Southern Methodist University Fall 2003 EETS 8316/NTU CC745-N Wireless Networks

#1EETS 8316/NTU TC 745, Fall 2003 ENGINEERINGSMU

Southern Methodist University Fall 2003

EETS 8316/NTU CC745-NWireless Networks

Lecture 4: GSM

Instructor: Jila Serajemail: [email protected]

http://www.engr.smu.edu/~jseraj/tel: 214-505-6303


Review

In the last meeting we discussed

Handoff, challenges, solutions

Anchor MSC, path optimization

North American Numbering Plan

Numbers in GSM network


Review, Handoff

Movement into a different cell requires MTSO to automatically transfer call to another base station without interruption

Two types of handoff, hard handoff and soft handoff

BSC decides on handoff in the first generation of mobile network

BSC together with handset decides on handoff, MAHO


Review, Handoff, cont..

Phases of handoff are: handoff decision, resource reservation, execution, clearing resources.

Handoff challenges are: Performing handoff before signal strength becomes too low, do not perform unnecessary handoff, resource allocation, inter-MSC/inter-system handoff, handset capabilities

Anchor MSC remains in the call



BS BS

Anchor MSC New Serving MSC PSTN

• What happens if we go back to the anchor MSC?• IS-41 has handoff back facility

• What if a third MSC gets involved?• Path minimization process



BS

BS

Anchor MSC Target MSC

Serving MSC

BS

PSTN

HANDTHIRD

FACDIR

FACRELR

FACDIRR

1

3

2

4

HANDTHIRDR

6

5

7

MSONCH

10

8FACREL9



BS

BS

Anchor MSC

MSC

BS

PSTN

Call Path after path minimization process

New Serving MSC


Review, Registration, cont..

Registration, Power up/down, periodical, New system, Call origination

MS Service Qualification—validation information (billing)

—Service profile information, features, restrictions…


Review, Roaming, cont..

MS Location Update occurs at registration, deregistration, new location area, new system

Deregistration is either triggered by mobile (power down registration), by MSC for inactivity, by HLR at registration in another MSC.


Review, Border Case

If registration happens in several MSC, HLR decides which one is valid.

If registration happens in several BS, MSC determines which one is valid


Review, Paging

Paging is used when there is a terminating call to a mobile station.

A termination call is routed towards gateway MSC, Gateway MSC consults HLR, HLR request paging from visiting MSC, visiting MSC pages the handset, when page response is received HLR is informed, HLR send the visiting MSC address to gateway MSC that routes the call to visiting MSC and the terminating call is established.


Review, Paging, cont..

If multiple MSC responds to the page request, HLR chooses the valid page response


Review, North American Numbering Plan

North American Numbering Plan consists of 10 digits, NPA-NXX-XXXX

There is no way for a switch to identify that a number belongs to a mobile subscriber, nor can it identify the network provider.

Mobile network provider “buy” a certain number series in each area for their users.

Therefore we can not bill a caller to a mobile user for the air usage. They do it in other countries!


Review, Primer on RF

The radio frequencies are grouped into bands.

Each set of bands are dedicated to different purposes by FCC

Each frequency is logically divided into time slots for communication between mobile station and the base station.

Some time slots are reserved for user traffic, such as voice and data and other for signaling purposes.


Review, Cellular DCCH Structure

DCCH

Reverse Forward

RACH SPACH BCCH SCF Reserved

PCH ARCH SMSCH FBCCH EBCCH SBCCH


GSM General Architecture

BSS

MSC

VLR

HLR

EIR

AUC

MTTE

MS

Um

A

PSTN

BSC

BTS BTS

OMC

NMC

ADC

OSS

BSS

MS

GSM Public land mobilenetwork (PLMN)

OSS: operation subsystemBSS: base station subsystemMS: mobile station

Abis


GSM

Several first generation analog cellular systems in Europe but incompatible - limited roaming

1987-1989 ETSI standards for pan-European Global System for Mobile Communications (GSM, originally Group Special Mobile) at 900 MHz—1992 GSM is launched

—1990-1993 Standards for Digital Cellular System at 1800 MHz (DCS 1800, recently renamed GSM 1800; US version is PCS 1900)


GSM, cont..

Objectives:

—Broad offering of speech and data services

—Compatible with wireline networks, eg, ISDN

—Automatic roaming and handoff

—Highly efficient use of frequency spectrum

—Support for different types of mobile terminal equipment (eg, cars, portable handsets)


GSM, cont..

Objectives:

—Digital signaling and transmission

—Low cost infrastructure and terminal equipment


GSM, cont..

13 recommendations—R.00: Preamble—R.01: General structure of

recommendations, GSM overview—R.02: Service aspects: types of

services—R.03: Network aspects: architecture,

call routing, performance objectives—R.04: Mobile/base station interface

and protocols


GSM, cont..

