2G Mobile Communication Systems
2G Review: GSM
Services
Architecture
Protocols
Call setup
Mobility management
Security
HSCSD
GPRS
EDGE
Cellular Communication Systems 2 Andreas Mitschele-Thiel, Jens Mückenheim Oct-14
Public Land Mobile Network (PLMN)
Definition:
a network established and operated by an administration to provide land-based mobile telecommunications services to the public
a PLMN may be regarded as an extension of a network (e.g. an ISDN)
a PLMN consists of a collection of areas within a common numbering plan (e.g. same National Destination Code) and a common routing plan
PLMNs are independent telecommunications entities
Source: 3GPP 23.002-5.5.0
GSM: Mobile Services
GSM offers
several types of connections
voice connections
data connections
short message service
multi-service options (combination of basic services)
Three service domains (a “mobile” model of ISDN)
Bearer Services
Teleservices
Supplementary Services
[Figure: reference model with TE, MT and MS, the GSM-PLMN, a transit network (PSTN, ISDN) and the source/destination network; interfaces R, S (U, S, R) and Um; scope of bearer services and teleservices]
PLMN: Public Land Mobile Network
PSTN: Public Switched Telephone Network
ISDN: Integrated Services Digital Network
MS: Mobile Station
MT: Mobile Termination (radio-specific part)
TE: Terminal
Bearer Services
Telecommunication services to transfer data between access points
Specification of services up to the terminal interface (OSI layers 1-3)
Different data rates for voice and data (original standard)
data service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 1200 bit/s
data service (packet switched) –> superseded by GPRS
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 9600 bit/s
Teleservices
Telecommunication services that enable voice communication via mobile phones
mobile telephony: the primary goal of GSM was to enable mobile telephony offering nearly ISDN quality (bandwidth of 7 kHz)
Today: Fullrate codec (FR, 13 kb/s), halfrate (HR, 5.6 kb/s), Enhanced Fullrate (EFR, 12.2 kb/s)
emergency number: common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible)
multinumbering: several ISDN phone numbers per user possible
Non-Voice Teleservices
group 3 fax
voice mailbox (implemented in the GSM network)
Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS
Supplementary services
Services in addition to the basic services
cannot be offered stand-alone
similar to ISDN services besides lower bandwidth due to the radio link
may differ between different service providers, countries and protocol versions
Important services
call forwarding
identification: forwarding of caller number
suppression of number forwarding (CLIP, CLIR)
automatic call-back
conferencing with up to 7 participants
locking of the mobile terminal (incoming or outgoing calls)
...
Architecture of the GSM system
GSM is a PLMN (Public Land Mobile Network)
several providers set up mobile networks following the GSM standard within each country
GSM system comprises 3 subsystems
RSS (radio subsystem): covers all radio aspects
MS (mobile station)
BSS (base station subsystem) or RAN (radio access network)
BTS (base transceiver station)
BSC (base station controller)
NSS (network and switching subsystem): call forwarding, handover, switching
MSC (mobile services switching center)
LR (location register): HLR and VLR
OSS (operation subsystem): management of the network
OMC (operation and maintenance centre)
AuC (authentication centre)
EIR (equipment identity register)
GSM: overview
[Figure: RSS (BTS, BSC) and NSS with OSS (MSC, GMSC, VLR, HLR, OMC, EIR, AUC) connected to the fixed network]
BTS – BSC: n:1 (tree)
BSC – MSC: n:1 (tree)
MSC – VLR: 1:1
MSC – MSC: meshed network
GSM: elements and interfaces
[Figure: RSS (MS, radio cells, BSS with BTS and BSC), NSS (MSC, GMSC, IWF, HLR, VLR, connections to ISDN, PSTN and PDN) and OSS (OMC, EIR, AUC); interfaces Um, Abis, A and O; signaling links]
Um Interface (MS and BTS): radio, air interface
Abis Interface (BTS and BSC)
Interfaces B,...,H within NSS (between MSC, VLR and HLR)
A Interface (BSC and MSC)
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers
Components
Base Station Subsystem (BSS)
Base Transceiver Station (BTS)
radio components including sender, receiver, antenna
one BTS can cover several cells
Base Station Controller (BSC)
switching between BTSs,
controlling BTSs,
managing of network resources,
mapping of radio channels (Um) onto terrestrial channels (A interface)
BSS = BSC + sum(BTS) + interconnection
Mobile Stations (MS)
Base Transceiver Station and Base Station Controller
Tasks of a BSS are distributed over BSC and BTS
BTS comprises radio specific functions of lower layers (PHY, MAC)
BSC manages and controls the radio channels in the BTS and terrestrial channels to BTS and MSC
Design Principle: “central intelligence” = BSC, “dumb radio station” = BTS
Functions BTS BSC
Management of radio channels X
Frequency hopping (FH) X X
Management of terrestrial channels X
Mapping of terrestrial onto radio channels X
Channel coding and decoding X
Rate adaptation X
Encryption and decryption X X
Paging X X
Uplink signal measurements X
Traffic measurement X
Authentication X
Location registry, location update X
Handover management X
GSM: cellular network
[Figure: segmentation of the area into cells; idealized shape of the cell compared with the possible radio coverage of the cell]
use of several carrier frequencies
not the same frequency in neighboring cells
cell radius varies from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
if a mobile user changes cells -> handover of the connection to the neighbor cell
GSM: Air Interface
FDMA (Frequency Division Multiple Access) / FDD (Frequency Division Duplex)
Uplink: 890 MHz to 915 MHz, carriers 1 ... 124
Downlink: 935 MHz to 960 MHz, carriers 1 ... 124
Carrier spacing: 200 kHz
TDMA (Time Division Multiple Access)
8 time slots per frame on uplink and downlink; frame duration 4.615 ms = 1250 bit
GSM: Voice Coding
[Figure: processing chain: voice coding, channel coding, framing, modulation (GMSK); 114 bit/slot, 114 + 42 bit]
Guard (8.25 bits): avoid overlap with other time slots (different time offset of neighboring slot)
Training sequence: select the best radio path in the receiver and train equalizer
Tail: needed to enhance receiver performance
Flag S: indication for user data or control data
[Figure: GSM TDMA frame of 8 time slots (4.615 ms); GSM time-slot (normal burst), durations labelled 546.5 µs and 577 µs: guard space, tail (3 bits), user data (57 bits), S (1 bit), training (26 bits), S (1 bit), user data (57 bits), tail (3 bits), guard space]
GSM hierarchy of frames
hyperframe: superframes 0 ... 2047, 3 h 28 min 53.76 s
superframe: multiframes 0 ... 50 (traffic) or 0 ... 25 (control), 6.12 s
traffic multiframe: frames 0 ... 25, 120 ms
control multiframe: frames 0 ... 50, 235.4 ms
frame: slots 0 ... 7, 4.615 ms
slot (burst): 577 µs
traffic multiframe: 24 frames (22.8 kbps) used for traffic channel (user data), or fast signaling
1 frame (950 bps) used for slow signaling, 1 frame unused
Mobile station
Terminal for the use of GSM services
A mobile station (MS) comprises several functional groups
MT (Mobile Termination):
offers common functions used by all services the MS offers
corresponds to the network termination (NT) of an ISDN access
end-point of the radio interface (Um)
TA (Terminal Adapter):
terminal adaptation, hides radio specific characteristics
TE (Terminal Equipment):
peripheral device of the MS, offers services to a user
does not contain GSM specific functions
SIM (Subscriber Identity Module):
personalization of the mobile terminal, stores user parameters, and security algorithm
[Figure: TE, TA and MT in sequence, with reference points R, S and Um]
Network and switching subsystem (NSS)
NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks, system control
Components
Mobile Services Switching Center (MSC): controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to an MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
generates user-specific authentication parameters on request of a VLR
authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be locked and sometimes even localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
Basic Functions in GSM Systems
Connection Setup
Handover
Location management
Roaming
Authentication
Connection Setup & Radio Resource Assignment
Mobile Terminated Call (MTC)
[Figure: numbered message flow (steps 1 to 17) between calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]
1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible MSC to GMSC
7: forward call to current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
Mobile Originated Call (MOC)
[Figure: numbered message flow (steps 1 to 10) between MS, BSS, MSC, VLR, GMSC and PSTN]
1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
Handover
The problem:
Change the cell while communicating
Reasons for handover:
Quality of radio link deteriorates
Communication in other cell requires less radio resources
Supported radius is exceeded (e.g. Timing advance in GSM)
Overload in current cell
Maintenance
[Figure: link quality over time for the link to cell 1 and the link to cell 2; handover margin (avoid ping-pong effect)]
4 types of handover
[Figure: four handover cases (1 to 4) across MS, BTS, BSC and MSC, including the (anchor) MSC]
• intra-cell handover: reason: quality, interference
• inter-cell handover/intra BSS: within same BSS, handled by BSC (reasons: mobility, receipt level, power budget, load)
• inter-cell handover/inter BSS: between BSC at the same MSC
• inter-cell handover/inter MSC: between BSC of different MSCs
(Anchor MSC: the initial MSC, which started the connection, keeps control)
GSM: Handover Principle
[Figure: X and two base stations (BS) before, during and after handover]
“Hard” handover, “make before break”
Mobile assisted handoff/handover (MOHA):
MS sends regular measurement reports to network (own cell, neighbor cells, every 480 ms)
Network (old BSC) decides upon handover (when, target cell)
Network (old BSC) sets up new communication path
Network (old BSC) instructs the MS to execute handover
Handover procedure (change of BSC)
[Figure: message sequence between MS, BTSold, BSCold, MSC, BSCnew and BTSnew: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete; “make-before-break” strategy]
Security in GSM
Security service
System was designed with a moderate level of security to authenticate the subscriber using a pre-shared key and challenge-response.
access control/authentication
user – SIM (Subscriber Identity Module): secret PIN (personal identification number)
SIM – network: challenge response method
no authentication of network!
confidentiality
voice and signaling encrypted on the wireless link (after successful authentication)
anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity)
newly assigned at each new location update
encrypted transmission
3 algorithms specified in GSM
A3 for authentication (“secret”, open interface)
A5 for encryption (standardized)
A8 for key generation (“secret”, open interface)
“secret”:
• A3 and A8 available in the Internet
• network providers can use stronger mechanisms
GSM - authentication
[Figure: AuC (mobile network) and SIM each compute A3 over RAND (128 bit) and Ki (128 bit), giving SRES* (32 bit) and SRES (32 bit); Authentication Request (RAND) goes to the mobile, Authentication Response (SRES 32 bit) comes back; the MSC checks SRES* =? SRES]
Ki: individual subscriber authentication key
SRES: signed response
Challenge-Response:
• Authentication center provides RAND to Mobile
• AuC generates SRES using Ki of subscriber and RAND via A3
• Mobile (SIM) generates SRES using Ki and RAND
• Mobile transmits SRES to network (MSC)
• network (MSC) compares received SRES with one generated by AuC
GSM - key generation and encryption
[Figure: AuC and SIM each compute A8 over RAND (128 bit) and Ki (128 bit), giving the cipher key Kc (64 bit); the mobile network (BTS) and the MS each apply A5 with Kc to the data; encrypted data crosses the air interface between the MS with SIM and the BTS]
Ciphering:
• Data sent on air interface ciphered for security
• A8 algorithm used to generate cipher key
• A5 algorithm used to cipher/decipher data
• Ciphering Key is never transmitted on air
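The authentication and key-generation slides above, as one runnable exchange. This is an added example, not part of the original slides: A3 and A8 are operator-chosen, so HMAC-SHA256 truncated to the slide's 32-bit SRES and 64-bit Kc stands in for them here, and the class names, function names and test IMSI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-ins for the operator-chosen A3/A8 (NOT COMP128 or any real operator
# algorithm): HMAC-SHA256 keyed with Ki, truncated to the sizes on the slides.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: Ki (128 bit) + RAND (128 bit) -> SRES (32 bit)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: Ki (128 bit) + RAND (128 bit) -> Kc (64 bit)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuC:
    """Authentication centre: stores Ki per subscriber, issues triplets."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]          # the same Ki is personalised into the SIM

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)
        ki = self._ki[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)   # RAND, SRES*, Kc

class SIM:
    """Ki never leaves the card; only SRES and Kc are handed to the handset."""
    def __init__(self, ki: bytes):
        self._ki = ki

    def respond(self, rand: bytes):
        # The SIM answers whatever RAND it is given: no message in the
        # exchange lets it check the sender ("no authentication of network").
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)

def authenticate(auc: AuC, imsi: str, sim: SIM):
    """MSC view of one run; returns (ok, air_messages, kc_network, kc_mobile)."""
    rand, sres_expected, kc_net = auc.triplet(imsi)
    air = [("Authentication Request", rand)]            # network -> MS
    sres, kc_ms = sim.respond(rand)
    air.append(("Authentication Response", sres))       # MS -> network
    ok = hmac.compare_digest(sres, sres_expected)       # SRES* =? SRES
    return ok, air, kc_net, kc_ms

def demo():
    imsi = "001010000000001"                            # constructed test IMSI
    auc = AuC()
    genuine = SIM(auc.provision(imsi))
    wrong = SIM(secrets.token_bytes(16))                # card with a different Ki
    ok, air, kc_net, kc_ms = authenticate(auc, imsi, genuine)
    bad, _, _, _ = authenticate(auc, imsi, wrong)
    kc_on_air = any(kc_net in payload for _, payload in air)
    return {"genuine": ok, "wrong_ki": bad, "kc_match": kc_net == kc_ms,
            "kc_on_air": kc_on_air, "air": [(n, len(p) * 8) for n, p in air]}

if __name__ == "__main__":
    print(demo())
```

Only RAND and SRES appear in the air-interface message list; both sides derive the same Kc locally from Ki and RAND, which is why the cipher key is never transmitted.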
2G+: GSM Evolution
Limits of GSM
limited capacity at the air interface:
data transmission standardized with only 9.6 kbit/s
advanced coding allows 14,4 kbit/s
not enough for Internet and multimedia applications
=> EDGE
inappropriateness for bursty and non-symmetrical data traffic
=> GPRS
Extensions
HSCSD (High-Speed Circuit Switched Data)
GPRS (General Packet Radio Service)
EDGE (Enhanced Data Rate for GSM Evolution)
EGPRS (EDGE and GPRS)
GERAN (GSM Interface to UMTS)
HSCSD (High-Speed Circuit Switched Data)
continuous use of multiple time slots for a single user
(on a single carrier frequency)
asynchronous allocation of time slots between DL and UL
gain: net data rate up to 115,2 kbps (allocation of all 8 traffic channels)
mainly software update
additional HW needed if more than 3 slots are used
[Figure: time slot allocation on uplink and downlink]
GPRS (General Packet Radio Service)
Introducing packet switching in the network
Using shared radio channels for packet transmission over the air:
multiplexing multiple MS on one time slot
flexible (also multiple) allocation of timeslots to MS (scheduling by PCU Packet Control Unit in BSC or BTS)
using free slots only if data packets are ready to send (e.g., 115 kbit/s using 8 slots temporarily)
standardization 1998, introduction 2001
advantage: first step towards UMTS, flexible data services
[Figure: time slots (TS) 0 to 7 on a carrier, illustrating multiplexing and multislot capability]
GPRS architecture and interfaces
connection-oriented packet switched core
[Figure: MS, BSS, SGSN, GGSN, MSC, VLR, HLR/GR, EIR and PDN / Internet; interfaces Um, Gb, Gn and Gi]
EDGE (Enhanced Data Rates for GSM Evolution)
Enhanced spectral efficiency depends on:
Size of frequency band
Duration of usage
Level of interference with others (power)
EDGE Technology:
EDGE can carry data speeds up to 236.8 kbit/s for 4 timeslots (theoretical maximum is 473.6 kbit/s for 8 timeslots)
Adaptation of modulation depending on quality of radio path
GMSK (GSM standard – 1 bit per symbol)
8-PSK (3 bits per symbol)
Adaptation of coding scheme (redundancy) depending on quality of radio path (9 coding schemes)
Gain: data rate (gross) up to 69,2 kbps (compare to 22.8 kbps for GSM)
complex extension of GSM!
[Figure: near-far problem with NodeB, UE 1 and UE 2]
2G to 3G Evolution: GSM - GPRS - UMTS
[Figure: GSM RAN (base stations, base station controller); GSM Core (circuit switched): MSC, GMSC, HLR, AuC, EIR; ISDN; transmission ATM based. Stage shown: GSM]
2G to 3G Evolution: GSM - GPRS - UMTS
[Figure: GSM RAN (base stations, base station controller); GSM Core (circuit switched): MSC, GMSC, HLR, AuC, EIR; ISDN; GPRS Core (packet switched): SGSN, GGSN; Internet; transmission ATM based. Stage shown: GSM+GPRS]
2G to 3G Evolution: GSM - GPRS – UMTS R99
[Figure: GSM RAN (base stations, base station controller); UTRAN (base stations, radio network controller); GSM Core (circuit switched): MSC, GMSC, HLR, AuC, EIR; ISDN; GPRS Core (packet switched): SGSN, GGSN; Internet; transmission ATM based. Stage shown: GSM+GPRS+UMTS R99]
2G to 3G Evolution: GSM - GPRS - UMTS R5 - IMS
[Figure: GSM RAN (base stations, base station controller), labelled GERAN; UTRAN (base stations, radio network controller); GPRS Core (packet switched): SGSN, GGSN; Internet; 3G Core; transmission IP based. Stage shown: GERAN + UMTS R5 + IMS]
References
Jochen Schiller: Mobile Communications (German and English), Addison-Wesley, 2000
(most of the material covered in this chapter is based on the book)
Michel Mouly, Marie-Bernadette Pautet: The GSM System for Mobile Communications. Telecom Pub, June 1992
Jörg Eberspaecher, et al.: GSM Switching, Services and Protocols. John Wiley and Sons Ltd, 2001
Siegmund Redl, et al.: GSM and Personal Communications Handbook. Artech House, 1998
Gunnar Heine: GSM Networks: Protocols, Terminology, and Implementation. Artech House Mobile Communications Library. Artech House Publishers, 1998