Faculty of Computing,Engineering & Technology
Global System forMobile Communications
Personal Broadband Networks, PBN (CE74024-3)
Alison L GriffithsC203
[email protected]/alg1
2004
GSM
2
PBN (CE74024-3) 2004
Objectives
IntroductionGSM Network ArchitectureTiming & Power ControlGaussian Minimal Shift Keying ModulationTimeslots, Frames & Multiframes
GSM
3
PBN (CE74024-3) 2004
Introduction
GSM
4
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
Lessons that were nearly learned from 1GNeed for standardisation
Two contrasting approachesEurope
Because of European Union, decided to develop a pan-European standard for the next generation of mobile networks
ROWParticularly the US and countries in US sphere of influence allowed market forces to remain dominantJapan, far-east went in a different direction
GSM
5
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
EuropeIn 1982 groupe spéciale mobile (GSM) founded to develop next generation standardSoon renamed global system for mobile communicationsTasked the European Telecommunications Standards Institute (ETSI) with responsibility of specifying and maintaining the standard5,000 pages long the 1st version was released in 1991
GSM
6
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
USAOriginal AMPS analogue system upgraded to digital in 1991 (D-AMPS)US military had been using a secure system for some time, this was made commercially available in 1991 called Code Division Multiple Access(CDMA)
JapanOriginally developed the Japanese Digital Cellular (JDC) system in 1993Later renamed Personal Digital Cellular (PDC)
GSM
7
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
In Europe the frequency allocated for the new 2nd Generation systems was originally 900 MHzIn US no new spectrum was initially allocated for D-AMPS & CDMA both competing at 850 MHz, GSM was allocated at 1900 MHz (900 was owned by RAM Mobile for Mobitex)Soon realised that 900 MHz could not offer sufficient bandwidth in metropolitan areas
GSM
8
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
Again solution adopted was differentIn 1994, Europe allocated a new frequency, 1800 MHz (known as Digital Cellular System (DCS) 1800)
Used smaller cells and more efficient codecs
US companies had to concentrate on squeezing more out of the available bandwidth by improving the technology
Because of the standards based approach GSM became the dominant worldwide technology
GSM
9
PBN (CE74024-3) 2004
Origins of 2nd Generation Systems
GSM now used in over 190 countriesOver 400 different providers worldwideHas over 70% of world marketEstimated 800 million GSM users worldwideIn US
135 million CDMA107 million TDMA16 million GSM!!
Japan PDC has 60 million users
GSM
10
PBN (CE74024-3) 2004
TDMA vs CDMA
The major difference between the new 2G technologies was the access scheme1G had used FDMAInitially all 2G technologies were TDMA (before arrival of CDMA)
GSM
11
PBN (CE74024-3) 2004
GSM as a 2nd Generation System
GSM principally designed to service voiceData not seen as a major revenue generatorHowever, does provide limited data services3 categories of services defined
Bearer servicesTele servicesSupplementary services
GSM
12
PBN (CE74024-3) 2004
GSM Bearer Services
Original GSM allowed for 9600 bit/s non-voice servicesPermits transparent / non-transparent, synchronous or asynchronous data transmissionTransparent bearer services
Used only at the physical layerMay use FEC
Non-transparent bearer servicesUse services of the Transparent bearerUtilise link control for retransmission, etc
Uses the bearer services to interwork with PSTN, ISDN, X.25, etc
GSM
13
PBN (CE74024-3) 2004
GSM Tele Services
Voice encryptionMessaging (SMS, EMS, MMS)Basic data communication (eg Fax)High-quality voice delivery using 3.1 kHz bandwidthCodecs for voice and modemStandard free of charge emergency number, has highest priority, automatically connects to nearest emergency center
GSM
14
PBN (CE74024-3) 2004
GSM Supplementary Services
Similar to ISDN networksMay include
User identificationCall redirectionCall forwardingClosed User GroupsMulitparty calls
GSM
15
PBN (CE74024-3) 2004
GSM Architecture
Consists of three subsystems
GSM
16
PBN (CE74024-3) 2004
Radio Subsystem (RSS)
Comprises all radio specific entities…
GSM
17
PBN (CE74024-3) 2004
Radio Subsystem (RSS) (1)
MS
Mobile Station (MS, the phone)Comprises of all equipment needed for communication with GSM network
GSM
18
PBN (CE74024-3) 2004
Mobile Station (MS)
Consists ofSubscriber Identity Module (SIM)
Stores user-specific data– Card type– Subscription type & therefore which services user can/cannot
access– Personal Identification Number (PIN)– A PIN unblocking key (PUK) used if the SIM is locked
