View
237
Download
5
Category
Preview:
Citation preview
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.1
Mobile Communications
Chapter 4: Wireless
Telecommunication Systems
Market
GSM
Overview
Services
Sub-systems
Components
GPRS
DECT Not a part if this course!
TETRA Not a part if this course!
w-cdma (rel 99), IMT2000
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.2
1946 – First commercial mobile radio-telephone service by Bell and AT&T
in Saint Louis, USA. Half duplex
1973 – First handheld cellular phone
– Motorola.
1978 – First cellular net in Bahrein
1979 – NMT at 450MHz (Scandinavian countries)
1992 – Start of GSM
It all started like this
The first car mounted radio telephone – 1921
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.3
Basic Definitions
• Forward Link, Downlink, Downstream
• The path from the network or base station to the mobile
• GSM terminology uses “Downlink”
• CDMA, AMPS and TDMA use “Forward Link”
• Most wireline technologies use “Downstream”
• Reverse Link, Uplink, Upstream
• The path from the mobile to the network or base station
• GSM terminology uses “Uplink”
• CDMA, AMPS and TDMA use “Reverse Link”
• Most wireline technologies use “Upstream”
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.4
Duplex Techniques
Frequency channels
time
time
Forward Link
Reverse Link
Reverse Link
Reverse Link
Forward Link
Forward Link FDD
TDD
Frequency Division Duplex (FDD), Time Division Duplex (TDD)
GSM
UMTS
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.5
GSM
1982 The GSM group was formed
1986 Field trials in France
1987 TDMA was chosen as access method
1988 Memorandum of understanding -18 countries
1991 Phase I specifications published
1990 GSM specifications ported to DCS 1800
1992 Official commercial launch of GSM in Europe
1995 GSM specifications ported to PCS 1900
2000 Responsibility for GSM Standard transferred to 3GPP (3rd Generation Partnership Project)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.6
GSM frequency bands
• 890-915 MHz Uplink
• 935-960 MHz Downlink
• 1710-1785 MHz Uplink
• 1805-1880 MHz Downlink
• 1850-1910 MHz Uplink
• 1930-1990 MHz Downlink
• 900 MHz
• 2*25 MHz Bands
• 45 MHz Duplex Spacing
• 125 carriers
• 1800 MHz
• 2*75 MHz Bands
• 95 MHz Duplex Spacing
• 375 carriers
• 1900 MHz
• 2*60 MHz Bands
• 80 MHz Duplex Spacing
• 300 carriers
North America
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.7
SYSTEM ARCHITECTURE
PSTN GMSC
ISDN
PLMN
MSC
BSC
BTS BTS
BSC
MSC
HLR
VLR VLR
AUC
EIR
MS
AUC: AUthentication Center
OMC: Operation and Managing Center
BTS: Base Tranciver Staition
BSC: Base Station Controller
EIR: Equipment Identity Register
GMSC: Gateway MSC
HLR: Home Location Register
MS: Mobile Station
MSC: Mobile Switching Center
VLR: Visiting Location Register
OMC
GSM is a PLMN (Public Land Mobile Network)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.8
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
The Radio Station Subsystem (RSS) -
The Wireless Part
Base Transceiver Station (BTS),
cell coverage, comprises radio specific
functions
Base Station Controller (BSC)
controls several BTSs, the switching
center for radio channels
Functions BTS BSC
Management of radio channels X
Frequency hopping (FH) X X
Management of terrestrial channels X
Mapping of terrestrial onto radio channels X
Channel coding and decoding X
Rate adaptation X
Encryption and decryption X X
Paging X X
Uplink signal measurements X
Traffic measurement X
Authentication X
Location registry, location update X
Handover management X
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.9
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
Network Switching SubSystem
NSS is the main component of the public
mobile network GSM
switching, mobility management,
interconnection to other networks,
system control
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.10
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
The Network Switching Subsystem (NSS) -
The Mobile Switching Centre (MSC) manages a
large number of BSCs
Gateway Mobile Switching Centre (GMSC) is
the gateway to other networks
Various Registers (data bases)
Signalling messages and data base accesses
are transported by the Signalling System Nr. 7
(SS7) using the Mobile Application Part (MAP)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.11
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
The MSC plays a central role in GSM
controls all connections via a separated network to/from a
mobile terminal within the domain of the MSC - several BSC
can belong to a MSC
•switching functions
•additional functions for mobility support
•management of network resources
•interworking functions via Gateway MSC (GMSC)
•integration of several databases
Functions of a MSC
•specific functions for paging and call forwarding
•mobility specific signaling
• location registration and forwarding of location information
•support of short message service (SMS)
•generation and forwarding of accounting and billing
information
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.12
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
Home Location Register (HLR)
Central master database containing user data,
permanent and semi-permanent data of all
subscribers assigned to the HLR
* usually one HLR per provider
* primarilly a data base for subscriber data.
