2G Mobile Communication Systems
2G Review: GSM (Services, Architecture, Protocols, Call setup, Mobility management, Security), HSCSD, GPRS, EDGE

References
- Jochen Schiller: Mobile Communications (German and English), Addison-Wesley, 2000 (most of the material covered in this chapter is based on the book)
- Michel Mouly, Marie-Bernadette Pautet: The GSM System for Mobile Communications. Telecom Pub, June 1992
- Jörg Eberspaecher et al.: GSM Switching, Services and Protocols. John Wiley and Sons Ltd, 2001
- Siegmund Redl et al.: GSM and Personal Communications Handbook. Artech House, 1998
- Gunnar Heine: GSM Networks: Protocols, Terminology, and Implementation. Artech House Mobile Communications Library. Artech House Publishers, 1998

Public Land Mobile Network (PLMN)
- Definition: a network established and operated by an administration to provide land-based mobile telecommunications services to the public
- a PLMN may be regarded as an extension of a network (e.g. an ISDN)
- a PLMN consists of a collection of areas within a common numbering plan (e.g. same National Destination Code) and a common routing plan
- PLMNs are independent telecommunications entities
Source: 3GPP 23.002-5.5.0

GSM: Mobile Services
- GSM offers several types of connections
  - voice connections
  - data connections
  - short message service
  - multi-service options (combination of basic services)
- Three service domains (a mobile model of ISDN)
  - Bearer Services
  - Teleservices
  - Supplementary Services
[Figure: bearer services and teleservices along the path TE, MT (together the MS), GSM-PLMN, transit network (PSTN, ISDN), source/destination network, TE; reference points R, S, Um and (U, S, R)]
- PLMN: Public Land Mobile Network
- PSTN: Public Switched Telephone Network
- ISDN: Integrated Services Digital Network
- MS: Mobile Station
- MT: Mobile Termination (radio-specific part)
- TE: Terminal

Bearer Services
- Telecommunication services to transfer data between access points
- Specification of services up to the terminal interface (OSI layers 1-3)
- Different data rates for voice and data (original standard)
  - data service (circuit switched)
    - synchronous: 2.4, 4.8 or 9.6 kbit/s
    - asynchronous: 300-1200 bit/s
  - data service (packet switched) -> superseded by GPRS
    - synchronous: 2.4, 4.8 or 9.6 kbit/s
    - asynchronous: 300-9600 bit/s

Teleservices
- Telecommunication services that enable voice communication via mobile phones
- mobile telephony
  - primary goal of GSM was to enable mobile telephony offering nearly ISDN quality (bandwidth of 7 kHz)
  - Today: Fullrate codec (FR, 13 kb/s), Halfrate (HR, 5.6 kb/s), Enhanced Fullrate (EFR, 12.2 kb/s)
- emergency number
  - common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible)
- multinumbering
  - several ISDN phone numbers per user possible
- Non-Voice Teleservices
  - group 3 fax
  - voice mailbox (implemented in the GSM network)
  - Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS

Supplementary services
- Services in addition to the basic services
  - cannot be offered stand-alone
  - similar to ISDN services besides lower bandwidth due to the radio link
  - may differ between different service providers, countries and protocol versions
- Important services
  - call forwarding
  - identification: forwarding of caller number
  - suppression of number forwarding (CLIP, CLIR)
  - automatic call-back
  - conferencing with up to 7 participants
  - locking of the mobile terminal (incoming or outgoing calls)
  - ...

Architecture of the GSM system
- GSM is a PLMN (Public Land Mobile Network)
  - several providers set up mobile networks following the GSM standard within each country
- GSM system comprises 3 subsystems
  - RSS (radio subsystem): covers all radio aspects
    - MS (mobile station)
    - BSS (base station subsystem) or RAN (radio access network)
      - BTS (base transceiver station)
      - BSC (base station controller)
  - NSS (network and switching subsystem): call forwarding, handover, switching
    - MSC (mobile services switching center)
    - LR (location register): HLR and VLR
  - OSS (operation subsystem): management of the network
    - OMC (operation and maintenance centre)
    - AuC (authentication centre)
    - EIR (equipment identity register)

GSM: overview
[Figure: NSS with OSS (OMC, EIR, AUC, HLR, GMSC towards the fixed network, VLR/MSC pairs) above the RSS (BSCs and BTSs)]
- BTS to BSC: n:1 (tree)
- BSC to MSC: n:1 (tree)
- MSC to VLR: 1:1
- MSC to MSC: meshed network

GSM: elements and interfaces
[Figure: MSs in radio cells with BTS and BSC in the BSS (RSS); MSC, VLR, HLR, GMSC and IWF in the NSS, with signaling and links to ISDN, PSTN and PDN; EIR, AUC and OMC in the OSS, attached via the O interface]
- Um Interface (MS and BTS): radio, air interface
- Abis Interface (BTS and BSC)
- A Interface (BSC and MSC)
- Interfaces B,...,H within NSS (between MSC, VLR and HLR)

Radio subsystem
- The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers
- Components
  - Base Station Subsystem (BSS):
    - Base Transceiver Station (BTS): radio components including sender, receiver, antenna; one BTS can cover several cells
    - Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface)
    - BSS = BSC + sum(BTS) + interconnection
  - Mobile Stations (MS)

Base Transceiver Station and Base Station Controller
- Tasks of a BSS are distributed over BSC and BTS
- BTS comprises radio specific functions of lower layers (PHY, MAC)
- BSC manages and controls the radio channels in the BTS and terrestrial channels to BTS and MSC
- Design Principle: central intelligence = BSC, dumb radio station = BTS

| Functions | BTS | BSC |
|---|---|---|
| Management of radio channels | | X |
| Frequency hopping (FH) | X | X |
| Management of terrestrial channels | | X |
| Mapping of terrestrial onto radio channels | | X |
| Channel coding and decoding | X | |
| Rate adaptation | X | |
| Encryption and decryption | X | X |
| Paging | X | X |
| Uplink signal measurements | X | |
| Traffic measurement | | X |
| Authentication | | X |
| Location registry, location update | | X |
| Handover management | | X |

GSM: cellular network
[Figure: segmentation of the area into cells, showing the possible radio coverage of a cell and the idealized shape of the cell]
- use of several carrier frequencies
- not the same frequency in neighboring cells
- cell radius varies from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
- hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
- if a mobile user changes cells -> handover of the connection to the neighbor cell

GSM: Air Interface
- FDMA (Frequency Division Multiple Access) / FDD (Frequency Division Duplex)
  - Uplink: 890 MHz to 915 MHz, channels 1, 2, 3, ..., 123, 124
  - Downlink: 935 MHz to 960 MHz, channels 1, 2, 3, ..., 123, 124
  - 200 kHz per channel
- TDMA (Time Division Multiple Access)
  - Downlink: time slots 1 to 8
  - Uplink: time slots 1 to 8
  - 4.615 ms = 1250 bit time

GSM: Voice Coding
- Processing chain: Voice coding, Channel coding, Framing, Modulation (GMSK); 114 bit/slot, 114 + 42 bit
- GSM TDMA frame: time slots 1 to 8, 4.615 ms
- GSM time-slot (normal burst), 546.5 µs for the burst and 577 µs for the slot:
  guard space | tail (3 bits) | user data (57 bits) | S (1 bit) | training (26 bits) | S (1 bit) | user data (57 bits) | tail (3 bits) | guard space
- Guard (8.25 bits): avoid overlap with other time slots (different time offset of neighboring slot)
- Training sequence: select the best radio path in the receiver and train equalizer
- Tail: needed to enhance receiver performance
- Flag S: indication for user data or control data

GSM hierarchy of frames
- hyperframe: superframes 0 ... 2047, 3 h 28 min 53.76 s
- superframe: multiframes 0 ... 50 (traffic) or 0 ... 25 (control), 6.12 s
- traffic multiframe: frames 0 ... 25, 120 ms
- control multiframe: frames 0 ... 50, 235.4 ms
- frame: slots 0 ... 7, 4.615 ms
- slot (burst): 577 µs
- traffic multiframe:
  - 24 frames (22.8 kbps) used for traffic channel (user data), or fast signaling
  - 1 frame (950 bps) used for slow signaling, 1 frame unused

Mobile station
- Terminal for the use of GSM services
- A mobile station (MS) comprises several functional groups
  - MT (Mobile Termination):
    - offers common functions used by all services the MS offers
    - corresponds to the network termination (NT) of an ISDN access
    - end-point of the radio interface (Um)
  - TA (Terminal Adapter):
    - terminal adaptation, hides radio specific characteristics
  - TE (Terminal Equipment):
    - peripheral device of the MS, offers services to a user
    - does not contain GSM specific functions
  - SIM (Subscriber Identity Module):
    - personalization of the mobile terminal, stores user parameters, and security algorithm
[Figure: TE, TA and MT in sequence, with reference points R, S and Um]

Network and switching subsystem (NSS)
- NSS is the main component of the public mobile network GSM
  - switching, mobility management, interconnection to other networks, system control
- Components
  - Mobile Services Switching Center (MSC): controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to an MSC
  - Databases (important: scalability, high capacity, low delay)
    - Home Location Register (HLR): central master database containing user data, permanent and semipermanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    - Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR

Operation subsystem
- The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
- Components
  - Authentication Center (AUC)
    - generates user-specific authentication parameters on request of a VLR
    - authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
  - Equipment Identity Register (EIR)
    - registers GSM mobile stations and user rights
    - stolen or malfunctioning mobile stations can be locked and sometimes even localized
  - Operation and Maintenance Center (OMC)
    - different control capabilities for the radio subsystem and the network subsystem

Basic Functions in GSM Systems
- Connection Setup
- Handover
- Location management
- Roaming
- Authentication

Connection Setup & Radio Resource Assignment
[Figure: BS, BSC, MSC]

Mobile Terminated Call (MTC)
- 1: calling a GSM subscriber
- 2: forwarding call to GMSC
- 3: signal call setup to HLR
- 4, 5: request MSRN from VLR
- 6: forward responsible MSC to GMSC
- 7: forward call to current MSC
- 8, 9: get current status of MS
- 10, 11: paging of MS
- 12, 13: MS answers
- 14, 15: security checks
- 16, 17: set up connection
[Figure: numbered steps 1 to 17 between the calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]

Mobile Originated Call (MOC)
- 1, 2: connection request
- 3, 4: security check
- 5-8: check resources (free circuit)
- 9-10: set up call
[Figure: numbered steps 1 to 10 between MS, BSS, MSC, VLR, GMSC and PSTN]

Handover
- The problem: change the cell while communicating
- Reasons for handover:
  - Quality of radio link deteriorates
  - Communication in other cell requires fewer radio resources
  - Supported radius is exceeded (e.g. Timing advance in GSM)
  - Overload in current cell
  - Maintenance
[Figure: link quality over time for the link to cell 1 and the link to cell 2, with the handover margin (avoid ping-pong effect)]

4 types of handover
[Figure: handover cases 1 to 4 across MS, BTS, BSC, (Anchor) MSC and GMSC]
- intra-cell handover: reason: quality, interference
- inter-cell handover/intra BSS: within same BSS, handled by BSC (reason: mobility, receipt level, power budget, load)
- inter-cell handover/inter BSS: between BSCs at the same MSC
- inter-cell handover/inter MSC: between BSCs of different MSCs
- Anchor MSC: the initial MSC, which started the connection, keeps control

GSM: Handover Principle
[Figure: connections between the mobile and the BSs before, during and after handover]
- Hard handover, make before break
- Mobile assisted handoff/handover (MAHO):
  - MS sends regular measurement reports to network (own cell, neighbor cells, every 480 ms)
  - Network (old BSC) decides upon handover (when, target cell)
  - Network (old BSC) sets up new communication path
  - Network (old BSC) instructs the MS to execute handover

Handover procedure (change of BSC)
- Make-before-break strategy
[Figure: message sequence chart between MS, BTS old, BSC old, MSC, BSC new and BTS new. Messages shown: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, HO command, HO access, HO request ack, ch. activation ack, link establishment, clear command, clear complete, HO complete; the "make" phase precedes the "break" phase]

Security in GSM
- Security service: system was designed with a moderate level of security to authenticate the subscriber using a pre-shared key and challenge-response.
- access control/authentication
  - user to SIM (Subscriber Identity Module): secret PIN (personal identification number)
  - SIM to network: challenge response method
  - no authentication of network!
- confidentiality
  - voice and signaling encrypted on the wireless link (after successful authentication)
- anonymity
  - temporary identity TMSI (Temporary Mobile Subscriber Identity)
  - newly assigned at each new location update
  - encrypted transmission
- 3 algorithms specified in GSM
  - A3 for authentication ("secret", open interface)
  - A5 for encryption (standardized)
  - A8 for key generation ("secret", open interface)
- "secret": A3 and A8 available in the Internet; network providers can use stronger mechanisms

GSM - authentication
- Challenge-Response:
  - Authentication center provides RAND to Mobile
  - AuC generates SRES using Ki of subscriber and RAND via A3
  - Mobile (SIM) generates SRES using Ki and RAND
  - Mobile transmits SRES to network (MSC)
  - network (MSC) compares received SRES with one generated by AuC
[Figure: on the network side the AuC feeds Ki (128 bit) and RAND (128 bit) into A3, giving SRES* (32 bit); the network sends Authentication Request (RAND) to the mobile; on the SIM, RAND (128 bit) and Ki (128 bit) go into A3, giving SRES (32 bit); the mobile returns Authentication Response (SRES, 32 bit); the MSC checks SRES* =? SRES]
- Ki: individual subscriber authentication key
- SRES: signed response

GSM - key generation and encryption
- Ciphering:
  - Data sent on air interface ciphered for security
  - A8 algorithm used to generate cipher key
  - A5 algorithm used to cipher/decipher data
  - Ciphering key is never transmitted on air
[Figure: in the network the AuC feeds Ki (128 bit) and RAND (128 bit) into A8, giving cipher key Kc (64 bit) for the BTS; RAND is sent to the MS with SIM, where Ki (128 bit) and RAND (128 bit) go into A8 on the SIM, giving Kc (64 bit); MS and BTS each apply A5 with Kc, so that encrypted data crosses the air interface]

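The authentication and key-generation exchange from the two slides above, as an added example that is not part of the original slides. HMAC-SHA256 stands in for A3, A8 and A5 (only the bit lengths come from the slides), and the function names, the sample Ki and the frame-number input to the A5 stand-in are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumption): the real A3/A8 run inside the SIM and the AuC and the
# real A5 is a standardized stream cipher. HMAC-SHA256 replaces all three here;
# only the input/output sizes follow the slides.

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: (Ki, RAND) -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: (Ki, RAND) -> 64-bit cipher key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in for A5: XOR up to 32 bytes with a keystream from Kc and frame number."""
    ks = hmac.new(kc, frame_no.to_bytes(4, "big"), hashlib.sha256).digest()
    if len(data) > len(ks):
        raise ValueError("this stand-in ciphers at most 32 bytes per frame")
    return bytes(d ^ k for d, k in zip(data, ks))

def auc_triplet(ki: bytes):
    """AuC: fresh 128-bit RAND plus the expected SRES* and Kc for this subscriber."""
    rand = secrets.token_bytes(16)
    return rand, a3(ki, rand), a8(ki, rand)

def sim_respond(ki: bytes, rand: bytes):
    """SIM: computes SRES and Kc for whatever RAND arrives. Nothing in the
    exchange proves who sent it (the slides' 'no authentication of network')."""
    return a3(ki, rand), a8(ki, rand)

def run_exchange(ki_at_auc: bytes, ki_on_sim: bytes):
    """One authentication round; returns (accepted, Kc at network, Kc at mobile)."""
    rand, sres_star, kc_net = auc_triplet(ki_at_auc)   # AuC -> MSC
    sres, kc_ms = sim_respond(ki_on_sim, rand)          # RAND out, SRES back
    accepted = hmac.compare_digest(sres_star, sres)     # MSC: SRES* =? SRES
    return accepted, kc_net, kc_ms

if __name__ == "__main__":
    KI = bytes(range(16))                               # constructed sample Ki
    ok, kc_net, kc_ms = run_exchange(KI, KI)
    burst = a5(kc_ms, 1234, b"voice frame")             # MS ciphers, Kc never sent
    print(ok, a5(kc_net, 1234, burst))                  # BTS deciphers
```

Only RAND and SRES cross the air interface; both sides derive the same Kc locally, and a SIM holding a different Ki fails the SRES comparison and ends up with a different Kc.
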
2G+: GSM Evolution
- Limits of GSM
  - limited capacity at the air interface: data transmission standardized with only 9.6 kbit/s
  - advanced coding allows 14.4 kbit/s
  - not enough for Internet and multimedia applications => EDGE
  - inappropriateness for bursty and non-symmetrical data traffic => GPRS
- Extensions
  - HSCSD (High-Speed Circuit Switched Data)
  - GPRS (General Packet Radio Service)
  - EDGE (Enhanced Data Rate for GSM Evolution)
  - EGPRS (EDGE and GPRS)
  - GERAN (GSM Interface to UMTS)

HSCSD (High-Speed Circuit Switched Data)
- continuous use of multiple time slots for a single user (on a single carrier frequency)
- asynchronous allocation of time slots between DL and UL
- gain: net data rate up to 115.2 kbps (allocation of all 8 traffic channels)
[Figure: downlink and uplink TDMA frames, time slots 1 to 8]
- mainly software update
- additional HW needed if more than 3 slots are used

GPRS (General Packet Radio Service)
- Introducing packet switching in the network
- Using shared radio channels for packet transmission over the air:
  - multiplexing multiple MS on one time slot
  - flexible (also multiple) allocation of timeslots to MS (scheduling by PCU, Packet Control Unit, in BSC or BTS)
[Figure: multiplexing and multislot capability, time slots (TS) 0 to 7 on a carrier]
- using free slots only if data packets are ready to send (e.g., 115 kbit/s using 8 slots temporarily)
- standardization 1998, introduction 2001
- advantage: first step towards UMTS, flexible data services

GPRS architecture and interfaces
[Figure: connection-oriented packet switched core: MS, BSS, SGSN, GGSN and PDN / Internet connected via the Um, Gb, Gn and Gi interfaces; a further SGSN attached via Gn; MSC, HLR/GR, VLR and EIR alongside]

EDGE (Enhanced Data Rates for GSM Evolution)
- Enhanced spectral efficiency depends on:
  - Size of frequency band
  - Duration of usage
  - Level of interference with others (power)
  - Near-far problem
- EDGE Technology:
  - EDGE can carry data speeds up to 236.8 kbit/s for 4 timeslots (theoretical maximum is 473.6 kbit/s for 8 timeslots)
  - Adaptation of modulation depending on quality of radio path
    - GMSK (GSM standard, 1 bit per symbol)
    - 8-PSK (3 bits per symbol)
  - Adaptation of coding scheme (redundancy) depending on quality of radio path (9 coding schemes)
- Gain: data rate (gross) up to 69.2 kbps (compare to 22.8 kbps for GSM)
- complex extension of GSM!
[Figure: NodeB, UE 1, UE 2]

2G to 3G Evolution: GSM - GPRS - UMTS
[Figure, stage GSM: GSM RAN with controller; ATM-based transmission; GSM Core (circuit switched) with MSC, GMSC, HLR, AuC and EIR; ISDN]

2G to 3G Evolution: GSM - GPRS - UMTS
[Figure, stage GSM+GPRS: GSM RAN with controller; ATM-based transmission; GSM Core (circuit switched) with MSC, GMSC, HLR, AuC and EIR; ISDN; GPRS Core (packet switched) with SGSN and GGSN; Internet]

2G to 3G Evolution: GSM - GPRS - UMTS R99
[Figure, stage GSM+GPRS+UMTS R99: GSM RAN with controller and UTRAN with radio network controller; ATM-based transmission; GSM Core (circuit switched) with MSC, GMSC, HLR, AuC and EIR; ISDN; GPRS Core (packet switched) with SGSN and GGSN; Internet]

2G to 3G Evolution: GSM - GPRS - UMTS R5 - IMS
[Figure, stage GERAN + UMTS R5 + IMS: GERAN (GSM RAN with controller) and UTRAN (radio network controller); IP-based transmission; GPRS / 3G Core (packet switched) with SGSN and GGSN; Internet]