—R.05: Physical layer on radio path: multiple access, channel coding, modulation, transmission

—R.06: Speech coding aspects

—R.07: Terminal adaptors for mobile stations

—R.08: Base station and mobile switching center (MSC) interface

—R.09: Interworking with PSTN and packet data networks


GSM, cont..

—R.10: Service interworking, short message service

—R.11: Equipment specification

—R.12: Operation and maintenance, tariffs, traffic administration


GSM, cont..

Summary of features

Channel bandwidth 200 kHz

Multiple access TDMA

Users/carrier 8

Speech coding rate 13 kb/s

FEC coded speech rate 22.8 kb/s


GSM, cont..

Summary of service quality requirements

Speech intelligibility 90%

Max one-way delay 90 ms

Max handoff gap 150 ms if intercell

Time to alert mobile ofinbound cell

4 sec first attempt, 15 sec final attempt

Release time to callednetwork

2 sec

Connect time to callednetwork

4 sec


GSM General Architecture, cont..

Mobile station (MS) communicates to base stations through radio interface Um

Mobile termination (MT) supports physical channel between MS and base station (radio transmission, channel coding, speech coding)



Terminal equipment (TE), eg, telephone set. Contains terminal/user-specific data in form of smart card (subscriber identify module or SIM card), plugs into any GSM terminal like credit card and identifies user to network for personal mobility (in addition to terminal mobility) and security



Base station Subsystem (BSS) communicates with mobile switching center through network interface A

Base Transceiver Station (BTS) handles channel allocation, signaling, frequency hopping, handover initiation, etc.

BTS communicates with BSC using Abis interface



Base station controller (BSC) manages radio channels, paging, handoff for several BTSs

BSC communicates with MSC using A interface

Mobile switching center (MSC) is gateway to PSTN and packet data networks

Performs switching, paging functions, MS location updating, handoff control, etc.



Home location register (HLR) stores subscriber info and part of MS’s location info to route incoming calls to visitor location register (VLR) where mobile is roaming

VLR registers users roaming in its area and assigns roaming numbers



Authentication center (AUC) is accessed by HLR to authenticate a user for service. It contains authentication and encryption keys for subscribers

Equipment identity register (EIR) allows stolen or fraudulent mobile stations to be identified



Operation subsystem (OSS) contains: operations and maintenance center (OMC), network management center (NMC), and administration center (ADC) . These network elements work together to monitor, control, maintain, and manage the network


GSM Logical and Physical Channels

Um interface: various logical channels are mapped to physical channels

A physical channel is a timeslot with timeslot number in a sequence of TDMA frames

8 physical channels mapped onto 8 timeslots within TDMA frame per frequency carrier


GSM Physical Channels

::

Frequency 124

Frequency 2

Frequency 1 Ch 1

Timeslot 1

Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

Ch 1 Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

Ch 1 Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

::

2 3 4 5 6 7 8

TDMA frame = 4.615 ms


GSM Logical Channel Structure

CCH

TCH/F TCH/H

BCH CCCH DCCH

FCCH SCH BCCH PCH AGCH RACH

TCH CBCH

ACCH SDCCH

FACCHSACCH


GSM Logical Channels

3 groups of logical channels, TCH, CCH and CBCH

TCH is used to carry voice or data traffic

CCH is used for control functions

CBCH is used for broadcast functions


GSM Logical Channels, cont..

Logical traffic channels = full rate (TCH/F) at 22.8 kb/s or half rate (TCH/H) at 11.4 kb/s

Physical channel = full rate traffic channel (1 timeslot) or 2 half rate traffic channels (1 timeslot in alternating frames)

Full rate channel may carry 13 kb/s speech or data at 12, 6, or 3.6 kb/s

Half rate channel may carry 6.5 kb/s speech or data at 6 or 3.6 kb/s


GSM Logical Channels, cont..

CCH consists of 3 groups of logical control channels, BCH, CCCH and DCCH

BCH (broadcast channel): point-to-multipoint downlink only. Contains three sub-channels, BCCH, FCCH and SCH

—BCCH (broadcast control channel): send cell identities, organization info about common control channels, cell service available, etc


GSM Logical Channels

—FCCH (frequency correction channel): send a frequency correction data burst containing all zeros to effect a constant frequency shift of RF carrier

—SCH (synchronization channel): send TDMA frame number and base station identity code to synchronize MSs


GSM Logical Channels, cont…

CCCH (common control channel): Consists of three sub-channels, PCH, AGCH and RACH. This channels is used for paging and access

—PCH (paging channel): to page MSs

—AGCH (access grant channel): to assign MSs to stand-alone dedicated control channels for initial assignment

—RACH (random access channel): for MS to send requests for dedicated connections



DCCH (dedicated control channel): bi-directional point-to-point -- main signaling channels. Consist of two sub-channels, SDCCH and ACCH

—SDCCH (stand-alone dedicated control channel): for service request, subscriber authentication, equipment validation, assignment to a traffic channel



—SACCH consist of two sub-channels, SACCH and FACCH

•SACCH (slow associated control channel): for out-of-band signaling associated with a traffic channel, eg, signal strength measurements

•FACCH (fast associated control channel): for preemptive signaling on a traffic channel, eg, for handoff messages


OSI Model for SS7

TCAP MAPISUP INAPMUP OMAPLayer 4-7

SCCP

MTPLayer 3

Signaling link function, Signaling link physical requirementLayer 1-2


GSM Interfaces, cont..

