Mobile Communications
BZUPAGES.COM
Instructor: M. Naman Chaudhary, MS (Multimedia and Communication), Muhammad Ali Jinnah University, Islamabad Campus

Wireless Telecommunication Networks: GSM and UMTS
Jochen Schiller

GSM: Overview
• GSM (http://www.gsmworld.com/index.shtml)
  • formerly: Groupe Spéciale Mobile (founded 1982)
  • now: Global System for Mobile Communication
  • Pan-European standard (ETSI, European Telecommunications Standardization Institute)
  • simultaneous introduction of essential services in three phases (1991, 1994, 1996) by the European telecommunication administrations (Germany: D1 and D2); seamless roaming within Europe possible
  • today many providers all over the world use GSM (more than 184 countries in Asia, Africa, Europe, Australia, America)
  • more than 970.8 million subscribers (Dec 2003)
  • more than 73% of all digital mobile phones use GSM
  • over 10 billion SMS (Short Message Service) per month in Germany, > 360 billion/year worldwide

Performance characteristics of GSM (wrt. analog sys.)
• Communication: mobile, wireless communication; support for voice and data services
• Total mobility: international access, chip-card enables use of access points of different providers
• Worldwide connectivity: one number, the network handles localization
• High capacity: better frequency efficiency, smaller cells, more customers per cell
• High transmission quality: high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
• Security functions: access control, authentication via chip-card and PIN

Disadvantages of GSM
• There is no perfect system!!
  • no end-to-end encryption of user data
  • no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel (ISDN bearer: the ISDN channel that carries the main data)
  • reduced concentration while driving
  • electromagnetic radiation
  • abuse of private data possible
  • roaming profiles accessible
  • high complexity of the system
  • several incompatibilities within the GSM standards

GSM: Mobile Services
• GSM offers
  • several types of connections: voice connections, data connections, short message service
  • multi-service options (combination of basic services)
• Three service domains
  • Bearer Services – data
  • Tele Services – voice, short message service (SMS)
  • Supplementary Services
[Figure: bearer services and tele services between the MS (TE, MT; reference points R, S, Um), the GSM-PLMN, the transit network (PSTN, ISDN) and the source/destination network with its TE (U, S, R)]

Bearer Services
• Telecommunication services to transfer data between access points
• Specification of services up to the terminal interface (OSI layers 1-3)
• Different data rates for voice and data (original standard)
  • data service (circuit switched)
    • synchronous: 2.4, 4.8 or 9.6 kbit/s
    • asynchronous: 300 - 1200 bit/s
  • data service (packet switched)
    • synchronous: 2.4, 4.8 or 9.6 kbit/s
    • asynchronous: 300 - 9600 bit/s
• Today: data rates of approx. 50 kbit/s possible – will be covered later!

Tele Services I
• Telecommunication services that enable voice communication via mobile phones
• All these basic services have to obey cellular functions, security measures etc.
• Offered services
  • mobile telephony: primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 kHz
  • Emergency number: common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible)
  • Multinumbering: several ISDN phone numbers per user possible

Tele Services II
• Additional services
  • Non-Voice-Teleservices
    • group 3 fax
    • voice mailbox (implemented in the fixed network supporting the mobile terminals)
    • electronic mail (MHS, Message Handling System, implemented in the fixed network)
    • ...
  • Short Message Service (SMS): alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS

Supplementary services
• Services in addition to the basic services, cannot be offered stand-alone
• Similar to ISDN services besides lower bandwidth due to the radio link
• May differ between different service providers, countries and protocol versions
• Important services
  • identification: forwarding of caller number
  • suppression of number forwarding
  • automatic call-back
  • conferencing with up to 7 participants
  • locking of the mobile terminal (incoming or outgoing calls)
  • ...

Architecture of the GSM system
• GSM is a PLMN (Public Land Mobile Network)
  • several providers set up mobile networks following the GSM standard within each country
  • components
    • MS (mobile station)
    • BS (base station)
    • MSC (mobile switching center)
    • LR (location register)
  • subsystems
    • RSS (radio subsystem): covers all radio aspects
    • NSS (network and switching subsystem): call forwarding, handover, switching
    • OSS (operation subsystem): management of the network

GSM: overview
[Figure: RSS (BSCs), NSS (MSC, GMSC, VLR, HLR) connected to the fixed network, and OSS (OMC, EIR, AUC)]

GSM: elements and interfaces
[Figure: radio cells with MS and BTS forming the BSS within the RSS; NSS with MSC, VLR, GMSC, HLR, IWF and signaling links to ISDN, PSTN, PDN; OSS with EIR, AUC, OMC; interfaces Um, Abis, A, O]

GSM: system architecture
[Figure: radio subsystem (MS, BTS, BSC, BSS; interfaces Um, Abis, A), network and switching subsystem (MSC, IWF, HLR, VLR, EIR, SS7) and fixed partner networks (ISDN, PSTN, PSPDN, CSPDN)]

System architecture: radio subsystem
• Components
  • MS (Mobile Station)
  • BSS (Base Station Subsystem), consisting of
    • BTS (Base Transceiver Station): sender and receiver
    • BSC (Base Station Controller): controlling several transceivers
• Interfaces
  • Um: radio interface
  • Abis: standardized, open interface with 16 kbit/s user channels
  • A: standardized, open interface with 64 kbit/s user channels

