Post on 26-Aug-2014
transcript
Zainab ZaidiNetworks GroupNICTA
Zainab.Zaidi@nicta.com.au
Mobile Communications - GSM
Contents
• GSM Overview• Services• System architecture• GSM Channels• Call establishment• Handover• Security• Data services
– HSCSD (High-Speed Circuit Switched Data)– GPRS (General Packet Radio Service)– EDGE (Enhanced Data rates for Global Evolution)
Almost all slides contain material from Schiller, J., Mobile Communications, Addison Wesley
GSM: Overview
• Objective: – Seamless roaming within Europe(ETSI, European
Telecommunications Standardization Institute)• formerly: Groupe Spéciale Mobile (founded 1982), now:
Global System for Mobile Communication• Market share:
– 85% of global mobile subscribers use GSM and 3GSM (WCDMA) (March, 2007)
• Salient features:– Roaming– Security– Better transmission quality– Higher capacity– Device independence (SIM)
Example coverage of GSM networks (www.gsmworld.com)
T-Mobile (GSM-900/1800) Germany O2 (GSM-1800) Germany
AT&T (GSM-850/1900) USA Vodacom (GSM-900) South Africa
GSM frequency bands
Type Channels Uplink [MHz] Downlink [MHz]
GSM 850 (Americas)
128-251 824-849 869-894
GSM 900classicalextended
0-124, 955-1023124 channels+49 channels
876-915890-915880-915
921-960935-960925-960
GSM 1800 (DCS)
512-885 1710-1785 1805-1880
GSM 1900 (Americas, PCS)
512-810 1850-1910 1930-1990
GSM-Rexclusive
955-1024, 0-12469 channels
876-915876-880
921-960921-925
- Additionally: GSM 400 (also named GSM 450 or GSM 480 at 450-458/460-468 or 479-486/489-496 MHz- Please note: frequency ranges may vary depending on the country!- Channels at the lower/upper edge of a frequency band are typically not used
GSM: Mobile Services
• GSM offers– several types of connections
• voice connections, data connections, short message service– multi-service options (combination of basic services)
• Three service domains– Bearer or data Services (max data rate 9.6 kbits/s)– Telematic Services (voice, fax, SMS)– Supplementary Services (call forwarding, call redirection, etc.)
GSM-PLMNtransit
network(PSTN, ISDN)
source/destination
networkTE TE
bearer services
tele services
R, S (U, S, R)Um
MT
MS
Ingredients 1: Mobile Phones, PDAs & Co.
The visible but smallestpart of the network!
Ingredients 2: Antennas
Still visible – cause many discussions…
Ingredients 3: Infrastructure 1
Base Stations
Cabling
Microwave links
Ingredients 3: Infrastructure 2
Switching units
Data bases
Management
Monitoring
Not „visible“, but comprise the major part of the network (also from an investment point of view…)
GSM: elements and interfaces• components
– MS (mobile station)– BS (base station)– MSC (mobile switching
center)– LR (location register)
• subsystems– RSS (radio subsystem):
covers all radio aspects– NSS (network and
switching subsystem): call forwarding, handover, switching
– OSS (operation subsystem): management of the network
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
System architecture: radio subsystem• Components
– MS (Mobile Station)– BSS (Base Station Subsystem):
consisting of• BTS (Base Transceiver Station):
sender and receiver• BSC (Base Station Controller):
controlling several transceivers
• Interfaces– Um : radio interface– Abis : standardized, open interface
with 16 kbit/s user channels
– A: standardized, open interface with 64 kbit/s user channels
Um
Abis
A
BSS
radiosubsystem
network and switchingsubsystem
MS MS
BTSBSC MSC
BTS
BTSBSC
BTSMSC
Mobile stationA mobile station (MS) comprises several functional groups
– MT (Mobile Terminal):• offers common functions used by all services the MS offers• corresponds to the network termination (NT) of an ISDN access• end-point of the radio interface (Um)
– TA (Terminal Adapter):• terminal adaptation, hides radio specific characteristics
– TE (Terminal Equipment):• peripheral device of the MS, offers services to a user• does not contain GSM specific functions
– SIM (Subscriber Identity Module):• personalization of the mobile terminal, stores user parameters
(PIN, PIN unblocking key, authentication key, IMSI)• Device is identified through IMEI (International mobile
equipment identity)
R S UmTE TA MT
System architecture: network and switching subsystem
Components MSC (Mobile Services Switching Center): IWF (Interworking Functions)
ISDN (Integrated Services Digital Network) PSTN (Public Switched Telephone Network) PSPDN (Packet Switched Public Data Net.) CSPDN (Circuit Switched Public Data Net.)
