2G Mobile Communication Systems - TU Ilmenau

2G Mobile Communication Systems 2G Review: GSM

Services Architecture Protocols Call setup Mobility management Security

HSCSD

GPRS

EDGE

UMTS Networks 2Oliver Waldhorst, Jens Mückenheim Oct-11

References

Jochen Schiller: Mobile Communications (German and English), Addison-Wesley, 2000(most of the material covered in this chapter is based on the book)

Michel Mouly, Marie-Bernadette Pautet: The GSM System for Mobile Communications. Telecom Pub, Juni 1992

Jörg Eberspaecher, u. a.: GSM Switching, Services and Protocols. John Wiley and Sons Ltd, 2001

Siegmund Redl, u. a.: GSM and Personal Communications Handbook. Artech House, 1998

Gunnar Heine: GSM Networks: Protocols, Terminology, and Implementation. Artech House Mobile Communications Library. Artech House Publishers, 1998


Public Land Mobile Network (PLMN)

Definition:

a network established and operated by an administration to provide land-based mobile telecommunications services to the public

a PLMN may be regarded as an extension of a network (e.g. an ISDN)

a PLMN consists of a collection of areas within a common numbering plan (e.g. same National Destination Code) and a common routing plan

PLMNs are independent telecommunications entities

Source: 3GPP 23.002-5.5.0


GSM: Mobile Services

GSM offers several types of connections

voice connections data connections short message service

multi-service options (combination of basic services)Three service domains (a “mobile” model of ISDN) Bearer Services Teleservices Supplementary Services

GSM-PLMNtransit

network(PSTN, ISDN)

source/destination

networkTE TE

bearer services

teleservices

R, S (U, S, R)Um

MT

MS

PLMN: Public Land Mobile NetworkPSTN: Public Switched Telephone NetworkISDN: Integrated Services Digital Network

MS: Mobile StationMT: Mobile Termination (radio-specific part)TE: Terminal


Bearer Services

Telecommunication services to transfer data between access pointsSpecification of services up to the terminal interface (OSI layers 1-3) Different data rates for voice and data (original standard) data service (circuit switched)

synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: 300 - 1200 bit/s

data service (packet switched) –> superseded by GPRS synchronous: 2.4, 4.8 or 9.6 kbit/s asynchronous: 300 - 9600 bit/s


Teleservices

Telecommunication services that enable voice communication via mobile phones mobile telephony

primary goal of GSM was to enable mobile telephony offering nearly ISDN quality (bandwidth of 7 kHz); Today: Fullrate codec (FR–13kb/s), halfrate (HR-5.6kb/s), Enhanced Fullrate (EFR-

12.2kb/s)

emergency numbercommon number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible)

multinumberingseveral ISDN phone numbers per user possible

Non-Voice Teleservices group 3 fax voice mailbox (implemented in the GSM network) Short Message Service (SMS)

alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS


Supplementary services

Services in addition to the basic services cannot be offered stand-alone similar to ISDN services besides lower bandwidth due to the radio link may differ between different service providers, countries and protocol

versions

Important services call forwarding identification: forwarding of caller number suppression of number forwarding (CLIP, CLIR) automatic call-back conferencing with up to 7 participants locking of the mobile terminal (incoming or outgoing calls) ...


Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network) several providers setup mobile networks following the GSM standard

within each country

GSM system comprises 3 subsystems

RSS (radio subsystem): covers all radio aspectsMS (mobile station) BSS (base station subsystem) or RAN (radio access network)

BTS (base transeiver station) BSC (base station controller)

NSS (network and switching subsystem): call forwarding, handover, switchingMSC (mobile services switching center) LR (location register): HLR and VLR

OSS (operation subsystem): management of the networkOMC (operation and maintenance centre) AuC (authentication centre) EIR (equipment identity register)


GSM: overview

fixed network

BSC

BSC

MSC MSC

GMSC

OMC, EIR, AUC

VLR

HLRNSSwith OSS

RSS

VLR

BTS BTSBTS BSC: n:1 (tree)BSC MSC: n:1 (tree)MSC – VLR: 1:1MSC – MSC : meshed network