System architecture: network and switching subsystem
• Components
  • MSC (Mobile Services Switching Center)
  • IWF (Interworking Functions)
  • ISDN (Integrated Services Digital Network)
  • PSTN (Public Switched Telephone Network)
  • PSPDN (Packet Switched Public Data Net.)
  • CSPDN (Circuit Switched Public Data Net.)
• Databases
  • HLR (Home Location Register)
  • VLR (Visitor Location Register)
  • EIR (Equipment Identity Register)

Radio subsystem
• The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers
• Components
  • Base Station Subsystem (BSS):
    • Base Transceiver Station (BTS): radio components including sender, receiver, antenna - if directed antennas are used one BTS can cover several cells
    • Base Station Controller (BSC): switching between BTSs, controlling BTSs, managing of network resources, mapping of radio channels (Um) onto terrestrial channels (A interface)
    • BSS = BSC + sum(BTS) + interconnection
  • Mobile Stations (MS)

GSM: cellular network
• segmentation of the area into cells
[Figure: possible radio coverage of a cell compared with the idealized shape of the cell]
• use of several carrier frequencies
• not the same frequency in adjoining cells
• cell sizes vary from some 100 m up to 35 km depending on user density, geography, transceiver power etc.
• hexagonal shape of cells is idealized (cells overlap, shapes depend on geography)
• if a mobile user changes cells: handover of the connection to the neighbor cell

Example coverage of GSM networks (www.gsmworld.com)
[Figure: coverage maps for Berlin: T-Mobile (GSM-900/1800), Vodafone (GSM-900/1800), e-plus (GSM-1800), O2 (GSM-1800)]

Base Transceiver Station and Base Station Controller
• Tasks of a BSS are distributed over BSC and BTS
• BTS comprises radio specific functions
• BSC is the switching center for radio channels
• Functions
  • Management of radio channels
  • Frequency hopping (FH)
  • Management of terrestrial channels
  • Mapping of terrestrial onto radio channels
  • Channel coding and decoding
  • Rate adaptation
  • Encryption and decryption
  • Paging
  • Uplink signal measurements
  • Traffic measurement
  • Authentication
  • Location registry, location update
  • Handover management
[Table: which of these functions are handled by the BTS and which by the BSC]

Mobile station
• Terminal for the use of GSM services
• A mobile station (MS) comprises several functional groups
  • MT (Mobile Terminal):
    • offers common functions used by all services the MS offers
    • corresponds to the network termination (NT) of an ISDN access
    • end-point of the radio interface (Um)
  • TA (Terminal Adapter):
    • terminal adaptation, hides radio specific characteristics
  • TE (Terminal Equipment):
    • peripheral device of the MS, offers services to a user
    • does not contain GSM specific functions
  • SIM (Subscriber Identity Module):
    • personalization of the mobile terminal, stores user parameters
[Figure: TE, TA and MT in sequence with reference points R, S and Um]

Network and switching subsystem
• NSS is the main component of the public mobile network GSM
  • switching, mobility management, interconnection to other networks, system control
• Components
  • Mobile Services Switching Center (MSC): controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC
  • Databases (important: scalability, high capacity, low delay)
    • Home Location Register (HLR): central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)
    • Visitor Location Register (VLR): local database for a subset of user data, including data about all users currently in the domain of the VLR

Mobile Services Switching Center
• The MSC (mobile switching center) plays a central role in GSM
  • switching functions
  • additional functions for mobility support
  • management of network resources
  • interworking functions via Gateway MSC (GMSC)
  • integration of several databases
• Functions of a MSC
  • specific functions for paging and call forwarding
  • termination of SS7 (signaling system no. 7)
  • mobility specific signaling
  • location registration and forwarding of location information
  • provision of new services (fax, data calls)
  • support of short message service (SMS)
  • generation and forwarding of accounting and billing information

Operation subsystem
• The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems
• Components
  • Authentication Center (AUC)
    • generates user specific authentication parameters on request of a VLR
    • authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system
  • Equipment Identity Register (EIR)
    • registers GSM mobile stations and user rights
    • stolen or malfunctioning mobile stations can be locked and sometimes even localized
  • Operation and Maintenance Center (OMC)
    • different control capabilities for the radio subsystem and the network subsystem

GSM - TDMA/FDMA
• downlink: 935-960 MHz, 124 channels (200 kHz)
• uplink: 890-915 MHz, 124 channels (200 kHz)
• GSM TDMA frame: slots 1 to 8, 4.615 ms
• GSM time-slot (normal burst), 577 µs: guard space, tail (3 bits), user data (57 bits), S (1 bit), training (26 bits), S (1 bit), user data (57 bits), tail (3 bits), guard space; the burst itself lasts 546.5 µs
[Figure: frequency over time, showing the higher GSM frame structures, the TDMA frame and the normal burst]

GSM - TDMA/FDMA
• GSM time-slot (normal burst)
  • Tail bits are all set to 0 and can be used to enhance the receiver performance.
  • The training sequence is used to adapt the parameters and select the strongest signal.
  • A flag S indicates whether the data field contains user or network control data.
• GSM bursts
  • A normal burst for data transmission
  • A frequency correction burst allows the MS to correct the local oscillator to avoid interference
  • A synchronization burst with an extended training sequence synchronizes the MS with BTS in time.
  • An access burst is used for the initial connection setup.
  • A dummy burst is used if no data is available for a slot.