* Subscriber identifiers service profiles, etc.
* Localization information (current VLR, MSC)
* Is a platform for all kinds of services
Visitor Location Register (VLR)
local database for a subset of user data, including
data about all user currently in the domain of the
VLR
* usually one VLR per MSC
* stores all relevant data of visiting MS
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.13
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
The OSS (Operation Subsystem) enables
centralized operation, management, and
maintenance of all GSM subsystems
Components
Authentication Center (AUC)
Equipment Identity Register (EIR)
Operation and Maintenance Center (OMC)
different control capabilities for the radio
subsystem and the network subsystem
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.14
GSM: elements and interfaces
NSS
MS MS
BTS
BSC
GMSC
IWF
OMC
BTS
BSC
MSC MSC
Abis
Um
EIR
HLR
VLR VLR
A
BSS
PDN
ISDN, PSTN
RSS
radio cell
radio cell
MS
AUCOSS
signaling
O
Equipment Identification Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be
locked and sometimes even localized
•stores serial numbers (IMEI) of MS equipment
(models, software versions, black list)
Authentication Centre (AUC)
generates user specific authentication parameters
on request of a VLR authentication parameters
used for authentication of mobile terminals and
encryption of user data on the air interface within
the GSM system
* stores cryptographic data (keys)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.15
GSM: Mobile Services
GSM offers
several types of connections
voice connections, data connections, short message service
multi-service options (combination of basic services)
Three service domains
Bearer Services: to transfer data between access points
Telematic Services: mobile telephony, SMS, MMS
Supplementary Services: conferencing, suppression of number forwarding,
etc.
GSM-PLMN
transit
network
(PSTN, ISDN)
source/
destination
network
TE TE
bearer services
tele services
R, S (U, S, R)Um
MT
MS
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.16
Bearer Services
Bearer services to transfer data between access points
Specification of services up to the terminal interface (OSI layers 1-3)
Different data rates for voice and data (original standard)
data service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 1200 bit/s
data service (packet switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 9600 bit/s
Today: data rates of approx. 50 kbit/s possible – will be covered later!
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.17
Tele Services I
Telecommunication services that enable voice communication
via mobile phones
All these basic services have to obey cellular functions, security
measurements etc.
Offered services
mobile telephony
primary goal of GSM was to enable mobile telephony offering the
traditional bandwidth of 3.1 kHz
Emergency number
common number throughout Europe (112); mandatory for all
service providers; free of charge; connection with the highest
priority (preemption of other connections possible)
Multinumbering
several ISDN phone numbers per user possible
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.18
Tele Services II
Additional services
Non-Voice-Teleservices
group 3 fax
voice mailbox (implemented in the fixed network supporting the mobile
terminals)
electronic mail (MHS, Message Handling System, implemented in the fixed
network)
...
Short Message Service (SMS)
alphanumeric data transmission to/from the mobile terminal using the
signaling channel, thus allowing simultaneous use of basic services and
SMS
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.19
Supplementary services
Services in addition to the basic services, cannot be offered
stand-alone
Similar to ISDN services besides lower bandwidth due to the
radio link
May differ between different service providers, countries and
protocol versions
Important services
identification: forwarding of caller number
suppression of number forwarding
automatic call-back
conferencing with up to 7 participants
locking of the mobile terminal (incoming or outgoing calls)
...
