Mobile Computing
GSM
GSM: System Architecture
Overview of GSM Network Infrastructure
[Figure: GSM network infrastructure. Components shown: Mobile Stations (MS), BTS, BSC, MSC/VLR, HLR/AUC, OMC, Operations Terminal, Data Terminal, PSTN/ISDN. Groupings: Radio sub-system, Network sub-system. Interfaces: Um, A-bis, A, SS7, X.25.]
Network Interfaces
• “Um” radio interface (MS ↔ BTS)
  – Mechanism for radio transmission (FDMA, TDMA)
• A-bis interface (BTS ↔ BSC)
  – Wired PCM
  – Contains 16 to 64 connections
• A interface (BSC ↔ MSC)
  – Wired PCM
  – Circuit-switched PCM carrying 30 × 64 kbps connections
• O interface (BSC ↔ OMC)
  – X.25 link
• MSC ↔ PSTN/ISDN
  – Uses SS7
GSM Sub-Systems
• Radio Sub System (RSS)
• RSS = MS + BSS
• BSS = BTS+ BSC
• Network Sub System (NSS)
• NSS = MSC+ HLR + VLR + GMSC
• Operation Sub System
• OSS = EIR + AuC
GSM System Hierarchy
[Figure: GSM system hierarchy. Levels shown: GSM Network, MSC Region (PLMN), Location Area, BSC.]
Mobile Station (MS)
• MS consists of the following two components
• Mobile Equipment (ME)
• Mobile Subscriber Identity Module (SIM)
  – Removable plastic card
  – Stores network-specific data such as list of carrier frequencies and current LAI.
  – Stores International Mobile Subscriber Identity (IMSI) + ISDN
  – Stores Personal Identification Number (PIN) & Authentication Keys.
  – Also stores short messages, charging information, telephone book etc.
• Allows separation of user mobility from equipment mobility
Base Transceiver Station (BTS)
• One per cell
• Consists of high speed transmitter and receiver
• Its transmit power decides size of cell
• Function of BTS
  – Provides two channels: Signalling and Data Channel
  – Performs error protection coding for the radio channel
Base Station Controller (BSC)
• Controls multiple BTS
• Functions of BSC
  – Performs radio resource management
  – Assigns and releases frequencies and time slots for all the MSs in its area
  – Reallocation of frequencies among cells
  – Hand over protocol is executed here
  – Time and frequency synchronization signals to BTSs
  – Time Delay Measurement and notification of an MS to BTS
  – Power Management of BTS and MS
Mobile Switching Center (MSC)
• Switching node of a PLMN
• Registration, authentication, location updating, handovers and call routing
• Mobility of subscribers
  – Location registration of subscriber
• There can be several MSCs in a PLMN
Gateway MSC (GMSC)
• Connects mobile network to a fixed network
  – Entry point to a PLMN
• Usually one per PLMN
• Requests routing information from the HLR and routes the connection to the local MSC
HLR/VLR
• HLR - Home Location Register
  – For all users registered with the network, HLR keeps user profile. Logically only one HLR per PLMN
  – Persistent storage of user data
  – MSCs exchange information with HLR
  – When MS registers with a new GMSC, the HLR sends the user profile to the new MSC
  – Includes information like
    • Current location of user
    • Authentication data
    • Service provisioning information
    • Power on status
• VLR - Visitor Location Register
  – VLR is responsible for a group of location areas, typically associated with an MSC
  – Contains temporary information needed for call control, typically copied from HLR.
  – When subscriber enters a new MSC, VLR associated with that MSC requests user info from corresponding HLR
AuC/EIR/OSS
• AuC: Authentication Center
  – is accessed by HLR to authenticate a user for service
  – Contains authentication and encryption keys for subscribers
• EIR: Equipment Identity Register
  – allows stolen or fraudulent mobile stations to be identified
• Operation subsystem (OSS):
  – Operations and maintenance center (OMC), network management center (NMC), and administration center (ADC) work together to monitor, control, maintain, and manage the network
GSM Protocol Stack
[Figure: GSM protocol stack across MS, BTS, BSC and MSC. Layers shown: CC/SMS/SS, MM, RR, LAPDm and LAPD, radio, A-law PCM.]
• Radio sublayer
  – Multiplexing of bursts into TDMA frames
  – Synchronization with BTS
  – Modulation and encryption/decryption of data
  – Error detection/correction
  – Special functions: VAD and CNG
• LAPDm
  – Signaling between GSM entities needs upper layer
  – Lightweight Link Access Procedure for D channel
  – Offers reliable data transfer over connections, re-sequencing of frames, flow control
• Radio resource management (RR) sublayer
  – Establishment, maintenance, and termination of radio channel connections
• Mobility management (MM) sublayer
  – Registration, authentication, and location tracking, assignment of TMSI
• Call control (CC) sublayer
  – Establishment, maintenance, and termination of circuit-switched calls
• SMS
  – Allows message transfer
• SS
  – Supplementary Services like call forwarding, call redirection, multi-party communication etc.
Discontinuous Transmission
• On average, speech actually lasts only 50% of the time.
• So the transmitter is kept off whenever there is no speech.
• This reduces co-channel interference and saves battery power.
• Voice Activity Detector (VAD) is used at the transmitter, and Comfort Noise Generation (CNG) is used at the receiver.
VAD
• Background noise is stationary over relatively long periods.
• Measure the deviations from the spectral characteristics of the background noise.
CNG
• Comfort noise characteristics are matched to the transmitted noise.
Air Interface: MS to BTS
• Uplink/Downlink of 25 MHz
  – 890-915 MHz for uplink
  – 935-960 MHz for downlink
• Combination of frequency division and time division multiplexing
  – FDMA
    – 124 channels of 200 kHz
  – TDMA
    – Burst
• Modulation used: Gaussian Minimum Shift Keying (GMSK)
Number of channels in GSM
• Freq. carrier: 200 kHz
• TDMA: 8 time slots per freq. carrier
• No. of carriers = 25 MHz / 200 kHz = 125
• Max no. of user channels = 125 * 8 = 1000
• Considering guard bands = 124 * 8 = 992 channels
TDMA Bursts in GSM
• The normal burst (NB): Used to carry information on traffic and control channels, except for RACH. It contains 116 encrypted bits.
• The frequency correction burst (FB): Used for frequency synchronization of the mobile. The contents of this burst are used to calculate an unmodulated, sinusoidal oscillation, onto which the synthesizer of the mobiles is clocked.
• The synchronization burst (SB): Used for time synchronization of the mobile. It contains a long training sequence and carries the information of a TDMA frame number.
• The access burst (AB): Used for random access and characterized by a longer guard period (256 µs) to allow for burst transmission from a mobile that does not know the correct timing advance at the first access to a network (or after handover).
• The dummy burst (DB): Transmitted as a filler in unused timeslots of the carrier; does not carry any information but has the same format as a normal burst (NB).
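[Figure: bit layout of the TDMA bursts. FB: 142 fixed bits between tail bits, 8.25-bit guard period. SB: 39 data bits, 64-bit training sequence, 39 data bits, 8.25-bit guard period. Dummy burst: 26-bit training sequence, 8.25-bit guard period. Access burst: 41-bit training sequence, 36 data bits, 68.25-bit guard period. Normal burst: tail bits, 57 data bits, stealing flags, 26-bit training sequence, 57 data bits, tail bits, 8.25-bit guard period (GP).]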
Logical Channels
Note: These logical channels are then mapped onto Physical channels.
A GSM Physical channel comprises a particular timeslot on a given freq. Channel.
BCH:
• Broadcast Control Channel (BCCH)
• Frequency Correction Channel (FCCH)
• Synchronization Channel (SCH)
CCH:
• Random Access Channel (RACH)
• Paging Channel (PCH)
D/ACCH:
• Stand-alone Dedicated Control Channel (SDCCH)
• Slow Associated Control Channel (SACCH)
Signalling channel contd. ....
[Figure: downlink and uplink frames with timeslots 1 to 8; the uplink frame is shifted by a delay relative to the downlink frame.]
So the MS does not have to Transmit and Receive at the same time instance!
Reasons for Simple Transceiver Hardware
1) Uplink and downlink are separated in frequency
2) Gap of 3 slots in uplink and downlink slots
Adaptive Frame Synchronization
Timing Advance:
• MS advances its burst transmission by a time corresponding to round trip time.
• The delay is quantized as a 6-bit number => 64 steps (0-63); each step advances the timing by one bit duration, i.e. 3.7 µs.
• 64 steps allow compensation over a maximum propagation time of 31.5 bit periods, i.e. 113.3 µs (=> a maximum distance of ~35 km)
Timing Advance : How it works.
[Figure: timeslots 1 to 8 as sent by the BS on the downlink, received by the MS on the downlink, sent by the MS on the uplink and received by the BS on the uplink, showing the one-way and two-way propagation delay.]
In the GSM cellular mobile phone standard, timing advance value corresponds to the length of time a signal from the mobile phone takes to reach the base station. GSM uses TDMA technology in the radio interface to share a single frequency between several users, assigning sequential timeslots to the individual users sharing a frequency. Each user transmits periodically for less than one-eighth of the time within one of the eight timeslots. Since the users are various distances from the base station and radio waves travel at the finite speed of light, the precise time at which the phone is allowed to transmit a burst of traffic within a timeslot must be adjusted accordingly. Timing Advance (TA) is the variable controlling this adjustment.
Technical Specifications 3GPP TS 05.10 and TS 45.010 describe the TA value adjustment procedures. The TA value is normally between 0 and 63, with each step representing an advance of one bit period (approximately 3.69 microseconds). With radio waves traveling at about 300,000,000 meters per second (that is 300 meters per microsecond), one TA step then represents a change in round-trip distance (twice the propagation range) of about 1,100 meters. This means that the TA value changes for each 550-meter change in the range between a mobile and the base station. This limit of 63 × 550 meters is the maximum 35 kilometers that a device can be from a base station and is the upper bound on cell placement distance.
GSM: Identification
• Identification of Mobile Subscriber
  • International Mobile Subscriber Identity (IMSI)
  • Temporary MSI (TMSI)
  • Mobile Subscriber ISDN number (MSISDN)
  • Mobile Station Roaming Number (MSRN)
• Identification of Mobile Equipment
  • International Mobile Station Equipment Identification (IMEI)
• Identification of Location
  • Location Area Identifier (LAI)
  • Cell Identifier (CI)
IMSI
• International Mobile Subscriber Identity
• Stored in SIM, not more than 15 digits
  – 3 digits for Mobile Country Code (MCC)
  – 2 digits for Mobile Network Code (MNC)
    » It uniquely identifies the home GSM PLMN of the mobile subscriber.
  – Not more than 10 digits for National Mobile Subscriber Identity Number (MSIN)
    » The first 3 digits identify the logical HLR-ID of the mobile subscriber
• MNC+MSIN makes National Mobile Station Identity (NMSI)
TMSI and LMSI
• Temporary Mobile Subscriber Identity
  • Has only local and temporal significance
  • Is assigned by VLR and stored there only
  • Is used in place of IMSI for security reasons
  • Together with LAI, TMSI uniquely identifies a subscriber
• Local Mobile Subscriber Identity
  • Is an additional searching key given by VLR
  • It is also sent to HLR
• Both are assigned in an operator-specific way
MSISDN
• “real telephone number” of a MS
• It is stored centrally in the HLR
• MS can have several MSISDNs depending on SIM
• It follows international ISDN numbering plan
  • Country Code (CC): up to 3 decimal places
  • National Destination Code (NDC): 2-3 decimal places
  • Subscriber Number (SN): maximal 10 decimal places
  – MSISDN = CC + NDC + SN
  – Example: +91 98 25 6 68888 (CC NDC OPCode Level Code SubId)
IMEI & EIR
• International Mobile Station Equipment Identity
  • Uniquely identifies mobile equipment internationally
  • IMEI = TAC + FAC + SNR + SP
    • Type Approval Code: 6 decimal places centrally assigned
    • Final Assembly Code: 6 decimal places assigned by manufacturer
    • Serial Number: 6 decimal places assigned by manufacturer
    • Spare: 1 decimal place
  • Is registered by the Network operator and stored in Equipment Identity Register (EIR)
MSRN
• Mobile Station Roaming Number
• Temporary location-dependent ISDN number
• Calls are routed to MS by using MSRN
• Is assigned by locally responsible VLR to each MS in its area
• Is done either at each registration or when HLR requests it for setting up a connection for incoming call
• Is done in such a way that current MSC can be determined from it
• Structure same as that of MSISDN
LAI
• Location Area Identifier of an LA of a PLMN
• Based on international ISDN numbering plan
  • Country Code (CC): 3 decimal digits
  • Mobile Network Code (MNC): 2 decimal digits
  • Location Area Code (LAC): maximum 5 decimal digits
• Is broadcast regularly by the BTS on broadcast channel
Cell Identifier (CI)
• Within LA, individual cells are uniquely identified with Cell Identifier (CI).
• It is maximum 2*8 bits
• LAI + CI = Global Cell Identity
Outgoing call setup
– User keys in the number and presses send
– Mobile transmits request on uplink signaling channel
– If network can process the call, BS sends a channel allocation message
– Network proceeds to set up the connection
• Network activity:
  – MSC determines current location of target mobile using HLR, VLR and by communicating with other MSCs
  – Source MSC initiates a call setup message to MSC covering target area
Incoming call setup
– Target MSC initiates a paging message
– BSs forward the paging message on downlink channel in coverage area
– If mobile is on (monitoring the signaling channel), it responds to BS
– BS sends a channel allocation message and informs MSC
• Network activity:
  – Network completes the two halves of the connection
GSM call routing
[Figure: GSM call routing from the ISDN through GMSC/IWF, HLR, VLR and MSC to the BSCs, BTSs and MSs in location areas LA1 and LA2 (AUC and EIR also shown). Identifier carried at each numbered step: 1-2 MSISDN, 3-5 MSRN, 6-8 TMSI.]
Handover and Roaming
[Figure: handover and roaming between two MSCs, each shown with its own HLR, VLR and AC.]
GSM roaming
• VLR registers users roaming in its area
  – Recognizes mobile station is from another PLMN (IMSI Attach)
  – If roaming is allowed, VLR finds the mobile’s HLR in its home PLMN
  – Sends location update to new MSC and then to parent HLR.
  – VLR generates a mobile subscriber roaming number (MSRN) used to route incoming calls to mobile station
  – MSRN is sent to mobile’s HLR
• VLR contains
  – MSRN
  – TMSI
  – Location area where mobile station has registered
  – Info for supplementary services (if any)
  – IMSI
  – HLR or global title
  – Local identity for mobile station (if any)
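The registration and incoming-call routing described above (MSISDN resolved at the HLR, MSRN issued by the serving VLR, paging by TMSI), as an added Python example that is not part of the original slides. Class and method names, the MSRN prefixes and all identifier values are constructed for illustration; allocating the MSRN on HLR request is one of the two options the slides mention, and removing the stale record from the previous VLR is an assumption the slides do not spell out.

```python
import itertools
import secrets

class HLR:
    """Home register: MSISDN -> IMSI and IMSI -> currently serving VLR."""
    def __init__(self):
        self.imsi_of = {}
        self.serving_vlr = {}

    def location_update(self, imsi, vlr):
        old = self.serving_vlr.get(imsi)
        if old is not None and old is not vlr:
            old.visitors.pop(imsi, None)     # stale record in the previous VLR
        self.serving_vlr[imsi] = vlr

    def routing_info(self, msisdn):
        """Answer a GMSC query with an MSRN, or None if no VLR is known."""
        imsi = self.imsi_of.get(msisdn)
        vlr = self.serving_vlr.get(imsi)
        return vlr.allocate_msrn(imsi) if vlr else None

class VLR:
    def __init__(self, msc, msrn_prefix, hlr):
        self.msc, self.msrn_prefix, self.hlr = msc, msrn_prefix, hlr
        self.visitors = {}                   # IMSI -> (TMSI, location area)
        self.pending = {}                    # MSRN -> IMSI for one call setup
        self._seq = itertools.count(1)

    def attach(self, imsi, lai):
        tmsi = secrets.token_hex(4)          # local, temporary identity
        self.visitors[imsi] = (tmsi, lai)
        self.hlr.location_update(imsi, self)
        return tmsi

    def allocate_msrn(self, imsi):
        msrn = f"{self.msrn_prefix}{next(self._seq):04d}"
        self.pending[msrn] = imsi
        return msrn

    def page(self, msrn):
        """Resolve the MSRN, then page by TMSI in the registered area."""
        tmsi, lai = self.visitors[self.pending.pop(msrn)]
        return {"msc": self.msc, "lai": lai, "paged_identity": tmsi}

def route_incoming_call(msisdn, hlr, vlrs):
    msrn = hlr.routing_info(msisdn)          # MSISDN in, MSRN back
    if msrn is None:
        return None
    # The MSRN is assigned so that the current MSC can be determined from it.
    vlr = next(v for v in vlrs if msrn.startswith(v.msrn_prefix))
    return vlr.page(msrn)                    # MSRN to MSC, TMSI used for paging

def demo():
    hlr = HLR()
    imsi, msisdn = "001010000000001", "+10000000001"   # constructed values
    hlr.imsi_of[msisdn] = imsi
    home = VLR("MSC-home", "+1999001", hlr)
    visited = VLR("MSC-visited", "+1999002", hlr)
    home.attach(imsi, "LA1")
    tmsi = visited.attach(imsi, "LA2")       # subscriber roams to another MSC
    return tmsi, route_incoming_call(msisdn, hlr, [home, visited]), home.visitors
```

The result of `route_incoming_call` carries only the TMSI and location area, so the IMSI never appears in what is paged over the radio interface.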
GSM roaming Example
• Assume user’s (A) Mobile No is +919825668990 (Hutch Gujarat)
• Case 1 (User roaming in Mumbai)
  – Somebody from fixed phone dials the above number.
  – The call will be switched at PSTN network and routed to Hutch network in GJ. The Hutch MSC looks at the HLR and knows that user is in a cellular network in Mumbai. So the call is forwarded to Mumbai. MSC in Mumbai will refer the VLR to locate that user. Also informs Hutch MSC/HLR about the MSRN. Charging info is also forwarded once the call is over. Caller pays for long distance call.
• Case 2 (User roaming in Mumbai)
  – User A wants to call someone in Mumbai
  – The call will be switched at MSC Mumbai network. MSC in Mumbai will refer the VLR to locate that user. Charging info is also forwarded once the call is over. But pays for local calling charge.
• Case 3 (2 Users (‘A’ and ‘B’) roaming in Mumbai)
  – User ‘A’ wants to call user ‘B’
  – The call will be routed to local Hutch MSC in GJ. The Hutch MSC looks at the HLR and knows that user ‘B’ is in a cellular network in Mumbai. So the call is routed back to Mumbai. MSC in Mumbai will refer the VLR to locate that user. Charging info for both users is also forwarded once the call is over. Caller and callee pay for long distance call.
  – Optimization is possible.
4 types of handover
[Figure: the four handover types, numbered 1 to 4, drawn across MSs, BTSs, BSCs and MSCs.]
Handover decision
[Figure: handover decision. Labels shown: receive level curves for the BTSs, HO_MARGIN, MS, BTSold, BTSnew.]
Handover procedure
[Figure: handover procedure between MS, BTSold, BSCold, MSC, BSCnew and BTSnew. Messages shown: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete.]
GSM handoffs
• Intra-BSS: if old and new BTSs are attached to same base station
  – MSC is not involved
• Intra-MSC: if old and new BTSs are attached to different base stations but within same MSC
• Inter-MSC: if MSCs are changed
GSM Intra-MSC handoff
1. Mobile station monitors signal quality and determines handoff is required, sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC with ranked list of qualified target BSSs
3. MSC determines that best candidate BSS is under its control
4. MSC reserves a trunk to target BSS
5. Target BSS selects and reserves radio channels for new connection, sends Ack to MSC
6. MSC notifies serving BSS to begin handoff, including new radio channel assignment
7. Serving BSS forwards new radio channel assignment to mobile station
8. Mobile station retunes to new radio channel, notifies target BSS on new channel
9. Target BSS notifies MSC that handoff is detected
10. Target BSS and mobile station exchange messages to synchronize transmission in proper timeslot
11. MSC switches voice connection to target BSS, which responds when handoff is complete
12. MSC notifies serving BSS to release old radio traffic channel
GSM Inter-MSC handoff
1. MS sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC
3. Serving MSC determines that best candidate BSS is under control of a target MSC and calls target MSC
4. Target MSC notifies its VLR to assign a TMSI
5. Target VLR returns TMSI
6. Target MSC reserves a trunk to target BSS
7. Target BSS selects and reserves radio channels for new connection, sends Ack to target MSC
8. Target MSC notifies serving MSC that it is ready for handoff
9. Serving MSC notifies serving BSS to begin handoff, including new radio channel assignment
10. Serving BSS forwards new radio channel assignment to mobile station
11. Mobile station retunes to new radio channel, notifies target BSS on new channel
12. Target BSS notifies target MSC that handoff is detected
13. Target BSS and mobile station synchronize timeslot
14. Voice connection is switched to target BSS, which responds when handoff is complete
15. Target MSC notifies serving MSC
16. Old network resources are released
Security in GSM
• Security services
  – access control/authentication
    • user ↔ SIM (Subscriber Identity Module): secret PIN (personal identification number)
    • SIM ↔ network: challenge response method
  – confidentiality
    • voice and signaling encrypted on the wireless link (after successful authentication)
  – anonymity
    • temporary identity TMSI (Temporary Mobile Subscriber Identity)
    • newly assigned at each new location update (LUP)
    • encrypted transmission
• 3 algorithms specified in GSM
  – A3 for authentication (“secret”, open interface)
  – A5 for encryption (standardized)
  – A8 for key generation (“secret”, open interface)
“secret”:
• A3 and A8 available via the Internet
• network providers can use stronger mechanisms
GSM - authentication
[Figure: GSM authentication. The AC in the mobile network and the SIM each compute A3 over the 128-bit RAND and the 128-bit Ki. The network sends RAND to the SIM, the SIM returns the 32-bit SRES, and the MSC checks SRES* =? SRES.]
Ki: individual subscriber authentication key; SRES: signed response
GSM - key generation and encryption
[Figure: GSM key generation and encryption. The AC in the mobile network and the SIM each compute the 64-bit cipher key Kc with A8 from the 128-bit RAND and the 128-bit Ki. The BSS and the MS use A5 with Kc to encrypt and decrypt the data sent between them.]
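The challenge-response and key-generation exchange from the two figures above, as an added Python example that is not part of the original slides. The real A3 and A8 are operator-specific, so `a3_a8` is a stand-in built on HMAC-SHA256 (an assumption); only the field sizes (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) follow the slides, and the IMSI and keys are constructed.

```python
import hashlib
import hmac
import secrets

def a3_a8(ki, rand):
    """Stand-in for A3 and A8 (assumption): returns (32-bit SRES, 64-bit Kc)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must both be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class Sim:
    """Subscriber side: Ki stays on the card, only SRES is returned."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

class AuthCenter:
    """Network side (AC): holds Ki per IMSI and issues fresh challenges."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi):
        rand = secrets.token_bytes(16)           # new RAND for every attempt
        sres_expected, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres_expected, kc

def authenticate(ac, sim):
    """MSC check "SRES* =? SRES"; returns the shared Kc, or None on failure."""
    rand, sres_expected, kc = ac.challenge(sim.imsi)
    sres = sim.respond(rand)                     # only RAND and SRES cross the air
    if not hmac.compare_digest(sres, sres_expected):
        return None
    return kc

def demo():
    imsi = "001010000000001"                     # constructed test identity
    ki = secrets.token_bytes(16)
    ac = AuthCenter()
    ac.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    wrong_key = Sim(imsi, secrets.token_bytes(16))   # same IMSI, different Ki
    kc = authenticate(ac, genuine)
    return kc, genuine.kc, authenticate(ac, wrong_key)
```

After a successful run both sides hold the same Kc without it ever being transmitted, which is the key A5 then uses on the radio link.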
GSM Summary
Uplink frequencies 890-915 MHz
Downlink frequencies 935-960 MHz
Total GSM bandwidth 25 MHz up + 25 MHz down
Channel bandwidth 200 kHz
Number of RF carriers 124
Multiple access TDMA
Users/carrier 8
Number of simul. users 992
Speech coding rate 13 kb/s
FEC coded speech rate 22.8 kb/s
GSM 900 and GSM 1800
Parameter               GSM 900                     GSM 1800
Frequency band          890-915 MHz, 935-960 MHz    1710-1785 MHz, 1805-1880 MHz
Border spacing          25 MHz                      75 MHz
Duplex spacing          45 MHz                      95 MHz
Carrier spacing         200 kHz                     200 kHz
Carriers                124                         374
Timeslots per carrier   8                           8
Multiple access         TDMA/FDMA                   TDMA/FDMA
Typical cell range      <300 m – 35 km              <100 m – 15 km
Handset power           0.8 & 8 W                   0.25 & 1 W