accidentally– Authentication key (Ki)– International mobile subscriber identity (IMSI) permanent– The cipher key (Kc) set once phone is logged on to network– Temporary mobile subscriber identity (TMSI) when user is
not on home network used with the Location area identification (LAI) to locate the user on any GSM network in the world
GSM
19
PBN (CE74024-3) 2004
Mobile Station (MS)
cont…Without the SIM only emergency calls are allowedInternational Mobile Equipment Identity (IMEI)
Unique ID for the device used for theft protection
For GSM 900 phone has transmit power of 2WFor GSM 1800, 1W due to smaller cellsApart from the phone interface MS may also consist of
Display, speaker, microphone, programmable keys, computer modem, IrDA, Bluetooth, etc
GSM
20
PBN (CE74024-3) 2004
Radio Subsystem (RSS) (2)
Base Transceiver Station (BTS)Comprises of all the radio equipment
AntennasSignal processorsAmplifiers BTS
GSM
21
PBN (CE74024-3) 2004
Base Station Transceiver (BTS)
BTS manages a radio cell
Using sectorizedantenna maymanage severalcellsGSM cell canbe anythingfrom 100m to35km
Radio Cell
BTS
GSM
22
PBN (CE74024-3) 2004
Radio Subsystem (RSS) (3)
MS
Radio Cell
BTS
MS and BTS are connected by the Um interface (ISDN U interface for mobile)
Um
GSM
23
PBN (CE74024-3) 2004
Radio Subsystem (RSS) (3)
Base Station Controller (BSC) manages a collection of BTS’s Abis
BSC
GSM
24
PBN (CE74024-3) 2004
Base Station Controller (BSC)
Reserves radio frequenciesHandles handover between BTS’sPerforms paging of MS’sMultiplexes the radio channels onto the fixed networkCommunicates with the BTS’s using the Abis interface
GSM
25
PBN (CE74024-3) 2004
BCS / BTS Tasks
Function BTS BSCManagement of radio channelsFrequency hoppingManagement of terrestrial channelsMapping of terrestrial onto radio channelsChannel coding and decodingRate adaptationEncryption and decryptionPagingUplink signal measurementTraffic measurementAuthenticationLocation registry, location updateHandover management
GSM
26
PBN (CE74024-3) 2004
Radio Subsystem (RSS) (4)
The BSC and its managed BTS’sand connected MS’s is called a Base Station Subsystem(BSS)
BSS
GSM
27
PBN (CE74024-3) 2004
Base Station Subsystem (BSS)
GSM networks consist of n BSS’sBSS performs all the necessary functions for maintaining a radio connection to a MS
Coding/decoding of voice trafficRate adaptation between the wireless and fixed network
GSM
28
PBN (CE74024-3) 2004
Network & Switching Subsystem (NSS)
“heart” of the GSM system [Schiller, 2002]
GSM
29
PBN (CE74024-3) 2004
NSS
Connects the wireless and fixed networks togetherPerforms handovers between BSS’sSupports
All functions necessary for worldwide localisation of usersCharging & accountingRoaming
Consists of switches and databases
GSM
30
PBN (CE74024-3) 2004
NSS (1)
MSC
Mobile services switching center(MSC)
GSM
31
PBN (CE74024-3) 2004
Mobile Services Switching Center (MSC)
High-performance digital ISDN switchesSetup connections with other MSC’sConnect to the BSC’s over the A interfaceForm the fixed backbone of the GSM networkMSC usually manages a group of BSC’s in a geographical areaHandles
All signalling necessary for connection setup & releaseHandover between MSC’sAll supplementary services (eg call forwarding)
Uses SS7
GSM
32
PBN (CE74024-3) 2004
NSS (2)
Gateway MSC (GMSC)
MSC
GMSC
GSM
33
PBN (CE74024-3) 2004
Gateway MSC (GMSC)
Special node that handles connections to other fixed networks
PSTNISDN
Using special additional interworkingfunctions (IWF) can connect to public data networks such as X.25
GSM
34
PBN (CE74024-3) 2004
NSS (3)
Gateway MSC (GMSC) connects to fixed networks
IWF
PSTNISDNPDN
MSC
GMSC
GSM
35
PBN (CE74024-3) 2004
NSS (4)
Home location register (HLR) is the most important database in a GSM system
IWF
PSTNISDNPDN
GMSC
MSC
HLR
GSM
36
PBN (CE74024-3) 2004
Home Location Register (HLR)
Stores all relevant user data includingMobile Subscriber ISDN number (MSISDN)Details of subscription permissions
Call forwardingRoamingGPRS
Subscribers ISMIUsers location area (LA)Mobile subscriber roaming number (MSRN)User’s current VLR (see following) and MSCOnly 1 customer HLR record worldwideReal-time database has to provide data within certain time bounds
GSM
37
PBN (CE74024-3) 2004
NSS (5)
Visitor location register (VLR) associated with particular MSC
IWF
PSTNISDNPDN
GMSC
HLR
MSCVLR
GSM
38
PBN (CE74024-3) 2004
Visitor Location Register (VLR)
Dynamic real-time database that stores data on users in a particular LAassociated with the MSC
IMSIMSISDNHLR address
When new MS enters an LA controlled by the MSC the VLR copies data from user HLRNot uncommon for a VLR to hold data on 1million+ subscribers!