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.20
GSM Mobile Communications
The GSM 900 MHz Frequency Band
860 870 880 890 900 910 920 930 940 950 960 970
25 MHz25 MHz
10 10
4 4
P-GSM
E-GSM
R-GSM
*)
*) several other Systems:
- Cordless Telephone CT1, CT1+, CT2
- Telemetry / Telecommand
- Terrestrial Trunked Radio (TETRA)
- Digital Satellite System Receiver (DSSR)
Uplink Downlink
Duplex Distance 45 MHz
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.21
GSM Mobile Communications
The GSM 1800, DECT and UMTS Bands
1700 1750 1800 1850 1900 1950 200 2050 2100 2150 2200 2250
75 MHz
UMTS
GSM 1800
DECT
1: Time Division Duplex (TDD)
2: Frequency Division Duplex (FDD)
3: Mobile Satellite System (MSS)
Uplink Downlink
Duplex Distance
95 MHz
75 MHz
1 2 3 1 2 3
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.22
R cell radius
K cluster size
D repeating
distance
GSM Mobile Communications
Spatial Frequency Re-use in Cell Clusters
1
23
1
23
1
23
1
23
546
71
23
546
71
235
46
71
23
546
71
23
K = 12
D
R
546
71
23
98 10
11
12
546
71
23
98 10
11
12
546
71
23
98 10
11
12
546
71
23
98 10
11
12
K = 7
K = 3 D R K 3
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.23
possible radio coverage of the cell
idealized shape of the cellcell
segmentation of the area into cells
GSM: cellular network
use of several carrier frequencies
not the same frequency in adjacent cells
cell sizes vary from some 100 m up to 35 km depending on user
density, geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
if a mobile user changes cells
handover of the connection to the neighbor cell
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.24
MACRO, MICRO AND PICO CELLS
By using small macro
cells in combination with
Tighter Frequency Reuse
and a micro cellular
overlay, the capacity of a
standard 4/12 reuse
cellular network with 7.5
MHz available spectrum
can be increased eight-
fold. The micro cellular
network operates in a
segmented frequency and
from the nearby macro
cells and provides the
additional benefit of
coverage redundancy.
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.25
B = 200 kHz
B
B
B
B
Guard Band
···
f
fN
fk
f2
f1
0
Radio
Frequency
Channels
Guard Band fL
fU
Frequency
Band
...
GSM Mobile Communications
Combined FDMA / TDMA Scheme
t
...0 1 2 ... 7 0 1
...0 1 2 ... 7 0 1
...0 1 2 ... 7 0 1
...0 1 2 ... 7 0 1
Time Slots
Frame
T
T 577 s
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.26
TDMA: FRAME
0 1 2 3 4 5 6 7
4.613 ms
156.25 bit/s
0.579 ms
• A slot lasts for a duration of 156.25 bit times
• The slot lasts 15/26 ms=579.9 micro s
• so a frame takes 4.613 ms
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.27
f2
f1...0 1 2 ... 7 0 1
...0 1 2 ... 7 0 1
GSM Radio Interface Um
Bursts
156.25 Bits in 576.923 s
(3.6923 s/Bit)
useful part
Power p(t)
t
8.25 Bits Guard Period
26 Training Bits
2 x 58 Encrypted Bits
3 Tail Bits 3 Tail Bits
Tail Bits:
Set to zero
Can be used to
Enhance the receiver
performance
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.28
GSM Radio Interface Um
Types of Burst
Structure of Normal Burst
2 x 3 Tail Bits (TB)
2 x 58 Encrypted Bits (Payload for Traffic and Control Channels)
2 x 1 Stealing Flag (Switch between Traffic / Control Payload)
2 x 57 Payload Bits
26 Bits Training Sequence (Midamble)
Fixed bit sequence used for channel estimation allowing optimum channel
equalization
Five Different Types of Burst
Normal Burst - Traffic and Control Payload
Frequency Correction Burst - All Zeroes Sequence
Synchronization Burst - Special Fixed Sequence
Access Burst - Extended Guard Period of 68.25 Bits (252 s)
Dummy Burst
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.29
GSM Radio Interface Um
Adaptive Frame Alignment
Thanks to the time shift of 3 time slots between the BTS TX and RX
TDMA frames, the MS is not required to receive and transmit
simultaneously. This simplifies the MS hardware.