Databases HLR (Home Location Register) VLR (Visitor Location Register) EIR (Equipment Identity Register)
networksubsystem
MSC
MSC
fixed partnernetworks
IWF
ISDNPSTN
PSPDNCSPDN
SS
7
EIR
HLR
VLR
ISDNPSTN
Network and switching subsystem
• NSS is the main component of the public mobile network GSM– switching, mobility management, interconnection to other
networks, system control• Components
– Mobile Services Switching Center (MSC)controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC
– Databases (important: scalability, high capacity, low delay)• Home Location Register (HLR)
central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
• Visitor Location Register (VLR)local database for a subset of user data, including data about all user currently in the domain of the VLR
Mobile Services Switching Center
• The MSC (mobile switching center) plays a central role in GSM
– switching functions– additional functions for mobility support– management of network resources– interworking functions via Gateway MSC (GMSC)– integration of several databases
• Functions of a MSC– specific functions for paging and call forwarding– termination of SS7 (signaling system no. 7)– mobility specific signaling– location registration and forwarding of location information– provision of new services (fax, data calls)– support of short message service (SMS)– generation and forwarding of accounting and billing information
Operation subsystem
• The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
• Components– Authentication Center (AUC)
• generates user specific authentication parameters on request of a VLR • authentication parameters used for authentication of mobile terminals
and encryption of user data on the air interface within the GSM system
– Equipment Identity Register (EIR)• registers GSM mobile stations and user rights• stolen or malfunctioning mobile stations can be locked and sometimes
even localized– Operation and Maintenance Center (OMC)
• different control capabilities for the radio subsystem and the network subsystem
1 2 3 4 5 6 7 8
higher GSM frame structures
935-960 MHz124 channels (200 kHz)downlink
890-915 MHz124 channels (200 kHz)uplink
frequ
ency
time
GSM TDMA frame
GSM time-slot (normal burst)
4.615 ms
546.5 µs577 µs
tail user data TrainingSguardspace S user data tail
guardspace
3 bits 57 bits 26 bits 57 bits1 1 3
GSM - TDMA/FDMA
Some questions
• Raw data rate per carrier?• Data rate per carrier?• Data rate per user (1 slot in
a frame)?• For higher data rate user,
what can be done?• Uplink and Downlink
frequencies are 45 MHz apart, do we need a full duplex receiver?
• One frequency band might suffer in frequency selective fading, what to do?
Answers:• 270 Kbits/s (148 bits/546.5
µs)• 200 Kbits/s (114/(546.5 or
577 µs))• 25 Kbits/s (excluding FEC ~
22.8Kbits/s)• Use multiple slots – logical
channels• Uplink and downlink TDM
channels are shifted by 3 slots
• Frequency hopping
Traffic channels
• Full rate (TCH-F)– 22.8 Kbits/s– Standard voice codes, full rate is 13 Kbits/s– Rest of the bits are used for error correction
• Half rate (TCH-H)– 11.4 Kbits/s– Doubles the capacity of system, how? At the expense of
what?– Half rate codec 5.6 Kbits/s
• Data transmission– TCH/F4.8 (4.8 Kbits/s) Why the data rate is low?– TCH/F9.6 (9.6 Kbits/s)– TCH/F14.4 (14.4 Kbits/s)
Control Channels
• Broadcast channels (0th time slot)– Broadcast control channel
• Cell/network ID• Channel characteristics and availability
– Frequency correction channel• To synchronize local oscillators of MS
– Synchronization channel• Correction of individual path delay
• Common control channels (0th time slot if not used by broadcast)– Paging channel– Random access channel– Access grant channel
Control channels II
• Dedicated control channels (any time slot except 0th)– Slow associated control channelTTTTTTTTTTTTSTTTTTTTTTTTTS….