GSM
39
PBN (CE74024-3) 2004
Operation Subsystem (OSS)
Functions for network operation & maintenance
GSM
40
PBN (CE74024-3) 2004
OSS (1)
AuC
Authentication center (AuC)
GSM
41
PBN (CE74024-3) 2004
Authentication Center (AuC)
Due to the vulnerability of mobile networks to attack, GSM specification separates out the algorithms for key generation into a OSS network entityUsed by the HLR to authenticate a userMay be a securely partitioned part of the HLR
GSM
42
PBN (CE74024-3) 2004
OSS (2)
AuC
Operation and maintenance center (OMC) OMC
GSM
43
PBN (CE74024-3) 2004
Operation and Maintenance Center (OMC)
Monitors and controls all other network entitiesVia the O interface using SS7 with X.25Typically manages
Traffic monitoringStatus reportsSubscriber & security managementAccounting and billing
Uses the concept of telecommunications management network (TMN) specified by ITU-T
GSM
44
PBN (CE74024-3) 2004
OSS (3)
AuC
Equipment identity register (EIR) OMC
EIR
GSM
45
PBN (CE74024-3) 2004
Equipment Identity Register (EIR)
Database of all IMEI’s for the networkContains a blacklist of any MS that has been reported stolen or is currently lockedWhite list contains all valid MS’sGray list contains all MS’s that may not be functioning correctly
GSM
46
PBN (CE74024-3) 2004
GSM Network
GSM
47
PBN (CE74024-3) 2004
GSM Network interfaces
Aspects of the interconnection between the subsystems are controlled by different interfacesBetween the OMC and the other network components GSM specifies the O interface
This uses SS7 signalling to manage and control the network entities
Between the NSS and RSS is the A interface for communication between BSC’s and MSC’s, basically PCM-30 system multiplexing 30 x 64 bit channels at 2048 kbps using SS7
GSM
48
PBN (CE74024-3) 2004
GSM Network interfaces
Signalling between BSC’s and BTS’s is defined by the Abis interface
Transmission rates of 16 or 64kbps
Finally, GSM specifies the Um interface between the MS and the BTS
This comprises of many of the fundamental concepts we have previously discussed
SDMA, FDMA, TDMA, etc
GSM
49
PBN (CE74024-3) 2004
The Um interface
GSM uses SDMA between cells with each MS assigned to a BTSFDD is used to separate the uplink and downlink channels
GSM 900Uplink 890 – 915Downlink 935 – 960
GSM 1800Uplink 1710 – 1785Downlink 1805 – 1880
GSM 1900Uplink 1850 – 1910Downlink 1930 - 1990
GSM
50
PBN (CE74024-3) 2004
The Um interface
Uses combination of FDAM and TDMA to access the radio mediaFor example in GSM 900
124 channels 200 kHz wide (FDMA) for uplink/downlinkOnly channels 2 to 123 are used due to technical limitations32 channels are used by the network for management, etcLeaving 90 channels for MS to actually use for calls/data etcEach BTS manages 1 organisational channel and n(typically 10 user channels)
GSM
51
PBN (CE74024-3) 2004
The Um interface
GSM 900 cont…Each of the 248 channels is partitioned by time using TDMAEach TDMA frame is 4.615 ms longEach frame contains 8 GSM time slotsEach slot represents 577 µsTherefore each TDM channel occupies the 200 kHz channel for 577 µs every 4.615 ms
GSM
52
PBN (CE74024-3) 2004
The Um interface
GSM 900 cont…Data is transmitted in bursts, ETSI specifies 5 categories
normal burst – user & signalling datafrequency correction burst – used by the MS to correct its oscillation to avoid interference from adjacent channelssynchronization burst – for syncing BTS and MSaccess burst – used during connection set-updummy burst – used when no data is being transmitted
GSM
53
PBN (CE74024-3) 2004
The Um interface
GSM 900 cont…Normal burst
Of the 577 µs available for a normal burst, 30.5 is used as the guard space to avoid overlapping bursts (enough to contain 148bits of data)Each TDM channel has raw data rate of approx 33.8 kbits/sTotal throughput for the 8 slots is 270 kbits/s
