dalam-maharshi
7/28/2019 3. Gsm Networks
1/45
The GSM network also called Public Land Mobile Network (PLMN) is broadly
organized into three subsystems:
Base Station Subsystem (BSS)
Network Switching Subsystem (NSS)
Network Management Subsystem (NMS)
The three subsystems consist of different network elements (NE), each doing its own
task to provide desired services to the users.
Following are the specified interfaces:
Um: MS - BTS (air or radio interface)
A: MSC - BSC
Abis: BSC - BTS (proprietary interface)
Ater: BSC - TRAU (sometimes called Asub) (proprietary interface)
B: MSC - VLR
C: MSC - HLR
D: HLR - VLR
E: MSC - MSC
F: MSC - EIR
G: VLR - VLR.
Home Location Register (HLR)
The HLR is the reference database for subscriber parameters. Various identification
numbers and addresses are stored, as well as authentication parameters. This
information is entered into the database by the network provider when a new
subscriber is added to the system.
The parameters stored in the HLR are listed opposite. The HLR database contains the
master database of all the subscribers to a GSM PLMN.
The data it contains is remotely accessed by all the MSCs and the VLRs in the network
and, although the network may contain more than one HLR, there is only one
database record per subscriber - each HLR is therefore handling a portion of the total
subscriber database. The subscriber data may be accessed by either the IMSI or the
MSISDN number. The data can also be accessed by an MSC or a VLR in a different
PLMN, to allow inter-system and inter-country roaming.
Visitor Location Register (VLR)
The VLR contains a copy of most of the data stored at the HLR. It is, however,
temporary data which exists for only as long as the subscriber is active in the
particular area covered by the VLR. The VLR database will therefore contain some
duplicate data as well as more precise data relevant to the subscriber remaining
within the VLR coverage. The additional data stored in the VLR is listed below:
Mobile status (busy/free/no answer etc.).
Location Area Identity (LAI).
Temporary Mobile Subscriber Identity (TMSI).
Mobile Station Roaming Number (MSRN).
The authentication center (AUC) is a function to authenticate each SIM card that
attempts to connect to the GSM core network. The AUC stores the following
information for each subscriber:
1. The IMSI number,
2. The individual authentication key Ki,
3. A version of A3 and A8 algorithm.
EIR
The EIR contains one or several databases which store the IMEIs used in
the GSM system. The mobile equipment may be classified as "white listed",
"grey listed" and "black listed" and therefore may be stored in three separate
lists. An IMEI may also be unknown to the EIR.
The EIR contains, as a minimum, a "white list" (equipment classified as
"white listed"). There is an optional implementation that may be used by the
operator to control access to the network by certain types of equipment or to
monitor lost or stolen handsets.
In GSM, the mobile phone is called Mobile Station (MS). The MS is a combination of
terminal equipment and subscriber data. The terminal equipment as such is called
ME (Mobile Equipment) and the subscriber's data is stored in a separate module
called SIM (Subscriber Identity Module).
Therefore, ME + SIM = MS.
The Base Station Subsystem is responsible for managing the radio network, which is
the wireless part of mobile networks. Typically, one MSC contains several BSSs. A BSS
itself may cover a considerably large geographical area consisting of many cells (a cell
refers to an area covered by one or more frequency resources).
BSC Functions:
Connection establishment between MS and NSS
Mobility management
Statistical raw data collection
Air- and A-interface signalling support
BTS and TRAU Control
BTS Functions:
Air interface signalling
Ciphering
Speech processing (channel coding, interleaving, and burst formatting)
Generation of alarms and statistics
Baseband/Radio frequency transformation
The BSC:
allocates a channel for the duration of a call
maintains the call:
monitors quality
controls the power transmitted by the BTS or MS
generates a handover to another cell when required
BTS:
The BTS contains the RF components that provide the air interface for a particular
cell. This is the part of the GSM network which communicates with the MS. The
antenna is included as part of the BTS.
Transceiver (TRX): Quite widely referred to as the driver receiver (DRX). DRX are
either in the form of single (sTRU), double (dTRU) or a composite Double Radio Unit
(DRU). It basically does transmission and reception of signals. It also sends and
receives signals to/from higher network entities (like the base station controller in
mobile telephony).
Power amplifier (PA): Amplifies the signal from the DRX for transmission through the
antenna; may be integrated with the DRX.
Combiner: Combines feeds from several DRXs so that they can be sent out through a
single antenna. Allows for a reduction in the number of antennas used.
Duplexer: For separating sending and receiving signals to/from the antenna. Sends and
receives signals through the same antenna ports (cables to antenna).
Antenna: This is also considered a part of the BTS.
Alarm extension system: Collects working status alarms of various units in the BTS and
extends them to operations and maintenance (O&M) monitoring stations.
Control function: Controls and manages the various units of the BTS, including any
software. On-the-spot configurations, status changes, software upgrades, etc. are
done through the control function.
Baseband receiver unit (BBxx): Frequency hopping, signal DSP, etc.
NSS, also known as core network, consists of network elements such as MSC, GMSC,
VLR, HLR, AC and EIR.
The main functions of NSS are listed below.
Call control
This is the most important functionality of network elements of NSS. Call control
identifies the subscriber, establishes a call and clears the connection after the
conversation is over.
Charging
This collects the charging information about a call such as the numbers of the caller
and the called subscriber, the time and type of the transaction, etc. This information
stored in the form of Charging Data Record (CDR) is then transferred to the Billing
Centre.
Mobility management
One of the most important tasks of mobile networks is to keep track of the subscriber's
location. As the subscriber moves from one place to another, the network is updated
about it. This is to ensure that the desired services are delivered to the subscriber
even when he is not at a fixed place. This is achieved with the help of mobility
management.
Signalling
This applies to interfaces with BSS and PSTN. All kinds of communication between
network elements happen over specific protocols defined in signalling.
Subscriber data handling
This is the permanent data storage in the Home Location Register (HLR) and
temporary storage of relevant data in the Visitor Location Register (VLR). When a
person buys a subscription to mobile services, his data is permanently stored in HLR.
As he moves from one place to another, his subscription data is updated in
corresponding VLR.
MSC is responsible for controlling calls in the mobile network. It identifies the origin
and destination of a call (mobile station or fixed telephone), as well as the type of a
call.
MSC is responsible for several important tasks, discussed below in detail.
Call control
MSC identifies the type of call, the origin, and the destination of a call. It also sets up,
supervises, and clears connections.
Initiation of paging
Paging is the process of locating a particular mobile station in case of a mobile
terminated call (a call to a mobile station).
Charging data collection
MSC generates CDRs (Charging Data Records), which contain information about the
subscriber's usage of the network. A CDR contains the time of usage, duration, called
party address etc. These CDRs are forwarded to the billing centre for processing.
GMSC is used to connect the other PLMN/PSTN networks with the operator's
network. In addition, GMSC also handles the functionality of HLR interrogation, in
which it requests the HLR for the MSRN for incoming calls. The HLR in turn asks the
respective VLR for the information and provides it to the GMSC.
VLR is a database that contains information about subscribers which are currently in
its service area.
HLR maintains a permanent database of the subscribers. For instance, the subscriber
identity numbers and the subscribed services can be found here. In addition to the
fixed data, HLR also keeps track of the current location of its customers in the form of
VLR address.
The EIR is used for security reasons. The EIR is responsible for IMEI checking (checking
the validity of the mobile equipment).
Authentication Centre provides security information to the network, so that we can
verify the SIM cards (authentication between the mobile station and the VLR), and
cipher information transmitted in the air interface (between the MS and the Base
Transceiver Station).
Network Management Subsystem (NMS) is the third subsystem of the GSM network
in addition to Network Switching Subsystem (NSS) and Base Station Subsystem (BSS),
which we have already discussed. The purpose of NMS is to monitor various functions
and elements of the network. This subsystem can often be referred to as OSS as well.
The functions of NMS can be divided into three categories:
Fault management
Configuration management
Performance management
These functions cover the whole of GSM network elements from the level of
individual BTSs, up to MSCs and HLRs.
Operations and Maintenance Centre (OMC)
The OMC provides a central point from which to control and monitor the other network
entities (i.e. base stations, switches, database, etc.) as well as monitor the quality of
service being provided by the network. At present, equipment manufacturers have their
own OMCs which are not compatible in every aspect with those of other manufacturers.
This is particularly the case between radio base station equipment suppliers, where in
some cases the OMC is a separate item, and Digital Switching equipment suppliers,
where the OMC is an integral, but functionally separate, part of the hardware.
There are two types of OMC:
OMC (R): OMC controls specifically the Base Station System.
OMC (S): OMC controls specifically the Network Switching System.
The OMC should support the following functions as per ITSTS recommendations. The
OMC supports the following network management functions:
Event Management - General functions of the OMC include operator input and output
messages, application input commands, and application output reports.
Fault Management - The OMC provides fault management such as diagnostics and
alarms for the MSC and BSS.
Security Management - It provides an extensive range of features to ensure that access
to the OMC functions is restricted to relevant personnel.
Configuration Management - Configuration Management allows the operator to adapt
the network to the changing traffic requirements.
Performance Management - Supports data collection such as traffic data, handovers,
statistics, plant measurements, and volume data.
As UMTS has new standards for the Radio Access Network (RAN), new names have been
given for the UTRAN interfaces.
The particularity of these interfaces is that they are fully standardized, even the one
between the RNC and the node Bs.
Uu interface (UMTS User interface)
This interface is used between the node B and the UE. It is dependent on the technology
used on the radio (it can be W-CDMA or TD/CDMA for example).
Iub interface (Interface UMTS node B)
This is between RNC and node B. It is used to connect RNC and node B from different
manufacturers because it is standardized (it is not like the Abis in GSM).
Iu interface (Interface UMTS)
This is between core network and access network. The Core Network can be connected
to different access networks using it (equivalent to the A interface in GSM).
The Iu interface is split into:
Iu CS (Circuit Switched) for the circuit domain
Iu PS (Packet Switched) for the packet domain
Iur interface (Interface UMTS RNCs)
This interface between the RNCs has been defined to support specific functions such as
handover without having the Core Network involved.
UMTS networks are designed to offer a wide range of multimedia services. A
consequence of more variable services is that the core network must offer
more efficient and flexible transport options than the Release 99 network
does.
An MSC is responsible for:
Bearer control and bearer management
Call control
Service provisioning
Beginning with UMTS Release 4, call control and bearer control and
management are separated.
The UMTS Release 99 network elements MSC/VLR, and GMSC are substituted
by the network entities MSC-Server, GMSC-Server and CS-MGW (Circuit
Switched Media Gateway).
Beginning with UMTS Release 4, call control and bearer control and management are
separated. The UMTS Release 99 network elements MSC, VLR, and GMSC are
substituted by the network entities MSC-Server, GMSC-Server and CS-MGW (circuit
switched Media Gateway Function). This allows for higher efficiency and more
flexible bearer solutions.
The mobile switching center (MSC) is the primary service delivery node for
GSM/CDMA, responsible for routing voice calls and SMS as well as other
services (such as conference calls, FAX and circuit switched data).
The MSC sets up and releases the end-to-end connection, handles mobility
and hand-over requirements during the call and takes care of charging and
real time pre-paid account monitoring.
In the GSM mobile phone system, in contrast with earlier analogue services,
fax and data information is sent directly digitally encoded to the MSC. Only at
the MSC is this re-coded into an "analogue" signal (although actually this will
almost certainly mean sound encoded digitally as PCM signal in a 64-kbit/s
timeslot, known as a DS0 in America).
There are various different names for MSCs in different contexts, which reflects
their complex role in the network. All of these terms, though, could refer to the
same MSC doing different things at different times.
The subscriber has to be located and identified to provide him/her with the
requested services. In order to understand how we are able to serve the subscribers,
it is necessary to identify the main interfaces, the subsystems and network elements
in the GSM network, as well as their functions.
The IMEI number is used by the GSM network to identify valid devices and therefore
can be used for stopping a stolen phone from accessing the network in that country.
For example, if a mobile phone is stolen, the owner can call his or her network
provider and instruct them to "ban" the phone using its IMEI number. This renders
the phone useless on that network, whether or not the phone's SIM is changed.
However, the phone can be used on other networks.
International Mobile Subscriber Identity (IMSI):
Network identity unique to an MS
The International Mobile Subscriber Identity (IMSI) is the primary identity of
the subscriber within the mobile network and is permanently assigned
to that subscriber.
The IMSI can be a maximum of 15 digits.
MCC = Mobile Country Code = 3 digits
MNC = Mobile Network Code = 2 digits
MSIN = Mobile Station Identity Number = 11 digits
IMSI is also stored in the VLR for temporary registration.
The "Temporary Mobile Subscriber Identity" (TMSI) is the identity that is most
commonly sent between the mobile and the network. TMSI is randomly
assigned by the VLR to every mobile in the area, the moment it is switched on.
The number is local to a location area, and so it has to be updated each time
the mobile moves to a new geographical area.
The network can also change the TMSI of the mobile at any time. And it
normally does so, in order to avoid the subscriber from being identified, and
tracked by eavesdroppers on the radio interface. This makes it difficult to
trace which mobile is which, except briefly, when the mobile is just switched
on, or when the data in the mobile becomes invalid for one reason or another.
At that point, the global "international mobile subscriber identity" (IMSI) must be
sent to the network. The IMSI is sent as rarely as possible, to avoid it being identified
and tracked.
A key use of the TMSI is in paging a mobile. "Paging" is the one-to-one
communication between the mobile and the base station. The most important use of
broadcast information is to set up channels for "paging". Every cellular system has a
broadcast mechanism to distribute such information to a plurality of mobiles.
The size of the TMSI is 4 octets with full hex digits, and it can't be all 1s because the
SIM uses 4 octets with all bits equal to 1 to indicate that no valid TMSI is available [1].
In order to provide a temporary number to be used for routing, the HLR
requests the current MSC/VLR to allocate a MSRN to the called subscriber and
to return it.
All data exchanged between the GMSC - HLR - MSC/VLR for the purpose of
interrogation is sent over the SS7 signaling network.
The Authentication Centre generates information that can be used for all security
purposes during one transaction. This information is called an authentication triplet.
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM
03.20 Section 3.3.1 and summarized here:
The network generates a 128 bit random value, RAND.
The network sends RAND to the MS in the MM Authentication Request message.
The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm
called A3, using Ki as a key. SRES = A3(RAND,Ki). The network performs an identical
SRES calculation.
The MS sends back its SRES value in the RR Authentication Response message.
The network compares its calculated SRES value to the value returned by the MS. If
they match, the MS is authenticated.
Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and
Ki using the A8 algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use
when ciphering is enabled.
Note that this transaction always occurs in the clear, since the ciphering key is not
established until after the transaction is started.
Authentication Centre (AUC)
The AUC is a processor system that performs the authentication function.
It will normally be co-located with the Home Location Register (HLR) as it will be
required to continuously access and update, as necessary, the system subscriber
records. The AUC/HLR centre can be co-located with the MSC or located remote from
the MSC.
The authentication process will usually take place each time the subscriber
initializes on the system.
Authentication Process
To discuss the authentication process we will assume that the VLR has all the
information required to perform that authentication process (Kc, SRES and RAND). If
this information is unavailable, then the VLR would request it from the HLR/AUC.
1. Triples (Kc, SRES and RAND) are stored at the VLR.
2. The VLR sends RAND via the MSC and BSS, to the MS (unencrypted).
3. The MS, using the A3 and A8 algorithms and the parameter Ki stored on the MS
SIM card, together with the received RAND from the VLR, calculates the values of
SRES and Kc.
4. The MS sends SRES unencrypted to the VLR
5. Within the VLR the value of SRES is compared with the SRES received from the
mobile. If the two values match, then the authentication is successful.
6. If cyphering is to be used, Kc from the assigned triple is passed to the BTS.
7. The mobile calculates Kc from the RAND and A8 and Ki on the SIM.
8. Using Kc, A5 and the GSM hyper-frame number, encryption between the MS and
the BSS can now occur over the air interface.
Note: The triples are generated at the AUC by:
RAND = Randomly generated number.
SRES = Derived from A3 (RAND, Ki).
Kc = Derived from A8 (RAND, Ki).
A3 = From 1 of 16 possible algorithms defined on allocation of IMSI and
creation of SIM card.
A8 = From 1 of 16 possible algorithms defined on allocation of IMSI and
creation of SIM card.
Ki = Authentication key, assigned at random together with the versions of
A3 and A8.
The first time a subscriber attempts to make a call, the full authentication process
takes place.
However, for subsequent calls attempted within a given system control time period,
or within a single system provider's network, authentication may not be necessary, as
the data generated during the first authentication will still be available.
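The two descriptions of authentication above (the Um challenge-response and the VLR's handling of triples) can be followed end to end in the sketch below. It is an added example, not part of the original slides: a3, a8 and a5_standin are HMAC/SHAKE stand-ins and not the real A3/A8/A5 algorithms, and the class names and the IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import deque

# Stand-ins for the operator-selected algorithms (assumption: NOT the real
# A3/A8/A5). Only the inputs and output sizes follow the text above.
def a3(rand, ki):
    """SRES = A3(RAND, Ki), a 32-bit response."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(rand, ki):
    """Kc = A8(RAND, Ki), a 64-bit ciphering key."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_standin(kc, frame_no, data):
    """XOR data with a keystream derived from Kc and the frame number."""
    ks = hashlib.shake_256(kc + frame_no.to_bytes(4, "big")).digest(len(data))
    return bytes(d ^ k for d, k in zip(data, ks))

class AuC:
    """Keeps Ki per IMSI and produces (RAND, SRES, Kc) triples."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)   # Ki assigned at random
        return self._ki[imsi]                      # same value goes onto the SIM

    def triples(self, imsi, count=3):
        ki = self._ki[imsi]
        rands = [secrets.token_bytes(16) for _ in range(count)]  # 128-bit RAND
        return [(r, a3(r, ki), a8(r, ki)) for r in rands]

class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand):
        self.kc = a8(rand, self._ki)   # kept on the MS for later ciphering
        return a3(rand, self._ki)      # only SRES is sent back

class Vlr:
    """Works from triples only; Ki stays in the AuC and on the SIM."""
    def __init__(self, auc):
        self.auc, self.triples = auc, {}

    def authenticate(self, sim):
        queue = self.triples.setdefault(sim.imsi, deque())
        if not queue:                              # nothing stored: ask HLR/AUC
            queue.extend(self.auc.triples(sim.imsi))
        rand, expected, kc = queue.popleft()       # one triple per transaction
        sres = sim.respond(rand)                   # RAND and SRES travel in clear
        ok = hmac.compare_digest(sres, expected)
        return ok, (kc if ok else None)            # Kc would be passed to the BTS

def run_demo():
    auc = AuC()
    imsi = "001010123456789"                       # constructed test IMSI
    sim, vlr = Sim(imsi, auc.provision(imsi)), Vlr(auc)
    ok, kc = vlr.authenticate(sim)
    frame = a5_standin(kc, 42, b"constructed payload")     # network side
    clone_ok, _ = vlr.authenticate(Sim(imsi, bytes(16)))   # SIM with wrong Ki
    return ok, a5_standin(sim.kc, 42, frame), clone_ok

if __name__ == "__main__":
    print(run_demo())
```

Because RAND and SRES cross the air interface unencrypted, the protection rests entirely on Ki never leaving the SIM and the AuC; the VLR and BTS only ever hold values derived from it.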
In cryptography, a cipher (or cypher) is an algorithm for performing encryption or
decryption: a series of well-defined steps that can be followed as a procedure. An
alternative, less common term is encipherment. In non-technical usage, a cipher is
the same thing as a code; however, the concepts are distinct in cryptography.
Ciphering is used across the air interface to provide traffic and signalling encryption.
When the authentication procedure has been completed successfully, the BTS and
the mobile station are ready to start the ciphering procedure for further signalling
and speech / data transmission.
The speech of the user, the TDMA frame number (Time Division Multiple Access) and
the ciphering key, Kc, are processed by the ciphering algorithm (A5), which produces
the coded speech signal.
Location Update Sequence:
1. A location update is initiated by the mobile when it detects that it has
entered a new location area. The location area is transmitted on the BCCH
as the LAI. The mobile will be assigned an SDCCH by the BSS, the location
updating procedure will be carried out using this channel.
2. Once the SDCCH has been assigned the mobile transmits a Location
Update Request message. This message is received by the MSC which
then sends the new LAI and the current mobile TMSI number to the VLR.
The information will also be sent to the HLR if the mobile has not
previously been updated on the network.
3. Authentication and ciphering may now take place if required.
4. The VLR will now assign a new TMSI for the mobile; this number will be
sent to the MSC using the Forward New TMSI message. The VLR will
now initiate the Location Update Accept message, which will transmit
the new TMSI and LAI to the mobile.
5. Once the mobile has stored both the TMSI and the LAI on its SIM card it
will send the TMSI Reallocate Complete message to the MSC. The MSC
will then send the TMSI Ack message to the VLR to confirm that the
location update has been completed.
6. The SDCCH will then be released by the mobile.
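The TMSI rules described earlier (random assignment, local to a location area, never all 1s, IMSI sent only when no valid TMSI exists) combine with this location update sequence as sketched below. This is an added example, not part of the original slides: it models a single VLR area, and the class names, LAI labels and IMSI are constructed for illustration.

```python
import secrets

NO_VALID_TMSI = 0xFFFFFFFF  # 4 octets, all bits 1: SIM marker for "no valid TMSI"

class VlrIdentityStore:
    """Hypothetical TMSI bookkeeping for one VLR area (constructed model)."""

    def __init__(self):
        self.by_tmsi = {}        # (LAI, TMSI) -> IMSI
        self.current = {}        # IMSI -> (LAI, TMSI) currently assigned
        self.imsi_requests = 0   # how often the IMSI crossed the air interface

    def _allocate(self, lai, imsi):
        # Drop the previous mapping so a stale TMSI can no longer be resolved.
        self.by_tmsi.pop(self.current.pop(imsi, None), None)
        while True:
            tmsi = secrets.randbits(32)
            if tmsi != NO_VALID_TMSI and (lai, tmsi) not in self.by_tmsi:
                self.by_tmsi[(lai, tmsi)] = imsi
                self.current[imsi] = (lai, tmsi)
                return tmsi

    def location_update(self, new_lai, old_lai, old_tmsi, sim_imsi):
        """Process a Location Update Request; return the newly assigned TMSI."""
        imsi = None
        if old_tmsi != NO_VALID_TMSI:
            imsi = self.by_tmsi.get((old_lai, old_tmsi))
        if imsi is None:
            # Unknown or missing TMSI: the mobile must identify itself by IMSI.
            self.imsi_requests += 1
            imsi = sim_imsi
        return self._allocate(new_lai, imsi)

    def resolve(self, lai, tmsi):
        return self.by_tmsi.get((lai, tmsi))

class Mobile:
    def __init__(self, imsi):
        self.imsi = imsi
        self.lai = None
        self.tmsi = NO_VALID_TMSI   # fresh SIM: nothing stored yet

    def enter(self, vlr, new_lai):
        """Entering a new location area triggers a location update."""
        self.tmsi = vlr.location_update(new_lai, self.lai, self.tmsi, self.imsi)
        self.lai = new_lai          # TMSI and LAI are stored on the SIM
        return self.tmsi

def simulate(lais, imsi="001010123456789"):   # constructed test IMSI
    vlr, ms = VlrIdentityStore(), Mobile(imsi)
    tmsis = [ms.enter(vlr, lai) for lai in lais]
    return vlr, ms, tmsis

if __name__ == "__main__":
    vlr, ms, tmsis = simulate(["LAI-1", "LAI-2", "LAI-3", "LAI-4"])
    print([f"{t:08x}" for t in tmsis], "IMSI sent:", vlr.imsi_requests)
```

The imsi_requests counter is the figure to watch when reviewing a real network's behaviour: it should rise only at first attach or after the stored identity is lost, not on every move.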
Paging
The PCH carries service notifications (pages) to specific mobiles sent by the network.
A mobile station that is camped to a BTS monitors the PCH for these notifications
sent by the network.
The MS assists the handover decision process by performing certain measurements.
When the MS is engaged in a speech conversation, a portion of the TDMA frame is
idle while the rest of the frame is used for uplink (BTS receive) and downlink
(BTS transmit) timeslots.
During the idle time period of the frame, the MS changes radio channel frequency
and monitors and measures the signal level of the six best neighbor cells.
Measurements which feed the handover decision algorithm are made at both ends of
the radio link.