellite access by blocking GNSS signals. As showcased in Figure 5, both iOS and Android will be out of satellite SOS service when GNSS is not available. This blocking is much easier and more cost-effective than directly blocking direct-to-cell satellites due to GNSS’s weak signals from distant MEOs and small constellation scale [48–50].
3.2 Authentication of Transient Satellites
After successful time-frequency synchronization for radio access, the idle-state terminal’s next step is to authenticate the direct-to-cell satellite. The standard solution to this task is the 5G/4G authentication and key agreement (AKA) protocol [51, 52], which mutually verifies the satellite and terminal’s identity during the initial registration. This protocol is necessary but not sufficient for satellite authentication: It has been shown in [53–55] that, prior to the AKA procedure, a man-in-the-middle adversary can exploit the unencrypted broadcast cellular signaling messages to fake (satellite) base stations for user terminal hijacking, spoofing, or denial-of-service. To combat this threat, it is vital to authenticate plaintext initial signaling messages before interacting with this satellite.
To this end, a common proposal is to cryptographically sign base stations’ broadcast signaling messages (i.e., broadcast System Information Blocks (SIBs) [16, 17]), as shown in Figure 6. This proposal has been extensively advocated by academia [56, 57] and is being standardized by 3GPP [58].
A main threat for these digital signature-based solutions for broadcast bootstrap signaling messages is replay attacks. These broadcast messages can be captured and rebroadcast with old signatures to hijack users. To counter this, the terminal must verify the signature’s freshness. As shown in Figure 6b, some schemes validate the signature’s freshness based on sequence number or challenge-response. However, neither of these applies to SIB authentication due to the terminal’s inability to receive every message from the satellite and interact with the satellite during the SIB authentication.
Instead, most proposals [56–58] achieve this by comparing the timestamp embedded in the signaling’s digital signature against the terminal’s local time. If the time difference is below an acceptable tolerance, the message is considered fresh. Otherwise, it is considered expired and dropped. To resist replay attacks, the tolerance needs to be less than the time required for the attacker to replay digital signatures.
However, this timestamp-based digital signature is prone to timing manipulations [59]. If the terminal’s local time is set to a future time, its signature verification will always fail, leading to service denials. If the terminal’s local time is postponed, an attacker can increase its success rate of signature replay attacks and bypass the authentication. Both manipulations are hard in terrestrial networks because users have multiple timing sources for cross-validation, such as GNSS, NTP, and NITZ protocols [60]. However, users of direct-to-cell satellites mostly reside in under-served areas without access to other timing sources, usually leaving GNSS as their only option. Combined with timing spoofing, this strong dependency makes replay and DoS attacks resurface.
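The freshness check and the two clock failure modes described above can be reproduced in a few lines. This is an added example, not the 3GPP or SN² design: an HMAC stands in for the digital signature so the code runs on the standard library alone, and the key, payload, timestamps, and tolerance are constructed values.

```python
import hashlib
import hmac
import statistics
import struct

DEMO_KEY = b"constructed-demo-key"  # stand-in for the operator's signing key


def sign_sib(payload: bytes, timestamp: float, key: bytes = DEMO_KEY) -> bytes:
    """Tag over timestamp || payload. HMAC stands in for the digital signature."""
    message = struct.pack(">d", timestamp) + payload
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_sib(payload, timestamp, tag, local_time, tolerance_s, key=DEMO_KEY):
    """Check integrity first, then freshness against the terminal's local clock."""
    if not hmac.compare_digest(sign_sib(payload, timestamp, key), tag):
        return "bad-signature"
    if abs(local_time - timestamp) > tolerance_s:
        return "expired"
    return "fresh"


def cross_validated_time(sources, max_spread_s):
    """Return (time estimate, validated) from several independent clocks.

    A lone source can never be validated; disagreeing sources yield no estimate.
    """
    values = list(sources.values())
    if len(values) < 2:
        return (values[0] if values else None), False
    if max(values) - min(values) > max_spread_s:
        return None, False
    return statistics.median(values), True


def scenarios(tolerance_s=2.0):
    """Verdicts for one signed SIB under honest and manipulated local clocks."""
    payload, signed_at = b"SIB1: constructed contents", 1000.0
    tag = sign_sib(payload, signed_at)
    replay_at = signed_at + 60.0  # true time when the old broadcast is seen again

    def check(local_time):
        return verify_sib(payload, signed_at, tag, local_time, tolerance_s)

    return {
        "genuine, correct clock": check(signed_at + 0.5),
        "genuine, clock set 1 h ahead": check(signed_at + 0.5 + 3600.0),
        "replay, correct clock": check(replay_at),
        "replay, clock set 60 s back": check(replay_at - 60.0),
        "tampered payload": verify_sib(b"SIB1: altered", signed_at, tag,
                                       signed_at, tolerance_s),
    }


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:30s} -> {verdict}")
    print(cross_validated_time({"gnss": 940.0, "ntp": 1000.2, "nitz": 1000.9}, 2.0))
    print(cross_validated_time({"gnss": 940.0}, 2.0))
```

The signature check is unaffected by the clock; only the freshness verdict flips. With GNSS as the sole source, `cross_validated_time` can return a value but never a validated one, which is the gap the paragraph above describes.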
3.3 Authorization with Diverse Geopolicies
In addition to satellite authentication, the network must also authorize each user based on its roaming policy. Unlike terrestrial regional carriers, direct-to-cell satellites offer global services with diverse location-dependent roaming policies. The satellite should ensure that the right user receives the appropriate service at the correct location. So, user geolocation becomes a must-have for satellite network authorization.
Figure 7 illustrates direct-to-cell satellites’ location-based roaming authorization. First, the user obtains its position from the external GNSS and then reports it to the satellite. Next, the network decides whether to provide service based on the user’s position. In practice, each satellite beam can cover broad areas with a radius of 10s–100s kilometers, encompassing multiple countries and regions with diverse access control, pricing, and QoS policies [61, 62], as exemplified in Figure 7. To ensure correct roaming policy enforcement, existing direct-to-cell satellites implicitly adopt a strict “all or nothing” model for GNSS: the user cannot gain services unless it reports its accurate geolocation to the network.
When the satellite navigation is unavailable or inaccurate, the user may be authorized with incorrect roaming policies or rejected for services. Both can lead to various negative impacts, such as unauthorized access, over/under-billing, and QoS downgrade. This cross-technology reliance can also be exploited by selfish users or external attackers. Internal selfish users can alter their location to gain unauthorized services or lower charges. External attackers can spoof a user’s location using available methods [22–26] to a high-cost/forbidden area to cause over-billing/service outages. As exemplified in Figure 8, spoofing to an unauthorized country can result in satellite SOS service outage for both direct-to-cell iOS and Android phones.
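To make the cost of the “all or nothing” model concrete, the added example below (not the paper's algorithm or any operator's policy engine) decides a roaming policy from a position estimate plus an error radius: the policy is unambiguous whenever the whole uncertainty region maps to one policy, even across a zone border. The rectangular zones, policy names, and coordinates are constructed.

```python
import math

KM_PER_DEG = 111.32  # approximate kilometres per degree of latitude

# Constructed, non-overlapping policy zones inside one beam:
# (name, policy, lat_min, lat_max, lon_min, lon_max) in degrees.
ZONES = [
    ("zone-A1", "standard-rate", 0.0, 10.0, -10.0, 0.0),
    ("zone-A2", "standard-rate", 0.0, 10.0, 0.0, 10.0),
    ("zone-B", "premium-rate", 0.0, 10.0, 10.0, 20.0),
    ("zone-C", "no-service", 10.0, 20.0, -10.0, 20.0),
]


def uncertainty_box(lat, lon, err_km):
    """Lat/lon box that conservatively contains the error disc around the fix."""
    err_km = max(err_km, 0.001)            # avoid a zero-area box
    dlat = err_km / KM_PER_DEG
    # A kilometre spans the most longitude at the box edge farthest from the equator.
    worst_lat = min(abs(lat) + dlat, 89.0)
    dlon = err_km / (KM_PER_DEG * math.cos(math.radians(worst_lat)))
    return lat - dlat, lat + dlat, lon - dlon, lon + dlon


def all_or_nothing(err_km, required_accuracy_km):
    """Legacy model: service only if the fix meets a fixed accuracy requirement."""
    return "authorize" if err_km <= required_accuracy_km else "reject"


def authorize(lat, lon, err_km, zones=ZONES):
    """Return (decision, candidate policies) for a fix with the given error radius."""
    la0, la1, lo0, lo1 = uncertainty_box(lat, lon, err_km)
    box_area = (la1 - la0) * (lo1 - lo0)
    covered, policies = 0.0, set()
    for _name, policy, za0, za1, zo0, zo1 in zones:
        height = min(la1, za1) - max(la0, za0)
        width = min(lo1, zo1) - max(lo0, zo0)
        if height > 0 and width > 0:       # the zone overlaps the uncertainty box
            covered += height * width
            policies.add(policy)
    if not policies:
        return "reject", []                # nowhere near a served zone
    if covered < box_area * (1 - 1e-9):    # zones are disjoint, so areas add up
        return "ambiguous", sorted(policies | {"outside-all-zones"})
    if len(policies) == 1:
        return "authorize", sorted(policies)
    return "ambiguous", sorted(policies)   # a more accurate fix is needed


if __name__ == "__main__":
    fixes = [
        (5.0, 5.0, 100.0),    # deep inside one zone, coarse fix
        (5.0, 0.05, 50.0),    # straddles a border between same-policy zones
        (5.0, 9.9, 100.0),    # straddles a border between different policies
        (5.0, 9.9, 5.0),      # same place, tighter fix
        (5.0, 19.99, 50.0),   # partly outside every zone
    ]
    for lat, lon, err in fixes:
        print((lat, lon, err), all_or_nothing(err, 10.0), authorize(lat, lon, err))
```

With a constructed 10 km accuracy requirement, the legacy model rejects the first two fixes although their policy is not in doubt; the tolerable error shrinks only as the fix approaches a border between differing policies.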
Self-Navigating Satellite Net
To address the above GNSS-induced deficiencies for direct-to-cell satellite networks, an intuitive idea is to enhance GNSS’s reliability and resiliency against manipulations. This has been a long-standing desire but fundamentally hard due to GNSS’s weak signals from distant MEOs (at 20,000–35,000 km altitudes) and small constellation scale (with tens of satellites only) [48–50]. GNSS’s robustness can also be enhanced with additional terrestrial navigation infrastructure [63], which, however, may not be available for direct-to-cell satellite users in underserved areas without terrestrial networks.
Instead, we argue that the direct-to-cell satellites should be able to operate independently even in the absence of GNSS. While it is possible to redesign some direct-to-cell satellite network functions to mitigate their need for navigation [12, 58, 64, 65] (at the cost of incompatibility with regular phones), this is generally hard (if not impossible) for those driven by timing and geolocation-based roaming policies, as shown in §3.2–3.3. Therefore, the challenge becomes how to obtain geolocation and timing information without GNSS and other assistance to support direct-to-cell satellite network services under high spatiotemporal LEO dynamics.
In this paper, we explore the feasibility of self-navigating direct-to-cell satellite networks via “fate-sharing.” It is based on the insight that direct-to-cell satellites themselves can serve as navigation satellites. It is inspired by recent efforts to reuse LEO broadband satellite mega-constellations for navigation [48–50]. Unlike traditional small-scale GNSS from MEOs, LEO mega-constellations are naturally closer to users with better radio signals and more satellites, thus making them a dependable complement to GNSS. Moreover, as long as the LEO communication signals are available, users can always reuse them for navigation as the worst-case guarantee.
Although appealing, navigation by direct-to-cell satellites is fundamentally limited by their communication nature. Unlike GNSS, they are not equipped with purpose-built hardware for precise navigation. Moreover, they cannot reuse existing LEO navigation techniques [48–50] for two reasons. First, these proposals require broadband satellites (e.g., with 240 MHz bandwidth) and terminals with advanced phased array antennas, which hardly hold for narrowband direct-to-cell satellites (e.g., with only 5 MHz bandwidth [66]) and regular phones/IoTs. Second, these navigation-only solutions prefer consuming more precious bandwidth and time for more accurate navigation, which could lower narrowband direct-to-cell LEO networks’ availability and service quality.
We thus propose SN², a network-oriented self-navigation scheme for direct-to-cell LEO satellites. Instead of striving for high-precision navigation, SN² combines GNSS with built-in direct-to-cell satellite-based navigation to offer “good enough” geolocation/timing for high network availability at no cost of hardware and communication resources. To achieve this, it revisits the direct-to-cell satellite network’s navigation needs to relax them without compromising function correctness (Figure 9). Specifically, we will show that:
• Radio access (§3.1): To access the direct-to-cell satellite radio link, what the terminal really needs to estimate is its distance and relative motions to the serving satellite rather than its accurate geolocations. Both estimations can be simplified and stopped earlier (despite errors) once the terminal succeeds in connecting to the satellite.
• Authentication (§3.2): A terminal does not necessarily mandate precise timing to authenticate satellites’ digital signatures. Instead, as long as its timing is authentic and ahead of the replayed signature, the terminal can be assured of detecting and bypassing fake satellites.
• Authorization (§3.3): Satellites can usually validate a user’s roaming policy without precise geolocations. Their tolerance to navigation errors exhibits spatiotemporal dynamics as they pass through different regions of the Earth, leaving considerable room for high network availability.
In the following, we elaborate on how SN² leverages these opportunities to achieve network-oriented self-navigation for highly available and resilient direct-to-cell satellite radio link access (§4.1), authentication (§4.2), and authorization (§4.3).
4.1 Built-in Navigation for Accessibility
We first examine the radio access function and see how to relax its navigation needs for high availability and resiliency. Our goal is that, as long as at least one legitimate direct-to-cell satellite exists, the terminal can always succeed in time-frequency radio synchronization with its legitimate serving satellite as soon as possible even in the absence of GNSS. As described in §3.1, this task is hard since the terminal needs to compute its distance and relative motion to the remote mobile satellite for timing advance and Doppler frequency shift pre-compensation. Both values should be accurate enough even if GNSS is unavailable or inaccurate. To address this issue, SN² exploits three opportunities unique to satellite cellular radio access functions:
- Relax navigation accuracy for high availability: As analyzed in §3.1, small positioning bias in certain directions may have a large impact on timing advance and Doppler frequency shift pre-compensation, resulting in radio access failure. However, the terminal can estimate these pre-compensations with an inaccurate geolocation in other directions. As shown in Figure 10, even if the user terminal at \(p = (x, y, z)\) is localized to an incorrect position \(p' = (x', y', z')\), its calculated timing advance to the serving satellite can still be correct if \(|p' - p_{sat}| = |p - p_{sat}| = d\), where \(p_{sat}\) is the serving satellite's position. Its Doppler shift estimation also has similar tolerances. Moreover, as explained in §3.1, the radio access function can tolerate a certain level of time and frequency discrepancies for uplink synchronization (denoted as \(e_t\) and \(e_f\) respectively). This margin further relaxes the geolocation error tolerance into gray annular zones in Figure 10. Instead of spending more time and resources on more accurate locations, it is sufficient to position the terminal within these zones for successful direct-to-cell satellite radio access.
- Stop navigation early for faster radio access: Given these relaxed navigation demands, the terminal can stop its ongoing localization earlier if it can already synchronize with the serving satellite. To this end, SN² takes a “trial and error” approach to let the terminal keep attempting to access the satellite in parallel with its localization. If the access attempt fails, it indicates that the positioning result is not accurate enough, so the terminal continues refining it. Otherwise, the terminal can already access the network and will not wait for more accurate localizations.
- Built-in navigation as the bottom-line guarantee: In SN², the terminal can run the above localizations using either GNSS, direct-to-cell satellites, or both. When the GNSS is unavailable or inaccurate, the terminal can still reuse the direct-to-cell satellite’s periodically broadcast primary/secondary synchronization signals (PSS/SSS) for ranging, obtain their runtime location from their broadcast ephemeris¹, and use both pieces of information for the triangular localization. Even in the worst case that only one legitimate direct-to-cell LEO satellite is available (which is also the terminal’s only available choice for access), SN² can still leverage this satellite’s fast mobility to generate multiple “virtual satellites” for triangular localization: As shown in Figure 11, it keeps listening to this satellite’s PSS/SSS and ephemeris as it moves, extracts time differences of arrival (TDoAs) and Doppler frequency shifts by differencing consecutive PSS/SSS samples, and runs triangular localization based on them. This single-satellite navigation may take longer than usual, but enables radio access in the worst case that state-of-the-art solutions in §3.1 cannot. As we will show in §6.2, this process can offer enough localization results even within this single satellite’s short-lived visibility to the terminal. Note that this only available satellite is also the terminal’s serving satellite, thus offering direct and more reliable signal measurements of its distance for timing advance and frequency offsets for Doppler pre-compensation. Of course, if the GNSS is also available, SN² can combine GNSS satellites and direct-to-cell satellites for faster, more accurate, and more robust localizations for cellular radio access. SN² performs this multi-satellite-based positioning and bottom-line positioning in parallel to output multiple positioning candidates concurrently, and tries to access satellites based on these results one by one.
SN² does not need to verify the trustworthiness of the GNSS signals directly, but rather obtains a “good enough” positioning that can accelerate the access to satellites. The bottom-line method guarantees satellite access when multi-satellite positioning is spoofed.
First-time vs. follow-up radio access: The above procedure implicitly assumes that the terminal accesses the direct-to-cell satellite for the first time without prior knowledge of its geolocation. After this first-time radio access, it can reuse this localization result for later satellite access (e.g., switching satellites due to high mobility of LEO satellites) without waiting.
Handling user mobility: If the terminal moves, its position should be updated for satellite radio access. SN² naturally supports it since its built-in navigation runs continuously to update user locations to assist radio access in mobility. Moreover, the user mobility in 5G/4G (up to 1,000 km/h) is 2–3 orders slower than the LEO satellite at 25,200 km/h, incurring negligible impacts on its Doppler shift and timing advance to its distant serving satellite most of the time. This ensures that SN² can also handle satellite switching caused by user mobility.
Handling dense simultaneous access: The “trial and error” approach may raise contention under dense simultaneous access. This issue happens not only in SN² but also in the state-of-the-art solutions, especially when GNSS satellites are unavailable. SN² can mitigate it and has an acceptable impact on communication performance for two reasons: (1) It uses more satellites to improve the positioning accuracy to reduce the unnecessary contention. (2) The terminal in SN² can locally filter out unnecessary attempts with inaccurate positioning results (e.g., the result exceeds cell coverage) to further reduce the contention.
Solution analysis: A terminal with SN² can access the satellite radio link independently even without GNSS, thus improving network availability and reliability compared to the state of the art in §3.1. If combined with GNSS, SN²’s built-in navigation expands the number of usable satellites for navigation from \(M\) to \(M + N\), where \(M\) is the number of visible GNSS satellites, and \(N\) is the number of visible direct-to-cell satellites. Note that \(N \gg M\) for recent direct-to-cell LEO mega-constellations, implying significant network availability and reliability improvements. It is worth noting that the beam footprint distortions at high altitude do not affect SN² because its positioning algorithm relies on distance and Doppler frequency shift rather than beam size.
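The relaxed accuracy target and the "trial and error" access of §4.1, as an added sketch that is not the paper's code. The flat local frame, satellite geometry, carrier frequency and the values of \(e_t\) and \(e_f\) are constructed assumptions, and `TRUTH` stands for the physical channel, which the terminal never sees directly.

```python
import math

C = 299_792_458.0   # speed of light, m/s
F_CARRIER = 2.0e9   # assumed carrier frequency, Hz (constructed)
E_T = 2.0e-6        # assumed tolerable timing error e_t, s (constructed)
E_F = 500.0         # assumed tolerable frequency error e_f, Hz (constructed)

# Constructed geometry in a flat local frame (metres); satellite flies along +x.
SAT_POS = (300e3, 0.0, 550e3)
SAT_VEL = (7600.0, 0.0, 0.0)
BEAM_CENTER = (0.0, 0.0, 0.0)
BEAM_RADIUS = 60e3
TRUTH = (0.0, 40e3, 0.0)     # real terminal position
MIRROR = (0.0, -40e3, 0.0)   # 80 km wrong, but same range and range rate
ALONG = (3e3, 40e3, 0.0)     # only 3 km wrong, but displaced toward the satellite


def precompensation(pos, sat_pos=SAT_POS, sat_vel=SAT_VEL):
    """Delay (s) and Doppler shift (Hz) a static terminal at `pos` would pre-compensate."""
    los = [s - p for s, p in zip(sat_pos, pos)]
    rng = math.sqrt(sum(v * v for v in los))
    range_rate = sum(v * l for v, l in zip(sat_vel, los)) / rng
    return rng / C, -F_CARRIER * range_rate / C


def sync_errors(candidate, truth=TRUTH):
    """Timing and frequency error caused by using `candidate` instead of `truth`."""
    t_c, f_c = precompensation(candidate)
    t_t, f_t = precompensation(truth)
    return abs(t_c - t_t), abs(f_c - f_t)


def access_succeeds(candidate, truth=TRUTH, e_t=E_T, e_f=E_F):
    """Uplink synchronization works when both errors stay inside the tolerated margin."""
    dt, df = sync_errors(candidate, truth)
    return dt <= e_t and df <= e_f


def in_coverage(candidate, center=BEAM_CENTER, radius=BEAM_RADIUS):
    """Local filter: a fix outside the cell's coverage is not worth an access attempt."""
    return math.dist(candidate[:2], center[:2]) <= radius


def trial_and_error(candidates, truth=TRUTH):
    """Try positioning candidates in arrival order and stop at the first that synchronizes."""
    attempts = skipped = 0
    for cand in candidates:
        if not in_coverage(cand):
            skipped += 1          # filtered locally, no contention on the radio link
            continue
        attempts += 1
        if access_succeeds(cand, truth):
            return {"position": cand, "attempts": attempts, "skipped": skipped}
    return None                   # keep refining the localization


if __name__ == "__main__":
    for name, cand in (("mirror", MIRROR), ("along-track", ALONG)):
        dt, df = sync_errors(cand)
        print(f"{name}: dt={dt * 1e6:.2f} us, df={df:.1f} Hz, ok={access_succeeds(cand)}")
    print(trial_and_error([(500e3, 0.0, 0.0), ALONG, MIRROR]))
```

The 80 km mirror fix synchronizes while the 3 km along-track fix does not, which is the direction-dependent tolerance that Figure 10 describes.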
4.2 Monotonic Timing for Authentication
The next task for SN² is assisting the idle-state terminal to authenticate direct-to-cell satellites with sufficient timing information. Our goal is that once at least one authentic direct-to-cell satellite exists, the terminal can succeed in bypassing fake satellites in §3.2 for correct services regardless of GNSS jamming, spoofing, and replayed direct-to-cell satellite digital signatures. This task is hard since both GNSS and direct-to-cell satellites can be unauthentic. They can manipulate the terminal’s local time to assist fake direct-to-cell satellites for digital signature replay. Although the terminal may mitigate this threat using military GNSS systems that are cryptographically protected, this high-end GNSS is usually unavailable for most commodity regular phones/IoTs.
Instead, SN² exploits timing monotonicity to calibrate the terminal’s local time for authentication by cross-checking multiple potentially manipulated direct-to-cell satellites and GNSS. Its key observation is that a fake satellite cannot forge future digital signatures. So, when both legitimate and fake direct-to-cell satellites are present with digital signatures, the integrity-protected timestamp inside the legitimate satellite’s digital signature must be no later than fake satellites’ replayed signatures’. As shown in Figure 12, the terminal can scan all available satellites and calibrate its local time as the newest one in these satellites' digital signatures. As long as at least one of these satellites is authentic, the terminal can gain an authentic and sufficiently new local time to detect fake satellites. Otherwise, all satellites are fake in this extreme case; the terminal cannot gain authentic access anyway and SN² still performs no worse than the state-of-the-art.
To further calibrate this timing for higher accuracy, SN² allows the terminal to use the optional timing from combined GNSS and direct-to-cell satellite navigations in §4.1 if it is newer than those from digital signatures. This monotonic calibration retains resiliency to digital signature replay attacks. Its combination of GNSS and direct-to-cell satellites also increases the attack cost. In the worst case that no direct-to-cell satellites have digital signatures, the terminal still retains the last-line defense by initiating the cellular authentication and key agreement (AKA) protocol [51, 52], thus being no worse than the state-of-the-art in §3.2.
Solution analysis: SN² can achieve self-timing for authentication when GNSS timing is unavailable or spoofed. It guarantees that as long as one legitimate satellite exists, the terminal can always find it to bypass any number of fake satellites. SN²'s cross-checking method is more effective in recent LEO satellite mega-constellations: Similar to §4.1, it forces the adversary to overshadow all visible satellites to perform long-lasting fake satellite attacks, which greatly increases attack costs from \(M+1\) to \(M+N (N \gg M)\).
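The monotonic calibration of §4.2, as an added sketch that is not the paper's code. HMAC-SHA256 stands in for the operator's public-key signature so that it runs with the standard library only; the key, cell names, timestamps and the 5-second freshness window are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

OPERATOR_KEY = b"constructed-demo-key"  # stand-in for the operator's signing key
FRESHNESS_S = 5                          # assumed freshness window (not from the paper)


@dataclass(frozen=True)
class Broadcast:
    cell_id: str
    timestamp: int      # integrity-protected inside the signature
    signature: bytes


def sign(cell_id, timestamp, key=OPERATOR_KEY):
    return hmac.new(key, f"{cell_id}|{timestamp}".encode(), hashlib.sha256).digest()


def signature_valid(b, key=OPERATOR_KEY):
    return hmac.compare_digest(b.signature, sign(b.cell_id, b.timestamp, key))


def calibrate_time(broadcasts, local_time, nav_time=None):
    """Local time only ever moves forward: the newest verified timestamp wins."""
    now = local_time
    for b in broadcasts:
        if signature_valid(b):          # unverifiable timestamps never move the clock
            now = max(now, b.timestamp)
    if nav_time is not None:            # optional timing from §4.1, used only if newer
        now = max(now, nav_time)
    return now


def classify(broadcasts, local_time, nav_time=None, freshness=FRESHNESS_S):
    """Return (calibrated time, {cell_id: 'accept' | 'replayed' | 'forged'})."""
    now = calibrate_time(broadcasts, local_time, nav_time)
    verdicts = {}
    for b in broadcasts:
        if not signature_valid(b):
            verdicts[b.cell_id] = "forged"
        elif now - b.timestamp > freshness:
            verdicts[b.cell_id] = "replayed"
        else:
            verdicts[b.cell_id] = "accept"
    return now, verdicts


# Constructed scan: the terminal's clock was rolled back to the replay's capture time.
ROLLED_BACK_CLOCK = 1_700_000_100
LEGIT = Broadcast("sat-legit", 1_700_000_600, sign("sat-legit", 1_700_000_600))
REPLAY = Broadcast("sat-replay", 1_700_000_100, sign("sat-replay", 1_700_000_100))
FUTURE = Broadcast("sat-future", 1_700_009_999, b"\x00" * 32)  # cannot be signed by a fake

if __name__ == "__main__":
    print(classify([LEGIT, REPLAY, FUTURE], ROLLED_BACK_CLOCK))
    # With no authentic satellite in view the replay looks fresh; per §4.2 the
    # terminal is then no better off than before and relies on AKA.
    print(classify([REPLAY], ROLLED_BACK_CLOCK))
```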
4.3 Flexible Non-Blocking Authorization
After the terminal connects to an authentic satellite, SN²’s last task is to help this direct-to-cell satellite authorize the terminal with roaming policy-compliant services. As shown in §3.3, this task mandates the user terminal’s navigation information. State-of-the-art direct-to-cell satellites implicitly adopt a strong “all or nothing” model for GNSS: The terminal can gain services if and only if its navigation information satisfies all network functions’ accuracy demands. This model inevitably lowers network availability: The terminal has to spend more time measuring more satellite signals to meet the strictest navigation requirement, before which its service is blocked. In GNSS, this navigation latency can take up to minutes [67], which is already comparable to a fast-moving LEO satellite’s visibility time to user terminals.
Instead, we observe that this strong navigation accuracy requirement can be relaxed in most cases to safely improve network availability. We have identified two opportunities:
- Spatiotemporal diversity of navigation needs: As a direct-to-cell LEO satellite moves, the tolerable location and timing errors for its network services evolve over time. Figure 13a exemplifies this with the authorization in §3.3. When this satellite’s runtime coverage areas are associated with identical roaming policies (e.g., in the same country), it does not need the terminal’s geolocation: A terminal that can reach this satellite must reside in its coverage and use the same roaming policy. We use Starlink’s operational ephemeris [68] to quantify the proportion of this simple case. In this experiment, we calculate the beam coverage based on the ephemeris and count the proportion of beams that cover diverse/identical roaming policies. As shown in Figure 13b, it accounts for 90.8–93.7% of all satellite beams on land areas only and even 99% on land and oceanic areas. Figure 14 further shows that, 97.0–100% of global areas belong to this simple policy homogeneity case depending on satellite operators’ global roaming policies. Instead, the satellite needs precise geolocation for authorization only if its coverage spans areas with heterogeneous roaming policies (e.g., national borders), which is rare in practice.
- Service-specific navigation demand: The direct-to-cell satellite network’s navigation accuracy requirements also differ among services, as shown in Table 1. For example, basic satellite messaging and voice calls only require beam coverage level geolocations to ensure packet reachability. Instead, emergency satellite SOS services need more accurate user locations to assist rescues [69].
To this end, SN² offers an on-demand, non-blocking service model for direct-to-cell satellite network authorization. Unlike the state of the art in §3.3, it lets each direct-to-cell satellite dynamically estimate its user geolocation demand, authorize the terminal as soon as possible once its location report is accurate enough and trustworthy, and only refine user geolocation for authorization (thus unavoidably longer service delays) when necessary.
Figure 15 illustrates SN²'s network-side authorization using this flexible model. After the terminal connects to the direct-to-cell satellite, it is asked to report its runtime geolocation information for authorization. Note that this report can be inaccurate or untrusted (e.g., due to selfish terminal’s location manipulation for unauthorized services). Upon receiving this report, the network classifies it into the following categories (sorted by decreasing occurrence probability) based on the serving satellite’s runtime status:
- Common case: Homogeneous policy. This happens when the satellite’s runtime beam coverage areas are associated with identical roaming policies and services. As shown in Figure 13–14, this accounts for most terminal service requests. Since the terminal’s signal has reached this satellite, it implicitly proves that this terminal is within the beam coverage to be served with this single roaming policy. So, the satellite can directly authorize or deny the terminal’s service request without checking its geolocation report.
- Corner case: Heterogeneous policies. When the satellite’s beam covers more than one roaming policy (e.g., national borders), the network should decide which roaming policy the terminal should use. Note the user-reported geolocation can be inaccurate or even malicious for this purpose. To this end, SN² calibrates the user report location with network-side navigation refinement based on the following insight: The serving LEO satellite can estimate the user terminal distance based on incoming radio signals. Due to the requirement for connected-state uplink synchronization, the satellite should continuously track the connected user terminal’s uplink synchronization signals, estimate the distance, and instruct the terminal for timing advance via standard 5G/4G MAC-layer control element commands [38, 39]. The terminal cannot easily spoof this distance by manipulating its signals; otherwise, it will be out of synchronization with the satellite and lose services. With this reliable information, the satellite can reuse the single-satellite navigation method in §4.1 to narrow down the terminal’s actual location range for authorization. This has two further cases (Figure 15):
  - Corner case 1: The calibrated user location falls into one policy area. The satellite can directly authorize or deny the terminal without requesting more precise geolocation.
  - Corner case 2: The calibrated user location still crosses different policy areas. The satellite cannot tell which roaming policy the terminal should use. Same as the state-of-the-art solutions in §3.3, it requests the terminal to refine its geolocation accuracy for later authorizations. As shown in Figure 14, this is an extremely rare scenario. SN² retains the same network availability as the state-of-the-art solutions.
The solution so far assumes the terminal requests one service in Table 1. If it requests multiple services, SN² will run the above process for each one for separate authorizations to prevent service blocking by the most stringent one.
User location privacy preservation: SN² does not create new side channels to track users for either internal or external attackers. For internal attackers, SN² does not reveal more accurate positions than existing solutions [74], which mandate accurate locations. Instead, SN² is more privacy preserving, using a “good enough” location to determine the user’s service policy. External attackers cannot track users with SN² because all positioning signaling in §4.1 is measured locally in the terminal. When authorizing service, all signaling is encrypted and transferred after mutual identity authentication, so it cannot be eavesdropped on by external attackers.
Solution analysis: SN² relaxes the existing roaming service model for non-blocking authorizations. Most of the time, terminals can gain early and policy-compliant access to satellite network services without mandating high-precision locations (e.g., GNSS is unavailable or under attack). In the rare worst case (i.e., corner case 2), SN² ensures that its waiting delay to be authorized is no longer than existing solutions in §3.3. In Appendix A, we prove that under any malicious external and internal geolocation spoofings, this worst case occurs at the probability \(P\) that is upper-bounded by \(P < dLr/A\), where \(d\) is the diameter of the satellite beam, \(L\) is the total length of the boundary among policy regions, \(r\) is the proportion of satellite beams that intersect the satellite sub-point trajectory, and \(A\) is the total service area of all satellites. It implies that satellites with narrower radio beams (thus smaller \(d\)) or more homogeneous roaming policies (thus smaller \(L\)) will be less likely to experience this worst case. Of course, narrower radio beams may result in more satellite switching. However, it will not compromise network availability due to SN²’s follow-up radio access and ability to handle user mobility, as described in §4.1.
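The three-way authorization decision of §4.3 (common case, corner case 1, corner case 2), as an added sketch that is not the paper's code. It assumes a flat kilometre grid, a straight border at x = 0 between two constructed policy regions, a constructed satellite position, and a single network-measured range ring as the simplest form of the network-side refinement; the terminal's self-reported location is deliberately not trusted.

```python
import math
from typing import NamedTuple


class Decision(NamedTuple):
    case: str     # "common", "corner-1" or "corner-2"
    action: str   # "authorize", "deny" or "refine"


SAT = (-400.0, 0.0, 550.0)   # constructed satellite position, km (flat local frame)


def policy_at(x, y):
    """Constructed policy map: a straight border at x = 0 splits two roaming regions."""
    return "REGION_A" if x < 0 else "REGION_B"


def slant_range(x, y, sat=SAT):
    """Distance (km) from the satellite to a ground point, as tracked via timing advance."""
    return math.sqrt((x - sat[0]) ** 2 + (y - sat[1]) ** 2 + sat[2] ** 2)


def beam_points(center, radius_km):
    """1 km grid points inside a circular beam footprint."""
    cx, cy = center
    r = int(radius_km)
    return [(cx + dx, cy + dy)
            for dx in range(-r, r + 1) for dy in range(-r, r + 1)
            if dx * dx + dy * dy <= radius_km ** 2]


def authorize(beam_center, beam_radius_km, measured_range_km, range_tol_km,
              allowed_regions, policy=policy_at):
    """Decide from the beam footprint first and the measured range ring second."""
    pts = beam_points(beam_center, beam_radius_km)
    regions = {policy(x, y) for x, y in pts}
    if len(regions) == 1:
        case = "common"       # reaching the satellite already proves the region
    else:
        # The range comes from uplink synchronization tracking, which the terminal
        # cannot falsify without losing synchronization.
        ring = [p for p in pts
                if abs(slant_range(*p) - measured_range_km) <= range_tol_km]
        regions = {policy(x, y) for x, y in ring}
        if len(regions) != 1:  # still ambiguous, or no point matches the measurement
            return Decision("corner-2", "refine")
        case = "corner-1"
    (region,) = regions
    return Decision(case, "authorize" if region in allowed_regions else "deny")


if __name__ == "__main__":
    home = {"REGION_A"}
    print(authorize((-200, 0), 30, 0.0, 1.0, home))                   # beam inside one region
    print(authorize((0, 0), 30, slant_range(-15, 5), 1.0, home))      # ring inside one region
    print(authorize((0, 0), 30, slant_range(1, 0), 1.0, home))        # ring straddles the border
```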
System Implementation
We show how to incrementally implement SN² on top of existing direct-to-cell satellite network stacks, as shown in Figure 16. Our implementation comprises two modules:
Terminal-side network-oriented navigation: This module runs inside each regular phone/IoT’s baseband firmware. It offers runtime user geolocation and timing for satellite radio access in §4.1 and authentication in §4.2. For incremental deployability, we realize this module by reusing the standard 5G/4G initial cell selection procedure [75, 76] in each user terminal. To activate the satellite service, this procedure scans all available satellite cells, synchronizes to each cell by tracking its PSS/SSS signals, obtains this cell’s broadcast SIBs to gain its basic information, extracts each cell’s runtime ephemeris via SIB19 in 5G [17] or SIB31 in 4G [16], and selects one of these cells for access based on the terminal’s preference. In this process, our implementation reuses each satellite’s TDoAs from its PSS/SSS and ephemeris from its SIB19/SIB31 for network-oriented positioning in §4.1. It also integrates the GNSS results whenever available in an attack-resilient manner, as detailed in §4.1, and extracts the latest timing from these satellites’ SIB1s for authentication in §4.2. These operations and signalling are already available on baseband chips, and SN² reuses them at no additional computation and acceptable communication cost.
This implementation does not modify cellular signaling messages, thus retaining compatibility with existing 3GPP NTN. Its firmware-based realization makes it more resilient to selfish user manipulations: Except for phone/IoT vendors, most users cannot directly modify the baseband firmware. They can only spoof external GNSS to trick authorizations, which is mitigated by SN²’s network-side module below.
Network-side navigation validation: This module realizes the on-demand non-blocking authorization in §4.3. It runs inside the cellular core network (AMF in 5G [19] or MME in 4G [18]) on the ground station or inside each satellite [77, 78]. Upon receiving the terminal’s initial registration request for satellite 5G/4G access, this module requests this terminal’s location by initiating the standard Timing Advance Report procedure [17, 39]. Together with this user terminal’s roaming policy and its serving satellite’s runtime beam location, it follows §4.3 to check if the terminal’s reported location conforms to any service requirements in Table 1. If true, this module accepts this terminal’s registration requests, authorizes satisfactory services, and notifies unsatisfactory services that the terminal should refine its localization accuracy for later access. Otherwise, it rejects the terminal’s request with the error cause #78: “PLMN not allowed to operate at the present UE location” [18, 19].
Evaluation
We start with assessing SN²’s overall network availability, reliability and security improvement over state-of-the-arts in §6.1. Then we quantify its benefit and cost for satellite radio link access (§6.2), network service authentication (§6.3) and authorization (§6.4).
Experimental setup: We follow §5 to prototype SN² and set up our testbed, as shown in Figure 17. We prototype SN² with Amarisoft Callbox NR-4-U Ultimate, a COTS 3GPP NTN software protocol stack suite for direct-to-cell satellite network experimentation. This suite realizes full-stack 3GPP-R17/18 IoT/NR-NTN protocols in 5G/4G and standard-compliant LEO satellite RF channel emulators. As shown in Figure 18, we approximate the real LEO satellite channel by adjusting channel parameters (e.g., RSRP and SNR) to be consistent with our measurement data from operational direct-to-cell satellite network deployments. We use one Amarisoft node with a GNSS antenna to emulate user terminals with SN², and another Amarisoft node to emulate the SN²-powered satellite and core network driven by operational satellites’ public ephemeris [68]. We also test various COTS direct-to-cell devices with real satellites (Figure 17b), including the iPhone 15 (with GlobalStar), Iridium Go [79] and Iridium 9555 phone [80] (with Iridium).
We evaluate SN²’s network availability, reliability, and security against various external/internal attacks, including GNSS jamming/spoofing, direct-to-cell satellite spoofing, and selfish user-side location manipulations. For external attacks, our experiments test the GNSS jamming and spoofing using gps-sdr-sim [81] in USRP B210 as a GNSS satellite signal emulator. We follow the real-world GNSS unreliability statistics [27, 28, 45–47] to mirror real conditions. We also use the Amarisoft node to emulate fake NTN satellites to validate SN²’s resistance to spoofing on direct-to-cell satellites. For internal selfish users, we use the above GNSS spoofer to spoof their geolocations to manipulate network-side authorizations.
We compare SN² with the following standardized and operational satellite network solutions:
(1) 3GPP-NTN, which is the baseline [9–19]. It relies on GNSS for radio access, authentication, and authorization as described in §3.
(2) Globalstar, which enables emergency SOS services for Apple iPhones in specific countries [4]. It relies on GNSS to localize the iPhone and validate whether it resides in the serviceable areas.
(3) Iridium, which offers direct-to-cell satellite messaging and voice services. Most of its user terminals, such as Iridium GO! [79], rely on GNSS for network access. Some Iridium terminals, such as the Iridium 9555 satellite phone [80], use Doppler/delay-based localization [82], which will also be compared with SN² in the following experiments.
6.1 ~ 6.4
Experimental details and results: TL;DR
Related Work
Satellite networks have recently gained considerable traction from industry and academia. This has led to various laudable technological advances, such as metasurfaces for satellites [83, 84], physical topology designs [85, 86], link-layer scheduling [87–89] and handover [90, 91], network-layer routing [92–95], network function refactoring [77, 78], in-orbit edge computing [96–98], security and privacy [53, 99–106], and operational practice [107–110]. Even so, these works focus on satellite network functions only and ignore their reliance on external services. In contrast, our work takes a first step toward examining the impact of this cross-technology over-reliance on satellite network availability and resiliency.
From a more general perspective, our work is under the big umbrella of integrated communication and navigation in the satellite context. But different from prior efforts on resource optimization [111–113], navigation accuracy boost [48–50], or cost reduction [112] in this direction, this work contributes a new benefit: enhanced network availability and resiliency via “fate-sharing.” This interdisciplinary method resolves new issues that existing works on satellite navigation [48–50] or networking [53, 99, 100, 104] alone cannot tackle.
Conclusion
This paper presents SN², a network-oriented self-navigation scheme for highly available, reliable, and secure direct-to-cell satellite network services. SN² relaxes existing direct-to-cell satellite networks’ cross-technology over-reliance on external GNSS, which is prone to outages and inaccuracy. Its built-in navigation complements GNSS to offer “good enough” geolocation and timing for network functions. In a broader context, SN² shows that proper function layout and refactoring are vital to the resiliency of satellite networks. SN² aligns with the recent fusion of network communication and navigation, but extends it from the perspective of network availability and resiliency. This method is in concert with the classic “fate-sharing” principle in networked system designs. We hope our lessons can inspire more efforts in this direction for resilient 6G and beyond from space.