GSM
54
PBN (CE74024-3) 2004
GSM TDM Slot
tail – usually 0’sTraining – used to assist receiver to allow it to adapt to current propagation characteristicsS flag – used to indicate if the associated data field contains user or network data
GSM
55
PBN (CE74024-3) 2004
The Um interface cont…
GSM 900 cont…Each time frame is shifted in time three slots
Eg if BTS sends data at time t0 in one slot of the downlink, the MS accesses slot 1 of the uplink at t0 + 3 x 577µs
Because of the specified FDM and TDM schemes, GSM and MS does not need to be full-duplex as MS switches between uplink and downlink GSM transmitters are relatively simple and low costFinally frequency hopping may be done between switching from uplink to downlink after each frame
GSM
56
PBN (CE74024-3) 2004
Objectives
Understanding:GSM ChannelsGSM protocol stackRoamingHandoverSecurityCall Setup
GSM
57
PBN (CE74024-3) 2004
GSM Logical Channels
Specifies two basic groupsTraffic channels (TCH)Control channels (CCH)
GSM
58
PBN (CE74024-3) 2004
Traffic Channels
Used to transmit dataOriginally two categories
full-rate TCH (TCH/F)– Data rate of 22.8 kbps– Used originally due to low performance codecs– Required 13kbps for voice– Recent improvement is enhanced full-rate (EFR) which requires
12.2kbpshalf-rate TCH (TCH/H)
– Data rate 5.6 kbps– Doubles capacity of the network– Lowers voice quality
3G systems use adaptive multi-rate traffic (AMR) channelsAdditional categories have been defined, for example TCH/F4.8, TCH/F9.6Basically these just have different coding and error correction schemes
GSM
59
PBN (CE74024-3) 2004
Control Channels
Used to control medium accessThree main groups have been defined
Broadcast Control Channel (BCCH)Common Control Channel (CCCH)Dedicated Control Channel (DCCH)
There are subgroups within the main groups!
GSM
60
PBN (CE74024-3) 2004
Broadcast Control Channels
Used by the BTS’s to signal information to the MS’s
Cell ID’sCell options (frequency hopping patterns, etc)Available frequencies
Subchannel groups includeFrequency Correction Channel (FCCH)Synchronisation Channel (SCH)
All BCCH’s are unidirectional
GSM
61
PBN (CE74024-3) 2004
Common Control Channels
Used for information exchange during connection set-up
For Mobile Terminated Calls (MTC) BTS uses a paging channel (PCH)For Mobile Originated Calls (MTO) MS uses the random access channel (RACH) this is a shared channel for all MS’s in a cellBTS uses an access grant channel (AGCH) to signal to MS to go to a specific TCH or SDCCH (see Dedicated Control Channels) to continue call set-up
All CCCH’s are unidirectional
GSM
62
PBN (CE74024-3) 2004
Dedicated Control Channels
If MS does not have a TCH open with the BTS it can open a stand-alone dedicated control channel (SDCCH) low data rate channel for signalling eg authentication data, registration, etc to allow it to set-up a TCHEvery TCH and SDCCH has an associated slow associated dedicated control channel (SACCH) used to exchange system data such as power levels and channel qualityIf a TCH exists then a fast associated control channel (FACCH) is used, commonly for cell handovers during calls
GSM
63
PBN (CE74024-3) 2004
Multiplexing Control Channels
GSM specifies a specific sequence for transmitting TCH/SACCH data12 slots of TCH followed by 1 SACCH followed by another 12 slots of TCH followed by an used slotThe combination of these 26 slots occurs on all GSM TDMA TCH framesThe combination of 26 of these frames is called a traffic multiframeSignalling data is combined into 51 TDMA frames called a control multiframeThese two are then multiplexed into superframeswhich in turn are multiplexed into hyperframes(2,715,648 TDMA frames with a duration of approx 3.5 hours!)