GSM – Logical channels and frame hierarchy
• GSM specifies two basic groups of logical channels:
  • Traffic channels (TCH): GSM uses a TCH to transmit user data.
  • Control channels (CCH): CCHs are used to control medium access, allocation of traffic channels or mobility management.
    • Broadcast control channel (BCCH): A BTS uses this channel to signal information such as the cell identifier, options, and frequencies to all MSs within a cell.
    • Common control channel (CCCH): All information regarding connection setup between MS and BS is exchanged via the CCCH.
    • Dedicated control channel (DCCH): Before a MS has established a TCH with the BTS, it uses DCCH for signaling.
• Logical frame hierarchy
  • multi-frame: 26 frames
  • superframe: 26 multi-frames + 51 frames or 51 multiframes + 26 frames
  • hyperframe: 2048 superframes

GSM hierarchy of frames
[Figure: hyperframe (superframes 0 ... 2047), 3 h 28 min 53.76 s; superframe (multiframes 0 ... 50 or 0 ... 25), 6.12 s; multiframe (frames 0 ... 25), 120 ms, or (frames 0 ... 50), 235.4 ms; frame (slots 0 ... 7), 4.615 ms; slot/burst, 577 µs]

GSM protocol layers for signaling
[Figure: signaling protocol stacks at MS, BTS, BSC and MSC across the Um, Abis and A interfaces; layers shown: CM, MM, RR, RR', BTSM, BSSAP, LAPDm, LAPD, SS7, radio, PCM (16/64 kbit/s and 64 kbit/s / 2.048 Mbit/s)]

Mobile Terminated Call (Wired phone call)
• 1: calling a GSM subscriber
• 2: forwarding call to GMSC
• 3: signal call setup to HLR
• 4, 5: request MSRN from VLR
• 6: forward responsible MSC to GMSC
• 7: forward call to current MSC
• 8, 9: get current status of MS
• 10, 11: paging of MS
• 12, 13: MS answers
• 14, 15: security checks
• 16, 17: set up connection
[Figure: the numbered steps between calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS]

Mobile Originated Call
• 1, 2: connection request
• 3, 4: security check
• 5-8: check resources (free circuit)
• 9-10: set up call
[Figure: the numbered steps between MS, BSS, MSC, VLR, GMSC and PSTN]

MTC/MOC
Messages exchanged between MS and BTS, in order:

  MTC                        MOC
  paging request
  channel request            channel request
  immediate assignment       immediate assignment
  paging response            service request
  authentication request     authentication request
  authentication response    authentication response
  ciphering command          ciphering command
  ciphering complete         ciphering complete
  setup                      setup
  call confirmed             call confirmed
  assignment command         assignment command
  assignment complete        assignment complete
  alerting                   alerting
  connect                    connect
  connect acknowledge        connect acknowledge
  data/speech exchange       data/speech exchange

4 types of handover
• GSM handover:
  • Intra-cell: A new frequency needs to be arranged by BSC because of interference.
  • Inter-cell, intra-BSC handover: The mobile station moves from one cell to another. The BSC performs a handover.
  • Inter-BSC, intra-MSC handover: The handover is controlled by the MSC.
  • Inter MSC handover: Both MSCs perform the handover together.

4 types of handover
[Figure: handover types 1 to 4 shown on a hierarchy of MS, BTS, BSC and MSC]

Handover decision
[Figure: receive level of BTSold and BTSnew as the MS moves from BTSold to BTSnew, with HO_MARGIN]

Handover procedure
[Figure: message sequence between MS, BTSold, BSCold, MSC, BSCnew and BTSnew: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete]

Security in GSM
• Security services
  • access control/authentication
    • user → SIM (Subscriber Identity Module): secret PIN (personal identification number)
    • SIM → network: challenge response method
  • confidentiality
    • voice and signaling encrypted on the wireless link (after successful authentication)
  • anonymity
    • temporary identity TMSI (Temporary Mobile Subscriber Identity)
    • newly assigned at each new location update (LUP)
    • encrypted transmission
• 3 algorithms specified in GSM
  • A3 for authentication ("secret", open interface)
  • A5 for encryption (standardized)
  • A8 for key generation ("secret", open interface)
• "secret":
  • A3 and A8 available via the Internet
  • network providers can use stronger mechanisms

GSM - authentication
[Figure: the AC in the mobile network and the SIM each hold Ki (128 bit); the AC generates RAND (128 bit), which is also sent to the SIM; both sides run A3 on Ki and RAND to obtain a 32-bit signed response; the MSC checks SRES* =? SRES]
• Ki: individual subscriber authentication key
• SRES: signed response

GSM - key generation and encryption
[Figure: the AC in the mobile network and the SIM in the MS each run A8 on Ki (128 bit) and RAND (128 bit) to derive the cipher key Kc (64 bit); the BSS (BTS) and the MS apply A5 with Kc to the data, so encrypted data is exchanged between MS and BTS]

Data services in GSM I
• Data transmission standardized with only 9.6 kbit/s
  • advanced coding allows 14.4 kbit/s
  • not enough for Internet and multimedia applications
• HSCSD (High-Speed Circuit Switched Data)
  • mainly software update on MS and MSC to split a traffic stream into several streams.
  • bundling of several time-slots to get higher AIUR (Air Interface User Rate) (e.g., 57.6 kbit/s using 4 slots, 14.4 each)
  • advantage: ready to use, constant quality, simple
  • disadvantage: channels blocked for voice transmission

