Wireless Networks Part 1 - University of Pittsburghdtipper/2727/2727_Slides2.pdf · 2013-12-11 ·...
Wireless Networks Part 1
David Tipper
Associate Professor
Department of Information Science and Telecommunications
University of Pittsburgh
http://www.sis.pitt.edu/~dtipper/2727.html
Slides 2
Infsci 1073/Telcom 2727 2
Mobile Application Space
Device Network
Wireless Network
Transport Network
Content Network
Social Network
In application development need to understand characteristics of wireless network
Usually the bottleneck in terms of performance
Infsci 1073/Telcom 2727 3
Wireless Networks
– Wireless Wide Area Networks (WWANs)
  • Cellular Networks: GSM, cdmaone (IS-95), UMTS, cdma2000 EVDO
  • Satellite Networks: Iridium, Globalstar, GPS, etc.
– Wireless Metro Area Networks (WMANs)
  • IEEE 802.16 WiMAX
– Wireless Local Area Networks (WLANs)
  • IEEE 802.11, a, b, g, etc. (infrastructure, ad hoc, sensor)
– Wireless Personal Area Networks (WPANs)
  • IEEE 802.15 (Bluetooth), IrDa, Zigbee, sensor, etc.
Infsci 1073/Telcom 2727 4
Wireless Networks
• WWANs
  – Geographic coverage: National, continent wide
  – Typical throughput: 2G: 9.6 – 45 Kbps; 2.5G: 50 – 300 Kbps; 3G: 50 kbps – 2 Mbps; 3.5G: .1 – 10 Mbps
  – Standards: 2G: GSM, cdmaone; 2.5G: GPRS, cdma 2000 1X-rtt; 3G: UMTS, cdma2000 1x-EVDO; 3.5G: HSDPA
• WLANs
  – Geographic coverage: In building, campus wide, subdivision wide; range ~ 100 m per AP
  – Typical throughput: 1 – 106 Mbps
  – Standards: IEEE 802.11 a, b, g, etc.
• WPANs
  – Geographic coverage: 5 – 10 m around device
  – Typical throughput: .1 – 1 Mbps
  – Standards: IEEE 802.15, IrDa, Bluetooth, Zigbee
• WMANs
  – Geographic coverage: Metro, suburb, campus, 1 – 15 km
  – Typical throughput: 100 Mbps
  – Standards: IEEE 802.16
Infsci 1073/Telcom 2727 5
Common Issues
• Wireless Communication Channel
  – poor quality channel (noise, interference, etc.)
  – coverage and data rate inconsistent
  – frequencies regulated
  – power levels regulated
  – security problems
  – Hidden terminal problem
• Mobility of devices
  – May need to track location and perform handoffs
  – Limited capabilities of devices
  – Power management of devices
Infsci 1073/Telcom 2727 6
Frequencies for Communication
• Frequency and wavelength: λ = c/f
• Wavelength λ, speed of light c ≅ 3 x 10^8 m/s, frequency f in Hz
• VLF = Very Low Frequency
• LF = Low Frequency
• MF = Medium Frequency
• HF = High Frequency
• VHF = Very High Frequency
• UHF = Ultra High Frequency
• SHF = Super High Frequency
• EHF = Extra High Frequency
• UV = Ultraviolet Light
• VHF-/UHF-ranges for mobile radio
• SHF and higher for directed radio links, satellite communication
• Wireless LANs use frequencies in UHF to SHF spectrum
[Figure: frequency spectrum. Wavelength / frequency scale: 1 Mm / 300 Hz, 10 km / 30 kHz, 100 m / 3 MHz, 1 m / 300 MHz, 10 mm / 30 GHz, 100 μm / 3 THz, 1 μm / 300 THz. Bands: VLF, LF, MF, HF, VHF, UHF, SHF, EHF, infrared, visible light, UV. Media: twisted pair, coax cable, optical transmission.]
Infsci 1073/Telcom 2727 8
Frequency Allocations
• WWANs (licensed spectrum, FDD)
  – Europe: Cellular: 453-457 MHz, 463-467 MHz; PCS: 890-915 MHz, 935-960 MHz; 1710-1785 MHz, 1805-1880 MHz; 3G: 1920-1996 MHz, 2110-2186 MHz
  – USA: Cellular: 824-849 MHz, 869-894 MHz; PCS: 1850-1910 MHz, 1930-1990 MHz
  – Japan: Cellular: 810-826 MHz, 940-956 MHz; 1429-1465 MHz, 1477-1513 MHz; 3G: 1918.1-1980 MHz, 2110-2170 MHz
• WLANs (unlicensed spectrum, TDD)
  – Europe: IEEE 802.11: 2400-2483 MHz, 5.7-5.825 GHz; HIPERLAN 1: 5176-5270 MHz
  – USA: IEEE 802.11: 2400-2483 MHz (b, g), 5.7-5.825 GHz (a)
  – Japan: IEEE 802.11: 2471-2497 MHz (b, g), 5.7-5.825 GHz (a)
• WPANs (unlicensed spectrum, TDD)
  – Europe: IEEE 802.15 (Bluetooth): 2400-2483 MHz
  – USA: IEEE 802.15: 2400-2483 MHz
  – Japan: IEEE 802.15: 2471-2497 MHz
Infsci 1073/Telcom 2727 9
Frequencies for Communication
• Frequency and wavelength: λ = c/f
• Wavelength λ, speed of light c ≅ 3 x 10^8 m/s, frequency f in Hz
• VLF = Very Low Frequency
• LF = Low Frequency
• MF = Medium Frequency
• HF = High Frequency
• VHF = Very High Frequency
• UHF = Ultra High Frequency
• SHF = Super High Frequency
• EHF = Extra High Frequency
• UV = Ultraviolet Light
• VHF-/UHF-ranges for cell phones
• SHF and higher for directed radio links, satellite communication
• WLANs, WMANs use frequencies in UHF to SHF spectrum
[Figure: frequency spectrum. Wavelength / frequency scale: 1 Mm / 300 Hz, 10 km / 30 kHz, 100 m / 3 MHz, 1 m / 300 MHz, 10 mm / 30 GHz, 100 μm / 3 THz, 1 μm / 300 THz. Bands: VLF, LF, MF, HF, VHF, UHF, SHF, EHF, infrared, visible light, UV. Media: twisted pair, coax cable, optical transmission.]
Infsci 1073/Telcom 2727 10
Licensed Vs. Unlicensed
• Licensed
  – Higher barriers for entrance
  – Better coverage and quality
  – Guaranteed access
• Unlicensed
  – More worldwide options
  – Coverage and quality inconsistent
  – Fast rollout
• Licensed Spectrum
  – need to buy right to use spectrum allocation in a specific geographic location from the government (e.g., AM/FM radio)
  – Prevents interference – licensee can control signal quality
• Unlicensed spectrum
  – Anyone can operate in the spectrum (e.g. ISM band for WLANs) but must maintain proper behavior in spectrum (max power level and frequency leakage, etc.)
  – Can have interference problems
Infsci 1073/Telcom 2727 11
Frequency Allocations
• WWANs (licensed)
  – Europe: Cellular: 453-457 MHz, 463-467 MHz; PCS: 890-915 MHz, 935-960 MHz; 1710-1785 MHz, 1805-1880 MHz; 3G: 1920-1996 MHz, 2110-2186 MHz
  – USA: Cellular: 824-849 MHz, 869-894 MHz; PCS: 1850-1910 MHz, 1930-1990 MHz
  – Japan: Cellular: 810-826 MHz, 940-956 MHz; 1429-1465 MHz, 1477-1513 MHz; 3G: 1918.1-1980 MHz, 2110-2170 MHz
• WMANs (licensed and unlicensed)
  – Europe: IEEE 802.16: 3.4-3.6 GHz; unlicensed same as WLANs
  – USA: IEEE 802.16: 2.5-2.6 GHz, 2.7-2.9 GHz; unlicensed same as WLANs
  – Japan: IEEE 802.16: 4.8-5 GHz; unlicensed same as WLANs
• WLANs (unlicensed)
  – Europe: IEEE 802.11: 2400-2483 MHz, 5.7-5.825 GHz; HIPERLAN 1: 5176-5270 MHz
  – USA: IEEE 802.11: 2400-2483 MHz (b, g), 5.7-5.825 GHz (a)
  – Japan: IEEE 802.11: 2471-2497 MHz (b, g), 5.7-5.825 GHz (a)
• WPANs (unlicensed)
  – Europe: IEEE 802.15: 2400-2483 MHz
  – USA: IEEE 802.15: 2400-2483 MHz
  – Japan: IEEE 802.15: 2471-2497 MHz
Infsci 1073/Telcom 2727 12
Radio Communication Range
• Communication range is the geographic area covered by a single transmitter – often called a cell or the coverage area
• Ideal case a circular area where signal strong enough to communicate.
[Figure: RSS versus distance]
Infsci 1073/Telcom 2727 13
Radio Signal propagation
• Received signal strength (RSS) influenced by
  – Fading – signal weakens with distance; received power proportional to 1/d² (d = distance between sender and receiver)
  – Frequency dependent fading – signal weakens with increase in f
  – Shadowing (no line of sight path)
  – reflection off of large obstacles
  – scattering at small obstacles
  – diffraction at edges
• Coverage area of a transmitter depends on local geography
[Figure: shadowing, reflection, scattering, diffraction]
Infsci 1073/Telcom 2727 14
Multipath propagation
[Figure: signal at sender, signal at receiver]
• Time dispersion: signal is dispersed over time
  – interference with “neighbor” symbols, Inter Symbol Interference (ISI)
• The signal reaches a receiver directly and phase shifted
  – distorted signal depending on the phases of the different parts
• Signal can take many different paths between sender and receiver due to reflection, scattering, diffraction
Infsci 1073/Telcom 2727 15
Effects of mobility
• Time Variations in Signal Strength
• Channel characteristics change over time and location
  – signal paths change
  – different delay variations of different signal parts
  – different phases of signal parts
• quick changes in the power received (short term or fast fading)
• Additional changes in
  – distance to sender
  – obstacles further away
• slow changes in the average power received (long term fading)
[Figure: received power versus time t, showing long term fading and short term fading]
Infsci 1073/Telcom 2727 16
Cell Coverage
• The effect of propagation and mobility is that a cell is not circular in coverage, and received signal strength and data rate will vary within the cell.
• Diversity techniques are used to improve wireless channel data rate and combat propagation/mobility problems
  – Error control coding, interleaving, power adjustment, antenna diversity, etc.
  – Lower the effective data rate well below the channel rate!
Infsci 1073/Telcom 2727 17
Wireless WANs
• Based on Cellular concept:
  – provide wireless coverage to a geographic area with a set of slightly overlapping cells
  – use a set of low power radio stations to provide coverage
  – each cell has a different set of frequencies or codes
  – support handoff of mobile from one cell to another
  – track mobile for incoming call
• Cell coverage, size and actual shape depend on local geography, power level, cell site height, antenna type, etc.
[Figure: cell, with hexagonal idealized cell shape]
Infsci 1073/Telcom 2727 18
Cellular Concept
• Proposed by Bell Labs 1971
• Geographic Service divided into smaller “cells”
• Neighboring cells do not use same set of frequencies to prevent interference
• Often approximate coverage area of a cell by an idealized hexagon
• Increase system capacity by frequency reuse.
Infsci 1073/Telcom 2727 19
Cell Design - Reuse Pattern
• Example: cell cluster size K = 7, frequency reuse factor = 1/7, assume have T = 490 total traffic channels, N = T/K = 70 channels per cell
[Figure: three replicated clusters of seven cells, cells labelled A to G]
Assume T = 490 total channels, K = 7, N = 70 channels/cell
Clusters are replicated M=3 times
System capacity = 3x490 = 1470 total channels
Infsci 1073/Telcom 2727 20
Frequency Reuse
[Figure: RSSI in dBm (-60, -90, -120) versus distance for Site A and Site B, with C/I, r and d marked]
Infsci 1073/Telcom 2727 21
Sectoring
[Figure: 120° sectoring]
120° sectoring reduces number of interferers from 6 to 2
Infsci 1073/Telcom 2727 22
Multiple Access Techniques
• MA determines how users share channel in a cell
• FDMA (frequency division multiple access)
  – separate spectrum into non-overlapping frequency bands
  – assign a certain frequency to a transmission channel between a sender and a receiver
  – different users share use of the medium by transmitting on non-overlapping frequency bands at the same time
• TDMA (time division multiple access):
  – assign a fixed frequency to a transmission channel between a sender and a receiver for a certain amount of time (users share a frequency channel in time slices)
• CDMA (code division multiple access):
  – assign a user a unique code for transmission between sender and receiver, users transmit on the same frequency at the same time
Infsci 1073/Telcom 2727 23
Frequency division multiple access
[Figure: frequency versus time]
Infsci 1073/Telcom 2727 24
Time Division Multiple Access
[Figure: frequency versus time, showing frame and slot]
Infsci 1073/Telcom 2727 25
Code Division Multiple Access
[Figure: axes time, frequency, code]
Infsci 1073/Telcom 2727 26
CDMA
• Code Division Multiple Access
  – Narrowband message signal is multiplied by very large bandwidth spreading signal using direct sequence spread spectrum
  – All users can use same carrier frequency and may transmit simultaneously
  – Each user has own unique access spreading codeword which is approximately orthogonal to other users' codewords
  – Receiver performs time correlation operation to detect only specific codeword, other users' codewords appear as noise due to decorrelation
  – Cocktail party example
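The correlation receiver described above, as an added example that is not part of the original slides: two users spread their bits, transmit at the same time on the same frequency, and the receiver recovers one stream by correlating with that user's codeword. The 8-chip code length, the bit patterns and the two partly correlated codewords are constructed for illustration; with imperfectly orthogonal codes a much stronger second user overwhelms the correlator, which is the near-far situation power control addresses.

```python
def walsh_codes(n):
    """Return the n x n Walsh-Hadamard matrix (n a power of two), chips are +1/-1."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code, amplitude=1.0):
    """Direct-sequence spreading: every data bit becomes len(code) chips."""
    chips = []
    for b in bits:
        symbol = 1 if b else -1
        chips.extend(amplitude * symbol * c for c in code)
    return chips


def channel(*signals):
    """Same carrier, same time: the users' chip streams simply add up."""
    return [sum(chips) for chips in zip(*signals)]


def despread(received, code):
    """Correlate each symbol period with one codeword and decide on the sign."""
    n = len(code)
    bits = []
    for i in range(0, len(received), n):
        corr = sum(r * c for r, c in zip(received[i:i + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


# Constructed sample data for two users.
BITS_A = [1, 0, 1, 1]
BITS_B = [0, 1, 0, 1]

# Constructed codewords that are only partly decorrelated
# (cross-correlation 4 out of 8 chips).
CODE_A = [1, 1, 1, -1, 1, -1, -1, 1]
CODE_B = [1, 1, -1, -1, 1, 1, -1, 1]


def orthogonal_case(gain_b):
    """Both users use orthogonal Walsh codes; user B is gain_b times stronger."""
    codes = walsh_codes(8)
    rx = channel(spread(BITS_A, codes[1]), spread(BITS_B, codes[2], gain_b))
    return despread(rx, codes[1]), despread(rx, codes[2])


def near_far_case(gain_b):
    """Partly correlated codes: return what the receiver decodes for user A."""
    rx = channel(spread(BITS_A, CODE_A), spread(BITS_B, CODE_B, gain_b))
    return despread(rx, CODE_A)


if __name__ == "__main__":
    print("orthogonal, B 10x stronger:", orthogonal_case(10.0))
    print("correlated, equal power   :", near_far_case(1.0))
    print("correlated, B 4x stronger :", near_far_case(4.0))
```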
Infsci 1073/Telcom 2727 27
CDMA Properties: Near-Far Problem
• A CDMA receiver cannot successfully despread the desired signal in a high multiple-access-interference environment
• Unless a transmitter close to the receiver transmits at power lower than a transmitter farther away, the far transmitter cannot be heard
• Mobiles transmit so that power levels are equal at base station
• Power control must be used to mitigate the near-far problem
[Figure: base station]
Infsci 1073/Telcom 2727 28
CDMA Capacity
• CDMA Main Advantages
  – resistant to narrow band interference
  – resistant to multipath fading and ISI
  – no hard limit on number of users (soft capacity)
  – As number of users on a frequency increase the interference level increases and BER increases for all users
  – With proper limits all frequencies can be used in every cell
[Figure: BER of CDMA system with 128 cps. Error probability (.0001 to .1) versus users (10 to 60)]
Infsci 1073/Telcom 2727 29
CDMA Capacity
• The effect of more users in a cell on a frequency is to degrade the channel for everyone – can be thought of as decreasing the usable cell size
Infsci 1073/Telcom 2727 30
Cell Breathing
• Cell breathes in & out with changing load
  – Cells shrink during peak hours, expand during off-peak hours
Infsci 1073/Telcom 2727 31
Generations of Cellular Systems
• 1G systems (Analog voice) all used FDMA
• Main 2G Systems
  – Global System for Mobile (GSM) uses TDMA
  – IS-95 (cdmaone) uses CDMA
  – 2.5 G systems build on 2G to provide data service
• 3G Systems
  – Universal Mobile Telecomm System (UMTS)
  – cdma 2000 1x-EVDO
  – Both use cdma - packet data
Infsci 1073/Telcom 2727 32
Cellular Network Architecture
• Cell: Area covered by 1 radio tower unit (base station)
• Cellular Systems:
  – provide wireless coverage to a geographic area with a set of slightly overlapping cells
  – use a set of low power radio stations to provide coverage
  – each cell has a different set of frequencies or codes
  – support handoff of mobile from one cell to another
  – track mobile for incoming call
• Cell coverage, size and actual shape depend on local geography, power level, cell site height, antenna type, etc.
[Figure: cell, with hexagonal idealized cell shape]
Infsci 1073/Telcom 2727 33
Cellular Network Architecture
[Figure: cellular network architecture. Wireless (radio) part: base stations. Wired or backhaul network: BSC, MSC, GMSC, HLR, VLR, AUC, connected to the Public Switched Telephone Network]
• Cellular Network Components
  – Mobile Station (Terminal) – handset
  – Base Station (cell site)
  – Base Station Controller (BSC)
  – Mobile Switching Center (MSC)
  – Gateway MSC (interface to wired phone)
  – Home Location Register (HLR)
  – Visitor Location Register (VLR)
  – Authentication register (AUC)
  – HLR/VLR/AUC databases to track, bill and authenticate users
Infsci 1073/Telcom 2727 34
Cell Phone Market
• Worldwide market
• Stratification of market
  – Teenage
  – Safety/children
  – Business – low end
  – Business – high end
  – Families
  – Luxury
• Improvements in
  – microelectronics
  – signal processing
  – display technology
• Smaller devices, greater functionality, merger with other portable devices or accessories
Infsci 1073/Telcom 2727 35
Base Stations
• Base Station (BS): Provides radio channels between mobile units and network
  – Pico-cells: (indoor – 0-.5 Km) support 8-20 channels
  – micro-cells: (outdoor – 0-1 Km)
  – macro-cells: (1-30 Km)
Infsci 1073/Telcom 2727 36
Base Stations
• Base Transceiver Station (BTS) - houses radio units
Infsci 1073/Telcom 2727 37
Base Station Controller
• Base Station Controller (BSC): Manages a cluster of BS, channel assignment, handoff, power control, some switching, etc.
Infsci 1073/Telcom 2727 38
Mobile Switching Center
• Mobile Switching Center (MSC) (MTSO)
  – Provides switching functions, coordinates location tracking, call delivery, handoff, interfaces to HLR, VLR, AUC, etc.
  – Size of central office switch
Infsci 1073/Telcom 2727 39
HLR/VLR
• Home Location Register (HLR)
  – Specialized database server contains billing info, service profile and general location of a mobile user (one per service provider or one per section of country)
• Visitor Location Register (VLR)
  – similar to HLR, contains location of users and their service profile of all users in a metro type area (one per MSC)
Infsci 1073/Telcom 2727 40
Mobility Management
• Location Area (LA)
  – Divide coverage into non-overlapping groups of cells
  – Assign each LA a unique id
  – Location Area ID is periodically broadcast by each cell
  – As a mobile moves/turns phone on – it listens to location area id – depending on the approach – it may perform a location update/authentication procedure to provide its location to VLR and possibly HLR
• Two level database hierarchy HLR/VLR
  – HLR points to VLR where mobile located
  – VLR entry points to LA where mobile last located
• In large networks may have HLR split among regions with aggregate info cross region
[Figure: Location Area 1, Location Area 2, Location Area 3]
Infsci 1073/Telcom 2727 41
Location Area and Cell Identification Parameter
• MNC – Mobile Network Code
  – Identifies the GSM operator within the country. In AMPS system the network code is the system ID (SID)
  – Unique to each operator in a country
• LAC – Location Area Code
  – Defines a location area, which consists of a group of cells.
  – Each MNC will have several LACs.
• CI – Cell Identity
  – Uniquely identifies a cell in a location area.
Infsci 1073/Telcom 2727 42
Mobility Management
• Mobility Management involves two main tasks to support mobile receiving incoming calls and roaming
• Location Registration/update
  – Mobile informs network of location using reverse control channels
  – May include an authentication step here as well
• Paging
  – Network informs mobile of incoming call
  – Broadcast over group of cells (paging area) on forward control channels
• Tradeoff: registration/updating and paging
Infsci 1073/Telcom 2727 43
Location Registration
• Location Registration involves signaling to VLR and possibly HLR
• Two Types of Location Registration
  1. Intra-VLR (LAs attached to same VLR)
    • Only change LA id in VLR (local signaling)
    • Target ITU-T location update time ≤ 2 sec
  2. Inter-VLR (LAs attached to different VLR)
    • must signal HLR to update VLR pointer
    • Target ITU-T location update time ≤ 4 sec
Infsci 1073/Telcom 2727 44
Inter-VLR Location update in GSM
[Figure: numbered message flow (1 to 5) between the MS in Location Area (New), BSC, MSC (New), VLR (New), HLR, VLR (Old), MSC (Old), BSC and Location Area (Old)]
1. The MS sends the Location Update request to the VLR (new) via the BSS and MSC.
2. The VLR sends a Location Update message to the HLR serving the MS which includes the address of the VLR (new) and the IMSI of the MS. This updating of the HLR is not required if the new LA is served by the same VLR as the old LA.
3. The service and security related data for the MS is downloaded to the new VLR.
4. The MS is sent an acknowledgement of successful location update.
5. The HLR requests the old VLR to delete data relating to the relocated MS.
Infsci 1073/Telcom 2727 45
Call Processing
• Each Cell or sector of a cell has two types of channels
  – Control channels for call setup and mobile registration
    • Fixed set of channels/time slots/codes scanned by mobile when turned on in a cell – locks on to control channel with strongest signal
  – Traffic channels for carrying data/voice
• Calls are of two types
  – Mobile Originating Calls (MOC)
    • mobile places call
  – Mobile Terminating Calls (MTC)
    • mobile receives call
[Figure: BS1]
Infsci 1073/Telcom 2727 46
MOC Calling from MS
[Figure: message sequence between the MS and the MSC for a mobile originating call. Labels, in order: Dial called party; Setup Request on control channel; MSC fetches subscriber info from VLR to process call, acks caller; Call Proceeding; MSC allocates trunk + radio channel; Radio channel; Ack; Tune to traffic channel freq/time slot/code; Complete, call connected through PSTN; Alerting, alerts caller; Called party picks up; Connect; Connect ack; Call can proceed]
Infsci 1073/Telcom 2727 47
Mobile Terminated Call Example
[Figure: numbered message flow (1 to 17) between calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]
• Assume a mobile has registered its location with VLR and HLR
• 1: calling a mobile subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request status from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to serving MSC
• 8, 9: get current status and LAI of MS
• 10, 11: Paging of MS
• 12, 13: MS answers
• 14, 15: security checks
• 16, 17: set up connection
Infsci 1073/Telcom 2727 48
Handoff Management
• Call in progress Mobility management
• Radio Mobility (Handoff or Handover) (BSC or MSC)
  – Based on air interface standard
  – Hard Handoff (break before make) (GSM, AMPS)
  – Soft Handoff (make before break) (cdmaone, cdma2000, UMTS)
  – Mobile Assisted Handoff (MAHO) (GSM)
  – Mobile controlled handoff (WLANs)
• Handoff measurement: major decision-making stages
  – Identify the need
  – Identify the candidate
  – Evaluate the candidates
  – Select a target cell
Infsci 1073/Telcom 2727 49
Handoff decision
[Figure: received signal strength of BS1 and BS2 versus distance as the MS moves from BS1 to BS2, with HO_MARGIN, receiver sensitivity and weak signal level marked]
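An added example (not from the original slides) of the decision stages above applied to two received-signal-strength traces. It assumes HO_MARGIN acts as a hysteresis threshold, meaning a candidate must exceed the serving cell by that many dB, and that a candidate must be at or above receiver sensitivity; the function name, trace values and thresholds are constructed for illustration.

```python
def run_handoffs(traces, serving, ho_margin_db, sensitivity_dbm=-100.0):
    """Replay RSS traces (dBm per sample, keyed by base station name).

    Returns a list of (sample_index, old_bs, new_bs) handoff events.
    """
    events = []
    samples = len(next(iter(traces.values())))
    for t in range(samples):
        # Identify the need: compare against the serving cell's current RSS.
        current = traces[serving][t]
        # Identify the candidates: neighbours the receiver can actually hear.
        candidates = {
            bs: rss[t]
            for bs, rss in traces.items()
            if bs != serving and rss[t] >= sensitivity_dbm
        }
        if not candidates:
            continue
        # Evaluate the candidates: strongest neighbour wins.
        best = max(candidates, key=candidates.get)
        # Select a target cell only if it beats the serving cell by the margin.
        if candidates[best] > current + ho_margin_db:
            events.append((t, serving, best))
            serving = best
    return events


# Constructed traces: the MS moves from BS1 towards BS2 and the two signals
# cross several times near the cell boundary because of fading.
TRACES = {
    "BS1": [-70, -75, -80, -84, -86, -85, -88, -90, -95],
    "BS2": [-95, -90, -86, -85, -84, -86, -85, -82, -78],
}

if __name__ == "__main__":
    print("margin 0 dB:", run_handoffs(TRACES, "BS1", 0.0))
    print("margin 4 dB:", run_handoffs(TRACES, "BS1", 4.0))
```

With no margin the connection bounces between the two base stations at every crossing; with a 4 dB margin there is a single handoff once BS2 is clearly stronger.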
Infsci 1073/Telcom 2727 50
Handoffs
• Handoff measurement: major decision-making stages
  – Identify the need
  – Identify the candidate
  – Evaluate the candidates
  – Select a target cell
• Note: need to reroute connection in wired network.
[Figure: old path (1) and new path (2) meeting at an anchor point]
Infsci 1073/Telcom 2727 51
Soft Handoff
• If a mobile terminal moves away from a base station and continues to increase its transmit power to maintain contact with base station – at edge of cell will need to handoff to adjacent cell
• In soft handoff a mobile terminal is required to track the signals from all neighboring base stations
  – It will communicate with multiple base stations simultaneously for a short while before deciding on the final candidate
  – This is possible because of the RAKE receiver and frequency reuse of 1
  – Not all handoffs will be soft!
  – Note soft handoff reduces system capacity as mobile tying up 2 traffic channels
Infsci 1073/Telcom 2727 52
CDMA System Concepts: Soft Handovers
• Mobile located in the area of overlap of multiple base stations
• Transmission:
  – Uplink: No difference
  – Downlink: BSC/MSC sends out a copy of the same packet/frame to each base station
• Reception:
  – Uplink: Each base station demodulates packet, BSC/MSC picks the “better packet” (macro-diversity combining)
  – Downlink: The mobile combines the signals using a Rake receiver (micro-diversity combining)
• Two power control loops
• Two traffic channels
[Figure: BSC]
Infsci 1073/Telcom 2727 55
2.5 G Systems
• 2G Systems provide slow speed circuit switched data service (charged by minute)
  – 9.6 Kbps – 14.4 Kbps
• 2.5G
  – Attempt to improve data services from 2G and build customer base for wireless data service
  – Two main standards: GPRS, EDGE, cdma 2000 1x-RTT
  – Mislabeled as 3G
  – Basically overlay network of data service on 2G networks (voice still circuit switched)
  – Max data rate 57 Kbps – 300 Kbps
  – Typical data rates 30-50 Kbps – similar to dialup modem service
Infsci 1073/Telcom 2727 56
What is GPRS?
• GPRS stands for General Packet Radio Service
• Standard developed by ETSI and 3GPP
• An intermediate step (2+ or 2.5G) in the evolution from 2G to 3G
• Overlay on top of GSM physical layer and network entities
• Provides packet-switched capability to GSM networks
• Connects GSM networks to IP networks
• Theoretical maximum data rate of 171.2 Kbps
• “Always connected” access
• Spectrum efficiency – radio resources used only when actually sending or receiving data
Infsci 1073/Telcom 2727 57
GPRS
• Overlay on top of GSM physical layer and network entities
• Extends data capabilities of GSM (2.5 G solution)
  – provides connection to external packet data networks through the GSM infrastructure
  – packet switching
  – Uses free TDMA slots only if data packets ready to send (e.g., 171 kbit/s using 8 slots temporarily)
  – no hardware changes to the BTS/BSC!
• The physical layer is the same as GSM
  – Forward error correction and indication of uncorrectable code words using GSM convolutional coder
• Architecture includes new components in wired part of network
  – GGSN – Gateway GPRS support Node
  – SGSN – Serving GPRS support Node
  – Packet Control Unit
Infsci 1073/Telcom 2727 58
GSM Evolution
[Figure: GSM and GPRS core network. GSM (voice): Base Station Controller, Mobile Switching Center, Visitor Location Register, Home Location Register, Gateway MSC. GPRS (data): PCU, SGSN, GGSN]
Infsci 1073/Telcom 2727 59
Third Generation Cellular
• ITU vision of 3G
  – Spectrum: 1885-2025 MHz and 2110-2200 MHz worldwide
  – Multiple radio environments (phone should switch seamlessly among cordless, cellular, satellite)
  – Wide range of existing and new services - esp. data, Internet, multimedia - data rates up to 2 Mb/s
• Target data rates for 3G
  – Vehicular: 144 kbps
  – Pedestrian: 384 kbps
  – Indoor/stationary: 2.048 Mbps, roadmap > 10 Mbps later
• Support for packet switching and asymmetric data rates
• Devices always on and provide seamless moving from one environment and data rate to another
Infsci 1073/Telcom 2727 60
3G Requirements
[Figure: seamless end to end service with different data rates. Cell types: pico-cell, micro-cell, macro-cell, global. Environments: in-building, urban, suburban, satellite. Data rates: up to 2 Mbps, up to 384 kbps, up to 144 kbps]
Infsci 1073/Telcom 2727 61
UMTS
• ETSI proposed GSM/NA-TDMA/GPRS evolution under name Universal Mobile Telecom. Services (UMTS)
• Most of 3G licenses in Europe required operator to deploy a UMTS system covering x% of population by a specific date y
  – Germany: 25% of population by 12/03, 50% by 12/05
  – Norway: 80% of population by 12/04
  – In many countries operators have asked for and received a delay
• Estimate 2.5 Billion euros to deploy a 5000 base station UMTS system
• WCDMA is the radio interface (UMTS Radio Access)
  – Two modes:
    • FDD: separate uplink/downlink frequency bands with constant frequency offset between them
    • TDD: uplink/downlink in same band but time-shares transmissions in each direction
Infsci 1073/Telcom 2727 62
WCDMA (UMTS)
• UMTS has a complete system architecture
  – As in GSM emphasis on standardized interfaces
    • mix and match equipment from various vendors
  – Base stations are asynchronous from each other
  – Simple evolution from GPRS – allows one to reuse some of the GPRS backhaul equipment
  – Supports inter-mode handoff – FDD to TDD
  – Supports intersystem handoff
    • WCDMA to GPRS, or WCDMA to GSM
  – Wide range of data rates due to CDMA with variable spreading, coding and modes
    • Varying user bit rate is mapped to variable power and spreading
    • Different services can be mixed on a single carrier for a user
Infsci 1073/Telcom 2727 63
Evolution Path to 3G
[Figure: evolution path. 2G systems: GSM, IS-95 CDMA, PDC, NA-TDMA. 2.5G systems: GPRS, EDGE, CDMA2000 1x. 3G systems: UMTS (WCDMA), CDMA2000 1EV]
Infsci 1073/Telcom 2727 64
GSM GPRS UMTS Evolution
[Figure: core network shared by GSM, GPRS and UMTS. Voice: Radio Network Controller, Mobile Switching Center, Visitor Location Register, Home Location Register, Gateway MSC. Data: Radio Network Controller, 3G SGSN, 3G GGSN]
Infsci 1073/Telcom 2727 65
2G System IS-95 (cdmaone)
• Cdmaone
• 2G system
• Voice: 14.Kbps or variable rate 9.6 Kbps
• Data: 14.4 Kbps
• 1.25 MHz carrier
• 64 Walsh codes per carrier
Infsci 1073/Telcom 2727 66
Cdma2000 – 1X RTT
Infsci 1073/Telcom 2727 67
1xEVDO -- Data Only on some carriers
[Figure: IS-2000 IP BTSs connect to an IP BSC, then through an IP router to the PDSN, Home Agent and AAA (RADIUS over UDP/IP), and through an IP firewall and IP router to the Internet and a Private Data Network]
• IP BTS - IP Base Transceiver Station
• IP BSC - IP Base Station Controller
• AAA - Authentication, Authorization, and Accounting
• PDSN - Packet Data Serving Node
• Home Agent - Mobile IP Home Agent
Infsci 1073/Telcom 2727 68
1XEVDV -- IP Data and Voice
[Figure: IS-2000 IP BTSs connect to an IP BSC and a PDSN + Router with AAA and Home Agent. Packet switched voice goes through a SIP Proxy; circuit switched voice reaches the PSTN through the MGW, controlled by the MGCF (Softswitch) over H.248 (maybe MGCP), with the SGW carrying SS7 over SCTP/IP. An IP firewall and IP router lead to the Internet and a Private Data Network. Labelled “Nextgen MSC ?”]
• SIP Proxy – Session Initiation Protocol Proxy Server
• MGCF – Media Gateway Control Function
• SGW – Signaling Gateway (SS7)
• MGW – Media Gateway (Voice)
Infsci 1073/Telcom 2727 69
Systems Comparison
• Physical Channel
  – CDMA 2000: 1 to N x 1.25 MHz channels DL, UL 3.75 MHz
  – WCDMA: 5 MHz
  – GSM: 200 kHz
  – IS-95: 1.23 MHz
• Modulation
  – CDMA 2000: OQPSK
  – WCDMA: QPSK
  – GSM: GMSK
  – IS-95: OQPSK
• Channel rate
  – CDMA 2000: N x 1.288 Mcps in downlink, 3.6864 Mcps uplink
  – WCDMA: 3.84 Mcps
  – GSM: 270.833 kbs
  – IS-95: 1,228.8 kcps
• Modulation Efficiency (b/s/Hz)
  – CDMA 2000: 1
  – WCDMA: .768
  – GSM: 1.4
  – IS-95: 1.0
Infsci 1073/Telcom 2727 70
Systems Comparison
• Power Control
  – CDMA 2000: 800 Hz up and down link
  – WCDMA: 1500 Hz up and down link
  – GSM: 2 Hz
  – IS-95: 800 Hz uplink
• Base Station Synch
  – CDMA 2000: Yes, using GPS
  – WCDMA: No
  – GSM: No
  – IS-95: Yes, using GPS
• Load Based Scheduling
  – CDMA 2000: Somewhat, with coding and multiple carriers
  – WCDMA: Yes, variable spreading and coding, TDD mode
  – GSM: Voice only
  – IS-95: Voice only
• System standard
  – CDMA 2000: Air only at this time
  – WCDMA: Complete System
  – GSM: Complete System
  – IS-95: Air only
• Security
  – CDMA 2000: Spread Spectrum + AAA IP (eventually)
  – WCDMA: F1-F9 algorithms + USIM card
  – GSM: A3, A5, A8 algorithm + SIM card
  – IS-95: Spread Spectrum + optional CAVE
Infsci 1073/Telcom 2727 71
3G WWANs have varying data rates
[Figure: users in one cell each reporting a different rate: “I’m getting 600 KB”, “I’m getting 200 KB”, “I’m getting 2 MB”, “I’m getting 300 KB”, “I’m getting 64 KB”]
• Contention (users and traffic)
• Signal Strength (obstacles)
• Coverage (shadows)
Infsci 1073/Telcom 2727 72
Application Should Adapt to Data Rate
Data rate available and level of service for multimedia-based location-based service:
• SMS alerts: Push adverts; buddy notifications still get sent. User can make limited requests that are better fulfilled when full service becomes available again
• 28 kbps: Ordinary, baseline, text-driven and map-driven service with basic advertisements
• 40-600 kbps (variable): For user drill-downs into a tourist application, the system will attempt to return highest quality data (images, audio, etc.) and switch back to low grade if not possible
• 56 kbps: High-quality, color, animated advertisements sent to user, possibly with some audio streaming available. Images could be accessed when looking at restaurants, attractions, etc.
• 300 kbps: The buyer can hold an online video conference with a sales assistant specialist and view product videos before buying the product
• 2 Mbps: Full-quality video clips for local cinema can be streamed to the user. Product advertisements can be viewed (e.g., for a nearby store)
Infsci 1073/Telcom 2727 73
Security in WWANs
[Figure: security levels in a WWAN. Radio Level: Mobile Station, Point of Access. Network Level: Radio Network Controller (RNC), Mobile Switching Center (MSC), the Internet. Management Level: HLR (Home Location Register), VLR (Visitor Location Register), AuC (Authentication Center), OMC (Operation & Maintenance Center), ER (Equipment Register)]
Infsci 1073/Telcom 2727 74
Security Threats
• The biggest security threat to cell phones was fraud
  – Telcos lost several million dollars in fraud especially with the analog cell phones
  – Problem of cloned phones reduced with the advent of digital cellular
• The second biggest threat was eavesdropping
  – Analog phones were easy to tap using RF scanners
  – Problem has reduced with digital cellular
• New threat
  – Technology is becoming cheap
  – Easy to masquerade as the network
Infsci 1073/Telcom 2727 75
Security in 2G Digital Cellular
• To eliminate fraud
  – Strong entity authentication
  – Share a master key between the cell phone and the authentication center
  – Use Challenge Response (C-R) protocols
• To eliminate eavesdropping
  – Derive an encryption key using the master key
  – Use the encryption key to encrypt all voice transmissions
  – Example GSM standard
Infsci 1073/Telcom 2727 76
Security in GSM
• Security services
  – access control/authentication
    • user ↔ SIM (Subscriber Identity Module): secret PIN (personal identification number)
    • SIM ↔ network: challenge response method
  – confidentiality
    • voice and signaling encrypted on the wireless link (after successful authentication)
  – anonymity
    • temporary identity TMSI (Temporary Mobile Subscriber Identity)
    • newly assigned at each new location update (LUP)
    • encrypted transmission
• 3 algorithms specified in GSM
  – A3 for authentication (“secret”, open interface)
  – A5 for encryption (standardized)
  – A8 for key generation (“secret”, open interface)
• “secret”:
  – A3 and A8 available via the Internet
  – network providers can use stronger mechanisms
Infsci 1073/Telcom 2727 78
Authentication and Encoding
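[Figure: authentication and encoding path. The Mobile Station and the network both hold Ki; A3 produces SRES from RAND and Ki, A8 produces Kc, and A5 uses Kc at the mobile station and at the base transceiver station. Speech, data and signaling are encoded between the mobile station and the base transceiver station; beyond it (Base Station Controller, A interface, Radio Control Point, Service Switching Point, VLR) speech, data and signaling are in clear]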
Infsci 1073/Telcom 2727 79
Authentication Procedure in GSM
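[Figure: the AUC holds Ki for each IMSI (IMSI (1) with Ki(1) ... IMSI (X) with Ki(X)), generates random number RAND and computes SRES with A3; RAND, SRES go to the MSC; RAND goes to the MS, which computes SRES with A3 from its own Ki and returns it]
• MSC compares SRES values received from AUC and mobile station; if identical then MS is authenticated
• SRES: Signed Response, 32 bit
• A3: Authentication Algorithm
• Ki: 128-bit subscriber key unique to each subscriber
• RAND: 128-bit random number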
Infsci 1073/Telcom 2727 80
Encryption Procedure in GSM
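[Figure: the AUC holds Ki for each IMSI (IMSI (1) with Ki(1) ... IMSI (X) with Ki(X)), generates random number RAND and computes Kc with A8; RAND, Kc go to the MSC; the MS computes Kc with A8 from RAND and its own Ki; Kc is passed to the BTS]
• MSC sends RAND to mobile station and Kc to BSC for ciphering
• Kc: 64 bit Ciphering Key
• A8: Ciphering Algorithm
• Ki: 128-bit subscriber key unique to each subscriber
• RAND: 128-bit random number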
Infsci 1073/Telcom 2727 81
Confidentiality in 2G Cellular Networks
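• GSM
  – Algorithm: A5; key size: 64 bits; protected data: voice, signaling and data information
• IS-136, IS-95
  – Algorithm: Voice Privacy Mark; key size: −; protected data: voice information
  – Algorithm: ORYX; key size: 32 bits; protected data: data information
  – Algorithm: CMEA; key size: 64 bits; protected data: signaling information (number dialed, short messages (paging), DTMF tones)
• AMPS
  – Algorithm: −; key size: −; protected data: −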
Infsci 1073/Telcom 2727 82
3G Cellular Systems
• Based on 2G security structure
  – Authentication of subscribers using challenge/response
  – Subscriber identity confidentiality (TMSI)
  – Authentication of user to mobile device by use of a PIN
  – Radio interface encryption
• New Features
  – Mutual entity authentication
    • The MS can authenticate the network
  – Larger key sizes
    • Use 128 bit key size
  – Stronger encryption/authentication/key generation algorithms
    • Based on AES
    • Milenage and Kasumi in UMTS
  – Integrity check for signaling messages
    • Message authentication codes are used
  – Encryption extended farther back into wired network
    • (prevents eavesdropping on microwave relays)
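An added example (not from the original slides) of the GSM challenge-response and key-derivation procedures, next to the mutual authentication listed above for 3G. HMAC-SHA256 truncated to the slide's sizes (32-bit SRES, 64-bit Kc) stands in for the operator-chosen A3 and A8; the class and function names, the sample IMSI and the single "network tag" (a simplification of 3G mutual authentication, which also uses sequence numbers) are assumptions.

```python
import hashlib
import hmac
import secrets


def _prf(ki, label, rand, out_len):
    # Stand-in keyed function, NOT the real A3/A8 (those are operator-specific).
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:out_len]


def a3(ki, rand):
    """SRES: 32-bit signed response to the 128-bit challenge RAND."""
    return _prf(ki, b"A3", rand, 4)


def a8(ki, rand):
    """Kc: 64-bit ciphering key derived from the same RAND and Ki."""
    return _prf(ki, b"A8", rand, 8)


def network_tag(ki, rand):
    """Assumed 3G-style proof that the challenger also knows Ki."""
    return _prf(ki, b"NET", rand, 8)


class AuC:
    """Authentication center: maps IMSI to the 128-bit subscriber key Ki."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi):
        ki = secrets.token_bytes(16)
        self._ki_by_imsi[imsi] = ki
        return ki  # the same Ki is stored in the subscriber's SIM

    def vector(self, imsi):
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)
        return rand, a3(ki, rand), a8(ki, rand), network_tag(ki, rand)


class SIM:
    def __init__(self, ki, require_network_auth=False):
        self._ki = ki
        self.require_network_auth = require_network_auth

    def respond(self, rand, tag=None):
        """Return (SRES, Kc), or None if the network fails to prove itself."""
        if self.require_network_auth:
            expected = network_tag(self._ki, rand)
            if tag is None or not hmac.compare_digest(tag, expected):
                return None
        return a3(self._ki, rand), a8(self._ki, rand)


def msc_authenticate(auc, sim, imsi):
    """MSC side: send RAND, compare the MS's SRES with the AuC's SRES."""
    rand, sres_expected, kc_network, tag = auc.vector(imsi)
    answer = sim.respond(rand, tag)
    if answer is None:
        return False, None
    sres, kc_ms = answer
    if not hmac.compare_digest(sres, sres_expected):
        return False, None
    # Both sides now hold the same Kc without it ever crossing the air.
    return kc_ms == kc_network, kc_network


if __name__ == "__main__":
    auc = AuC()
    imsi = "001010000000001"  # constructed sample IMSI
    ki = auc.provision(imsi)
    print("genuine SIM:", msc_authenticate(auc, SIM(ki), imsi)[0])
    print("wrong Ki   :", msc_authenticate(auc, SIM(secrets.token_bytes(16)), imsi)[0])
    challenge = secrets.token_bytes(16)  # challenge from a party without Ki
    print("2G-style SIM answers it:", SIM(ki).respond(challenge) is not None)
    print("3G-style SIM answers it:",
          SIM(ki, require_network_auth=True).respond(challenge) is not None)
```

The last two lines show the design difference: a SIM that only performs the 2G procedure answers any challenge, while one that requires the network's proof refuses a challenger that does not hold Ki.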
Infsci 1073/Telcom 2727 83
Summary
• Consider basic wireless network issues
  – Frequencies, radio coverage, etc.
• Looked at WWAN (cellular networks)
  – Structure
  – Call setup
  – Handoff
  – Evolution
  – Security
• Impact on Applications