GSM: Overview
- Formerly: Groupe Spéciale Mobile (founded 1982)
- Now: Global System for Mobile Communication
- Pan-European standard (ETSI, European Telecommunications Standardisation Institute)
Slide 2
Architecture of the GSM system
- GSM is a PLMN (Public Land Mobile Network)
  - several providers set up mobile networks following the GSM standard within each country
- Main components
  - MS (mobile station)
  - BS (base station)
  - MSC (mobile switching center)
  - LR (location register)
- Subsystems
  - RSS (Radio SubSystem): covers all radio aspects; consists of the BSS (BSC + several BTSs) and the MS
  - NSS (Network and Switching Subsystem): call forwarding, handover, switching; comprises an MSC and associated registers
  - OSS (Operation SubSystem): management of the network
Slide 3
GSM: Architecture Overview
[Figure: architecture diagram with the blocks fixed network (PSTN), NSS with OSS (MSC, GMSC, VLR, HLR, OMC, EIR, AUC) and RSS (BSC, BTS, MS)]
- BSS: Base Station Sub-system
- BSC: Base Station Controller
- BTS: Base Transceiver Station
- TRX: Transceiver
- MS: Mobile Station
- MSC: Mobile Switching Center
- GMSC: Gateway MSC
- HLR: Home Location Register
- VLR: Visitor Location Register
- AuC: Authentication Centre
- EIR: Equipment Identity Register
- OMC: Operations and Maintenance Centre
- PSTN: Public Switched Telephone Network
Slide 4
GSM: Architecture Overview
[Figure: architecture diagram; surviving label: Core]
Slide 5
GSM: elements and interfaces
[Figure: system diagram. Labels: radio cell, MS, BTS, BSC, BSS, RSS, MSC, GMSC, IWF, HLR, VLR, EIR, NSS, OMC, AUC, OSS, ISDN, PSTN, PDN; interfaces Um, Abis, A, O; signaling]
Several interfaces are defined between different parts of the system:
- 'A' interface between MSC and BSC
- 'Abis' interface between BSC and BTS
- 'Um' air interface between the BTS (antenna) and the MS
Slide 6
GSM: system architecture
[Figure: radio subsystem (MS, BTS, BSC, BSS; interfaces Um, Abis, A), network and switching subsystem (MSC, IWF, EIR, HLR, VLR, SS7), fixed partner networks (ISDN, PSTN, PSPDN, CSPDN)]
Slide 7
System architecture: radio subsystem
- Components
  - MS (Mobile Station)
  - BSS (Base Station Subsystem), consisting of
    - BTS (Base Transceiver Station): radio components including sender, receiver, antenna; if directed antennas are used, one BTS can cover several cells
    - BSC (Base Station Controller): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface)
- Interfaces
  - Um: radio interface
  - Abis: standardized, open interface with 16 kbit/s user channels
  - A: standardized, open interface with 64 kbit/s user channels
[Figure: radio subsystem (MS, BTS, BSC, BSS) and network and switching subsystem (MSC), joined by the Um, Abis and A interfaces]
Slide 8
Tasks of a BSS are distributed over BSC and BTS
- BTS comprises radio specific functions
- BSC is the switching center for radio channels
Slide 9
BSS Network Topologies
Base stations are linked to the parent BSC in one of several standard network topologies. The actual physical link may be microwave, optical fiber or cable.
- Chain: cheap, easy to implement
  - One link failure isolates several BTSs
- Ring: redundancy gives some protection if a link fails
  - More difficult to roll out and extend: ring must be closed
- Star: most popular configuration for first GSM systems
  - Expensive as each BTS has its own link
  - One link failure always results in loss of BTS
Slide 10
The Mobile Station
The mobile station consists of:
- mobile equipment (ME)
- subscriber identity module (SIM)
The SIM stores permanent and temporary data about the mobile, the subscriber and the network, including:
- The International Mobile Subscriber Identity (IMSI)
- MS ISDN number of subscriber
- Authentication key (Ki) and algorithms for authentication check
The mobile equipment has a unique International Mobile Equipment Identity (IMEI), which is used by the EIR. The IMEI may be used to block certain types of equipment from accessing the network if they are unsuitable and also to check for stolen equipment.
The two parts of the mobile station allow a distinction between the actual equipment and the subscriber who is using it.
Slide 11
System architecture: Network and Switching Subsystem
- Components
  - MSC (Mobile Switching Center)
  - IWF (Interworking Functions)
  - ISDN (Integrated Services Digital Network)
  - PSTN (Public Switched Telephone Network)
  - PSPDN (Packet Switched Public Data Net.)
  - CSPDN (Circuit Switched Public Data Net.)
- Databases
  - HLR (Home Location Register)
  - VLR (Visitor Location Register)
  - EIR (Equipment Identity Register)
[Figure: network subsystem (MSC, IWF, EIR, HLR, VLR, SS7) and fixed partner networks (ISDN, PSTN, PSPDN, CSPDN)]
Slide 12
Network and switching subsystem
NSS is the main component of the public mobile network GSM
- switching, mobility management, interconnection to other networks, system control
Components
- Mobile Services Switching Center (MSC) and GMSC: controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to one MSC
- Databases (important: scalability, high capacity, low delay)
  - Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
  - Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR
Slide 13
Mobile Switching Center
The MSC (mobile switching center) plays a central role in GSM
- switching functions
- additional functions for mobility support
- management of network resources
- interworking functions via Gateway MSC (GMSC)
- integration of several databases
Functions of an MSC
- specific functions for paging and call forwarding
- termination of SS7 (signaling system no. 7)
- mobility specific signaling
- location registration and forwarding of location information
- provision of new services (fax, data calls)
- support of short message service (SMS)
- generation and forwarding of accounting and billing information
Slide 14
Gateway MSC
- A Gateway Mobile Switching Centre (GMSC) is a device which routes traffic entering or exiting a mobile network to the correct destination
- The GMSC accesses the network's HLR to find the location of the required mobile subscriber
- A particular MSC can be assigned to act as a GMSC
- The operator may decide to assign more than one GMSC
[Figure: fixed network, GMSC, MSC, HLR, VLR]
Slide 15
Visitor Location Register
- Each MSC has a VLR
- VLR stores data temporarily for mobiles served by the MSC
- Information stored includes:
  - IMSI
  - Mobile Station ISDN Number
  - Mobile Station Roaming Number
  - Temporary Mobile Station Identity
  - Local Mobile Station Identity
  - The location area where the mobile station has been registered
  - Supplementary service parameters
Slide 16
Home Location Register
- Stores details of all subscribers in the network, such as:
  - Subscription information
  - Location information: mobile station roaming number, VLR, MSC
  - International Mobile Subscriber Identity (IMSI)
  - MS ISDN number
  - Tele-service and bearer service subscription information
  - Service restrictions
  - Supplementary services
- Together with the AuC, the HLR checks the validity and service profile of subscribers
- Notice that the VLR stores the current Location Area of the subscriber, while the HLR stores the MSC/VLR they are currently under. This information is used to page the subscriber when they have an incoming call.
Slide 17
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
Components
- Authentication Center (AUC)
  - generates user specific authentication parameters on request of a VLR
  - authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
- Equipment Identity Register (EIR)
  - registers GSM mobile stations and user rights
  - stolen or malfunctioning mobile stations can be locked and sometimes even localized
  - the EIR controls access to the network by returning the status of a mobile in response to an IMEI query
- Operation and Maintenance Center (OMC)
  - different control capabilities for the radio subsystem and the network subsystem
Slide 18
Activities and Operations
Main activities which the network must carry out are:
- Switching mobile on (IMSI attach)
- Switching mobile off (IMSI detach)
- Location updating
- Making a call (mobile originated)
- Receiving a call (mobile terminated)
- Cell measurements and handover
[Figure: Base Station (BS), Mobile Station (MS), mobility management]
Slide 19
IMSI Attach (Switch on)
- Mobile camps on to best serving BTS
- Mobile sends IMSI to MSC
- MSC/VLR is updated in HLR
- Subscriber data including current location area is added to local VLR
- MSC and HLR carry out authentication check: challenge and response using Ki
- Optionally EIR checks for status of mobile (white/grey/black)
[Figure: BSC, MSC, VLR, HLR, AuC, EIR]
Slide 20
IMSI Detach (Switch off)
- Mobile informs MSC it is switching off
- HLR stores last location area for mobile
- VLR records that mobile is no longer available on network
- Mobile powers down
[Figure: BSC, MSC, VLR, HLR, AuC]
Slide 21
Location Updates
- Automatic Location Update when mobile moves to new location area
- Periodic Location Update checks that mobile is still attached to network
- Updates location area in VLR
- If move is to a new MSC/VLR then HLR is informed
[Figure: BSCs, MSCs with their VLRs, HLR, AuC]
Slide 22
Mobile Terminated Call
[Figure: message sequence, steps 1-17, between calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]
- 1: calling a GSM subscriber
- 2: forwarding call to GMSC
- 3: signal call setup to HLR
- 4, 5: request MSRN (mobile station roaming number) from VLR
- 6: forward responsible MSC to GMSC
- 7: forward call to current MSC
- 8, 9: get current status of MS
- 10, 11: paging of MS
- 12, 13: MS answers
- 14, 15: security checks
- 16, 17: set up connection
Slide 23
Mobile Originated Call
[Figure: message sequence, steps 1-10, between MS, BSS, MSC, VLR, GMSC and PSTN]
- 1, 2: connection request
- 3, 4: security check
- 5-8: check resources (free circuit)
- 9-10: set up call
Network Area
- With the mobility of a subscriber, handover occurs.
- As the mobile moves around, it monitors signal strength and quality from neighbor cells.
- The BSS determines when handover should occur, based on cell measurements and traffic loading on neighbor cells.
- A subscriber outside of their PLMN service area may access their normal service with a roaming agreement.
Slide 26
4 types of handover
- 1: within a cell (from one channel to another)
- 2: within the same location area (from one cell to another under the control of the same BSC)
- 3: within the same MSC/VLR service area (under the same MSC control)
- 4: within the PLMN service area (from one MSC to another)
From one PLMN service area to another PLMN (operator): Roaming
[Figure: handover types 1-4 across MS, BTS, BSC and MSC]
Slide 27
Handover decision I
- Many handover strategies prioritize handover requests over call initiation requests when allocating an unused channel in a cell site, since having a call abruptly terminated in the middle of a conversation is more annoying than being blocked occasionally on a new call attempt.
- Guard channel concept: a fraction of the total available channels is reserved exclusively for handover requests from ongoing calls which may be handed off onto the cell.
- Handover must be performed successfully and as infrequently as possible, and be imperceptible to the users.
- Def: Dwell time is the time over which a call may be maintained within a cell, without handover. It depends on signal propagation, interference, distance between MS and BS, speed, etc.
[Figure: receive level of BTS old and BTS new as the MS moves between them, showing actual measured power, average of measured power and HO_MARGIN]
Slide 28
Handover decision II
Slide 29
Umbrella Cell
- High speed MS pass through the coverage area of a cell within a matter of seconds, whereas pedestrian MS may never need a handoff during a call.
- Umbrella cell: provide large coverage area to high speed MS while providing small coverage area to MS travelling at low speed.
[Figure: large umbrella cell (macrocell) for high speed traffic, small microcells for slow speed traffic]
Slide 30
Handover procedure in GSM
[Figure: message sequence between MS, BTS old, BSC old, MSC, BSC new and BTS new. Message labels: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete]
Slide 31
Roaming
- Allows subscriber to travel to different network areas, different operators' networks, different countries, keeping the services and features they use at home.
- Billing is done through home network operator, who pays any other serving operator involved.
- Requires agreements between operators on charge rates, methods of payments etc.
- Clearing house companies carry out data validation on roamer data records, billing of home network operators and allocation of payments.
Slide 32
Security issues
- Authentication: Procedure of verifying the authenticity of an entity (user, terminal, network, network element). In other words, is the entity the one it claims to be?
- Data integrity: The property that data has not been altered in an unauthorised manner.
- Confidentiality: The property that information is not made available to unauthorised individuals, entities or processes.
- Anonymity: Preventing unencrypted transmission of user ID information such as IMSI number over the air interface.
Slide 33
Security in GSM
- Security services
  - access control/authentication
    - user to SIM (Subscriber Identity Module): secret PIN (personal identification number)
    - SIM to network: challenge response method
  - confidentiality
    - voice and signaling encrypted on the wireless link (after successful authentication)
  - anonymity
    - temporary identity TMSI (Temporary Mobile Subscriber Identity) is given to the user after switching on, which uses the IMSI
    - newly assigned at each new location update (LUP)
    - encrypted transmission
- 3 algorithms specified in GSM
  - A3 for authentication (secret, open interface)
  - A5 for encryption (standardized)
  - A8 for key generation (secret, open interface)
- secret: A3 and A8 available via the Internet
- network providers can use stronger mechanisms
Slide 34
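GSM - authentication
[Figure: in the mobile network, the AuC computes SRES* (32 bit) with A3 from RAND and Ki (128 bit); RAND is sent to the SIM, which computes SRES (32 bit) with A3 from the same RAND and its own Ki; SRES is returned and the MSC checks SRES* =? SRES]
- Ki: individual subscriber authentication key
- SRES: signed response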
Slide 35
GSM - key generation and encryption
[Figure: on the mobile network side (AC, BTS) and in the MS with SIM, A8 derives the cipher key Kc (64 bit) from RAND and Ki (128 bit); RAND is sent from the network to the MS; A5 keyed with Kc encrypts the data exchanged between MS and BTS]
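The challenge-response and key-generation flow of slides 33-35, as an added example that is not part of the original slides. HMAC-SHA256 and SHAKE-256 stand in for the operator-specific A3/A8 and for A5; the class and function names, the per-frame counter and the sample IMSI are assumptions.

```python
import hashlib
import hmac
import secrets

def _prf(ki: bytes, rand: bytes, label: bytes, out_len: int) -> bytes:
    """Stand-in for the operator-chosen A3/A8 (NOT a GSM algorithm):
    HMAC-SHA256 keyed with Ki over label||RAND, truncated to out_len."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:out_len]

def a3(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A3", 4)           # SRES, 32 bit

def a8(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A8", 8)           # Kc, 64 bit

def a5(kc: bytes, frame: int, data: bytes) -> bytes:
    """Stand-in stream cipher for A5: XOR with a keystream derived from Kc
    and a per-frame counter (the counter is an assumption, not on the slides)."""
    stream = hashlib.shake_256(kc + frame.to_bytes(4, "big")).digest(len(data))
    return bytes(d ^ s for d, s in zip(data, stream))

class AuC:
    """Network side: holds Ki per IMSI and hands out (RAND, SRES*, Kc)."""
    def __init__(self):
        self.ki_by_imsi = {}

    def triplet(self, imsi: str):
        ki = self.ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)        # fresh 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)

class SIM:
    """Mobile side: Ki never leaves the card; only SRES is sent back."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)

def attach(auc: AuC, sim: SIM):
    """Run the challenge-response; return (Kc network, Kc mobile) or None."""
    rand, sres_expected, kc_net = auc.triplet(sim.imsi)   # AuC -> MSC/VLR
    sres, kc_ms = sim.respond(rand)                       # RAND out, SRES back
    if not hmac.compare_digest(sres, sres_expected):      # SRES* =? SRES
        return None
    return kc_net, kc_ms

if __name__ == "__main__":
    auc = AuC()
    ki = secrets.token_bytes(16)                          # constructed 128-bit Ki
    auc.ki_by_imsi["001010123456789"] = ki                # constructed test IMSI
    kc_net, kc_ms = attach(auc, SIM("001010123456789", ki))
    ct = a5(kc_ms, 42, b"hello")                          # MS encrypts with Kc
    print(a5(kc_net, 42, ct))                             # BTS decrypts with Kc
```

Only RAND and SRES cross the air interface; Ki and Kc are computed independently on each side, which is why a SIM holding a different Ki fails the SRES comparison.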
Slide 36
GSM: Mobile Services
- GSM offers
  - several types of connections: voice connections, data connections, short message service
  - multi-service options (combination of basic services)
- Three service domains offered to the end user:
  - Telematic Services: service completely defined including terminal equipment functions; telephony and various data services
  - Bearer Services: basic data transmission capabilities; protocols and functions not defined
  - Supplementary Services
Slide 37
Tele Services I
- Telecommunication services that enable voice communication via mobile phones
- All these basic services have to obey cellular functions, security measures etc.
- Offered services
  - mobile telephony: primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 kHz
  - Emergency number
    - mandatory for all service providers
    - free of charge
    - connection with the highest priority (preemption of other connections possible)
    - Emergency calls can override any locked state the phone may be in
    - May be initiated from a mobile without a SIM
    - common number throughout Europe (112)
    - If the national emergency code is used the SIM must be present
  - Multinumbering: several ISDN phone numbers per user possible
Slide 38
Tele Services II
Additional services
- Non-Voice-Teleservices
  - group 3 fax
  - voice mailbox (implemented in the fixed network supporting the mobile terminals)
  - electronic mail (MHS, Message Handling System, implemented in the fixed network)
- Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS
- DTMF (Dual Tone Multi-Frequency): used for control purposes, e.g. remote control of answering machine, selection of options
- Cell Broadcast: short text messages sent by the operator to all users in an area, e.g. to warn of road traffic problems, accidents
Slide 39
Bearer Services
- Telecommunication services to transfer data between access points
- Specification of services up to the terminal interface (OSI layers 1-3)
- Different data rates for voice and data (original standard)
  - data service (circuit switched)
    - synchronous: 2.4, 4.8 or 9.6 kbit/s
    - asynchronous: 300 - 1200 bit/s
  - data service (packet switched)
    - synchronous: 2.4, 4.8 or 9.6 kbit/s
    - asynchronous: 300 - 9600 bit/s
Slide 40
Supplementary services
- Services in addition to the basic services, cannot be offered stand-alone
- Similar to ISDN services besides lower bandwidth due to the radio link
- May differ between different service providers, countries and protocol versions
- Important services
  - identification: forwarding of caller number
  - suppression of number forwarding
  - automatic call-back
  - conferencing with up to 7 participants
  - locking of the mobile terminal (incoming or outgoing calls)
  - ...