  AIUR [kbit/s]   TCH/F4.8   TCH/F9.6   TCH/F14.4
  4.8             1
  9.6             2          1
  14.4            3                     1
  19.2            4          2
  28.8                       3          2
  38.4                       4
  43.2                                  3
  57.6                                  4

Data services in GSM II
• GPRS (General Packet Radio Service)
  • packet switching
  • using free slots only if data packets ready to send (e.g., 50 kbit/s using 4 slots temporarily)
  • standardization 1998, introduction 2001
  • advantage: one step towards UMTS, more flexible
  • disadvantage: more investment needed (new hardware)
• GPRS network elements
  • GSN (GPRS Support Nodes): GGSN and SGSN
  • GGSN (Gateway GSN): interworking unit between GPRS and PDN (Packet Data Network)
  • SGSN (Serving GSN): supports the MS (location, billing, security)
  • GR (GPRS Register): user addresses

GPRS user data rates in kbit/s

  Coding scheme   1 slot   2 slots   3 slots   4 slots   5 slots   6 slots   7 slots   8 slots
  CS-1            9.05     18.2      27.15     36.2      45.25     54.3      63.35     72.4
  CS-2            13.4     26.8      40.2      53.6      67        80.4      93.8      107.2
  CS-3            15.6     31.2      46.8      62.4      78        93.6      109.2     124.8
  CS-4            21.4     42.8      64.2      85.6      107       128.4     149.8     171.2

Examples for GPRS device classes

  Class   Receiving slots   Sending slots   Maximum number of slots
  1       1                 1               2
  2       2                 1               3
  3       2                 2               3
  5       2                 2               4
  8       4                 1               5
  10      4                 2               5
  12      4                 4               5

GPRS quality of service

  Reliability class   Lost SDU probability   Duplicate SDU probability   Out of sequence SDU probability   Corrupt SDU probability
  1                   10^-9                  10^-9                       10^-9                             10^-9
  2                   10^-4                  10^-5                       10^-5                             10^-6
  3                   10^-2                  10^-5                       10^-5                             10^-2

  Delay class   SDU size 128 byte            SDU size 1024 byte
                mean       95 percentile     mean       95 percentile
  1             < 0.5 s    < 1.5 s           < 2 s      < 7 s
  2             < 5 s      < 25 s            < 15 s     < 75 s
  3             < 50 s     < 250 s           < 75 s     < 375 s
  4             unspecified

GPRS architecture and interfaces
[Figure: MS, BSS, SGSN, GGSN and PDN, together with MSC, VLR, HLR/GR and EIR; interfaces Um, Gb, Gn, Gi]

GPRS protocol architecture
[Figure: protocol stacks at MS, BSS, SGSN and GGSN across the interfaces Um, Gb, Gn and Gi; layers shown: apps., IP/X.25, SNDCP, LLC, RLC, MAC, radio, BSSGP, FR, GTP, UDP/TCP, IP, L1/L2]

DECT
• DECT (Digital European Cordless Telephone) standardized by ETSI (ETS 300.175-x) for cordless telephones
• standard describes air interface between base-station and mobile phone
• DECT has been renamed for international marketing reasons into "Digital Enhanced Cordless Telecommunication"
• Characteristics
  • frequency: 1880-1990 MHz
  • channels: 120 full duplex
  • duplex mechanism: TDD (Time Division Duplex) with 10 ms frame length
  • multiplexing scheme: FDMA with 10 carrier frequencies, TDMA with 2x 12 slots
  • modulation: digital, Gaussian Minimum Shift Keying (GMSK)
  • power: 10 mW average (max. 250 mW)
  • range: approx. 50 m in buildings, 300 m open space

DECT system architecture reference model
[Figure: PA, PT, FT, local networks (with VDB and HDB) and the global network; reference points D1, D2, D3, D4]

DECT layers I
• Physical layer
  • modulation/demodulation
  • generation of the physical channel structure with a guaranteed throughput
  • controlling of radio transmission
    • channel assignment on request of the MAC layer
    • detection of incoming signals
    • sender/receiver synchronization
    • collecting status information for the management plane
• MAC layer
  • maintaining basic services, activating/deactivating physical channels
  • multiplexing of logical channels, e.g., C: signaling, I: user data, P: paging, Q: broadcast
  • segmentation/reassembly
  • error control/error correction

DECT layers II
• Data link control layer
  • creation and keeping up reliable connections between the mobile terminal and basestation
  • two DLC protocols for the control plane (C-Plane)
    • connectionless broadcast service: paging functionality
    • Lc+LAPC protocol: in-call signaling (similar to LAPD within ISDN), adapted to the underlying MAC service
  • several services specified for the user plane (U-Plane)
    • null-service: offers unmodified MAC services
    • frame relay: simple packet transmission
    • frame switching: time-bounded packet transmission
    • error correcting transmission: uses FEC, for delay critical, time-bounded services
    • bandwidth adaptive transmission
    • "Escape" service: for further enhancements of the standard

DECT layers III
• Network layer
  • similar to ISDN (Q.931) and GSM (04.08)
  • offers services to request, check, reserve, control, and release resources at the basestation and mobile terminal
  • resources
    • necessary for a wireless connection
    • necessary for the connection of the DECT system to the fixed network
  • main tasks
    • call control: setup, release, negotiation, control
    • call independent services: call forwarding, accounting, call redirecting
    • mobility management: identity management, authentication, management of the location register