GSM
64
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
65
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
66
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
RadioControls the burstsSynchronisation with the BTS
Including delay correction (ie different delays, called round trip times RTT due to proximity of MS to BTS)
Idle channel detectionDownlink channel qualityEncryption/decryption between MS and BTS*Channel codingError detection/correctionVoice Activity Detection (VAD)Comfort Noise (CN)
GSM
67
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
68
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
LAPDm and LAPDLink access procedure for the D-channel, used in ISDN
m is lightweight version which does not perform error detection/correction at the air interfaceUsed to ensure reliability of connection (similar to HDLC on conventional computer networks)
Segmentation/reassembly of dataack/nack of data transfer
GSM
69
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
70
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
RRRadio resource managementRR split between BTS and BSC using BTS management (BTSM)Responsible for channel
SetupMaintenanceRelease
GSM
71
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
72
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
MMMobility ManagementHandles
RegistrationAuthenticationIdentificationLocation updatesProvisioning of
– Temporary Mobile Subscriber Identity TMSI for insertion into the VLR
GSM
73
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
74
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
CMCall ManagementContains three entities
Call Control (CC)– Point-to-point connection between two end-points
Short Message Service (SMS)– Uses SDCCH and SACCH (if no signalling data is sent)
Supplementary Service (SS)– Forwarding, etc
Responsible for in-band tones called dual tone multiple frequency (DTMF)
Eg Tone services such as PIN identification for answering machinesThese tones cannot be sent over voice channel as codec will distort them
GSM
75
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
GSM
76
PBN (CE74024-3) 2004
Overview of GSM Protocol Stacks
PCM64 kbps for voice16 kbps for data multiplexed to 64 kbps
SS7See lecture on SS7
Base Station Subsystem Application Part (BSSAP) may also be used for control of a BSS by an MSC
GSM
77
PBN (CE74024-3) 2004
Roaming
Major feature of GSM is automatic world wide location of users using the same phone numberHLR always contains data about MS locationAs soon as user moves location, HLR transmits data to appropriate VLRChanging VLR’s without interruption in service is called roaming
GSM
78
PBN (CE74024-3) 2004
Roaming
To locate MS requiresMobile Station ISDN number (MSISDN)
Consists of– country code (CC)– National Destination Code (NDC) usually the number of the network
provider– Subscriber number (SN) the phone number allocated to the SIM
International Mobile Subscriber Identity (IMSI)Consists of
– Mobile country code (MCC)– Mobile network code (MNC)– Mobile Subscriber Identification Number (MSIN)
Temporary Mobile Subscriber Identity (TMSI)Used to hide the IMSI over the air interface to protect their identity
Mobile Station Roaming Number (MSRN)Temporary address generated by the VLR containing the Visitor country code (VCC) and Visitor National Destination Code (VNDC)
GSM
79
PBN (CE74024-3) 2004
Handover
Crossing from one cell to another requires that the network update user location data, etc. Process is called handoverGSM aims at maximum handover duration of 60msTwo primary reasons for handover
Network cannot guarantee QOS due to distance from current BTSLoading on one BTS may necessitate transfer to another, load balancing
GSM
80
PBN (CE74024-3) 2004
Handover
BTS and MS perform periodic tests on the quality of uplink & downlink (approx every 0.5s) called Mobile Assisted Handover (MAHO)The values are compared to a handover margin (HO_MARGIN)Dependent upon difference between the current value and the HO_MARGIN handover decision is made by the BSCMSC is notified and it manages the connection to the new BSC/BTSMS has to drop existing connection once new one is established
GSM
81
PBN (CE74024-3) 2004
GSM Security
Original specification identified three security algorithms
A3 – used for authenticationA5 – used for encryptionA8 – used to generate cipher key
Only A5 was published by the ETSIIn 1998 A3/A8 leaked on the Internet, transpired that the claimed 64bit key used for cipher frequently only used 54bitsNetwork providers may add additional layers of securityOnly BTS to MS is encrypted
GSM
82
PBN (CE74024-3) 2004
Call setup – MS terminated (MTC)
PSTNPSTN GMSC
HLR
VLR
MSC
1 User dials mobile number
2 Fixed network identifies target as mobile & contacts the network via the gateway
GMSC identifies the targets HLR & signals call setup
After HLR checks subscriber data, it contacts VLR for current MSRN
HLR passes the MS’s current MSC to the GMSC
GMSC forwards call setup to MSC
MSC requests current MS status from VLR
Initiates paging in all cells in its LA
BTS’s transmit paging call to MS
If MS available, MSC requests VLR to set security. VLR returns all clear for connection to be established
3
4
5
6
7
8
9
10
1 2 3
4
5
6
7
BSSBSS
BSS
8
MS
9
10
GSM
83
PBN (CE74024-3) 2004
Call setup – MS Originated (MOC)
NetworkNetwork
VLR
MSC
1 MS transmits request for connection
2 Request forwarded to MSC
MSC checks subscriber services with VLR
MSC checks available resources throughout network & if all are available sets up connection.
Target may be:-Serviced by same MSC-Serviced by MSC on same network-Another network (mobile or fixed)
3
43
BSSBSS
BSS
2
MS
1
4