Page 1: Mobile Comms 1

Zainab Zaidi, Networks Group, NICTA


Mobile Communications - GSM

Page 2: Mobile Comms 1

Contents

• GSM Overview
• Services
• System architecture
• GSM Channels
• Call establishment
• Handover
• Security
• Data services
  – HSCSD (High-Speed Circuit Switched Data)
  – GPRS (General Packet Radio Service)
  – EDGE (Enhanced Data rates for Global Evolution)

Almost all slides contain material from Schiller, J., Mobile Communications, Addison Wesley

Page 3: Mobile Comms 1

GSM: Overview

• Objective:
  – Seamless roaming within Europe (ETSI, European Telecommunications Standardization Institute)
• formerly: Groupe Spéciale Mobile (founded 1982), now: Global System for Mobile Communication
• Market share:
  – 85% of global mobile subscribers use GSM and 3GSM (WCDMA) (March, 2007)
• Salient features:
  – Roaming
  – Security
  – Better transmission quality
  – Higher capacity
  – Device independence (SIM)

Page 4: Mobile Comms 1

Example coverage of GSM networks (www.gsmworld.com)

• T-Mobile (GSM-900/1800), Germany
• O2 (GSM-1800), Germany
• AT&T (GSM-850/1900), USA
• Vodacom (GSM-900), South Africa

Page 5: Mobile Comms 1

GSM frequency bands

Type                        Channels           Uplink [MHz]   Downlink [MHz]
GSM 850 (Americas)          128-251            824-849        869-894
GSM 900                     0-124, 955-1023    876-915        921-960
  classical                 124 channels       890-915        935-960
  extended                  +49 channels       880-915        925-960
GSM 1800 (DCS)              512-885            1710-1785      1805-1880
GSM 1900 (Americas, PCS)    512-810            1850-1910      1930-1990
GSM-R                       955-1024, 0-124    876-915        921-960
  exclusive                 69 channels        876-880        921-925

- Additionally: GSM 400 (also named GSM 450 or GSM 480 at 450-458/460-468 or 479-486/489-496 MHz)
- Please note: frequency ranges may vary depending on the country!
- Channels at the lower/upper edge of a frequency band are typically not used

Notes (Zzaidi):
DCS: Digital Cellular Service
Page 6: Mobile Comms 1

GSM: Mobile Services

• GSM offers
  – several types of connections
    • voice connections, data connections, short message service
  – multi-service options (combination of basic services)
• Three service domains
  – Bearer or data Services (max data rate 9.6 kbits/s)
  – Telematic Services (voice, fax, SMS)
  – Supplementary Services (call forwarding, call redirection, etc.)

[Figure: reference model for bearer services and tele services. Elements: TE, MT (together forming the MS), GSM-PLMN, transit network (PSTN, ISDN), source/destination network, TE. Interfaces: R, S, Um, (U, S, R).]

Notes (Zzaidi):
MS: Mobile station
TE: Terminal, network independent
MT: Mobile termination, performs all network specific tasks, medium access, coding etc.
GSM-PLMN: GSM public land mobile network
ISDN: Integrated services digital network
PSTN: Public switched telephone network
S: interface for data transmission
R: interface also defined for some terminals; all of them are defined in ISDN
Page 7: Mobile Comms 1

Ingredients 1: Mobile Phones, PDAs & Co.

The visible but smallest part of the network!

Page 8: Mobile Comms 1

Ingredients 2: Antennas

Still visible – cause many discussions…

Page 9: Mobile Comms 1

Ingredients 3: Infrastructure 1

Base Stations

Cabling

Microwave links

Page 10: Mobile Comms 1

Ingredients 3: Infrastructure 2

Switching units

Data bases

Management

Monitoring

Not „visible“, but comprise the major part of the network (also from an investment point of view…)

Page 11: Mobile Comms 1

GSM: elements and interfaces

• components
  – MS (mobile station)
  – BS (base station)
  – MSC (mobile switching center)
  – LR (location register)
• subsystems
  – RSS (radio subsystem): covers all radio aspects
  – NSS (network and switching subsystem): call forwarding, handover, switching
  – OSS (operation subsystem): management of the network

[Figure: GSM elements and interfaces. Subsystems: RSS, NSS, OSS. Elements: MS in radio cells, BSS (BTS, BSC), MSC, GMSC, IWF, HLR, VLR, EIR, AUC, OMC; external networks PDN and ISDN, PSTN. Interfaces: Um, Abis, A, O; signaling links.]

Notes (Zzaidi):
A interface: up to 30 64 Kbit/s connections
O interface: uses X.25 (WAN standard) to exchange management data
BTS: Base transceiver station
Abis interface: consists of 16 or 64 Kbits/s connections
GMSC: Gateway MSC
PDN: Public data network, e.g. X.25
IWF: Interworking functions, provide additional functions to connect to PDN
OMC: Operation and maintenance centre (health monitoring using specific standard protocols over X.25)
AuC: Authentication centre for user authentication
EIR: Equipment identity register, stores all IMEI, blacklist of stolen MS
IMEI: International mobile equipment identity
Page 12: Mobile Comms 1

System architecture: radio subsystem

• Components
  – MS (Mobile Station)
  – BSS (Base Station Subsystem): consisting of
    • BTS (Base Transceiver Station): sender and receiver
    • BSC (Base Station Controller): controlling several transceivers
• Interfaces
  – Um: radio interface
  – Abis: standardized, open interface with 16 kbit/s user channels
  – A: standardized, open interface with 64 kbit/s user channels

[Figure: radio subsystem (MS, BSS with BTS and BSC) connected to the network and switching subsystem (MSC). Interfaces: Um, Abis, A.]

Page 13: Mobile Comms 1

Mobile station

A mobile station (MS) comprises several functional groups
  – MT (Mobile Terminal):
    • offers common functions used by all services the MS offers
    • corresponds to the network termination (NT) of an ISDN access
    • end-point of the radio interface (Um)
  – TA (Terminal Adapter):
    • terminal adaptation, hides radio specific characteristics
  – TE (Terminal Equipment):
    • peripheral device of the MS, offers services to a user
    • does not contain GSM specific functions
  – SIM (Subscriber Identity Module):
    • personalization of the mobile terminal, stores user parameters (PIN, PIN unblocking key, authentication key, IMSI)
    • Device is identified through IMEI (International mobile equipment identity)

[Figure: functional groups TE, TA and MT in sequence, with interfaces R, S and Um.]

Notes (Zzaidi):
IMSI: International mobile subscriber identity
Page 14: Mobile Comms 1

System architecture: network and switching subsystem

Components
  – MSC (Mobile Services Switching Center)
  – IWF (Interworking Functions)
  – ISDN (Integrated Services Digital Network)
  – PSTN (Public Switched Telephone Network)
  – PSPDN (Packet Switched Public Data Net.)
  – CSPDN (Circuit Switched Public Data Net.)

Databases
  – HLR (Home Location Register)
  – VLR (Visitor Location Register)
  – EIR (Equipment Identity Register)

[Figure: network subsystem (MSC, MSC, IWF, EIR, HLR, VLR, SS7) and fixed partner networks (ISDN, PSTN, PSPDN, CSPDN).]

Notes (Zzaidi):
SS7: Standard signaling 7 for connecting MSCs, connection establishment, routing etc.
P/CSPDN: Packet/circuit switched PDN
Page 15: Mobile Comms 1

Network and switching subsystem

• NSS is the main component of the public mobile network GSM
  – switching, mobility management, interconnection to other networks, system control
• Components
  – Mobile Services Switching Center (MSC)
    controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC
  – Databases (important: scalability, high capacity, low delay)
    • Home Location Register (HLR)
      central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    • Visitor Location Register (VLR)
      local database for a subset of user data, including data about all users currently in the domain of the VLR

Page 16: Mobile Comms 1

Mobile Services Switching Center

• The MSC (mobile switching center) plays a central role in GSM
  – switching functions
  – additional functions for mobility support
  – management of network resources
  – interworking functions via Gateway MSC (GMSC)
  – integration of several databases
• Functions of a MSC
  – specific functions for paging and call forwarding
  – termination of SS7 (signaling system no. 7)
  – mobility specific signaling
  – location registration and forwarding of location information
  – provision of new services (fax, data calls)
  – support of short message service (SMS)
  – generation and forwarding of accounting and billing information

Page 17: Mobile Comms 1

Operation subsystem

• The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems

• Components
  – Authentication Center (AUC)
    • generates user specific authentication parameters on request of a VLR
    • authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
  – Equipment Identity Register (EIR)
    • registers GSM mobile stations and user rights
    • stolen or malfunctioning mobile stations can be locked and sometimes even localized
  – Operation and Maintenance Center (OMC)
    • different control capabilities for the radio subsystem and the network subsystem

Page 18: Mobile Comms 1

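GSM - TDMA/FDMA

[Figure: GSM TDMA/FDMA structure, frequency against time.
 Downlink: 935-960 MHz, 124 channels (200 kHz). Uplink: 890-915 MHz, 124 channels (200 kHz).
 GSM TDMA frame: 8 time slots (1 to 8), 4.615 ms; frames are grouped into higher GSM frame structures.
 GSM time-slot (normal burst): 577 µs with guard space, 546.5 µs without.
 Burst layout: guard space | tail (3 bits) | user data (57 bits) | S (1 bit) | training (26 bits) | S (1 bit) | user data (57 bits) | tail (3 bits) | guard space]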

Page 19: Mobile Comms 1

Some questions

• Raw data rate per carrier?
• Data rate per carrier?
• Data rate per user (1 slot in a frame)?
• For higher data rate user, what can be done?
• Uplink and Downlink frequencies are 45 MHz apart, do we need a full duplex receiver?
• One frequency band might suffer in frequency selective fading, what to do?

Answers:
• 270 Kbits/s (148 bits/546.5 µs)
• 200 Kbits/s (114/(546.5 or 577 µs))
• 25 Kbits/s (excluding FEC ~ 22.8 Kbits/s)
• Use multiple slots – logical channels
• Uplink and downlink TDM channels are shifted by 3 slots
• Frequency hopping

Page 20: Mobile Comms 1

Traffic channels

• Full rate (TCH-F)
  – 22.8 Kbits/s
  – Standard voice codes, full rate is 13 Kbits/s
  – Rest of the bits are used for error correction
• Half rate (TCH-H)
  – 11.4 Kbits/s
  – Doubles the capacity of system, how? At the expense of what?
  – Half rate codec 5.6 Kbits/s
• Data transmission
  – TCH/F4.8 (4.8 Kbits/s) Why is the data rate low?
  – TCH/F9.6 (9.6 Kbits/s)
  – TCH/F14.4 (14.4 Kbits/s)

Page 21: Mobile Comms 1

Control Channels

• Broadcast channels (0th time slot)
  – Broadcast control channel
    • Cell/network ID
    • Channel characteristics and availability
  – Frequency correction channel
    • To synchronize local oscillators of MS
  – Synchronization channel
    • Correction of individual path delay
• Common control channels (0th time slot if not used by broadcast)
  – Paging channel
  – Random access channel
  – Access grant channel

Page 22: Mobile Comms 1

Control channels II

• Dedicated control channels (any time slot except 0th)
  – Slow associated control channel
    TTTTTTTTTTTTSTTTTTTTTTTTTS….
    • Forward channel: current control information (power level etc.)
    • Reverse channel: received signal quality
    • Also used for SMS
  – Fast associated control channel
    • For urgent messages (Handover etc.)
    • Can take many traffic channels
  – Stand-alone dedicated control channels
    • Signaling data before TCH assignment
    • Also used for SMS

Page 23: Mobile Comms 1

Mobile Terminated Call

[Figure: mobile terminated call. Elements: calling station, PSTN, GMSC, HLR, VLR, MSC, BSS (three), MS. Message arrows are numbered 1 to 17.]

• 1: calling a GSM subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request MSRN (Mobile subscriber roaming no.) from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to current MSC
• 8, 9: get current status of MS
• 10, 11: paging of MS
• 12, 13: MS answers
• 14, 15: security checks, selection of TMSI (Temporary mobile subscriber identity)
• 16, 17: set up connection

Page 24: Mobile Comms 1

Mobile Originated Call

[Figure: mobile originated call. Elements: MS, BSS, MSC, VLR, GMSC, PSTN. Message arrows are numbered 1 to 10.]

• 1, 2: connection request
• 3, 4: security check
• 5-8: check resources (free circuit)
• 9-10: set up call

Page 25: Mobile Comms 1

GSM Operations

From Rappaport, T. S., Wireless Communications, Prentice Hall

Page 26: Mobile Comms 1

Security in GSM

• Security services
  – access control/authentication
    • user to SIM (Subscriber Identity Module): secret PIN (personal identification number)
    • SIM to network: challenge response method
  – confidentiality
    • voice and signaling encrypted on the wireless link (after successful authentication)
  – anonymity
    • temporary identity TMSI (Temporary Mobile Subscriber Identity)
    • newly assigned at each new location update (LUP)
    • encrypted transmission
• 3 algorithms specified in GSM
  – A3 for authentication (“secret”, open interface)
  – A5 for encryption (standardized)
  – A8 for key generation (“secret”, open interface)

“secret”:
• A3 and A8 available via the Internet
• network providers can use stronger mechanisms

Page 27: Mobile Comms 1

GSM - authentication

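[Figure: GSM authentication (challenge-response).
 Mobile network side (AC): A3 takes RAND (128 bit) and Ki (128 bit) and produces SRES* (32 bit).
 SIM side: A3 takes RAND (128 bit) and Ki (128 bit) and produces SRES (32 bit).
 RAND is sent from the mobile network to the SIM; the SIM returns SRES (32 bit); the MSC checks SRES* =? SRES.]

Ki: individual subscriber authentication key
SRES: signed response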

Page 28: Mobile Comms 1

GSM - key generation and encryption

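[Figure: GSM key generation and encryption.
 Mobile network side (AC): A8 takes RAND (128 bit) and Ki (128 bit) and produces the cipher key Kc (64 bit).
 SIM side: A8 takes RAND (128 bit) and Ki (128 bit) and produces Kc (64 bit).
 RAND is sent from the mobile network to the MS with SIM.
 A5 in the BSS and A5 in the MS each use Kc (64 bit) on the data; encrypted data is exchanged between the mobile network (BTS) and the MS.]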
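The two exchanges above (A3 authentication and A8 key generation), as an added example that is not part of the original slides. A3 and A8 are operator-chosen, so HMAC-SHA256 truncations stand in for them here as an assumption; the IMSI, the Ki and all class and function names are constructed for illustration, and only the message flow and field sizes come from the slides.

```python
import hashlib
import hmac
import secrets

# A3 and A8 are operator-chosen algorithms. These HMAC-SHA256 truncations are
# stand-ins for this sketch only, NOT the real A3/A8; sizes follow the slides.
def a3_standin(ki: bytes, rand: bytes) -> bytes:
    """(Ki, RAND) -> 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_standin(ki: bytes, rand: bytes) -> bytes:
    """(Ki, RAND) -> 64-bit cipher key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class Sim:
    """Holds Ki. Only SRES goes over the air; Kc is handed to the MS for A5."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_standin(self._ki, rand), a8_standin(self._ki, rand)

class AuthCentre:
    """AC: stores each subscriber's Ki and issues (RAND, SRES*, Kc) triplets."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge per run
        return rand, a3_standin(ki, rand), a8_standin(ki, rand)

def authenticate(ac, sim, replayed_sres=None):
    """MSC side: send RAND, check SRES* =? SRES. Ki itself is never sent."""
    rand, sres_expected, kc_network = ac.triplet(sim.imsi)
    sres, kc_sim = sim.respond(rand)
    answer = sres if replayed_sres is None else replayed_sres
    ok = hmac.compare_digest(answer, sres_expected)
    # Kc is released to the BSS for A5 only after successful authentication.
    return {"ok": ok, "kc_network": kc_network if ok else None,
            "kc_sim": kc_sim, "sres": sres}

def demo():
    """Constructed subscriber data: genuine SIM, wrong-Ki SIM, replayed SRES."""
    imsi = "001010123456789"                                # constructed IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    ac = AuthCentre()
    ac.provision(imsi, ki)
    genuine = authenticate(ac, Sim(imsi, ki))
    wrong_ki = authenticate(ac, Sim(imsi, bytes(16)))
    replay = authenticate(ac, Sim(imsi, bytes(16)), replayed_sres=genuine["sres"])
    return genuine, wrong_ki, replay

if __name__ == "__main__":
    for label, result in zip(("genuine", "wrong Ki", "replay"), demo()):
        print(label, "->", "accepted" if result["ok"] else "rejected")
```

Because every run draws a fresh RAND, an SRES recorded from an earlier run does not satisfy a later challenge, and both sides arrive at the same Kc without Ki or Kc crossing the air interface.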

Page 29: Mobile Comms 1

4 types of handover

• Typical cell radius: 35 Km in countryside, 100’s m in cities

[Figure: the four handover types, numbered 1 to 4, shown in a hierarchy of MSC, BSC, BTS and MS.]

Page 30: Mobile Comms 1

Handover decision

• Average signal strength is used instead of instantaneous values
• HO_Margin or hysteresis level to reduce the ping-pong effect

[Figure: receive level curves of BTSold and BTSnew for an MS moving from BTSold to BTSnew, with HO_MARGIN marked.]
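A sketch of the decision rule described above, as an added example that is not from the original slides: the receive levels of both cells are averaged over a window, and a handover happens only when the candidate cell beats the serving cell by more than HO_MARGIN. The function names, the trace and the chosen window and margin values are constructed for illustration.

```python
def handover_points(old_levels, new_levels, window, ho_margin):
    """Return the sample indices at which a handover is triggered.

    Levels are receive levels in dBm sampled at the same instants. The decision
    compares the mean of the last `window` samples per cell, and the candidate
    cell must exceed the serving cell by more than `ho_margin` dB.
    """
    serving = "old"
    points = []
    for i in range(len(old_levels)):
        lo = max(0, i - window + 1)          # shorter window at the start
        count = i + 1 - lo
        avg_old = sum(old_levels[lo:i + 1]) / count
        avg_new = sum(new_levels[lo:i + 1]) / count
        if serving == "old" and avg_new - avg_old > ho_margin:
            serving = "new"
            points.append(i)
        elif serving == "new" and avg_old - avg_new > ho_margin:
            serving = "old"
            points.append(i)
    return points


def constructed_walk(samples=41, fade_db=3):
    """Constructed trace: the MS moves from BTSold to BTSnew at 1 dB per
    sample, with alternating +/- fade_db fading in opposite phase per cell."""
    old, new = [], []
    for i in range(samples):
        fade = fade_db if i % 2 == 0 else -fade_db
        old.append(-60 - i + fade)
        new.append(-100 + i - fade)
    return old, new


if __name__ == "__main__":
    old, new = constructed_walk()
    for window, margin in ((1, 0), (1, 7), (4, 3)):
        points = handover_points(old, new, window, margin)
        print(f"window={window} HO_MARGIN={margin} dB -> handovers at {points}")
```

On this trace, instantaneous values with no margin bounce the MS between the cells five times around the crossover, while either averaging or a sufficient margin reduces that to a single handover.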

Page 31: Mobile Comms 1

Disadvantages of GSM

• There is no perfect system!!
• no end-to-end encryption of user data
• no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel
• reduced concentration while driving
• electromagnetic radiation
• abuse of private data possible
• roaming profiles accessible
• high complexity of the system
• several incompatibilities within the GSM standards

Page 32: Mobile Comms 1

Data transmission in GSM

• Data channels
  – TCH/F4.8 (4.8 Kbits/s)
  – TCH/F9.6 (9.6 Kbits/s)
  – TCH/F14.4 (14.4 Kbits/s)
• Why is the data rate low (TCH-F: 22.8 Kbits/s)?
  – TCH/F4.8 (1/3 convolutional code with added tail bits)
  – TCH/F9.6 & TCH/F14.4 (1/2 convolutional code, bit period is small in F14.4)
• Good enough for SMS, fax, etc. but not enough for Internet and multimedia applications

Page 33: Mobile Comms 1

Data services in GSM I

• HSCSD (High-Speed Circuit Switched Data)
  – bundling of several time-slots to get higher AIUR (Air Interface User Rate) (e.g., 57.6 kbit/s using 4 slots, 14.4 each)
  – mainly software update
  – advantage: ready to use, constant quality, simple
  – disadvantage: channels blocked for voice transmission (circuit-switched)

AIUR [kbit/s]   TCH/F4.8   TCH/F9.6   TCH/F14.4
4.8             1          -          -
9.6             2          1          -
14.4            3          -          1
19.2            4          2          -
28.8            -          3          2
38.4            -          4          -
43.2            -          -          3
57.6            -          -          4

Page 34: Mobile Comms 1

Data services in GSM II

• GPRS (General Packet Radio Service)
  – packet switching
  – using free slots only if data packets ready to send (e.g., 50 kbit/s using 4 slots temporarily)
  – standardization 1998, introduction 2001
  – advantage: one step towards UMTS, more flexible
  – disadvantage: more investment needed (new hardware)

Page 35: Mobile Comms 1

GPRS user data rates in kbit/s

Coding scheme   1 slot   2 slots   3 slots   4 slots   5 slots   6 slots   7 slots   8 slots
CS-1            9.05     18.1      27.15     36.2      45.25     54.3      63.35     72.4
CS-2            13.4     26.8      40.2      53.6      67        80.4      93.8      107.2
CS-3            15.6     31.2      46.8      62.4      78        93.6      109.2     124.8
CS-4            21.4     42.8      64.2      85.6      107       128.4     149.8     171.2

Page 36: Mobile Comms 1

GPRS coding schemes

Scheme   PDU Size (bits)   BCS (bits)   USF (bits)   Tail bits   Conv. coder input   Conv. coder output   Punctured bits   Effective rate (Input/456)
CS-1     184               40           0            4           228                 456                  0                0.5
CS-2     271               16           3            4           294                 588                  132              0.64
CS-3     315               16           3            4           338                 676                  220              0.74
CS-4     431               16           9            -           -                   456                  0                1

Radio block: 456 bits in 4 slots, 1 slot in 1 frame (114 bits/slot)

Notes (Zzaidi):
BCS: Block check sequence coding (detect errors not corrected by convolutional codes)
USF: Uplink state flag - indicate stations in a block - used for multiplexing different users
SDU: Service data unit
RLC: Radio link control
Page 37: Mobile Comms 1

GPRS architecture

• GPRS network elements
  – GSN (GPRS Support Nodes): GGSN and SGSN
  – GGSN (Gateway GSN)
    • interworking unit between GPRS and PDN (Packet Data Network)
  – SGSN (Serving GSN)
    • supports the MS (location, billing, security)
  – GR (GPRS Register)
    • user addresses

Page 38: Mobile Comms 1

GPRS architecture and interfaces

[Figure: GPRS architecture and interfaces. Elements: MS, BSS, SGSN, GGSN, PDN, a second SGSN, MSC, VLR, HLR/GR, EIR. Interfaces: Um, Gb, Gn, Gi.]

Page 39: Mobile Comms 1

Serving GPRS Support Node (SGSN)

• at same hierarchical level as MSC
• delivers packets to MS within its service area
• queries HLRs for profile data of GPRS subscribers
• detects new GPRS mobile stations in a given service area
• processes registration of new MSs and keeps a record of their location

Page 40: Mobile Comms 1

Gateway GPRS Support Node (GGSN)

• used as interface to external packet-switched networks
• connected to SGSN via an IP-based GPRS backbone network
• maintains routing information that is necessary to tunnel the Protocol Data Units (PDUs) to the SGSNs that service particular mobile stations
• one or more GGSNs may support multiple SGSNs

Page 41: Mobile Comms 1

GPRS Network Enhancements

• Base Station System (BSS):
  – must be enhanced to recognize and send user data to the SGSN that is serving the area
• Home Location Register (HLR):
  – must be enhanced to register GPRS user profiles and
  – respond to queries originating from SGSNs regarding these profiles
• MSC/VLR:
  – optionally enhanced to coordinate GPRS and non-GPRS e.g. combined location updates, SGSN paging for GSM calls

Page 42: Mobile Comms 1

GPRS Network Operations

• For GPRS user, network is connectionless HOWEVER, a network connection must be established for each transaction, and released once the transaction is completed

• GPRS attach request from MS to begin a transaction

• GPRS detach request from MS to end a transaction

• Attach/detach requests are infrequent e.g. daily

Page 43: Mobile Comms 1

GPRS operations II

• User Registration associates the MS ID with the user address
  – In home area, HLR is enhanced to reference GPRS data
  – Outside home area, dynamically allocated records are referenced in VLRs
• Authentication - via GSM mobility management protocols
• Call Admission Control determines resources for QoS
• Routing is performed by the GSNs on a hop-by-hop basis, using the destination address
  – Routing tables are maintained by the GSNs using the GTP layer

Page 44: Mobile Comms 1

EDGE (Enhanced Data rate for GSM Evolution)

• Uses GSM/GPRS, but with higher-level modulation (8-PSK instead of GMSK)
• Radio link control is also enhanced for better transmission quality
  – Link adaptation
  – Adaptive transmission rate
• Allows up to 48 kbps per timeslot,
• 384 kbps using 8 time slots

Notes (Zzaidi):
MSK is a binary FSK with smaller spacing between frequency assigned to 0 and 1 - compact spectrum
GMSK - MSK with Gaussian pulse shape - better spectral efficiency
Page 45: Mobile Comms 1

Comparison of EDGE and GSM frame

[Figure: GSM time-slot (normal burst), 577 µs with guard space, 546.5 µs without. Burst layout: guard space | tail (3 bits) | user data (57 bits) | S (1 bit) | training (26 bits) | S (1 bit) | user data (57 bits) | tail (3 bits) | guard space]

Basic data rate: (12/13) × (1/8) × (114/0.577) = 22.8 kbps

[Figure: EDGE time-slot]

Basic data rate: (12/13) × (1/8) × (116/0.577) = 23.2 ksymbols/s = 69.6 kbps

Notes (Zzaidi):
guard time of EDGE is in microseconds
each guard time of GPRS = 15.25 microseconds
Page 46: Mobile Comms 1

EDGE coding schemes

Scheme   Effective rate   Data rate/slot (kbps)
CS-1     0.5              11.4
CS-2     0.64             14.5
CS-3     0.74             16.9
CS-4     1                22.8
PCS-1    0.33             22.8
PCS-2    0.49             34.3
PCS-3    0.59             41.3
PCS-4    0.74             51.6
PCS-5    0.82             57.4
PCS-6    1                69.6

• Modulation
  • CS: GMSK
  • PCS: 8-PSK
• Convolutional code
  • CS: 1/2
  • PCS: 1/3

Page 47: Mobile Comms 1

EDGE link quality control

• Link adaptation
  – Coding scheme is chosen according to the link quality feedback
• Adaptive transmission rate
  – Start with the highest rate code
  – If transmission is unsuccessful, use lower rate for re-transmission by puncturing more bits

Page 48: Mobile Comms 1

Reference

• Mobile communications by J. Schiller, Chapter 4