DECT reference model
[Figure: C-Plane (signaling, interworking) and U-Plane (application processes) above the network layer (OSI layer 3), data link control (OSI layer 2), medium access control and physical layer (OSI layer 1), with a management plane alongside]
• close to the OSI reference model
• management plane over all layers
• several services in C(ontrol)- and U(ser)-plane

DECT time multiplex frame
[Figure: 1 frame = 10 ms with 12 down slots and 12 up slots; each slot carries 420 bit + 52 µs guard time ("60 bit") in 0.4167 ms, made up of sync, D field (A field and B field), X field and guard; the B field is shown in protected mode (four DATA blocks of 64 bits, each followed by 16 bits C) and unprotected mode (DATA)]
• A: network control
• B: user data
• X: transmission quality
• simplex bearer: 25.6 kbit/s, 32 kbit/s

Enhancements of the standard
• Several "DECT Application Profiles" in addition to the DECT specification
  • GAP (Generic Access Profile) standardized by ETSI in 1997
    • assures interoperability between DECT equipment of different manufacturers (minimal requirements for voice communication)
    • enhanced management capabilities through the fixed network: Cordless Terminal Mobility (CTM)
    [Figure: DECT Portable Part, DECT Common Air Interface, DECT basestation, fixed network; GAP]
  • DECT/GSM Interworking Profile (GIP): connection to GSM
  • ISDN Interworking Profiles (IAP, IIP): connection to ISDN
  • Radio Local Loop Access Profile (RAP): public telephone service
  • CTM Access Profile (CAP): support for user mobility

TETRA - Terrestrial Trunked Radio
• Trunked radio systems
  • many different radio carriers
  • assign single carrier for a short period to one user/group of users
  • taxi service, fleet management, rescue teams
  • interfaces to public networks, voice and data services
  • very reliable, fast call setup, local operation
• TETRA - ETSI standard
  • formerly: Trans European Trunked Radio
  • offers Voice+Data and Packet Data Optimized service
  • point-to-point and point-to-multipoint
  • ad-hoc and infrastructure networks
  • several frequencies: 380-400 MHz, 410-430 MHz
  • FDD, DQPSK
  • group call, broadcast, sub-second group-call setup

TDMA structure of the voice+data system
[Figure: hyperframe (multiframes 0 ... 59), 61.2 s; multiframe (frames 0 ... 17, with CF = Control Frame), 1.02 s; frame (slots 0 ... 3), 56.67 ms; slot (0 ... 509), 14.17 ms]

UMTS and IMT-2000
• Proposals for IMT-2000 (International Mobile Telecommunications)
  • UWC-136 (Universal Wireless Consortium (US)), cdma2000 (based on IS95), WP-CDMA (Wideband packet-CDMA)
  • UMTS (Universal Mobile Telecommunications System) from ETSI
• UMTS
  • UTRA (was: UMTS, now: Universal Terrestrial Radio Access)
  • enhancements of GSM
    • EDGE (Enhanced Data rates for GSM Evolution): GSM up to 384 kbit/s
    • CAMEL (Customized Application for Mobile Enhanced Logic) – intelligent network support
    • VHE (virtual Home Environment)
  • fits into GMM (Global Multimedia Mobility) initiative from ETSI
    • GMM provides an architecture to integrate mobile and fixed terminals, different access networks, and several core transport networks.
  • requirements for UMTS and UTRA
    • min. 144 kbit/s rural (goal: 384 kbit/s)
    • min. 384 kbit/s suburban (goal: 512 kbit/s)
    • up to 2 Mbit/s urban

Frequencies for IMT-2000
[Figure: spectrum between 1850 and 2200 MHz, comparing the ITU allocation (WRC 1992) with the allocations in Europe, China, Japan and North America; bands shown include IMT-2000, MSS, GSM 1800, DECT, UTRA FDD, TDD, PHS, cdma2000, W-CDMA, PCS and reserved (rsv.) ranges]

UMTS and IMT-2000
• IMT-2000 family
  • IMT-DS: The direct spread technology comprises wideband CDMA (WCDMA) systems. It consists of UTRA-FDD in Europe and FOMA (Freedom of Mobile Multimedia Access) in Japan, developed by 3GPP (3rd Generation Partnership Project).
  • IMT-TC: The time code technology uses time-division CDMA (TD-CDMA). It consists of UTRA-TDD in Europe and TD-synchronous CDMA (TD-SCDMA) in China, developed by 3GPP.
  • IMT-MC: The multi-carrier technology comprises cdma2000, developed by 3GPP2.
  • IMT-SC: The single carrier technology comprises the enhancement of the US TDMA, UWC-136. It applies EDGE (Enhanced Data Rates for Global Evolution), developed by 3GPP/UWCC.
  • IMT-FT: The frequency time technology comprises an enhanced version of DECT, developed by ETSI.

IMT-2000 family
[Figure: interface for internetworking between the IMT-2000 core networks (ITU-T, Telecomm.): GSM (MAP), ANSI-41 (IS-634), IP-Network; and the IMT-2000 radio access (ITU-R, Radiocomm.); initial UMTS (R99 w/ FDD); flexible assignment of Core Network and Radio Access]

  Radio access              Technology                         Developed by
  IMT-DS (Direct Spread)    UTRA FDD (W-CDMA)                  3GPP
  IMT-TC (Time Code)        UTRA TDD (TD-CDMA); TD-SCDMA       3GPP
  IMT-MC (Multi Carrier)    cdma2000                           3GPP2
  IMT-SC (Single Carrier)   UWC-136 (EDGE)                     UWCC/3GPP
  IMT-FT (Freq. Time)       DECT                               ETSI

• The main driving forces are 3GPP (European and Japanese) and 3GPP2 (Qualcomm and CDMA).