GSM: elements and interfaces

NSS

MS MS

BTS

BSC

GMSC

IWF

OMC

BTS

BSC

MSC MSC

Abis

Um

EIR

HLR

VLR VLR

A

BSS

PDN

ISDN, PSTN

RSS

radio cell

radio cell

MS

AUCOSS

signaling

O

Um Interface (MS and BTS):radio, air interface

Abis Interface (BTS and BSC)

Interfaces B,...,H within NSS (between MSC, VLR and HLR)

A Interface (BSC and MSC)


Radio subsystem

The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers

Components Base Station Subsystem (BSS):

Base Transceiver Station (BTS) radio components including sender, receiver, antenna one BTS can cover several cells

Base Station Controller (BSC) switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A

interface)BSS = BSC + sum(BTS) + interconnection

Mobile Stations (MS)


Base Transceiver Station and Base Station Controller

Tasks of a BSS are distributed over BSC and BTS BTS comprises radio specific functions of lower layers (PHY, MAC) BSC manages and controls the radio channels in the BTS and terrestrial

channels to BTS and MSC Design Principle: “central intelligence” = BSC, “dumb radio station” = BTS

Functions BTS BSCManagement of radio channels XFrequency hopping (FH) X XManagement of terrestrial channels XMapping of terrestrial onto radio channels XChannel coding and decoding XRate adaptation XEncryption and decryption X XPaging X XUplink signal measurements XTraffic measurement XAuthentication XLocation registry, location update XHandover management X


possible radio coverage of the cell

idealized shape of the cellcell

segmentation of the area into cells

GSM: cellular network

use of several carrier frequencies not the same frequency in neighboring cells cell radius varies from some 100 m up to 35 km depending on

user density, geography, transceiver power etc. hexagonal shape of cells is idealized (cells overlap, shapes depend

on geography) if a mobile user changes cells

-> handover of the connection to the neighbor cell


GSM: Air Interface

FDMA (Frequency Division Multiple Access) / FDD (Frequency Division Duplex)

1 2 3 123124. . .

890 MHz 915 MHz

1 2 3 123124. . .

935 MHz 960 MHz

200 kHz

Uplink Downlink

frequency

TDMA (Time Division Multiple Access)

time

Downlink

87654321

4,615 ms = 1250 bit

Uplink

87654321


Framing Modulation(GMSK)

GSM: Voice Coding

Voice coding Channelcoding

Framing Modulation(GMSK)

114 bit/slot114 + 42 bit

Guard (8.25 bits): avoid overlap with other time slots (different time offset of neighboring slot)Training sequence: select the best radio path in the receiver and train equalizerTail: needed to enhance receiver performanceFlag S: indication for user data or control data

1 2 3 4 5 6 7 8

GSM TDMA frame

GSM time-slot (normal burst)

4.615 ms

546.5 µs577 µs

tail user data TrainingSguardspace S user data tail

guardspace

3 bits 57 bits 26 bits 57 bits1 1 3


GSM hierarchy of frames

0 1 2 2045 2046 2047...hyperframe

0 1 2 48 49 50...superframe

0 1 6 7...frame

burstslot

577 µs

4.615 ms

120 ms

6.12 s

3 h 28 min 53.76 s

traffic multiframe

0 1 24 25...

0 1 2 48 49 50... 235.4 mscontrol multiframe

0 1 24 25...

traffic multiframe: 24 frames (22.8 kbps) used for traffic channel (user data), or fast signaling1 frame (950 bps) used for slow signaling, 1 frame unused

o


Mobile station

Terminal for the use of GSM servicesA mobile station (MS) comprises several functional groups MT (Mobile Termination):

offers common functions used by all services the MS offers corresponds to the network termination (NT) of an ISDN access end-point of the radio interface (Um)

TA (Terminal Adapter): terminal adaptation, hides radio specific characteristics

TE (Terminal Equipment): peripheral device of the MS, offers services to a user does not contain GSM specific functions

SIM (Subscriber Identity Module): personalization of the mobile terminal, stores user parameters, and

security algorithm

R S UmTE TA MT


Network and switching subsystem (NSS)

NSS is the main component of the public mobile network GSM switching, mobility management, interconnection to other networks,

system control

Components

Mobile Services Switching Center (MSC)controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC

Databases (important: scalability, high capacity, low delay) Home Location Register (HLR)

central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)

Visitor Location Register (VLR)local database for a subset of user data, including data about all user currently in the domain of the VLR