• Forward channel: current control information (power level etc.)• Reverse channel: received signal quality• Also used for SMS
– Fast associated control channel• For urgent messages (Handover etc.)• Can take many traffic channels
– Stand-alone dedicated control channels• Signaling data before TCH assignment• Also used for SMS
Mobile Terminated Call
PSTNcallingstation GMSC
HLR VLR
BSSBSSBSS
MSC
MS
1 2
3
45
6
7
8 9
10
11 12
1316
10 10
11 11 11
14 15
17
• 1: calling a GSM subscriber• 2: forwarding call to GMSC• 3: signal call setup to HLR• 4, 5: request MSRN (Mobile
subscriber roaming no.) from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to • current MSC• 8, 9: get current status of MS• 10, 11: paging of MS• 12, 13: MS answers• 14, 15: security checks,
selection of TMSI (Temporary mobile subscriber identity)
• 16, 17: set up connection
Mobile Originated Call
PSTN GMSC
VLR
BSS
MSC
MS1
2
6 53 4
9
10
7 8
• 1, 2: connection request• 3, 4: security check• 5-8: check resources (free
circuit)• 9-10: set up call
GSM Operations
From Rappaport, T. S., Wireless Communications, Prentice Hall
Security in GSM• Security services
– access control/authentication• user SIM (Subscriber Identity Module): secret PIN (personal
identification number)• SIM network: challenge response method
– confidentiality• voice and signaling encrypted on the wireless link (after
successful authentication)– anonymity
• temporary identity TMSI (Temporary Mobile Subscriber Identity)
• newly assigned at each new location update (LUP)• encrypted transmission
• 3 algorithms specified in GSM– A3 for authentication (“secret”, open interface)– A5 for encryption (standardized)– A8 for key generation (“secret”, open interface)
“secret”:• A3 and A8 available via the Internet• network providers can use stronger mechanisms
GSM - authentication
A3
RANDKi
128 bit 128 bit
SRES* 32 bit
A3
RAND Ki
128 bit 128 bit
SRES 32 bit
SRES* =? SRES SRES
RAND
SRES32 bit
mobile network SIM
AC
MSC
SIM
Ki: individual subscriber authentication key SRES: signed response
GSM - key generation and encryption
A8
RANDKi
128 bit 128 bit
Kc
64 bit
A8
RAND Ki
128 bit 128 bit
SRES
RAND
encrypteddata
mobile network (BTS) MS with SIM
AC
BSS
SIM
A5
Kc
64 bit
A5MS
data data
cipherkey
4 types of handover
• Typical cell radius: 35 Km in countryside, 100’s m in cities
MSC MSC
BSC BSCBSC
BTS BTS BTSBTS
MS MS MS MS
12 3 4
Handover decision
• Average signal strength is used instead of instantaneous values• HO_Margin or hysteresis level to reduce the pingpong effect
receive levelBTSold
receive levelBTSold
MS MS
HO_MARGIN
BTSold BTSnew
Disadvantages of GSM
• There is no perfect system!!• no end-to-end encryption of user data• no full ISDN bandwidth of 64 kbit/s to the user, no
transparent B-channel
• reduced concentration while driving• electromagnetic radiation
• abuse of private data possible• roaming profiles accessible
• high complexity of the system• several incompatibilities within the GSM standards
Data transmission in GSM
• Data channels– TCH/F4.8 (4.8 Kbits/s) – TCH/F9.6 (9.6 Kbits/s)– TCH/F14.4 (14.4 Kbits/s)
• Why the data rate is low (TCH-F:22.8Kbits/s)?– TCH/F4.8 (1/3 convolutional code with added tail bits– TCH/F9.6 & TCH/F14.4 (1/2 convolutional code, bit period
is small in F14.4)• Good enough for SMS, fax, etc. but not enough for
Internet and multimedia applications
Data services in GSM I• HSCSD (High-Speed Circuit Switched Data)
– bundling of several time-slots to get higher AIUR (Air Interface User Rate)(e.g., 57.6 kbit/s using 4 slots, 14.4 each)
– mainly software update– advantage: ready to use, constant quality, simple– disadvantage: channels blocked for voice
transmission (circuit-switched)AIUR [kbit/s] TCH/F4.8 TCH/F9.6 TCH/F14.4
4.8 19.6 2 1
14.4 3 119.2 4 228.8 3 238.4 443.2 357.6 4
Data services in GSM II
• GPRS (General Packet Radio Service)– packet switching– using free slots only if data packets ready to send
(e.g., 50 kbit/s using 4 slots temporarily)– standardization 1998, introduction 2001– advantage: one step towards UMTS, more flexible– disadvantage: more investment needed (new