Licensing Example: UMTS in Germany, 18. August 2000
• UTRA-FDD:
  • Uplink 1920-1980 MHz
  • Downlink 2110-2170 MHz
  • duplex spacing 190 MHz
  • 12 channels, each 5 MHz
• UTRA-TDD:
  • 1900-1920 MHz, 2010-2025 MHz
  • 5 MHz channels
• Coverage: 25% of the population until 12/2003, 50% until 12/2005
• Sum: 50.81 billion €

UMTS releases and standardization
• Release 99: It describes the new radio access technologies UTRA-FDD and UTRA-TDD, and standardizes the use of a GSM/GPRS network as core. This enables a cost effective migration from GSM to UMTS. It is currently deployed.
• Release 4: It introduces quality of service in the fixed network plus several execution environments.
• Release 5: It specifies a different core network. The GSM/GPRS based network will be replaced by an almost all-IP-core.
• Release 6: 3GPP is currently working on release 6 (release 7).

UMTS architecture (Release 99 used here!)
• UTRAN (UTRA Network)
  • Cell level mobility
  • Radio Network Subsystem (RNS)
  • Encapsulation of all radio specific tasks
• UE (User Equipment)
• CN (Core Network)
  • Inter system handover
  • Location management if there is no dedicated connection between UE and UTRAN
[Figure: UE, UTRAN and CN in sequence, connected by the interfaces Uu and Iu]

UMTS domains and interfaces
[Figure: User Equipment Domain (USIM Domain, Mobile Equipment Domain) and Infrastructure Domain (Access Network Domain; Core Network Domain with Serving Network Domain, Transit Network Domain and Home Network Domain); interfaces Cu, Uu, Iu, Yu, Zu]
• User Equipment Domain
  • Assigned to a single user in order to access UMTS services
• Infrastructure Domain
  • Shared among all users
  • Offers UMTS services to all accepted users

UMTS domains and interfaces
• Universal Subscriber Identity Module (USIM)
  • Functions for encryption and authentication of users
  • Located on a SIM inserted into a mobile device
• Mobile Equipment Domain
  • Functions for radio transmission
  • User interface for establishing/maintaining end-to-end connections
• Access Network Domain
  • Access network dependent functions
• Core Network Domain
  • Access network independent functions
  • Serving Network Domain: network currently responsible for communication
  • Home Network Domain: location and access network independent functions

UMTS radio interface - Spreading and scrambling of user data
• Constant chipping rate of 3.84 Mchip/s
• Different user data rates supported via different spreading factors (# of chips/bit)
  • higher data rate: fewer chips per bit and vice versa
• User separation via unique, quasi orthogonal (their cross-correlation should be almost zero) scrambling codes
  • users are not separated via orthogonal spreading codes
  • much simpler management of codes: each station can use the same orthogonal spreading codes
  • precise synchronization not necessary as the scrambling codes stay quasi-orthogonal
[Figure: sender1 spreads data1, data2, data3 with spr. code1, spr. code2, spr. code3 and applies scrambling code1; sender2 spreads data4, data5 with spr. code1, spr. code4 and applies scrambling code2]

OVSF (Orthogonal Variable Spreading Factor) coding
• Construction rule: a code X at SF=n produces the two codes X,X and X,-X at SF=2n
• SF=1: 1
• SF=2: 1,1 and 1,-1
• SF=4: 1,1,1,1 and 1,1,-1,-1 and 1,-1,1,-1 and 1,-1,-1,1
• SF=8:
  • 1,1,1,1,1,1,1,1
  • 1,1,1,1,-1,-1,-1,-1
  • 1,1,-1,-1,1,1,-1,-1
  • 1,1,-1,-1,-1,-1,1,1
  • 1,-1,1,-1,1,-1,1,-1
  • 1,-1,1,-1,-1,1,-1,1
  • 1,-1,-1,1,1,-1,-1,1
  • 1,-1,-1,1,-1,1,1,-1
  • ...

UTRA-FDD (W-CDMA)
• The FDD mode for UTRA uses wideband CDMA (W-CDMA) with direct sequence spreading.
• Uplink and downlink use different frequencies: uplink (1920-1980 MHz) and downlink (2110-2170 MHz).
• Time slots are not used for user separation but to support periodic functions.
• Each time slot is 38,400 chips/s x 10 ms x 1/15 = 2560 chips (≈2/3 ms).
• The occupied bandwidth per W-CDMA channel is 4.4 to 5 MHz.
• In Germany, the FDD spectrum was sold for over 50 billion Euros.
• To provide higher data rates, the infrastructure should be improved:
  • Twice as many base stations as GSM (500 m cell diameters)

Typical UTRA-FDD uplink data rates
• Dedicated physical data channel (DPDCH)
• Dedicated physical control channel (DPCCH): conveys control data for the physical layer and uses the constant spreading factor 256.
• Dedicated physical channel (DPCH): conveys user or signaling data. The downlink time multiplexes control and user data.
• Physical random access channel (PRACH): used for coordinating medium access on the uplink.

