EE424
Communication Systems
Engineering II
Section 3
• GSM Cellular Telephony Networks
– Introduction to Technology
– Network Structure
– GSM Air Interface
– GSM Channel Structure
– GSM Radio Resource, Mobility and Call Management
– GSM Services
© Liam Kilmartin, Dept. of Elec. Eng., NUI, Galway, February 2000
Cellular Networks
• The essential difference between a cellular
and fixed telephony network is that the
subscriber’s terminal (the Mobile Station MS) is not linked by a fixed physical
connection to the network
– Connection is a radio based wireless connection
• In order to support this terminal mobility
the geographic area which the mobile
network covers is subdivided into cells
Cells
• Each cell is serviced by a fixed radio
transmitter\receiver known as a “base station”
(BS) which is commonly located in the centre or
corner of a cell
• While often drawn as hexagonal in shape, real
cells have no defined shape. The actual area a cell
covers depends on many parameters:
– Transmitter power
– Terrain
– Weather
– Antenna directivity
Cells
• The area a cell covers typically varies from a
very small region in urban areas to quite large
regions (around 35 km radius in GSM) in rural
areas
– Balancing of subscribers and traffic between cells
• Cells are often classified as being:
– Microcells
– Macrocells
– Umbrella cells
– Selective (directional) cells
Frequency Spectrum
• Cellular networks operate within defined
frequency bands of the spectrum
• For example, GSM-900 utilises two 25
MHz bands
– 890-915 MHz (Uplink - MS to BS)
– 935-960 MHz (Downlink - BS to MS)
• These 25 MHz bands are subdivided into
124 carrier frequencies each spaced at
approximately 200 kHz (FDMA)
Frequency Spectrum
• Not all countries utilise the full 25 MHz and
within a country the full GSM band must be
subdivided among several network
operators
• Additional frequency spectrum is allocated
in most countries around 1800 MHz (GSM-1800)
• In US, certain operators implement GSM
standard on a frequency band around 1900
MHz (GSM-1900)
Frequency Re-use
• In a given country with, say, two different
GSM networks, each network will use half the 124
(i.e. 62) GSM-900 carriers
• Clearly, even using TDMA technology this
is an extremely small number of carrier
frequencies to support a GSM network in a
complete country
• All cellular networks address this problem
by what is termed “frequency re-use”
Frequency Re-use
• Frequency re-use means that the same set of
carrier frequencies being used in one cell
can be re-used in the network in a different
cell
• However, the cells re-using the same
carriers must not be adjacent as they would
interfere with one another
• In practice, these cells must be distant from
one another
– Typical “re-use distance” is 2.5 to 3 times the
cell “radius”
Cell Clusters
• Cells in a cellular network are generally
“grouped” together into cell clusters
• Cellular networks are generally designed as
a repeated cluster pattern
• The number of cells in a cluster (typically
4, 7, 12 or 21) is a trade-off between the
traffic capacity in the cluster and its
interference with the adjacent cluster of
cells (where the same frequencies will be
re-used)
Trunking
• In addition to frequency re-use, cellular networks
utilise the concept of “trunking” to support a very
large number of subscribers using a much smaller
number of channels (i.e. carriers)
• This is achieved due to the fact that MS access to a
traffic channel in all cells is by demand assignment
– They must first negotiate with the network over a signalling
channel to gain access to a traffic channel for the duration
of a call
• As with all trunked systems, there is always the
possibility that subscribers will not be able to access
the network due to the limited number of traffic
channels available
GSM Cellular Standard
• All GSM networks and equipment conform to
a defined GSM standard issued by ETSI
(European Telecommunications Standards
Institute)
• GSM is a second generation or digital cellular
technology
– All transmissions (signalling as well as traffic speech) between MS and BS are by digital
modulation of a frequency carrier
• Currently, the most widely used of several
second generation digital cellular telephony
standards
Justification for GSM
• GSM development started in the early
1980s to replace first generation (analogue)
cellular technology
• The proposed system had to meet certain
criteria
– Good subjective speech quality
– Low terminal and network equipment costs
– Support of international roaming
– Integration of various bearer, supplementary and tele-services in a single mobile network
– Efficient use of available spectrum
Meeting these Criteria
• GSM has been very successful in meeting
all of these criteria
– Widely used in well over 100 countries
– Equipment costs are low
– Voice, data and new services available
• However,
– Still not a single “global” standard
– MS to BS bearer rates are still very slow for
non-voice services
• Third generation “global” standard UMTS
GSM Network Architecture
Mobile Station
• The MS consists of the mobile equipment
(terminal) and a smart card called the subscriber
identity module (SIM)
• It is the SIM card which contains all the
network relevant subscriber identity information
• SIM provides subscriber with personal mobility
rather than the terminal (as in first generation
systems)
• Access to SIM protected by security codes (PIN
and PUK codes)
Mobile Station
• Typical information stored on the SIM includes
– International Mobile Subscriber Identity Number
(IMSI) which is the unique identification of the
subscriber (not the same as their mobile phone number)
– Information used in authenticating the SIM when it
attempts to access the network
– Information indicating which bearer, supplementary
and tele-services the subscriber has access to
• The mobile equipment is also uniquely identified
by what is called the International Mobile
Equipment Identity (IMEI) but this is not of
particular importance to the “standard” operation
of the network
Base Station Sub-system
• The BSS consists of two parts:
– Base Station Controller (BSC)
– Several Base Transceiver Station (BTS)
• The BTS primarily consists of a number of the radio
transmitter\receivers required to cover an individual cell plus
any functionality required to support traffic transmission over
the radio link (e.g. channel coding, speech coding,
encryption, RF modulation)
• The BSC is a more sophisticated device which manages the
radio links between the BSSs, under its control, and any MS
in the cells covered by the BSSs
– Allocation of channels to MS for calls
– Measuring and controlling transmitter power levels
• BTSs typically linked to BSC via microwave and fixed links
Network Subsystem
• The network sub-system primarily consists of a
network of telephone exchanges termed Mobile
Switching Centres (MSC)
– MSC interconnect using standard inter-exchange
TDM links
• In addition, however, it also includes equipment
to support the particular requirements of GSM
mobile “telephony network”
• A special MSC termed a Gateway MSC (GMSC)
is used to interconnect the GSM network with
other circuit and packet switched networks
Home Location Register
• The HLR is essentially a large database system
which is connected to, or integrated into, one or
many MSC in the network
• Every subscriber on a GSM network will have a
permanent entry in one of the HLR on their
“home” network
– Subscribers are nominally allocated to a particular
“home” HLR in a network
• The subscriber’s entry (identified by their IMSI)
in their “home” HLR contains important
information such as their current “location” in the
GSM network and the services which the
subscriber can access
Visitor Location Register
• Every MSC in the network will have a VLR
attached to it (typically integrated into MSC)
• The database will contain a temporary entry
for each MS that is currently within cells under
the “control” of that MSC
• When a new MS enters one of these cells, it
passes its IMSI to the VLR which then
accesses the HLR of that MS and downloads
some of its HLR data to the VLR
Visitor Location Register
• Once the VLR has this information, it can
seamlessly handle any call requests relating to
that MS without reference to its HLR
• Once the MS moves from the area “controlled”
by the MSC, or is powered off, its VLR
information is removed
• Typically, a MS that is in a cell controlled by
its “home” MSC will have an entry in that
MSC’s VLR (even though the same data exists
in the HLR attached to that MSC)
Authentication Centre
• AuC is a further database which supports
certain aspects of network security
• In particular, it contains information, known
as a key, which is used to authenticate the
identity of a SIM when an attempt is made
by the SIM to access the network
• The same information is also involved in
the process by which the digital radio
transmissions to\from a mobile can be
encrypted
Equipment Identity Register
• The EIR is also involved in providing network
“security”
• It may also be used by a network to validate
the mobile equipment (IMEI) rather than the
SIM when it attempts to access the network
• The EIR is a database which contains a list
of terminals that are stolen and\or have failed
GSM type approval tests
• Not widely used in many networks
Other Network Functions
• Additional functions that can be found in
GSM networks
– Operations and Maintenance Centre (OMC)
– Billing Centres
– Voice Mail Service (VMS)
– Short Messaging Service Centre (SMSC)
– Cell Broadcast Centre (CBC)
• The role of some of these will be discussed
later
GSM Air Interface
• Previously outlined the FDMA nature of the air
interface, with potentially several frequency
carriers used in each cell
• Each frequency carrier also has a TDMA nature
• The TDMA frame length of approximately
8x0.577 ms consists of 8 timeslots (“burst”
periods) each nominally of a 156.25 bits duration
(270.8 kbps)
• Therefore, each frequency carrier actually
supports 8 physical channels
• Typically, burst period 0 in each frame is
not used for traffic data but for signalling data
GSM Air Interface
• TDMA timing structure used by both the BS
and any transmitting MS in the cell is
defined by the “continuous” downlink
transmission from the BS
• The uplink and downlink frame structures
are deliberately offset from one another by
3 timeslots - Time Division Duplexing
(TDD)
– MS does not have to transmit and receive at the
same time - conservation of power/complexity
of RF circuitry
TDD Nature of GSM
Transmission
Physical Channels
• A single “Physical Channel” consists of one burst
period per TDMA frame on a specific FDMA
carrier
• However, the relationship between physical
channels and the data they contain is NOT simple
– For example, a specific burst period on a carrier is
NOT used to carry user traffic every frame
– For example, burst period N on a carrier has a different
meaning dependent on which frame it is in a 26 or 51
frame multi-frame
– Even more complex time-relationships exist on burst
periods used to carry control, or signalling,
information
Overview of GSM Timing
Structures
• 8 Burst Periods (576.9 µs each) = 1 TDMA Frame
(4.615 ms)
• TDMA frames grouped into either:
– 26 TDMA frames (120 ms)
– 51 TDMA frames (235.4 ms)
to form a multi-frame (depending upon use of
burst periods - signalling or traffic)
• 51 x 26 frame multi-frames, or 26 x 51 frame
multi-frames form a super-frame (6.12 s)
• 2048 super-frames form a cryptographic hyper-frame
(3 hr 28 min 53 s)
Burst Transmission
• The timeslots are termed burst periods because
the GSM transmitter must transmit its data in a
short “burst” within the time slot
– Time slot (156.25 bits) is longer than transmitted
packet duration (up to 148 bits) - 8.25 bit
difference is a guard period
– Transmitter must ramp power up quickly at the
start of the period and ramp it down at the end of
the period
– Guard period is required (specifically in the uplink
direction) to allow for slight deviations in the
arrival times (synchronisation) of bursts from
different MS using adjacent burst periods
Power Ramping Template for
GSM Transmitter
Types of Bursts
• Four different types used in GSM
depending on function of transmission
– Normal Burst (used in both MS and BS in most
cases)
– Frequency Correction Burst (transmitted by BS
to supply all MS with a frequency reference to
aid receiver carrier synchronisation)
– Synchronisation Burst (transmitted by BS to aid
MS “equalisation” circuits)
– Random Access Burst (transmitted by MS
when “first” attempting to transmit to a BS in a
cell)
GSM Burst Types
Role of Bits in Bursts
• Training sequence\synchronisation sequence is a
defined pattern used to aid receiver equaliser
circuitry (to compensate for radio channel
impulse response and multi-path propagation)
• Tail bits (TB) are “useless” bits transmitted as
transmitter ramps up\down power
• Encrypted bits contain encrypted data (signalling
or user traffic) being conveyed over radio link
– In normal burst, 1 bit in each of two 58 bit blocks of
normal burst are “stealing bits” used to indicate if the
encrypted data have been “stolen” to contain
signalling information rather than user traffic bits
Random Access Burst and
Maximum GSM Cell Size
• The Random Access Burst is much shorter than
the normal burst as it is transmitted by an MS
when it is unaware of its “distance” from the BS
• It can receive the BS transmission and hence
deduce (and synchronise to) the air interface
TDMA frame structure BUT the received BS transmission will
have been delayed by an unknown time in
propagating from the BS to the MS
– This unknown time t = MS distance from BS (r) / speed
of light (c)
Random Access Burst and
Maximum GSM Cell Size
• The maximum cell “radius” (rmax) is defined by the
condition where the MS is located at this distance
from the BS and the MS transmits a Random Access
Burst
• The end of the burst must still arrive at the BS
before the end of the burst period
– The MS does not know it is the start of the burst period until
tmax = rmax/c after the actual start
– It then transmits the burst of 88 bits which will be delayed a
further time tmax before arriving back at the BS
– Clearly, tmax + 88 bits / 270 kbps + tmax = 576.9 µs
– Therefore, rmax = 37,646 m = 37.6 km
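The timing figures and the cell-size bound above can all be re-derived from the 120 ms traffic multi-frame. The Python below is an added example, not part of the original slides; the function names are hypothetical and the speed of light is rounded to 3 x 10^8 m/s, the value that reproduces the slide's 37,646 m.

```python
from fractions import Fraction

# Figures quoted on the slides.
MULTIFRAME_26_MS = Fraction(120)          # 26 TDMA frames last 120 ms
BURSTS_PER_FRAME = 8
BITS_PER_BURST_PERIOD = Fraction(625, 4)  # 156.25 bit durations per burst period
RACH_BITS = 88                            # random access burst length used above
C_M_PER_US = 300                          # speed of light in m/us (rounded, assumption)


def timing_hierarchy():
    """Derive every duration on the timing slide from the 120 ms multi-frame."""
    frame_ms = MULTIFRAME_26_MS / 26
    burst_us = frame_ms * 1000 / BURSTS_PER_FRAME
    bit_us = burst_us / BITS_PER_BURST_PERIOD
    superframe_s = frame_ms * 26 * 51 / 1000
    return {
        "frame_ms": frame_ms,                 # about 4.615 ms
        "burst_us": burst_us,                 # about 576.9 us
        "bit_rate_kbps": 1000 / bit_us,       # about 270.8 kbps
        "multiframe_51_ms": frame_ms * 51,    # about 235.4 ms
        "superframe_s": superframe_s,         # exactly 6.12 s
        "hyperframe_s": superframe_s * 2048,
    }


def hms(seconds):
    """Split a duration into whole hours, minutes and seconds."""
    whole = int(seconds)
    return whole // 3600, whole % 3600 // 60, whole % 60


def role_in_26_multiframe(frame_number):
    """Use made of a traffic burst period in a given frame of the 26-frame multi-frame."""
    position = frame_number % 26
    if position == 12:
        return "SACCH"
    if position == 25:
        return "idle"
    return "TCH"


def max_cell_radius_m(burst_us, bit_rate_kbps, rach_bits=RACH_BITS):
    """Solve tmax + rach_bits/bit_rate + tmax = burst period, then rmax = c * tmax."""
    burst_tx_us = rach_bits / bit_rate_kbps * 1000   # bits / (kbit/s) gives ms
    tmax_us = (burst_us - burst_tx_us) / 2
    return float(tmax_us * C_M_PER_US)


if __name__ == "__main__":
    t = timing_hierarchy()
    for name, value in t.items():
        print(f"{name:18s} {float(value):.4f}")
    print("hyper-frame (h, min, s):", hms(t["hyperframe_s"]))
    print("roles in one multi-frame:", [role_in_26_multiframe(n) for n in range(26)])
    print("rmax with slide's rounded inputs:", round(max_cell_radius_m(576.9, 270)), "m")
    print("rmax with exact inputs:", max_cell_radius_m(t["burst_us"], t["bit_rate_kbps"]), "m")
```

With the unrounded bit rate and burst period the same equation gives a slightly larger radius than the slide's rounded inputs.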
Other Air Interface Issues
• A number of other GSM air interface issues should
be examined:
– Timing Advance
– Power Control
– Discontinuous Transmission
– Discontinuous Reception
– Frequency Hopping
• All of these may, or may not, be implemented in
particular GSM networks but are included in the
GSM specification (and hence must be implemented
on all GSM MS) as an aid in minimising
interference and maximising MS power usage
Timing Advance
• Clearly, it is vital that the burst transmission from MS
in a cell arrive within the bounds of the burst period
allocated to that MS
• This is made difficult as the MS may be moving and
hence the propagation delay between MS and BS can
vary
• BS monitors the arrival position of a MS burst in the
allocated burst period
• It must then “inform” the MS to either “advance” or
“retreat” their timing to ensure that subsequent bursts
arrive well within the bounds of their allocated burst
period
• The BS continuously performs this task while a
communication “session” is in progress with an MS
Adaptive Power Control
• As well as monitoring the timing situation, the BS also
performs power measurements on the signal it receives from
the MS
• BS can “instruct” the MS to either increase or decrease its
transmitter power level in order to ensure that the MS is
transmitting at only the maximum power necessary such that
the BS can receive it
– Conservation of battery life
• The MS can also monitor the power it receives from the BS
during its allocated burst period and instruct the BS to
increase\decrease the transmitter power during that burst
period - Also minimises co-channel interference
• Both of these will occur continuously while an MS is in a
communication session with a BS
Possible Power Profile of GSM
BTS
Discontinuous Transmission
• In order to help maximise MS battery life and minimise
co-channel interference, GSM MS and BS only transmit
normal bursts containing speech “information” in their
allocated burst period, during a call, if the mobile user is
actually speaking
• DTX utilises a Voice Activity Detector (VAD) in the MS
software which analyses the incoming speech samples to
distinguish between speech and background noise
• At the other end of the radio link, “comfort noise” is
injected during periods of DTX so that the listener does
not hear “dead silence”
Discontinuous Reception
• The MS does not have to continuously
monitor the transmissions being emitted
from the BS either during calls or when idle
(in case of incoming call requests)
• This means that the MS can “power down”
its reception circuitry except during the
periods when it must “listen” to the BS
transmission
• This helps conserve MS battery life
Frequency Hopping
• GSM standard does include a “slow”
frequency hopping capability for FDMA
carriers in order to counteract the effect of
frequency dependent distortion of carriers
(e.g. multi-path fading) on quality of link
– Frequency “hops” every TDMA frame
• Many networks do not implement frequency
hopping in BS but ALL MS must
• BS must “inform” all MS of the frequency
hopping algorithm being implemented in
that cell
GSM Channel Structure
• We have already introduced the physical channels
used in GSM, namely 8 burst periods per frame on
an FDMA carrier
• We have also seen the need for the transmission of
two distinct types of information between MS and
BS, namely control (signalling) and user traffic
information
• This leads to the concept of two types of channels:
– Traffic Channel (TCH) used to convey user traffic
information
– Control Channels (CCH) used to convey signalling
information between MS and network
GSM Channel Structure
• Typically, burst period 0 in a frame is used (in both
directions) as a CCH
• Remaining seven burst periods in the TDMA are
“nominally” TCHs
• However, this simple picture is not the complete
picture
• We have already seen that the normal burst in a burst
period which carries TCH can be “stolen” to carry
specific types of “urgent” signalling information
– Up to four consecutive frames can be stolen for this Fast
Associated Control Channel (FACCH)
GSM Channel Structure
• For example, the 26 channel multi-frame structure
applies to burst periods used as TCH
• In this multi-frame structure,
– In frames 0 to 11, the burst period acts as a TCH
– In frame 12, it acts as a means of transmitting specific type of
control information (Slow Associated Control Channel SACCH)
– In frames 13 to 24, it again acts as a TCH
– In frame 25, it is actually unused to allow the MS to do other
tasks
• Similarly, the 51 frame multi-frame used on burst
period carrying certain CCH (e.g. burst period 0) is
used in a similar manner to separate when different
“types” of signalling information (or channels) are
Logical Channels
• The GSM standard not only specifies the
“when” of different channels in that different
types of information are transmitted in different
burst periods, frames, multi-frames, super-frames etc.
• It also distinguishes the “why” of the information
under the phrase of “logical channels”
• For example, it is not sufficient to identify
between TCH and CCH.
• The GSM standard identifies the different types
of CCH and TCH that are used
Control Channels
• There are four important different classes of
control channels defined:
– Broadcast Channels (BCH)
– Common Control Channels (CCCH)
– Dedicated Control Channels (DCCH)
– Associated Control Channels (ACCH)
• Each class is further subdivided to identify
specific “logical channels”
• The mapping of these “logical” channels onto
“physical” channels is quite complex but some
examples have already been mentioned
Broadcast Channels
• Broadcast channels are transmitted by the base
station to convey “information” to ALL MS in
the cell
• Three different “logical” BCH exist:
– Broadcast Control Channel (BCCH) conveys all
information required by the MS to access and
identify the network - transmitted in burst period 0
on only one (non-hopping) carrier in a cell
– Synchronisation Channel (SCH) contains the
synchronisation burst when transmitted
– Frequency Correction Channel (FCCH) contains
the frequency correction burst when transmitted
Common Control Channels
• CCH are shared among all MS in a cell and are used
in setting up calls from either the MS or network
side
• Three different types of CCH are defined:
– Paging Channel (PCH) is used by the BS to alert MS to
an incoming call
– Random Access Channel (RACH) is used by MS when it
attempts to request access to the network
• Access by MS in a slotted Aloha manner using Random Access
Burst
– Access Grant Channel (AGCH) is used by BS to tell MS
which DCH to use after it has sent a message over the
RACH
Dedicated Control Channels
• The Standalone Dedicated Control
Channels (SDCCH) are allocated to specific
mobiles to exchange information with the
network for a specific duration
• A typical use of the SDCCH would be to
exchange signalling relating to a call set up
Associated Control Channels
• Two types of ACH which have already been
mentioned:
– Slow ACH (SACCH) which is transmitted in
the TCH burst period once every TCH multi-frame
and is used for signalling of a non-urgent
nature relating to the call (e.g. supplementary
service and call related requests)
– Fast ACH (FACCH) which is formed by
“stealing” up to four consecutive TCH bursts
(frames) to convey “urgent” signalling
information (e.g. handover, power control,
timing advance)
Logical TCHs
• TCH are also classified according to the type
of traffic that they are carrying
• The main ones are:
– TCH/F : Full rate speech codec traffic channel
(1 per burst period)
– TCH/H : Half rate speech codec traffic channel
(2 per burst period)
– TCH/n : n (e.g. 9.6, 4.8) kbps data traffic
channel (1 per burst period)
GSM Speech Codecs
• Three types of speech codec used
– Full Rate Codec
– Half Rate Codec
– Enhanced Full Rate (EFR) Codec
• The Full Rate codec buffers 20 ms (160
samples) worth of 8 kHz sampled speech
and develops a mathematical model used to
predict the 20 ms of speech
• The parameters of this model are encoded
using 260 bits (every 20 ms yields 13 kbps)
GSM Speech Codecs
• Channel coding and interleaving is used to
protect the bits (as with all types of TCH
contents) which are then split into smaller blocks
for transmission in a normal burst every frame
• Half rate codec is not widely used but was
proposed in order to encode speech at 6.5 kbps
and hence double capacity of each burst period
• EFR codec is a more sophisticated compression
algorithm encoding speech at 13 kbps but at a
higher quality (particularly for non-voice signals)
Network Support for MS
Operation
• Comprehensive examination of the air interface which
provides a wireless communication channel between
MS and network (via the BSS)
• To support terminal mobility and roaming, the network
must provide a standardised means by which MS
registration, authentication, call routing and location
updating are carried
• All of these require a significant amount of signalling
between the MS and various parts of the network
• Already examined the means by which various types of
signalling channels
Network Support for MS
Operation
• A data link protocol (LAPDm – mobile) ensures reliable
data link of the wireless signalling channels
• Within network, signalling messages are passed between
entities using a CCS protocol called Signalling System
No.7 (SS7)
• Layer 3 of the GSM stack is formed of three sub-layers
– Radio Resource (RR) Management
– Mobility Management (MM)
– Connection Management (CM)
• MS software implements all three sub-layers but
different devices in the networks implement the other
end of the three network sub-layers
Radio Resource Management
• RR sub-layer is concerned with the establishment,
maintenance and termination of the link (radio and
possibly fixed) between an MS and the MSC to support
calls
• MS, BSS and MSC are the main
components of the network involved
• RR sub-layer session is initiated by the MS either by:
– MS initiating a RR session to set up an outgoing call
– MS responding to a paging message to support an incoming
call
• RR sub-layer has responsibility for management of radio
features such as power control, timing advance, DTX,
DRX and Handover
Call Handover
• Fundamentally important function to support seamless
terminal mobility
• Allows MS to continue a call in progress while moving
between different cells in the network
– Support of the call is handed over to a different BTS to ensure
continuity of the call as the MS moves
• The procedures and operation of handover are one of the
most important functions of the RR sub-layer
• Handover is normally by MS or MSC (to distribute traffic
or loading more evenly in a cell or cell cluster)
Call Handover
• An MS with a call in progress continuously monitors the
strength (quality) of signals (in the BCH) received from
up to 16 “neighbouring” cells
• List of the six best “possible” candidate cells for
handover is transmitted to the BSC (and MSC) once
every second
• MSC may initiate call handover under limited
circumstances as a means of load or traffic balancing
• The four types of Handover involve transferring support
of the call between:
– Traffic channels in the same cell
– BTS controlled by the same BSC
– BTS controlled by different BSC but “belonging” to the same
MSC
– BTS controlled by different BSC
Types of Call Handover
• The first two, termed “internal handovers”, are controlled
by the RR software on the controlling BSC without
reference to the MSC
• The last two, termed “external handovers”, are handled
by the RR software on the controlling MSC, possibly in
communication with the new controlling MSC
• The call remains routed through the original “anchor MSC”
and it DOES remain responsible for most aspects of call
support
– The primary responsibility of the new controlling MSC, the “relay MSC”,
is to support any future inter-BSC handovers
Handover Decision Algorithms
• “Minimum Acceptable Performance” algorithm
only allows handover to be considered if
increasing the MS transmitter signal power (under
instruction from BSS) does not result in an
improvement in quality of signal received
– Very simple and commonly used but can result in cell
boundary “smearing” as a MS continues to transmit at
peak power even after moving into area covered (at
lower power) by another BTS
• “Power Budget” algorithm allows handover to
be initiated if the link (signal) quality can be
maintained by another BTS at the same, or lower,
power
– Far more complicated to implement but much reduced
co-channel interference implications
Mobility Management
• Mobility Management uses the RR sub-layer (to
maintain a signalling link) and its primary functions
are to support :
– terminal mobility
– aspects of security
– Authentication
• Primary role is to support a mechanism by which
the network “knows” the “location” of a powered-on
MS in order to efficiently route calls to that
mobile
• To this end, the network of cells is divided into
“location areas” which are typically a group of cell
clusters controlled by the same MSC
Location Updating
• A powered on MS is informed of an incoming call by a
signalling message
• This must be transmitted in the Paging channel of the cell
the MS is in
• In practice it is transmitted in ALL the cells of the “location
area” the MS is currently in
– Smaller “location areas” result in much higher signalling traffic as
MS move around
– Larger “location areas” result in “excessive” paging of MS on
incoming calls
• MS must update certain network elements of its location :
– When it first powers on (known as IMSI attach)
– When it moves from one “location area” to a new one
– At regular timed intervals while powered on
– When it powers off (known as IMSI detach)
Location Updating Procedures
• Location updating involves MSCs, HLR and VLR
• When an MS switches on, or moves into a new
location area, it must inform the network of this
• MS informs the MSC\VLR controlling the area of
the “location area” it is in
• The VLR then informs the HLR of the MS (by an
SS7 signalling message) that it should be
interrogated if any incoming calls need to be
routed to the MS
• HLR verifies that the MS is allowed access and
sends to the VLR all information from its records
needed to support calls to\from that MS
• HLR also informs the “old” VLR the MS was
registered on to cancel its database entry
Location Updating Procedures
• MS must also send regular (at a network defined
interval) location updating messages to the
network
• Failure to do so (such as when an MS goes out of
coverage) results in that MS being marked as “out
of reach\de-activate” thus resulting in their VLR
entry being cancelled
• Similar operation occurs when the IMSI
“detaches” when the MS is powered off (rather
than going out of coverage)
Authentication Procedure
• Authentication procedure carried out at beginning
of each access by MS to network
• AuC and SIM implement the A3 authentication
algorithm with the same random number
generated by AuC
• Both entities carry out the algorithm with the
subscriber’s secret key
• SIM transmits the result of the algorithm back to
AuC which compares it to its own result to
authenticate SIM access
• Secret key is stored on SIM and in AuC but
NEVER transmitted
Security Procedures - Encryption
• Already examined possible role of EIR to provide
mobile equipment security
• Encryption of all transmissions over air interface
is also an option
• Using random number and key used in
authentication, a ciphering key can be generated
using the A8 algorithm by both ends of the air
interface link
• Ciphering key used to encrypt the 114 bits
(2x57 bits) of data in each normal burst
• Bits are de-ciphered at other end of air interface
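The challenge-response exchange and cipher-key derivation described on the two slides above, as an added Python example that is not part of the original slides. The slides do not specify A3 or A8, so truncated HMAC-SHA256 is swapped in as a stand-in for both; the class and function names, the IMSI and the key are constructed for illustration, and the field sizes (128-bit random number, 32-bit result, 64-bit ciphering key) follow GSM practice rather than the slides.

```python
import hashlib
import hmac
import secrets


# Stand-ins for the operator-chosen A3 and A8 algorithms (assumption: the
# slides do not define them). Both take the secret key and the random number.
def a3_standin(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_standin(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki                      # secret key: never leaves the card

    def respond(self, rand: bytes):
        """Return (result sent over the air, ciphering key kept in the MS)."""
        return a3_standin(self._ki, rand), a8_standin(self._ki, rand)


class AuC:
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki_by_imsi[imsi] = ki

    def challenge(self, imsi: str):
        """Fresh random number plus the result and ciphering key it must yield."""
        ki = self._ki_by_imsi[imsi]
        rand = secrets.token_bytes(16)
        return rand, a3_standin(ki, rand), a8_standin(ki, rand)


def network_access(auc: AuC, sim: Sim, air_interface: list):
    """One access attempt; air_interface records everything sent over the radio."""
    rand, expected, kc_network = auc.challenge(sim.imsi)
    air_interface.append(("to MS", rand))
    result, kc_ms = sim.respond(rand)
    air_interface.append(("from MS", result))
    if not hmac.compare_digest(result, expected):
        return False, None, None
    return True, kc_network, kc_ms


def demo():
    imsi = "001010000000001"                                  # constructed IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")    # constructed key
    auc = AuC()
    auc.provision(imsi, ki)

    air = []
    ok, kc_network, kc_ms = network_access(auc, Sim(imsi, ki), air)

    # A card that presents the same IMSI but does not hold the secret key.
    clone_ok, _, _ = network_access(auc, Sim(imsi, bytes(16)), [])

    # A result captured from the first exchange, replayed against a new challenge.
    captured_result = air[1][1]
    _, expected_next, _ = auc.challenge(imsi)
    replay_ok = hmac.compare_digest(captured_result, expected_next)

    return {
        "genuine_accepted": ok,
        "keys_match": ok and kc_network == kc_ms,
        "clone_accepted": clone_ok,
        "replay_accepted": replay_ok,
        "air_fields": [(label, len(value)) for label, value in air],
        "secret_on_air": any(value in (ki, kc_network) for _, value in air),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the random number and the result cross the air interface; both ends derive the same ciphering key locally, and a result recorded from one access is useless against the next random number.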
Security Procedures - TMSI
• Security for the IMSI, particularly over the air
interface, is vital (to prevent any possibility of cloning)
• Another aspect of security is to minimise how often the
IMSI is transmitted across the air interface
• The IMSI is only transmitted across the air interface, in
signalling messages, during the very first exchange of
signalling messages at the start of a network access by
an MS
• Network responds to access attempt with a signalling
message containing a Temporary Mobile Subscriber
Identity Number (TMSI)
• The TMSI identifies the MS in all subsequent
signalling messages transmitted across the air interface
during that communication session
Communication Management
• CM sub-layer is responsible for call control and
supplementary and teleservice management
• Call Control (CC) responsibilities relate to the
establishment, invoking of additional services and
releasing of a call
• Initiation of outgoing calls from mobile is easily
handled by MSC\VLR using information
regarding MS downloaded from HLR
• Routing of incoming calls to an MS needs to be
examined in a little more detail
MS Terminated Call
• A caller to an MS (from say a fixed network) dials
the Mobile subscriber ISDN (MSISDN) number
which has been allocated to that subscriber
– Contains country code and national destination code
(NDC) which identify mobile network
– Remaining digits identify the subscriber (and
specifically their HLR)
• Call is routed to the Gateway MSC (GMSC)
– GMSC is capable of interrogating the HLR for the
destination MS (as determined by analysis of the
dialled MSISDN number) over SS7 signalling network
MS Terminated Call
• HLR interrogates the VLR where the MS is
“located” over the SS7 signalling network which
returns a (temporary) Mobile Station Roaming
Number to the HLR
• This MSRN is returned to the GMSC and allows it
to set up a speech circuit for the call as far as the
MSC to which the VLR is attached
• When the call reaches that MSC, the VLR
translates the received MSRN back to the IMSI of
the destination MS
• The MSC then instructs the required BTS to page
the MS in all the cells in its current “location area”
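Location updating and the routing of an MS terminated call, modelled together as an added Python example that is not part of the original slides. The class names, identities, MSRN format and cell names are all constructed for illustration; SS7 messages are reduced to method calls.

```python
import itertools


class HLR:
    """Permanent subscriber records on the home network, keyed by IMSI."""

    def __init__(self):
        self._records = {}            # IMSI -> {"services": ..., "vlr": serving VLR}
        self._imsi_by_msisdn = {}

    def provision(self, imsi, msisdn, services):
        self._records[imsi] = {"services": services, "vlr": None}
        self._imsi_by_msisdn[msisdn] = imsi

    def update_location(self, imsi, new_vlr):
        """Called by a VLR; returns subscriber data, or None if access is refused."""
        record = self._records.get(imsi)
        if record is None:
            return None
        old_vlr = record["vlr"]
        if old_vlr is not None and old_vlr is not new_vlr:
            old_vlr.cancel(imsi)      # the "old" VLR drops its temporary entry
        record["vlr"] = new_vlr
        return record["services"]

    def routing_info(self, msisdn):
        """Called by the GMSC; returns (serving MSC/VLR, MSRN) or (None, None)."""
        imsi = self._imsi_by_msisdn.get(msisdn)
        record = self._records.get(imsi)
        if record is None or record["vlr"] is None:
            return None, None
        vlr = record["vlr"]
        return vlr, vlr.allocate_msrn(imsi)


class MscVlr:
    """One MSC with its integrated VLR."""

    def __init__(self, name, location_areas):
        self.name = name
        self.location_areas = location_areas    # location area -> cells in it
        self.visitors = {}                      # IMSI -> temporary entry
        self._imsi_by_msrn = {}
        self._sequence = itertools.count(1)

    def location_update(self, hlr, imsi, location_area):
        services = hlr.update_location(imsi, self)
        if services is None:
            return False
        self.visitors[imsi] = {"location_area": location_area, "services": services}
        return True

    def cancel(self, imsi):
        self.visitors.pop(imsi, None)

    def imsi_detach(self, imsi):
        self.cancel(imsi)

    def allocate_msrn(self, imsi):
        if imsi not in self.visitors:
            return None
        msrn = f"{self.name}-MSRN-{next(self._sequence):04d}"   # constructed format
        self._imsi_by_msrn[msrn] = imsi
        return msrn

    def receive_call(self, msrn):
        """Translate the temporary MSRN back to the IMSI and page its location area."""
        imsi = self._imsi_by_msrn.pop(msrn)
        area = self.visitors[imsi]["location_area"]
        return imsi, list(self.location_areas[area])


def terminate_call(hlr, msisdn):
    """GMSC view of an incoming call to a dialled MSISDN."""
    msc, msrn = hlr.routing_info(msisdn)
    if msrn is None:
        return None
    imsi, cells = msc.receive_call(msrn)
    return {"msc": msc.name, "msrn": msrn, "imsi": imsi, "paged_cells": cells}


def scenario():
    """Constructed walk-through: power on, call, move, call, power off, call."""
    imsi, msisdn = "001010000000001", "+999 70 0000001"    # constructed identities
    hlr = HLR()
    hlr.provision(imsi, msisdn, services=["telephony", "SMS"])
    msc_a = MscVlr("MSC-A", {"LA1": ["cell-1", "cell-2", "cell-3"], "LA2": ["cell-4"]})
    msc_b = MscVlr("MSC-B", {"LA7": ["cell-9", "cell-10"]})
    out = {"attach": msc_a.location_update(hlr, imsi, "LA1")}
    out["call_1"] = terminate_call(hlr, msisdn)
    out["moved"] = msc_b.location_update(hlr, imsi, "LA7")
    out["old_entry_cancelled"] = imsi not in msc_a.visitors
    out["call_2"] = terminate_call(hlr, msisdn)
    msc_b.imsi_detach(imsi)
    out["call_after_detach"] = terminate_call(hlr, msisdn)
    out["unknown_imsi"] = msc_a.location_update(hlr, "001019999999999", "LA1")
    return out
```

The caller only ever dials the MSISDN; the IMSI and the MSRN stay inside the network, and the page goes to every cell of the location area rather than to one cell.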
GSM Supplementary Services
• Comprehensive set of supplementary
services defined in GSM
– Call Forwarding\Hold\Waiting\Barring
– Conference Call
– Calling Line ID (Restriction)
– Connected Line ID (Restriction)
– Closed User Groups
– Advice of Charge
GSM Teleservices
• Wide range of Teleservices
– Telephony
– Group 3 Fax Service
– Voice\Fax Mail
– Short Messaging Service (SMS)
– Cell Broadcast Service (CBS)
• Delivered over various speech and data bearer services
• Data services can be transparent or utilise a comprehensive
data link layer protocol (Radio Link Protocol (RLP))
• Data\Fax services utilise a digital bearer service and hence
do NOT have a modem at the MS
– Network (MSC) requires an inter-working function (IWF) (i.e. a
modem bank) to allow inter-working with non-ISDN terminals
(e.g. PSTN)
Short Messaging Service
• SMS allows 160 character messages to be sent to
specific subscriber(s)
• Messages are transmitted to\received by MS over
signalling channels
• All incoming short messages are processed by the
Short Messaging Service Centre (SMSC)
• Messages stored (for a certain duration) on SMSC
if desired recipient MS is powered off
• SMSC will receive messages from:
– GSM subscribers
– Voice or modem (DTMF) equipped Messaging Bureau
– Internet
Cell Broadcast
• Uni-directional messaging service
controlled by a Cell Broadcast Centre
(CBC)
• Messages of up to 93 characters delivered to
MS over signalling channel
• Messages can be broadcast to all the MS in
specific geographic areas
New Data Services
• Two new GSM data (bearer) services have been
standardised
– High Speed Circuit Switched Data Service (HSCD)
– General Packet Radio Service (GPRS)
• Current data bearer services only offer up to 9.6
kbps
• HSCD allows a high speed data connection by
allocating multiple (up to 7) burst periods on a
carrier to an MS
• GPRS provides a high speed (> 100 kbps) packet
switched service to MS by dynamically utilising
unused burst periods over the air interface