hardware)
GPRS user data rates in kbit/s
Coding scheme
1 slot 2 slots
3 slots
4 slots
5 slots
6 slots
7 slots
8 slots
CS-1 9.05 18.1 27.15 36.2 45.25 54.3 63.35 72.4CS-2 13.4 26.8 40.2 53.6 67 80.4 93.8 107.2CS-3 15.6 31.2 46.8 62.4 78 93.6 109.2 124.8CS-4 21.4 42.8 64.2 85.6 107 128.4 149.8 171.2
GPRS coding schemesSchem
ePDU Size
BCS USF Tail bits
Convolutional coder
Punctured
Effective
rate(bits) (bits) (bits) Input Outpu
tbits Input/
456CS-1 184 40 0 4 228 456 0 0.5
CS-2 271 16 3 4 294 588 132 0.64
CS-3 315 16 3 4 338 676 220 0.74
CS-4 431 16 9 - - 456 0 1
Radio block: 456 bits in 4 slots, 1 slot in 1 frame (114bits/slot)
GPRS architecture• GPRS network elements
– GSN (GPRS Support Nodes): GGSN and SGSN– GGSN (Gateway GSN)
• interworking unit between GPRS and PDN (Packet Data Network)
– SGSN (Serving GSN)• supports the MS (location, billing,
security)– GR (GPRS Register)
• user addresses
GPRS architecture and interfaces
MS BSS GGSNSGSN
MSC
Um
EIR
HLR/GR
VLR
PDN
Gb Gn Gi
SGSN
Gn
Serving GPRS Support Node (SGSN)• at same hierarchical level as MSC• delivers packets to MS within its service area• queries HLRs for profile data of GPRS subscribers• detects new GPRS mobile stations in a given
service area• processes registration of new MSs and keeps a
record of their location
Gateway GPRS Support Node (GGSN)• used as interface to external packet-switched
networks• connected to SGSN via an IP-based GPRS
backbone network• maintains routing information that is necessary to
tunnel the Protocol Data Units (PDUs) to the SGSNs that service particular mobile stations
• one or more GGSNs may support multiple SGSNs
GPRS Network Enhancements
• Base Station System (BSS):– must be enhanced to recognize and send user data to the
SGSN that is serving the area• Home Location Register (HLR):
– must be enhanced to register GPRS user profiles and– respond to queries originating from SGSNs regarding
these profiles• MSC/VLR:
– optionally enhanced to coordinate GPRS and non-GPRS e.g. combined location updates, SGSN paging for GSM calls
GPRS Network Operations
• For GPRS user, network is connectionless HOWEVER, a network connection must be established for each transaction, and released once the transaction is completed
• GPRS attach request from MS to begin a transaction
• GPRS detach request from MS to end a transaction
• Attach/detach requests are infrequent e.g. daily
GPRS operations II
• User Registration associates the MS ID with the user address– In home area, HLR is enhanced to reference GPRS data– Outside home area, dynamically allocated records are
references in VLRs• Authentication - via GSM mobility management
protocols• Call Admission Control determines resources for
QoS• Routing is performed by the GSNs on a hop-by-
hop basis, using the destination address– Routing tables are maintained by the GSNs using the GTP
layer
EDGE (Enhanced Data rate for GSM Evolution)• Uses GSM/GPRS, but with higher-level
modulation (8-PSK instead of GMSK)• Radio link control is also enhanced for
better transmission quality– Link adaptation– Adaptive transmission rate
• Allows up to 48 kbps per timeslot,• 384 kbps using 8 time slots
Comparison of EDGE and GSM frame
GSM time-slot (normal burst)
546.5 µs577 µs
tail user data TrainingSguardspace S user data tail
guardspace
3 bits 57 bits 26 bits 57 bits1 1 3
Basic data rate : (12/13).1/8.114/0.577 = 22.8 kbps
Basic data rate : (12/13).1/8.116/0.577 = 23.2 ksymbols/s = 69.6 kbps
EDGE time-slot
EDGE coding schemesScheme Effective
rateData
rate/slot (kbps)
CS-1 0.5 11.4CS-2 0.64 14.5CS-3 0.74 16.9CS-4 1 22.8PCS-1 0.33 22.8PCS-2 0.49 34.3PCS-3 0.59 41.3PCS-4 0.74 51.6PCS-5 0.82 57.4PCS-6 1 69.6
•Modulation•CS GMSK•PCS 8-PSK
•Convolutional code•CS 1/2•PCS 1/3
EDGE link quality control
• Link adaptation– Coding scheme is chosen according to the link quality
feedback
• Adaptive transmission rate– Start with the highest rate code – If transmission is unsuccessful, use lower rate for re-
transmission by puncturing more bits
Reference
• Mobile communications by J. Schiller, Chapter 4