  User data rate [kbit/s]   12.2 (voice)   64    144   384
  DPDCH [kbit/s]            60             240   480   960
  DPCCH [kbit/s]            15             15    15    15
  Spreading                 64             16    8     4

UMTS FDD frame structure
[Figure: radio frame of 10 ms with time slots 0 ... 14, each 666.7 µs and 2560 chips.
 uplink DPCCH: Pilot, TFCI, FBI, TPC; 2560 chips, 10 bits
 uplink DPDCH: Data; 2560 chips, 10*2^k bits (k = 0...6)
 downlink DPCH: Data1, TPC, TFCI, Data2, Pilot (DPDCH, DPCCH, DPDCH, DPCCH); 2560 chips, 10*2^k bits (k = 0...7)]
W-CDMA
• 1920-1980 MHz uplink
• 2110-2170 MHz downlink
• chipping rate: 3.840 Mchip/s
• soft handover
• QPSK
• complex power control (1500 power control cycles/s)
• spreading factors: Uplink: 4-256; Downlink: 4-512
Slot structure NOT for user separation but synchronisation for periodic functions!
• FBI: Feedback Information
• TPC: Transmit Power Control
• TFCI: Transport Format Combination Indicator
• DPCCH: Dedicated Physical Control Channel
• DPDCH: Dedicated Physical Data Channel
• DPCH: Dedicated Physical Channel

UE in UTRA-FDD (W-CDMA)
• A UE has to perform the following steps during the search for a cell after power on:
  • Primary synchronization: A UE has to synchronize with the help of a 256 chip primary synchronization code.
  • Secondary synchronization: This defines the group of scrambling codes.
  • Identification of the scrambling code: the UE tries all scrambling codes within the group of codes to find the right code with the help of a correlator.
• After these three steps the UE can receive all further data over a broadcast channel.

UTRA-TDD (TD-CDMA)
• Separates up and downlink in time using a frame structure similar to FDD.
• 15 slots with 2560 chips per slot for a radio frame with a duration of 10 ms.
• The chipping rate is 3.84 Mchips/s.
• TDD frame can be symmetrical or asymmetrical.
• The switching point is used to indicate the switching between up and downlink.
• At least one slot must be allocated for the uplink and downlink respectively.
• UTRA TDD occupies 5 MHz bandwidth per channel.
• Germany paid less than 300 million Euros.
• It is unclear to what extent this system will be deployed.
• The coverage per cell is less than using UTRA-FDD.
• UEs must not move too fast (like WLANs).

UMTS TDD frame structure (burst type 2)
[Figure: radio frame of 10 ms with time slots 0 ... 14, each 666.7 µs and 2560 chips; traffic burst: Data (1104 chips), Midamble (256 chips), Data (1104 chips), GP (guard period, 96 chips)]
• Midamble is used for training and channel estimation.
TD-CDMA
• 2560 chips per slot
• spreading: 1-16
• symmetric or asymmetric slot assignment to UpLink/DownLink (min. 1 per direction)
• tight synchronisation needed
• simpler power control (100-800 power control cycles/s)

UTRA architecture
• Radio network subsystems (RNS)
  • Radio network controller (RNC) controls several node Bs over the interface (Iub) and is connected with the core network (CN) over Iu.
  • The interface Iur is the interface for connecting two RNCs.
  • Each node B can control several antennas which make a radio cell.
  • The mobile device, user equipment (UE), can be connected to one or more antennas.
• Core network
  • The circuit switched domain (CSD) comprises the classical circuit switched services and connects to the RNS via the IuCS.
  • The packet switched domain (PSD) uses the GPRS components SGSN and GGSN and connects to the RNS via the IuPS.
UTRAN architecture
[Figure labels: UE, Node B, RNC, RNS, UTRAN, CN; interfaces Iub, Iur, Iu]
• RNC: Radio Network Controller
• RNS: Radio Network Subsystem
• UTRAN comprises several RNSs
• Node B can support FDD or TDD or both
• RNC is responsible for handover decisions requiring signaling to the UE
• Cell offers FDD or TDD

UTRAN RNC functions
• Call admission control
• Congestion control
• Radio channel encryption/decryption
• ATM switching and multiplexing, protocol conversion - Radio network configuration
• Channel quality measurements
• Macro diversity
• Radio resource control
• Radio carrier control – bearer setup and release
• Data transmission over the radio interface
• Channel allocation (coding)
• Outer loop power control (FDD and TDD)
• Handover control and RNS relocation (moving)
• Management - System information including current load, current traffic, error states

UTRAN Components
Node B
• The name node B was chosen during standardization until a new and better name was found.
• The main task is the inner loop power control to mitigate near-far effect.
• Measures connection qualities and signal strengths.
• Supports a special case of handover (soft-handover).
User Equipment (UE)
• The UE performs signal quality measurements, inner loop power control, spreading and modulation, and rate matching. (counterpart of a node B)
• The UE has to cooperate during handover and cell selection, performs encryption and decryption. (RNC)
• The UE has to implement mobility management. (CN)

Core network
The Core Network (CN) and thus the Interface Iu, are separated into two logical domains:
Circuit Switched Domain (CSD)
• Circuit switched service including signaling
• Resource reservation at connection setup
• GSM components (MSC, GMSC, VLR)
• IuCS
Packet Switched Domain (PSD)
• GPRS components (SGSN, GGSN)
• IuPS
Release 99 uses the GSM/GPRS network and adds a new radio access!
• Helps to save a lot of money …
• Much faster deployment
• Not as flexible as newer releases (5, 6)