Operation subsystem

The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems

Components

Authentication Center (AUC) generates user-specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals

and encryption of user data on the air interface within the GSM system

Equipment Identity Register (EIR) registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes

even localized

Operation and Maintenance Center (OMC) different control capabilities for the radio subsystem and the network

subsystem

Basic Functions in GSM Systems

Connection Setup Handover Location management Roaming Authentication


Connection Setup & Radio Resource Assignment

BSBSC MSC


Mobile Terminated Call (MTC)

PSTNcallingstation GMSC

HLR VLR

BSSBSSBSS

MSC

MS

1 2

3

4

5

6

7

8 9

10

11 12

1316

10 10

11 11 11

14 15

17

1: calling a GSM subscriber2: forwarding call to GMSC3: signal call setup to HLR4, 5: request MSRN from VLR6: forward responsible

MSC to GMSC7: forward call to

current MSC8, 9: get current status of MS10, 11: paging of MS12, 13: MS answers14, 15: security checks16, 17: set up connection


Mobile Originated Call (MOC)

PSTN GMSC

VLR

BSS

MSC

MS1

2

6 5

3 4

9

10

7 8

1, 2: connection request3, 4: security check5-8: check resources (free circuit)9-10: set up call


Handover

The problem:Change the cell while communicating

Reasons for handover: Quality of radio link

deteriorates Communication in other cell

requires less radio resources Supported radius is

exceeded (e.g. Timing advance in GSM)

Overload in current cell Maintenance

Link

qua

lity

Link to cell 1 Link to cell 2 time

cell 1

cell 2

Handover margin (avoid ping-pong effect)

cell 1 cell 2


4 types of handover

(Anchor)MSC MSC

BSC BSCBSC

BTS BTS BTSBTS

MS MS MS MS

12 3 4

• intra-cell handover: reason: quality, interference• inter-cell handover/intra BSS: within same BSS, handled by BSC (reason

mobility, receipt level, power budget, load)• inter-cell handover/inter BSS: between BSC at the same MSC• inter-cell handover/inter MSC: between BSC of different MSCs• Anchor MSC: the initial MSC, which started the connection, keeps control

GMSC


X

BSBS

Before

X

BSBS

During

X

BSBS

After

GSM: Handover Principle

„Hard“ handover, „make before break“ Mobile assisted handoff/handover (MOHA):

MS sends regular measurement reports to network (own cell, neighbor cells, every 480 ms) Network (old BSC) decides upon handover (when, target cell) Network (old BSC) sets up new communication path Network (old BSC) instructs the MS to execute handover


Handover procedure (change of BSC)

HO access

BTSold BSCnew

measurementresult

BSCold

Link establishment

MSCMSmeasurementreport

HO decisionHO required

BTSnew

HO request

resource allocationch. activation

ch. activation ackHO request ackHO commandHO commandHO command

HO completeHO completeclear commandclear command

clear complete clear complete

„Make-before-break“ strategy

make

break


Security in GSM

Security service System was designed with a moderate level of security to authenticate the

subscriber using a pre-shared key and challenge-response. access control/authentication

user SIM (Subscriber Identity Module): secret PIN (personal identification number)

SIM network: challenge response method no authentication of network!

confidentiality voice and signaling encrypted on the wireless link (after successful authentication)

anonymity temporary identity TMSI

(Temporary Mobile Subscriber Identity) newly assigned at each new location update encrypted transmission

3 algorithms specified in GSM A3 for authentication (“secret”, open interface) A5 for encryption (standardized) A8 for key generation (“secret”, open interface)

“secret”:• A3 and A8

available in the Internet

• network providers can use stronger mechanisms


GSM - authentication

A3

RANDKi

128 bit 128 bit

RAND

SRES* =? SRES

A3

RAND Ki

128 bit 128 bit

SRES 32 bit

SRES

Authentication Request (RAND)

Authentication Response (SRES 32 bit)

mobile network

AuC

MSC

SIM

Ki: individual subscriber authentication key SRES: signed response

SRES* 32 bit

Challenge-Response:• Authentication center provides RAND to Mobile• AuC generates SRES using Ki of subscriber and

