PERSONAL COMMUNICATION SYSTEMS: SECOND GENERATION (PART I: GSM)
Ian F. Akyildiz
Broadband & Wireless Networking Laboratory
School of Electrical and Computer Engineering
Georgia Institute of Technology
Tel: 404-894-5141; Fax: 404-894-7883
Email: [email protected]
Web: http://www.ece.gatech.edu/research/labs/bwn
IFA’2004

Introduction to GSM: Mobile Phone Subscribers Worldwide
[Figure: subscribers [million] (axis 0 to 1200) by year, 1996 to 2002. Series: GSM total, TDMA total, CDMA total, PDC total, Analogue total, Total wireless, Prediction (1998)]

Introduction to GSM: Development of Mobile Telecommunication Systems
[Figure: systems arranged by generation (1G, 2G, 2.5G, 3G) and access technology (FDMA, TDMA, CDMA). Labels: AMPS, NMT, CT0/1, CT2, IS-136 TDMA / D-AMPS, GSM, PDC, IS-95 cdmaOne, GPRS, EDGE, cdma2000 1X, 1X EV-DV (3X), IMT-DS (UTRA FDD / W-CDMA), IMT-TC (UTRA TDD / TD-CDMA), IMT-TC (TD-SCDMA), IMT-SC (IS-136HS, UWC-136), IMT-FT (DECT), IMT-MC (cdma2000 1X EV-DO)]

GSM Overview
Several first generation analog cellular systems in Europe but incompatible - limited roaming
1987-1989 ETSI standards for pan-European Global System for Mobile Communications (GSM, originally Groupe Spécial Mobile 1982) at 900 MHz
– 1992 GSM is launched
– 1990-1993 Standards for Digital Cellular System at 1800 MHz (DCS 1800, recently renamed GSM 1800; US version is PCS 1900)

GSM: Overview
Simultaneous introduction of essential services in three phases (1991, 1994, 1996) by the European telecommunication administrations; seamless roaming within Europe possible
Today many providers all over the world use GSM (more than 184 countries in Asia, Africa, Europe, Australia, America)
More than 747 million subscribers
More than 70% of all digital mobile phones use GSM

GSM, cont.
Objectives:
– Broad offering of speech and data services
– Compatible with wireline networks
– Automatic roaming and handoff
– Highly efficient use of frequency spectrum
– Support for different types of mobile terminal equipment (e.g., cars, portable handsets)
– Digital signaling and transmission
– Low cost infrastructure and terminal equipment

GSM, cont.
13 recommendations
– R.00: Preamble
– R.01: General structure of recommendations, GSM overview
– R.02: Service aspects: types of services
– R.03: Network aspects: architecture, call routing, performance objectives
– R.04: Mobile/base station interface and protocols

GSM, cont.
– R.05: Physical layer on radio path: multiple access, channel coding, modulation, transmission
– R.06: Speech coding aspects
– R.07: Terminal adaptors for mobile stations
– R.08: Base station and mobile switching center (MSC) interface
– R.09: Interworking with PSTN and packet data networks
– R.10: Service interworking, short message service
– R.11: Equipment specification
– R.12: Operation and maintenance, tariffs, traffic administration

GSM, cont.
Summary of features
Channel bandwidth: 200 kHz
Multiple access: TDMA
Users/carrier: 8
Speech coding rate: 13 kb/s
FEC coded speech rate: 22.8 kb/s

GSM, cont.
Summary of service quality requirements
Speech intelligibility: 90%
Max one-way delay: 90 ms
Max handoff gap: 150 ms if intercell
Time to alert mobile of inbound cell: 4 sec first attempt, 15 sec final attempt
Release time to called network: 2 sec
Connect time to called network: 4 sec

GSM: Performance Characteristics
Communication
– Mobile, wireless communication; support for voice and data services
Total mobility
– International access, chip-card enables use of access points for different providers
Worldwide connectivity
– One number, the network handles localization
High capacity
– Better frequency efficiency, smaller cells, more customers per cell
High transmission quality
– High audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
Security functions
– Access control, authentication via chip-card and PIN

GSM: Mobile Services
GSM offers
– Several types of connections
    Voice connections, data connections, short message service
– Multi-service options (combination of basic services)
Three service domains
– Bearer Services
– Telematic Services
– Supplementary Services

Bearer Services
Telecommunication services to transfer data between access points
Different data rates for voice and data (original standard)
– Data service (circuit switched)
    synchronous: 2.4, 4.8 or 9.6 kbit/s
    asynchronous: 300 - 1200 bit/s
– Data service (packet switched)
    synchronous: 2.4, 4.8 or 9.6 kbit/s
    asynchronous: 300 - 9600 bit/s
Today: data rates of approx. 50 kbit/s possible

Tele Services I
Offered Services
– Mobile Telephony
    primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 kHz
– Emergency Number
    common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible)

Tele Services II
Additional services
– Non-Voice-Teleservices
    Fax
    Voice mailbox (implemented in the fixed network supporting the mobile terminals)
    Electronic mail (MHS, Message Handling System, implemented in the fixed network)
    Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS

Supplementary Services
May differ between different service providers, countries and protocol versions
Important services
– Identification: forwarding of caller number
– Suppression of number forwarding
– Automatic call-back
– Conferencing with up to 7 participants
– Locking of the mobile terminal (incoming or outgoing calls)
– ...

Architecture of the GSM System
GSM is a PLMN (Public Land Mobile Network)
– Several providers set up mobile networks following the GSM standard within each country
– Components
    MS (Mobile Station)
    BS (Base Station)
    MSC (Mobile Switching Center)
    LR (Location Register)
– Subsystems
    RSS (Radio Subsystem): covers all radio aspects
    NSS (Network and Switching Subsystem): call forwarding, handover, switching
    OSS (Operation Subsystem): management of the network

GSM: Architecture Overview
[Figure: architecture overview. Labels: Fixed Network (PSTN), GMSC, MSC, BSC, VLR, HLR, OMC, EIR, AUC, NSS with OSS, RSS]

GSM: Reference Architecture
Radio Subsystem (RSS)

GSM General Architecture
[Figure: GSM Public Land Mobile Network (PLMN). Labels: MS (TE, MT), BSS (BTS, BSC), MSC, VLR, HLR, EIR, AUC, PSTN, OSS (OMC, NMC, ADC); interfaces Um, Abis, A]
OSS: Operation Subsystem
BSS: Base Station Subsystem
MS: Mobile Station (Mobile User)

System Architecture: Radio Subsystem
Components
– MS (Mobile Station)
– BSS (Base Station Subsystem): consisting of
    BTS (Base Transceiver Station): sender and receiver
    BSC (Base Station Controller): controlling several transceivers
Interfaces
– Um: radio interface
– Abis: standardized, open interface with 16 kbit/s user channels
– A: standardized, open interface with 64 kbit/s user channels
[Figure: Radio Subsystem and Network and Switching Subsystem. Labels: MS, BTS, BSC, BSS, MSC; interfaces Um, Abis, A]

GSM General Architecture, cont.
Mobile station (MS) communicates to base stations through radio interface Um
Mobile termination (MT) supports physical channel between MS and base station (radio transmission, channel coding, speech coding)

GSM General Architecture, cont.
Terminal equipment (TE), e.g., telephone set.
Contains terminal/user-specific data in the form of a smart card (subscriber identity module or SIM card), which plugs into any GSM terminal like a credit card and identifies the user to the network for personal mobility (in addition to terminal mobility) and security

GSM General Architecture, cont.
Base station subsystem (BSS) communicates with mobile switching center through network interface A
Base Transceiver Station (BTS) handles channel allocation, signaling, frequency hopping, handover initiation, etc.
BTS communicates with BSC using Abis interface

GSM General Architecture, cont.
Base station controller (BSC) manages radio channels, paging, handoff for several BTSs
BSC communicates with MSC using A interface
Mobile switching center (MSC) is gateway to PSTN and packet data networks
Performs switching, paging functions, MS location updating, handoff control, etc.

GSM General Architecture, cont.
Home location register (HLR) stores subscriber info and part of MS’s location info to route incoming calls to visitor location register (VLR) where mobile is roaming
VLR registers users roaming in its area and assigns roaming numbers

GSM General Architecture, cont.
Authentication center (AUC) is accessed by HLR to authenticate a user for service.
It contains authentication and encryption keys for subscribers
Equipment identity register (EIR) allows stolen or fraudulent mobile stations to be identified

GSM General Architecture, cont.
Operation subsystem (OSS) contains: Operations and Maintenance Center (OMC), Network Management Center (NMC), and Administration Center (ADC).
These network elements work together to monitor, control, maintain, and manage the network

System Architecture: Network and Switching Subsystem
Components
– MSC (Mobile Services Switching Center)
– ISDN (Integrated Services Digital Network)
– PSTN (Public Switched Telephone Network)
Databases
– HLR (Home Location Register)
– VLR (Visitor Location Register)
– EIR (Equipment Identity Register)
[Figure: network subsystem and fixed partner networks. Labels: MSC, EIR, HLR, VLR, SS7, ISDN, PSTN]

Radio Subsystem
The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers
Components
– Mobile Stations (MS)
– Base Station Subsystem (BSS):
    Base Transceiver Station (BTS): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells
    Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface)
    BSS = BSC + sum(BTS) + interconnection

Mobile Station
Terminal for the use of GSM services
A mobile station (MS) comprises two elements:
– ME (Mobile Equipment):
    Peripheral device of the MS, offers services to a user
    Speaker, microphone, keypad, and radio modem
    Usually subsidized by the service provider to encourage new subscribers
– SIM (Subscriber Identity Module):
    Smart card issued at subscription time
    Personalization of the mobile terminal, stores user parameters such as address and type of service
    Calls are directed to the SIM rather than the terminal
    Stores short messages
    Carries a PIN number that needs to be verified to make the information on the card available to the user.

Base Station Subsystem
Base Transceiver Station and Base Station Controller
– Tasks of a BSS are distributed over BSC and BTS
– BTS comprises radio specific functions
– BSC is the switching center for radio channels
Functions (columns: BTS, BSC)
Management of radio channels: X
Frequency hopping (FH): X X
Management of terrestrial channels: X
Mapping of terrestrial onto radio channels: X
Channel coding and decoding: X
Rate adaptation: X
Encryption and decryption: X X
Paging: X X
Uplink signal measurements: X
Traffic measurement: X
Authentication: X
Location registry, location update: X
Handover management: X

GSM: Cellular Network
[Figure: segmentation of the area into cells. Labels: cell, possible radio coverage of the cell, idealized shape of the cell]
– use of several carrier frequencies
– not the same frequency in adjoining cells
– cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
– hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
– if a mobile user changes cells: handover of the connection to the neighbor cell

Network and Switching Subsystem
NSS is the main component of the public mobile network GSM
– Switching, mobility management, interconnection to other networks, system control
Components
– Mobile Services Switching Center (MSC)
    Controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSCs can belong to an MSC

Network and Switching Subsystem
– Databases (important: scalability, high capacity, low delay)
    Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR
    Equipment Identity Register (EIR): registers GSM mobile stations and user rights. Stolen or malfunctioning mobile stations can be locked and sometimes even localized.

Network and Switching Subsystem
– Authentication Center (AUC)
    Generates user specific authentication parameters on request of a VLR
    Authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system

Mobile Service Switching Center
The MSC (mobile switching center) plays a central role in GSM
– switching functions
– additional functions for mobility support
– management of network resources
– interworking functions via Gateway MSC (GMSC)
– integration of several databases

Mobile Service Switching Center
Functions of a MSC
– specific functions for paging and call forwarding
– termination of SS7 (signaling system no. 7)
– mobility specific signaling
– location registration and forwarding of location information
– provision of new services (fax, data calls)
– support of short message service (SMS)
– generation and forwarding of accounting and billing information

Mechanisms to Support Mobility
Registration
– Performed as soon as the mobile unit is powered on
Call establishment
– Performed when the user initiates or receives a call
Handover
– Performed when the MS needs to change its connection point to the network
Security
– Protects from fraud and eavesdropping

Registration Procedure
As we turn on an MS, it passively synchronizes to the frequency and frame timings of the closest BS to get ready for information exchange.
The MS then listens to advertisements from the BS regarding system and cell identity to determine its location in the network.
If the current location is not the same, the MS initiates a registration procedure.

Registration Procedure: MS turned on in a New MSC Area
1-4: A radio channel is established between the MS and BSS to process the registration
5-8: The NSS authenticates the MS
9-11: A TMSI (Temporary Mobile Subscriber Identity) is assigned and updates are made in the VLR and HLR
12: The temporary radio channel is released.

Call Establishment: Mobile Originated Call
1-5: Similar to registration procedure
6-7: Ciphering to protect against eavesdropping
8-15: Similar procedure as in POTS (Plain Old Telephone Service), except for the additional traffic channel assignment procedure (10-11)

Mobile Originated Call
[Figure: mobile originated call. Labels: MS, BSS, MSC, VLR, GMSC, PSTN; message arrows 1 to 10]
1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call

Call Establishment: Mobile Terminated Call
After dialing, the PSTN directs the call to the MSC of the destination address
The MSC requests routing information from the HLR
Since the MS is in another area, the address of the new MSC is given to the original MSC. It contacts the new MSC.
The VLR of the new MSC initiates a paging procedure in all BSS under the control of the new MSC
After a reply from the MS, a link is established for communication.

Mobile Terminated Call
1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible MSC to GMSC
7: forward call to current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
[Figure: mobile terminated call. Labels: calling station, PSTN, GMSC, HLR, VLR, MSC, BSS, MS; message arrows 1 to 17]

Handoff (Handover in Europe)
Two types
– Internal: between BTSs that belong to the same BSS
– External: between two different BSSs controlled by the same MSC
    Sometimes there are handoffs between BSSs that are controlled by two different MSCs (the old MSC continues to handle call management)
Reasons to handoff:
– Signal strength deterioration at the edge of a cell
– Traffic balancing (to ease traffic congestion)

Handoff Decision
[Figure: handoff decision. Labels: receive level BTSold, MS, Hysteresis MARGIN, BTSold, BTSnew]

Handoff Procedure
Mobile-assisted Handoff

Handoff Procedure
[Figure: handoff message sequence. Entities: MS, BTSold, BSCold, MSC, BSCnew, BTSnew. Messages: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, Link establishment, HO complete, clear command, clear complete]

Security in GSM
Security Services (Features)
– Access Control/Authentication (Identity Authentication)
    User is assigned SIM (Subscriber Identity Module) at the subscription time which contains
    * IMSI: International Mobile Subscriber Identity
    * Individual Subscriber Authentication Key (Secret PIN) (Personal Identification Number)
    * and the Authentication Algorithm (Challenge response method)
– Identity Confidentiality
    voice and signaling encrypted on the wireless link (after successful authentication)
– User Data Confidentiality (Privacy/Anonymity)
    temporary identity TMSI (Temporary Mobile Subscriber Identity)
    newly assigned at each new location update (LUP)
    encrypted transmission

Security in GSM
3 algorithms specified in GSM
– A3 for authentication (“secret”)
– A5 for encryption (standardized)
– A8 for key generation (“secret”)
A5 uses a key of 128 bits, and the “response to the challenge” is 32 bits long – not very secure
Key information is not shared between systems:
– A triple consisting of the random number used in challenge, challenge response, and the data encryption key are exchanged between the VLR and the HLR.
– The VLR verifies if the response generated by the MS is the same.

Security in GSM
Service Request authentication procedure includes:
* Mobile transmitting its Temporary IMSI (TIMSI)
* Network replying with a randomly generated number (RAND)
* Mobile computes the Signed Response (SRES) using the authentication algorithm, the key (which is a function of the frame number) and RAND, and sends the SRES back to the network
* Network compares the SRES from the mobile with its computation of the SRES and authenticates a user or not.
Privacy is provided by a Temporary Mobile Subscriber Identity (TMSI) valid during its binding to a VLR and computed after the authentication procedure.
IMSI (on the SIM CARD): 15 digits
* MCC (Mobile Country Code) (3 digits)
* MNC (Mobile Network Code) (2 digits)
* MSIN (Mobile Subscriber Identifier) (2 digits)
* NMSI (Network Mobile Subscriber Identifier) (2 digits)
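
The triple exchange and the SRES comparison described on the two security slides above, as an added Python sketch that is not part of the original slides. A3 and A8 are operator-specific, so HMAC-SHA256 stands in for them here; the class and function names, the session-key length and the test IMSI are assumptions of this sketch.

```python
"""GSM-style challenge-response with authentication triples (added sketch)."""
import hashlib
import hmac
import secrets

RAND_LEN = 16  # 128-bit random challenge
SRES_LEN = 4   # 32-bit signed response, as stated on the slide
KC_LEN = 8     # session-key length chosen for this sketch (assumption)


def a3_a8_standin(ki, rand):
    """Stand-in for the operator's A3/A8, NOT the real algorithms.

    Derives (SRES, Kc) from the subscriber key Ki and the challenge RAND.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class AuthCenter:
    """AUC side: the only network element that stores Ki."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi):
        """Create a subscriber key; the return value goes into the SIM."""
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return ki

    def make_triple(self, imsi):
        """Return (RAND, SRES, Kc) for one authentication run."""
        rand = secrets.token_bytes(RAND_LEN)
        sres, kc = a3_a8_standin(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class Sim:
    """Subscriber side: Ki never leaves the card, only SRES is sent."""

    def __init__(self, ki):
        self._ki = ki

    def respond(self, rand):
        return a3_a8_standin(self._ki, rand)


class Vlr:
    """Visited network: works from triples and never learns Ki."""

    def __init__(self, auc):
        self._auc = auc      # reached through the HLR in a real network
        self._pending = {}   # imsi -> (expected SRES, Kc)

    def challenge(self, imsi):
        rand, sres, kc = self._auc.make_triple(imsi)
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres_from_ms):
        """Return Kc on success, None on failure. Each triple is single-use."""
        expected = self._pending.pop(imsi, None)
        if expected is None:
            return None
        sres, kc = expected
        # Constant-time comparison avoids leaking how many bytes matched.
        return kc if hmac.compare_digest(sres, sres_from_ms) else None


def run_demo():
    auc = AuthCenter()
    imsi = "001010000000001"  # constructed test IMSI
    sim = Sim(auc.provision(imsi))
    vlr = Vlr(auc)

    # 1. Genuine SIM answers the challenge; both ends now hold the same Kc.
    sres1, kc_ms = sim.respond(vlr.challenge(imsi))
    kc_net = vlr.verify(imsi, sres1)

    # 2. An SRES captured earlier is useless against a fresh RAND.
    vlr.challenge(imsi)
    replay = vlr.verify(imsi, sres1)

    # 3. A card that knows the IMSI but not Ki cannot produce the SRES.
    clone = Sim(secrets.token_bytes(16))
    clone_sres, _ = clone.respond(vlr.challenge(imsi))
    cloned = vlr.verify(imsi, clone_sres)

    return {
        "genuine_accepted": kc_net is not None,
        "kc_match": kc_net == kc_ms,
        "replay_accepted": replay is not None,
        "clone_accepted": cloned is not None,
    }


if __name__ == "__main__":
    print(run_demo())
```

Only RAND and SRES cross the air interface in this flow; the session key is derived independently on both sides and is never transmitted.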
53IFA’2004
The GSM Protocol Architecture
GSM Protocol Stack
Layer 1: Physical layer
– A and A-bis interfaces follow the ISDN standard with 64 kbps digital data per voice user
– The new physical layer in GSM is for the Um air interface
– Specifies how the voice and data are formatted into packets and sent through the radio channel
– Specifies radio modem details, structure of traffic and control packets in the air
– Modulation and coding techniques, power control methodology, and time synchronization approaches which enable establishment and maintenance of channels
Physical Packets Bursts
Normal Burst (NB)
– 3 tail bits (TBs) at the beginning and end (gap time)
– 8.25 bits of gap period
– Two sets of 58 bits (116) encrypted bits: 114 bits of data and two flags to indicate user traffic or signaling and control
– 26-bit training sequence for the equalizers
Frequency-correction burst (FB)
– Broadcast by the BSs. The MS uses it to synchronize with the master clock in the system
Synchronization burst (SB)
– Forwarded by the BTS. The MS uses it for training of the equalizer, learning of network identity and to synchronize the time slots
Random access burst (RAB)
– Used by the MS to access the BS as it registers to the network
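The normal-burst layout above, as a small builder and parser (an added example, not part of the original slides). Bits are modelled as "0"/"1" strings; the field names, the all-zero tail default and the sample training and payload patterns are assumptions constructed for the demonstration, not real GSM training codes or traffic.

```python
# Field layout of a normal burst in transmission order (bit counts from the slide).
LAYOUT = [("tail_head", 3), ("data_1", 57), ("flag_1", 1), ("training", 26),
          ("flag_2", 1), ("data_2", 57), ("tail_end", 3)]
BURST_BITS = sum(width for _, width in LAYOUT)   # 148 transmitted bits
SLOT_BIT_PERIODS = BURST_BITS + 8.25             # plus the gap: 156.25 per time slot

def build_burst(payload, flags, training, tail="000"):
    """Assemble a burst from 114 payload bits, 2 flag bits and 26 training bits."""
    if (len(payload), len(flags), len(training), len(tail)) != (114, 2, 26, 3):
        raise ValueError("wrong field length")
    return tail + payload[:57] + flags[0] + training + flags[1] + payload[57:] + tail

def parse_burst(bits, expected_training):
    """Split a received burst into fields and count training-sequence bit errors."""
    if len(bits) != BURST_BITS or set(bits) - {"0", "1"}:
        raise ValueError("a normal burst is exactly 148 bits of 0/1")
    fields, pos = {}, 0
    for name, width in LAYOUT:
        fields[name] = bits[pos:pos + width]
        pos += width
    mismatches = sum(a != b for a, b in zip(fields["training"], expected_training))
    return {
        "payload": fields["data_1"] + fields["data_2"],
        "flags": fields["flag_1"] + fields["flag_2"],
        "training_errors": mismatches,
    }

# Constructed sample values for the demonstration.
TRAINING = "01" * 13
PAYLOAD = "1100" * 28 + "10"

def demo():
    burst = build_burst(PAYLOAD, "10", TRAINING)
    # Flip one bit inside the training field (it starts at offset 3 + 57 + 1 = 61)
    # to mimic a channel error that the receiver can measure.
    pos = 61 + 5
    damaged = burst[:pos] + ("1" if burst[pos] == "0" else "0") + burst[pos + 1:]
    return parse_burst(burst, TRAINING), parse_burst(damaged, TRAINING)

if __name__ == "__main__":
    for result in demo():
        print(result["flags"], result["training_errors"], len(result["payload"]))
```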
GSM – TDMA/FDMA (124 Frequencies; in each Freq there are 8 channels (time slots))
[Figure: frequency versus time. Downlink 935-960 MHz, 124 channels (200 kHz); uplink 890-915 MHz, 124 channels (200 kHz). A GSM TDMA frame of 4.615 ms holds time slots 1 to 8. A GSM time slot (normal burst) of 577 µs consists of guard space, tail (3 bits), user data (57 bits), S (1 bit), training (26 bits), S (1 bit), user data (57 bits), tail (3 bits), guard space.]
Each TDM channel occupies the 200 kHz carrier for 577 µs every 4.615 ms
Each channel is separated in time via a frame
Each frame is subdivided into 8 GSM time-slots
Each slot represents a physical TDM channel and lasts for 577 µs
GSM Physical Channels
[Figure: grid of physical channels. Frequency 1, Frequency 2, ..., Frequency 124 on one axis and timeslots 1 to 8 on the other; each frequency carries Ch 1 to Ch 8. TDMA frame = 4.615 ms.]
GSM-Channels
The total RF Spectrum (~50 MHz) is located in 890-915 MHz (upstream) and 935-960 MHz (downstream)
This spectrum is divided into 124 RF carriers of 200 kHz.
The offset of the upstream/downstream pairing is fixed at 45 MHz.
Each RF carrier is further divided into 8 time slots (TDMA), the physical channels
There is no pre-assignment of any channels to a specific and exclusive use.
GSM-Channels
For a given channel the uplink F_u and downlink F_d frequency can be obtained from
F_u = 890.2 + 0.2 (N-1) MHz
F_d = 935.2 + 0.2 (N-1) MHz
with N = 1,2,…, 124.
GSM-Channel & Frames
When an MS is assigned to an information channel, a radio channel and a timeslot are also assigned.
Radio channels are assigned in frequency pairs (one for the uplink and the other for the downlink).
Each pair of radio channels supports up to 8 simultaneous calls.
Thus, GSM can support up to 992 simultaneous users with the full rate speech coder.
This number can be doubled to 1984 with the half rate speech coder.
GSM Hierarchy of Frame Structure
[Figure: frame hierarchy, from largest to smallest unit.
Hyperframe (= 2048 superframes = 2,715,648 frames = 21,725,184 slots), superframes numbered 0 to 2047: 3 h 28 min 53.76 s
Superframe (= 51 multiframes): 6.12 s
Multiframe (traffic or control multiframes), frames numbered 0 to 25 or 0 to 50: 120 ms and 235.4 ms
Frame: 8 bursts of time slots, numbered 0 to 7: 4.615 ms
Burst slot: 577 µs]
GSM Logical Channel Structure
[Figure: tree of logical channels.
TCH: TCH/F, TCH/H
CCH: BCH (FCCH, SCH, BCCH); CCCH (PCH, AGCH, RACH); DCCH (SDCCH, ACCH (FACCH, SACCH))
CBCH]
GSM Channel Types
3 groups of logical (i.e., Virtual Circuits) channels, TCH, CCH and CBCH, which are realized on top of physical channels.
TCH (Traffic Channel): To carry voice or data traffic of the users
CCH (Control Channel): For control and signaling functions
CBCH (Cell Broadcast Channel): For broadcast functions from a service center to a MS in a cell area.
GSM Logical Channels
Traffic (TCH) Channels: Two-way, carrying voice and data
– Full-rate traffic channels (TCH/F)
– Half-rate traffic channels (TCH/H)
– Full rate channel may carry 13 kb/s speech or data at 12, 6, or 3.6 kb/s
– Half rate channel may carry 6.5 kb/s speech or data at 6 or 3.6 kb/s
GSM Logical Channels, cont…
CCH consists of 3 groups of logical control channels, BCH, CCCH and DCCH
BCH (Broadcast Channel): Point-to-multipoint downlink only. Contains three sub-channels, BCCH, FCCH and SCH
– BCCH (Broadcast Control Channel): Used by the BTS to broadcast synchronization parameters, available services, and cell ID. In other words, sending cell identities, organization info about common control channels, cell service available, etc.
GSM Logical Channels
– FCCH (Frequency Correction Channel): An MS uses it to synchronize its carrier frequency and bit timing.
– SCH (Synchronization Channel): Used by the BTS to broadcast frame synchronization signals to all MSs; in other words, send TDMA frame number and base station identity code to synchronize MSs.
GSM Logical Channels, cont…
CCCH (Common Control Channel), one way: Consists of three sub-channels, PCH, AGCH and RACH. These channels are used for paging and access
– PCH (Paging Channel): Used by BTS to page the MS
– AGCH (Access Grant Channel): to assign MSs to stand-alone dedicated control channels for initial assignment; Used by the MS to access the BTS for call establishment
– RACH (Random Access Channel): for MS to send requests for dedicated connections; for the acknowledgement from the BTS to the MS after a successful attempt by MS using RCH.
GSM Logical Channels, cont…
DCCH (Dedicated Control Channel): bi-directional point-to-point, main signaling channels. Consists of two sub-channels, SDCCH and ACCH
– SDCCH (Stand-alone dedicated control channel): for service request, subscriber authentication, equipment validation, assignment to a traffic channel; Call establishment and mobility management
GSM Logical Channels, cont…
– ACCH consists of two sub-channels, SACCH and FACCH
SACCH (slow associated control channel): for out-of-band signaling associated with a traffic channel, e.g., signal strength measurements; Assigned to each TCH and SDCCH. Used to exchange parameters between the BTS and the MS to maintain the link.
FACCH (fast associated control channel): for preemptive signaling on a traffic channel, e.g., for handoff messages; Used to support fast transitions in the channel when SACCH is not adequate.