RF

LAPD

MM

RRM

CM

RRM

RF

LAPD LAPD

RF

RRM

RF

LAPD LAPD

RF

SCCP

RF

LAPD

MM

RRM

CM

SCCP

Air InterfaceUm Abis A


GSM Protocol Layers

RF : Physical Layer

LAPD: Link Layer, ISDN protocol based

SCCP: Signal Connection Control Layer, part of link layer

RR: Radio Resource

MM: Mobility Management

CC: Call Control


GSM Network Layer

Network layer consists of 3 sublayers

Radio resource management (RR) sublayer—Establishment, maintenance, and termination of

radio channel connections

Mobility management (MM) sublayer—Registration, authentication, and location tracking

Call control (CC) sublayer—Establishment, maintenance, and termination of

circuit-switched calls


GSM Interfaces

MSC

AUC

Base Station SubsystemBSS

Switching System

BSSAP

VLR HLREIR

MAP

MAP

MAP

VLR

MAP


GSM Interfaces, cont…

MS

BTS

BSC

LAPD

Base Station SubsystemBSS

Switching System

BSSAP


GSM Numbers

International mobile station equipment identity (IMEI). IMEI= TAC + FAC + SNR + SP— TAC = Type Approval Code, 6 decimals

— FAC = Final Assembly Code, 6 decimals, assigned by manufacturer

— SNR = Serial Number, 6 decimals, assigned by manufacturer

— SP = Spare, 1 decimal place

EIR has while, black and optionally grey list.


GSM Numbers

International mobile station equipment identity (IMEI). IMEI= TAC + FAC + SNR + SP— TAC = Type Approval Code, 6 decimals

— FAC = Final Assembly Code, 6 decimals, assigned by manufacturer

— SNR = Serial Number, 6 decimals, assigned by manufacturer

— SP = Spare, 1 decimal place

EIR has while, black and optionally grey list


GSM Numbers, cont…

International mobile Subscriber Identity (IMSI). Stored on the SIM (Subscriber Identity Module) card. IMSI is obtained at the time of subscription. IMSI is not made public.

IMSI = MCC + MNC + MSIN

MCC = Mobile Country Code, 3 decimals

MNC = Mobile Network Code, 2 decimals



MSIN = Mobile Subscriber Identification Number, maximum 10 decimal digits

Mobile Station ISDN number (MSISDN), is the real phone number of the subscriber. Stored in HLR and on SIM card

MSISDN = CC + NDC + SN

CC = Country Code, up to 3 decimals



NDC = National Destination Code, typically 2-3 decimals

SN = Subscriber Number, maximum 10 decimals.

Mobile Station Roaming Number (MSRN), same format as MSISDN. A temporary location dependent ISDN number.

Is assigned in two cases, at registration or at call set up.



Location Area Identity (LAI). Regularly sent on BCCH LAI = CC + MNC + LAC,

LAC = Location Area Code, max 5 decimals (<FFFFhex).

Temporary Mobile Subscriber Identity (TMSI). Stored only in the VLR and SIM card. Consists of 4*8 bits excluding value FFFF FFFFhex



TMSI has only local meaning and can be defines according to operator’s specifications.

LAI + TMSI uniquely identifies the user, I.e. IMSI is no longer needed for ongoing communication


GSM Numbers, cont..

Local Mobile Subscriber Identity (LMSI). Created in VLR and stored in HLR.

Like TMSI is operator defined.

Used in communication with VLR to speed the search for mobile records.

Speed is essential to achieve short call setup times.



Global Cell Id = LAI + CI

CI = Cell id, unique id within the LAI. Maximum 2*8 bits

Base Transceiver Station Identity Code (BSIC) = NCC + BCC



BSIC is broadcast periodically by the base station on the synchronization channel.

NCC = Network Color Code, 3 bits

BCC = Base Station Color Code, 3 bits


GSM Roaming From Another PLMN

VLR registers users roaming in its area

—Recognizes mobile station is from another PLMN

—If roaming is allowed, VLR finds the mobile’s HLR in its home PLMN

—VLR constructs a global title from IMSI to allow signaling from VLR to mobile’s HLR via public telephone network


GSM Roaming, cont...