RAND via A3• Mobile (SIM) generates SRES using Ki and RAND• Mobile transmits SRES to network (MSC)• network (MSC) compares received SRES with one

generated by AuC


GSM - key generation and encryption

A8

RANDKi

128 bit 128 bit

Kc64 bit

A8

RAND Ki

128 bit 128 bit

SRES

RAND

encrypteddata

mobile network (BTS)

MS with SIM

AuC

BTS

SIM

A5

Kc64 bit

A5MS

data data

cipherkey

Ciphering:• Data sent on air interface ciphered for security• A8 algorithm used to generate cipher key• A5 algorithm used to cipher/decipher data• Ciphering Key is never transmitted on air


2G+: GSM Evolution

Limits of GSM limited capacity at the air interface:

data transmission standardized with only 9.6 kbit/s advanced coding allows 14,4 kbit/s not enough for Internet and multimedia applications => EDGE

inappropriateness for bursty and non-symmetrical data traffic => GPRS

Extensions HSCSD (High-Speed Circuit Switched Data) GPRS (General Packet Radio Service) EDGE (Enhanced Data Rate for GSM Evolution) EGPRS (EDGE und GPRS) GERAN (GSM Interface to UMTS)


HSCSD (High-Speed Circuit Switched Data)

continuous use of multiple time slots for a single user

(on a single carrier frequency)

asynchronous allocation of time slots between DL and UL

gain: net data rate up to 115,2 kbps (allocation of all 8 traffic channels)

mainly software update

additional HW needed if more than 3 slots are used

Uplink

Downlink

71 2 3 84 5 6 1 2

71 2 3 84 5 6 1 2


GPRS (General Packet Radio Service)

Introducing packet switching in the network Using shared radio channels for packet transmission over the air:

multiplexing multiple MS on one time slot flexible (also multiple) allocation of timeslots to MS

(scheduling by PCU Packet Control Unit in BSC or BTS)

using free slots only if data packets are ready to send (e.g., 115 kbit/s using 8 slots temporarily)

standardization 1998, introduction 2001 advantage: first step towards UMTS, flexible data services

carrierTS0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7

Multiplexing Multislot capability


connection-orientedpacket switched core

GPRS architecture and interfaces

MS BSS GGSNSGSN

MSC

Um

EIR

HLR/GR

VLR

PDN /Internet

Gb Gn Gi

SGSN

Gn


EDGE (Enhanced Data Rates for GSM Evolution)

Enhanced spectral efficiency depends on: Size of frequency band Duration of usage Level of interference with others (power)

EDGE Technology: EDGE can carry data speeds up to 236.8 kbit/s for 4

timeslots (theoretical maximum is 473.6 kbit/s for 8 timeslots)

Adaptation of modulation depending on quality of radio path GMSK (GSM standard – 1 bit per symbol) 8-PSK (3 bits per symbol)

Adaptation of coding scheme (redundancy) depending on quality of radio path (9 coding schemes)

Gain: data rate (gross) up to 69,2 kbps (compare to 22.8 kbps for GSM)

complex extension of GSM!

NodeB

UE 1

UE 2

Near-far problem


2G to 3G Evolution: GSM - GPRS - UMTS

GSMRAN

Base station

Base stationcontroller

Base station

Base station

MSC

ISDN

GSM Core (Circuit switched)

HLRAuCEIR

GMSC

TransmissionATM based

GSM


2G to 3G Evolution: GSM - GPRS - UMTS

GPRS Core (PacketSwitched)

SGSN

GGSN

Inter-net

GSMRAN

Base station


Base station

Base station

MSC

ISDN


HLRAuCEIR

GMSC


GSM+GPRS


2G to 3G Evolution: GSM - GPRS – UMTS R99


SGSN

GGSN

Inter-net

GSMRAN

Base station


Base station

Base station

UTRAN

Radio networkcontroller

Base station Base station

Base station

MSC

ISDN


HLRAuCEIR

GMSC


GSM+GPRS+UMTS R99


2G to 3G Evolution: GSM - GPRS - UMTS R5 - IMS


SGSN

GGSN

Inter-net

GSMRAN

Base station


Base station

Base station

UTRAN

Radio networkcontroller

Base station Base station

Base station

TransmissionIP based

3G Core

GERANGERAN + UMTS R5 + IMS

Documents

2G Mobile Communication Systems - TU Ilmenau