
GSM Mobility Management

Date post: 27-Dec-2015
Upload: gomzy456
Transcript
Page 1: GSM Mobility Management

GSM Mobility Management

Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York

• GSM architecture overview
  – Network layout
  – Protocols
  – Addresses & identifiers
• Location management
  – Call delivery + location update
  – Security
• Handover management

Page 2: GSM Mobility Management

GSM network layout

[Figure: GSM Network (PLMN); labels: MSC region (three shown), Location area, BSC, BTS]

PLMN: Public Land Mobile Network

MSC: Mobile Switching Center

BTS: Base Transceiver Station

BSC: Base Station Controller

Page 3: GSM Mobility Management

GSM network layout

[Figure: GSM network elements and interfaces; elements: BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR, OMC, PSTN, ISDN; interface labels: Um, Abis, A, B, C, E]

Page 4: GSM Mobility Management

GSM MAP protocol

• GSM MAP is similar to IS-41 MAP
• MAP uses the Transaction Capabilities Application Part (TCAP) of the SS7 stack
• MAP functions:
  – Updating of location information in VLRs
  – Storing routing information in HLRs
  – Updating and supplementing user profiles in HLRs
  – Handoff of connections between MSCs

Page 5: GSM Mobility Management

What is a location area (LA)?

• A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell

• One extreme is to page every cell in the network for each call - a waste of radio bandwidth

• Other extreme is to have a mobile send location updates at the cell level. Paging cut to 1 cell, but large number of location updating messages.

• Hence, in GSM, cells are grouped into Location Areas – updates sent only when LA is changed; paging message sent to all cells in last known LA

Page 6: GSM Mobility Management

Addresses and Identifiers

• International Mobile Station Equipment Identity (IMEI)
  – It is similar to a serial number. It is allocated by the equipment manufacturer, registered by the network, and stored in the EIR
• International Mobile Subscriber Identity (IMSI)

IMSI structure: MCC | MNC | MSIN

MCC: Country Code
MNC: Mobile Network Code
MSIN: Mobile Subscriber Identification Number

When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.

The HLR can be identified by a VLR/MSC from the IMSI.

Page 7: GSM Mobility Management

Addresses and Identifiers

• Mobile Subscriber ISDN (MSISDN)
  – The “real telephone number”: assigned to the SIM
  – The SIM can have several MSISDN numbers for selection of different services like voice, data, fax

MSISDN structure: CC | NDC | SN

CC: Country Code
NDC: National Destination Code (NDC identifies operator)
SN: Subscriber Number
Digits following NDC identify the HLR

Page 8: GSM Mobility Management

Addresses and Identifiers

• Mobile Station Roaming Number (MSRN)
  – It is a temporary, location-dependent ISDN number
  – It is assigned by the local VLR to each MS in its area.

MSRN structure: CC | NDC | SN

Page 9: GSM Mobility Management

Addresses and identifiers

• Temporary Mobile Subscriber Identity (TMSI)
  – It is an alias of the IMSI and is used in its place for privacy.
  – It is used to avoid sending IMSI on the radio path.
  – It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR
  – TMSI is stored in MS SIM card and in VLR.

Page 10: GSM Mobility Management

TMSI, IMSI, MSRN and MSISDN

• Unlike MSISDN, IMSI is not known to the GSM user. The CC of MSISDN translates to an MCC of IMSI, e.g., Denmark: CC 45, MCC 238
• TMSI is used instead of IMSI during location update to protect privacy. As the user moves, TMSI is used to send location updates. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
• MSRN is the routing number that identifies the current location of the called MS.
  – MSRN is a temporary network identity assigned to a mobile subscriber.
  – MSRN identifies the serving MSC/VLR.
  – MSRN is used for call delivery (calls incoming to an MS).
• MSISDN is the dialed number to reach a GSM user

Page 11: GSM Mobility Management

Addresses and Identifiers

• Location Area ID (LAI)
  – CC: Country Code, MNC: Mobile Network Code, LAC: Location Area Code
  – LAI is broadcast regularly by the Base Station on BCCH
  – Each cell is identified uniquely as belonging to an LA by its LAI

LAI structure: CC | MNC | LAC

Page 12: GSM Mobility Management

Location management

• Set of procedures to:
  – track a mobile user
  – find the mobile user to deliver it calls
• Current location of MS maintained by 2-level hierarchical strategy with HLRs and VLRs.

Page 13: GSM Mobility Management

Ways to obtain MSRN

1. Obtaining at location update – MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.

2. Obtaining on a per call basis – This case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment

Page 14: GSM Mobility Management

Routing information: case when MSRN is selected per call by VLR/MSC

• If an MSRN is allocated to each subscriber visiting at an MSC, then the number of MSRNs required is large. If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number. Hence MSRNs are typically allocated per call by the VLR/MSC.

[Figure: routing information flow between GMSC, HLR and MSC/VLR; labels on the arrows and boxes: MSISDN, IMSI, VLR number, MSRN]

Page 15: GSM Mobility Management

Call routing to a mobile station: case when HLR returns MSRN

[Figure: call routing from the ISDN through GMSC, HLR and MSC/VLR to the MS, with BSCs and BTSs in LA 1 and LA 2 (EIR and AUC also shown); numbered steps 1 and 2 carry the MSISDN, steps 3 to 5 the MSRN, steps 6 to 8 the TMSI]

Page 16: GSM Mobility Management

Messages exchanged: call delivery

[Figure: message sequence between Originating Switch (PSTN), GMSC, HLR, VLR and Target MSC, with the arrows numbered 1 to 6 as listed below]

1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM

Page 17: GSM Mobility Management

Find operation in GSM

• ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. It therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network)

• GMSC requests the current routing address (MSRN) from the HLR using MAP

• By way of MSRN the call is forwarded to the local MSC

• Local MSC determines the TMSI of the MS (by querying VLR) and initiates the paging procedure in the relevant LA

• After MS responds to the page the connection can be switched through.
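
The call-delivery exchange above with per-call MSRN allocation, as an added Python example that is not part of the original slides. Class and function names, the sample numbers, and the point at which the MSRN returns to the pool are assumptions of this sketch.

```python
class VLR:
    """Serving MSC/VLR with a small MSRN pool that is shared by all visitors."""
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)   # pool sized like the MSC's circuits
        self.pending = {}             # MSRN -> IMSI of the call being set up
        self.tmsi_of = {}             # IMSI -> TMSI of registered visitors

    def provide_roaming_number(self, imsi):      # MAP_PROVIDE_ROAMING_NUMBER
        if imsi not in self.tmsi_of:
            raise LookupError("IMSI not registered in this VLR")
        if not self.free:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free.pop(0)
        self.pending[msrn] = imsi
        return msrn                              # MAP_PROVIDE_ROAMING_NUMBER_ack

    def incoming_call(self, msrn):               # second ISUP IAM, addressed to MSRN
        imsi = self.pending.pop(msrn)            # assumption: MSRN is freed here
        self.free.append(msrn)
        return self.tmsi_of[imsi]                # TMSI used to page the MS

class HLR:
    def __init__(self):
        self.records = {}             # MSISDN -> (IMSI, serving VLR)

    def send_routing_info(self, msisdn):         # MAP_SEND_ROUTING_INFO
        imsi, vlr = self.records[msisdn]
        # Returning the VLR object is a shortcut: the MSRN identifies the MSC/VLR.
        return vlr, vlr.provide_roaming_number(imsi)

def deliver_call(hlr, msisdn):
    """GMSC side of steps 2-6; returns (MSRN used, TMSI that gets paged)."""
    vlr, msrn = hlr.send_routing_info(msisdn)
    return msrn, vlr.incoming_call(msrn)

def demo():
    """Constructed data: two visitors share a pool of one MSRN."""
    vlr, hlr = VLR(["4599000001"]), HLR()
    vlr.tmsi_of = {"238010000000001": "a1b2c3d4", "238010000000002": "0f0e0d0c"}
    hlr.records = {"4520000001": ("238010000000001", vlr),
                   "4520000002": ("238010000000002", vlr)}
    return [deliver_call(hlr, m) for m in ("4520000001", "4520000002")]
```

Both calls are routed with the same MSRN, which is why the pool can be sized by circuits rather than by visiting subscribers.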

Page 18: GSM Mobility Management

GSM security

• Authentication
• What signed response (SRES) are you able to derive from the input challenge RAND by applying the A3 algorithm with your personal key Ki (Ki is per subscriber)?

[Figure: the network sends the challenge RAND (128 bit) to the MS; MS and network each apply the A3 algorithm to RAND and Ki to obtain SRES, and the two SRES values are checked ("equal?")]

Page 19: GSM Mobility Management

GSM security

• Encryption
• Digital technology – easy to encrypt voice data
• A5 derives a ciphering sequence of 114 bits for each burst independently
• XOR 114 bits of a radio burst with 114 bits of a ciphering sequence generated by A5

[Figure: MS and BTS each run the A5 algorithm on Kc (64 bits) and the frame number (22 bits); the resulting sequences S1 (114 bits) and S2 (114 bits) are used for ciphering and deciphering]

Page 20: GSM Mobility Management

Key management

• Ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki)
• Each time a mobile station is authenticated the MS and network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES
• Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
  – Bootstrap period during which network does not know who the subscriber is
    • Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted)
  – Protection: use TMSI instead of IMSI when possible
  – TMSI should be exchanged during protected signaling (ciphered) procedures
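
The authentication, key-generation and ciphering steps of the three security slides above, as an added Python example that is not part of the original slides. A3, A8 and A5 are replaced by stand-ins (HMAC-SHA256 and SHAKE-128, an assumption made so the flow can run); only the inputs, outputs and bit lengths follow the slides, plus the 32-bit SRES length used in GSM.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumptions): these are NOT the real A3/A8/A5 algorithms.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """A3 stand-in: (Ki, RAND) -> signed response SRES (32 bits)."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """A8 stand-in: same inputs as A3 -> ciphering key Kc (64 bits)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame_number: int) -> int:
    """A5 stand-in: (Kc, 22-bit frame number) -> 114-bit ciphering sequence."""
    if not 0 <= frame_number < 2**22:
        raise ValueError("frame number must fit in 22 bits")
    block = hashlib.shake_128(kc + frame_number.to_bytes(3, "big")).digest(15)
    return int.from_bytes(block, "big") >> 6   # 120 bits cut down to 114

def cipher_burst(kc: bytes, frame_number: int, burst: int) -> int:
    """XOR a 114-bit burst with the sequence; the same call deciphers."""
    if burst < 0 or burst >> 114:
        raise ValueError("burst must fit in 114 bits")
    return burst ^ a5_keystream(kc, frame_number)

def auc_triplet(ki: bytes):
    """AUC side: fresh 128-bit RAND plus the expected SRES and Kc."""
    rand = secrets.token_bytes(16)
    return rand, a3_sres(ki, rand), a8_kc(ki, rand)

def authenticate(ms_ki: bytes, net_ki: bytes):
    """One challenge-response run; returns (accepted, Kc at MS, Kc at network)."""
    rand, expected_sres, net_kc = auc_triplet(net_ki)
    ms_sres, ms_kc = a3_sres(ms_ki, rand), a8_kc(ms_ki, rand)  # computed with the SIM's Ki
    accepted = hmac.compare_digest(ms_sres, expected_sres)     # the "equal?" check
    return accepted, ms_kc, net_kc
```

Ki never leaves the SIM or the AUC: only RAND and SRES cross the radio path, and both ends arrive at the same Kc without sending it.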

Page 21: GSM Mobility Management

Location registration

• MS has to register with the PLMN to get communication services
• Registration is required for a change of PLMN
• MS has to report to current PLMN with its IMSI and receive new TMSI by executing Location Registration process.
• The TMSI is stored in SIM, so that even after power on or off, there is only normal Location Update.
• If the MS recognizes by reading the LAI broadcast on BCCH that it is in new LA, it performs Location Update to update the HLR records.
• Location update procedure could also be performed periodically, independent of the MS movement.
• The difference between Location Registration and Location Update is that in location update the MS has already been assigned a TMSI.
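
How often the IMSI appears on the radio path under the registration and update rules above, as an added Python example that is not part of the original slides. It models a single VLR, omits authentication and ciphering, and uses hypothetical class names and constructed IMSI and LAI values; the 4-octet TMSI length is the GSM value.

```python
import secrets

class VLR:
    """Single-VLR sketch: keeps TMSI -> IMSI and reallocates on every update."""
    def __init__(self):
        self.imsi_by_tmsi = {}
        self.lai_by_imsi = {}

    def location_update(self, kind, value, lai):
        """Handle Loc.Upd.Req carrying an 'IMSI' or a 'TMSI'. Returns the new
        TMSI, or None if the TMSI is unknown and the IMSI is needed."""
        imsi = value if kind == "IMSI" else self.imsi_by_tmsi.get(value)
        if imsi is None:
            return None
        # Authentication and start of ciphering would run here (not modelled).
        self.lai_by_imsi[imsi] = lai
        self.imsi_by_tmsi = {t: i for t, i in self.imsi_by_tmsi.items() if i != imsi}
        tmsi = secrets.token_hex(4)          # a TMSI is 4 octets
        self.imsi_by_tmsi[tmsi] = imsi
        return tmsi                          # handed to the MS in ciphered mode

class MobileStation:
    def __init__(self, imsi):
        self.imsi, self.tmsi, self.lai = imsi, None, None  # kept on the SIM
        self.sent_in_clear = []              # identities visible on the radio path

    def _request(self, vlr, kind, value, lai):
        self.sent_in_clear.append((kind, value))   # first message is unciphered
        return vlr.location_update(kind, value, lai)

    def on_bcch(self, vlr, broadcast_lai):
        """Compare the LAI read from BCCH with the stored LAI; update if new."""
        if broadcast_lai == self.lai:
            return False
        new_tmsi = None
        if self.tmsi is not None:            # Location Update: TMSI already assigned
            new_tmsi = self._request(vlr, "TMSI", self.tmsi, broadcast_lai)
        if new_tmsi is None:                 # Location Registration: report the IMSI
            new_tmsi = self._request(vlr, "IMSI", self.imsi, broadcast_lai)
        self.tmsi, self.lai = new_tmsi, broadcast_lai
        return True

def identities_in_clear(lais, imsi="238010000000001"):
    """Move one MS (constructed IMSI) through the given LAIs; return what was exposed."""
    vlr, ms = VLR(), MobileStation(imsi)
    for lai in lais:
        ms.on_bcch(vlr, lai)
    return ms.sent_in_clear
```

Across three location areas the IMSI is exposed once, at registration, and each later update shows a different TMSI; the IMSI reappears only when the VLR does not recognise the TMSI it is given.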

Page 22: GSM Mobility Management

Location registration

[Figure: message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Message labels: Loc.Upd.Req (IMSI, LAI); Upd Loc.Area (IMSI, LAI); Aut.Par.Req; Auth.Info.Req; Auth.Info; Aut. Info.; Authentic. Req; Authenticate; Auth.Resp (SRES); Update Location (IMSI, MSRN). Parameter labels on the authentication messages: (IMSI), (RAND), (IMSI, Kc, RAND, SRES). Processing labels: A3 & A8 with IMSI, Ki and RAND giving Kc and SRES; SRES comparison (=); Generate TMSI. Continued on the next slide.]

Page 23: GSM Mobility Management

(…contd) Location registration

[Figure: continuation of the message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Labels: Generate TMSI; Start Ciph. (Kc); Ciph.Mod.Com.; Ciph.Mod.; message M ciphered with A5 and Kc as Kc(M) and deciphered back to M; Ins.Subsc.Data (IMSI); Subs.Dat.Ins.Ack; Forw. New TMSI (TMSI); Loc.Upd.Accept; TMSI Realloc.Cmd.; TMSI Realloc.Ack; TMSI.Ack]

Notes on the figure:
• Loc.Upd.Accept can be combined
• New TMSI is received by MS (TMSI Reallocation) in ciphering mode.

Page 24: GSM Mobility Management

Location update

[Figure: message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Stored values shown: IMSI, TMSI, Ki, Kc, LAI. Labels: Loc.Upd.Req (TMSI, LAI); Update Loc.Area (TMSI, LAI); Authentication; Start ciphering (Kc); Update Location (IMSI, MSRN); Generate TMSI; Insert Subscriber data; Subs. Data Insert Ack. Continued on the next slide.]

Page 25: GSM Mobility Management

(..contd) Location update

[Figure: continuation of the message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Message labels: Auth. Para. Req; Auth.Info.Req; Auth.Info; Auth. Info.; Start ciphering; Forward new TMSI; TMSI Realloc. Cmd.; TMSI Reallocation Complete; TMSI Ack; Loc. Upd. Accept. Parameter labels: (IMSI), (TMSI), (IMSI, Kc, RAND, SRES)]

Page 26: GSM Mobility Management

Types of handover (same as “handoff”)

• There are four different types of handover in the GSM system. Handover involves transferring a call between:
  – Channels (time slots) in the same cell
  – Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
  – Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
  – Cells under the control of different MSCs.

Page 27: GSM Mobility Management

Attributes of radio-link handover

• Hard handover
• MAHO
• Backward
• COS selection scheme: static
  – Cross-over switch: anchor switch

Page 28: GSM Mobility Management

Handover (MAHO)

• Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).

• During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength.

• This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

Page 29: GSM Mobility Management

Handover procedures in GSM

[Figure: handover scenarios across MSC-A, MSC-B and MSC-C, each with a BSC and BTSs (BTS 1, BTS 2, BTS 3); the connection route is marked with numbered steps 1 to 9]

Page 30: GSM Mobility Management

Inter MSC basic handover

[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Message labels: Handover required; Perform Handover; Allocate Handover number; Handover report; Radio chan. Ack; IAM; ACM; HA Indication; HB Indication; HB Confirm; Send End Signal; ANS; End of Call; REL; RLC; End Signal]

Page 31: GSM Mobility Management

Subsequent handover from MSC-B to MSC-A

[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Message labels: HA Required; Perform subsequent Handover; HA Indication; Subseq. Handover Acknowledge; HB Indication; HB Confirm; Handover report; End of Call; REL; RLC; End Signal]

Page 32: GSM Mobility Management

Subsequent handover from MSC-B to MSC-C

[Figure: message sequence chart between MSC-A, MSC-C, MSC-B, MS and VLR-C. Message labels: HA Request; Perform subsequent Handover; Perform Handover; Allocate Handover Number; Send Handover report; Radio chan. Ack.; IAM; ACM; HB Indication. Continued on the next slide.]

Page 33: GSM Mobility Management

(…contd) Subsequent handover from MSC-B to MSC-C

[Figure: continuation of the message sequence chart between MSC-A, MSC-C, MSC-B, MS and VLR-B. Message labels: HA Indication; Perform subsequent Acknowledge; HB Confirm; Send End Signal; ANS; Handoff Report; REL; RLC; End Signal]

Page 34: GSM Mobility Management

Abbreviations

• ISC: International switching center
• OMC: Operations and maintenance center
• GMSC: Gateway switching center
• MSC: Mobile switching center
• VLR: Visitor location register
• HLR: Home Location register
• EIR: Equipment Identification register
• AUC: Authentication center
• BSC: Base station controller
• BTS: Base transceiver station
• MS: Mobile subscriber
• TMSI: Temporary Mobile Subscriber Identity
• IMSI: International Mobile Subscriber Identity