VLR registers users roaming in its area

—VLR generates a mobile subscriber roaming number (MSRN) used to route incoming calls to mobile station

—MSRN is sent to mobile’s HLR


GSM Roaming, cont…

VLR contains

—MSRN

—TMSI

—Location area where mobile station has registered

—Info for supplementary services (if any)

—IMSI

—HLR or global title

—Local identity for mobile station (if any)


GSM Security

3 security problems: unauthorized access, privacy from eavesdropping, protection of subscriber identity/location

Unauthorized (fraudulent) access

—GSM handsets must be presented with a subscriber identity module (SIM)

—SIM must be validated with personal identification number (PIN)


GSM Security, cont…

Unauthorized (fraudulent) access

—SIM also stores subscriber authentication key, authentication algorithm, cipher key generation algorithm, encryption algorithm

—During registration (when roaming), mobile station receives “challenge” and uses authentication key and authentication algorithm to generate “challenge response” to verify user’s identity



Privacy from eavesdropping

—Temporary encryption key is used for privacy of data, signaling, and voice

—Info is encrypted before transmission



Anonymity of users

—Supported by temporary mobile subscriber ID (TMSI)

—When registered, mobile station sends globally-unique international mobile subscriber ID (IMSI) to network

—Network assigns TMSI for use during call - IMSI is not sent over radio link



Anonymity of users

—Only network and mobile station know true identity

—New TMSI is assigned when roam into new area


GSM Security, cont..

Fetched triplets are stored in VLR—Every call uses up one triplet (discarded)

—Another set must be fetched when exhausted

Visited system

Registration requestIMSI/TMSI identifies user, LAI points to old VLR,requests data toauthenticate user

IMSI/TMSI + LAI

Subscriber data

Old VLR


Assignment

Wireless personal communications, Chapter 7

Rappaport what pages



Visited system

Challenge

Requests tripletsfrom home system,chooses a tripletCalculates

responseby authen-

ticationalgorithm

Challenge response Compares to storedresponse in triplet, registration successfulif matches

New TMSI

Acknowledge

Assigns new TMSI



Visited system

Registrationcancel

Location update

AcknowledgeHLR

Old VLR


GSM Handoffs

3 types of handoffs

—Intra-BSS: if old and new BTSs are attached to same base station

•MSC is not involved

—Intra-MSC: if old and new BTSs are attached to different base stations but within same MSC

—Inter-MSC: if MSCs are changed


GSM Intra-MSC Handoff

Mobile station monitors signal quality and determines handoff is required, sends signal measurements to serving BSS

Serving BSS sends handoff request to MSC with ranked list of qualified target BSSs

MSC determines that best candidate BSS is under its control (assumed here)

MSC reserves a trunk to target BSS


GSM Intra-MSC Handoff, cont..

Target BSS selects and reserves radio channels for new connection, sends Ack to MSC

MSC notifies serving BSS to begin handoff, including new radio channel assignment

Serving BSS forwards new radio channel assignment to mobile station

Mobile station re-tunes to new radio channel, notifies target BSS on new channel


GSM Intra-MSC Handoff, cont..

Target BSS notifies MSC that handoff is detected

Target BSS and mobile station exchange messages to synchronize transmission in proper timeslot

MSC switches voice connection to target BSS, which responds when handoff is complete

MSC notifies serving BSS to release old radio traffic channel


GSM Inter-MSC Handoff

Mobile station monitors signal quality and determines handoff is required, sends signal measurements to serving BSS

Serving BSS sends handoff request to MSC with ranked list of qualified target BSSs

Serving MSC determines that best candidate BSS is under control of a target MSC (assumed here) and calls target MSC through PSTN


GSM Inter-MSC Handoff, cont..

Target MSC notifies its VLR to assign a TMSI

Target VLR returns TMSI

Target MSC reserves a trunk to target BSS

Target BSS selects and reserves radio channels for new connection, sends Ack to target MSC

Target MSC notifies serving MSC that it is ready for handoff



Serving MSC notifies serving BSS to begin handoff, including new radio channel assignment

Serving BSS forwards new radio channel assignment to mobile station

Mobile station re-tunes to new radio channel, notifies target BSS on new channel

Target BSS notifies target MSC that handoff is detected



Target BSS and mobile station exchange messages to synchronize transmission in proper timeslot

Voice connection is switched to target BSS, which responds when handoff is complete

Target MSC notifies serving MSC

Old network resources are released


Reading Suggestion

Wireless Communications: Principles and Practice, Rappaport, sections 2.1

Wireless personal communications systems, Goodman, Chapter 7

Southern Methodist University Fall 2003 EETS 8316/NTU CC745-N Wireless Networks

Documents

Transcript of Southern Methodist University Fall 2003 EETS 8316/NTU CC745-N Wireless Networks