Core network: architecture with 3G RNS and 2G BSS
[Figure labels: BSS (BTS, BSC, Abis); RNS (Node B, RNC, Iub); CN (MSC, GMSC, VLR, HLR, AuC, EIR, GR, SGSN, GGSN); interfaces Iu, IuCS, IuPS, Gn, Gi; PSTN]

Core network: protocols with 3G RNS and 2G BSS
[Figure labels: RNS, UTRAN, CN; MSC, GMSC, VLR, HLR, SGSN, GGSN; GSM-CS backbone, GPRS backbone (IP), SS 7; PSTN/ISDN; PDN (X.25), Internet (IP); Layer 3: IP, Layer 2: ATM, Layer 1: PDH, SDH, SONET]

UMTS protocol stacks (user plane)
[Figure: circuit switched stack across UE, Uu, UTRAN, IuCS, 3G MSC with apps. & protocols, RLC, MAC, radio, SAR, AAL2, ATM; packet switched stack across UE, Uu, UTRAN, IuPS, 3G SGSN, Gn, 3G GGSN with apps. & protocols, IP, PPP, …, PDCP, RLC, MAC, radio, GTP, UDP/IP, AAL5, ATM, L2, L1, IP tunnel]

UMTS protocol stacks
Circuit Switched Domain (CSD)
• Radio link control (RLC)
• Segmentation and reassembly (SAR)
• ATM Adaptation Layer 2 (AAL2)
• Asynchronous Transfer Mode (ATM)
Packet Switched Domain (PSD)
• Packet Data Convergence Protocol (PDCP)
• GPRS Tunneling Protocol (GTP)

Handover
Hard handover
• UTRA-TDD can only use this type.
• Switching between TDD cells is done between the slots of different frames at a certain point in time.
• Inter frequency handover (changing the carrier frequency) is a hard handover.
• All inter system handovers are hard handovers in UMTS (to and from GSM or IMT-2000 systems).
• During a compressed mode which enables a UE to listen into GSM or other frequency bands, the spreading factor can be lowered or less data is sent before and after the break in transmission.
Soft handover
• In CDMA they use macro diversity.
• A UE receiving data from different antennas at the same time makes a handover soft.

Support of mobility: macro diversity
Multicasting of data via several physical channels
• Enables soft handover
• FDD mode only
[Figure labels: UE, Node B, Node B, RNC, CN]
Downlink
• The RNC splits the data stream and forwards it to different nodes B.
• It allows simultaneous transmission of data via different cells.
• The UE combines the received data again.
• Different spreading codes in different cells
Uplink
• The UE sends its data which is then received by several Node Bs.
• Reconstruction of data at Node B, SRNC (Serving RNC) or DRNC (Drift RNC)

Support of mobility: handover
• From and to other systems (e.g., UMTS to GSM)
• This is a must as UMTS coverage will be poor in the beginning
• RNC controlling the connection is called SRNC (Serving RNC)
• RNS offering additional resources (e.g., for soft handover) is called Drift RNC (DRNC)
• End-to-end connections between UE and CN only via Iu at the SRNS
• Change of SRNC requires change of Iu
• Initiated by the SRNC
• Controlled by the RNC and CN
[Figure labels: UE, Node B, SRNC, DRNC, CN; interfaces Iub, Iur, Iu]

Example handover types in UMTS/GSM
[Figure labels: UE1, UE2, UE3, UE4; Node B1, Node B2, Node B3; RNC1, RNC2; BTS, BSC; 3G MSC1, 3G MSC2, 2G MSC3; interfaces Iub, Iur, Iu, Abis, A]
• Intra-node B, intra-RNC – UE1 moves from one antenna, soft handover
• Inter-node B, intra-RNC – UE2 moves from node B1 to node B2, soft handover
• Inter-RNC – UE3 moves from node B2 to node B3, Intra-RNC – soft handover, Inter-RNC – hard handover.
• Inter-MSC – MSC2 takes over and performs a hard handover
• Inter-system – UE4 moves from a 3G UMTS network into a 2G GSM network, hard handover.

Handover
• Intra-node B, intra-RNC: UE1 moves from one antenna
• Inter-node B, intra-RNC: UE2 moves from node B1 to node B2
• Inter-RNC: UE3 moves from node B2 to node B3
• Inter-MSC: MSC2 takes over and performs a handover
• Inter-system: UE4 moves from a 3G UMTS network into a 2G GSM network.

UMTS services (originally)
Data transmission service profiles

Service Profile       Bandwidth     Transport mode
High Interactive MM   128 kbit/s    Circuit switched   Bidirectional, video telephone
High MM               2 Mbit/s      Packet switched    Low coverage, max. 6 km/h
Medium MM             384 kbit/s    Circuit switched   asymmetrical, MM, downloads
Switched Data         14.4 kbit/s   Circuit switched
Simple Messaging      14.4 kbit/s   Packet switched    SMS successor, E-Mail
Voice                 16 kbit/s     Circuit switched

Virtual Home Environment (VHE)
• Enables access to personalized data independent of location, access network, and device
• Network operators may offer new services without changing the network
• Service providers may offer services based on components which allow the automatic adaptation to new networks and devices
• Integration of existing IN services