The MS continuously aligns its TX frame start based on the Timing
Advance (TA) measurements received from the BTS
The extended guard period of the access burst (252 s) allows a
maximum range between MS and BTS of 35 km.
0 1 2 3 4 5 6 7
0 1 2 3 4 5 6 7
BTS
RX
TX
0
MS
0 TA = 2·t
0 1 2 3 4 5 6 7 TX
0 1 2 3 4 5 6 7 RXt = s / c
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.30
GSM Radio Interface Um
Logical Channels
Control
Channels
(CCH)
Traffic
Channels
(TCH)
Full Rate
(TCH/F)
Half Rate
(TCH/H)
Dedicated
Control
Channels
Stand Alone Dedicated Control Channel (SDCCH)Fast Associated Control Channel (FACCH)
Slow Associated Control Channel (SACCH)
Common
Control
Channels
Paging Channel (PCH)
Random Access Channel (RACH)Access Grant Channel (AGCH)
Notification Channel (PCH)
Broadcast
Channels
Synchronization Channel (SCH)Frequency Control Channel (FCCH)
Broadcast Control Channel (BCCH)
Downlink (DL)
Uplink (UL)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.31
GSM Radio Interface Um
Broadcast Channels
Broadcast Channels are used for
synchronisation purposes and
broadcasting of cell-specific
information in the downlink from
BTS to MS
Frequency Correction Channel (FCCH)
carries information for frequency correction of the MS
Synchronization Channel (SCH)
carries information for frame synchronization of the MS (e.g.
TDMA frame number FN) and for identification of the BTS (e.g
Base Station Identity Code BSIC)
Broadcast Control Channel (BCCH)
broadcasts general information on the BTS as well as cell-
specific information like control channel organisation, frequency
hopping sequences, cell identification, etc.
Control
Channels
(CCH)
Dedicated
Control
Channels
Common
Control
Channels
Broadcast
Channels
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.32
GSM Radio Interface Um
Common Control Channels
Common Control Channels
are point-to-multipoint
channels used mainly for
access control
Paging Channel (PCH) - downlink only
used by the BTS for paging and localizing the MS
Random Access Channel (RACH) - uplink only
used by any MS to request allocation of a signalling channel
(SDCCH). A slotted Aloha protocol is used, so collisions among
concurring MS are quite possible.
Access Grant Channel (AGCH) - downlink only
used to allocate a SDCCH or directly a TCH
Notification Channel (NCH) - downlink only
used to notify MS of voice group and voice broadcast calls (ASCI
feature)
Control
Channels
(CCH)
Dedicated
Control
Channels
Common
Control
Channels
Broadcast
Channels
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.33
GSM Radio Interface Um
Dedicated Control Channels
Dedicated Control Channels are
bidirectional point-to-point
channels, that allow authentication,
signalling, handover and the
exchange of measurement values.
Stand Alone Dedicated Control Channel (SDCCH)
used for call setup (authentication, signalling, assignment
of actual TCH), localisation updates and SMS
Slow Associated Control Channel (SACCH)
is always coupled with a SDCCH or TCH and is used for the
exchange of measurement values and control parameters
Downlink : Control of MS Power Level and MS Timing Advance
Uplink : Measurement reports (MS reception levels) used
by the BTS for its handover-decisions
Fast Associated Control Channel (FACCH)
is activated in case of increased signalling demand e.g. during
handover. Bandwidth is stolen from associated TCH
Control
Channels
(CCH)
Dedicated
Control
Channels
Common
Control
Channels
Broadcast
Channels
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.34
GSM Radio Interface Um
Traffic Channels (TCH)
Full Rate Traffic Channel (TCH / F) Speech Codec
Speech @ 13 kbps (TCH / FS) Full Rate
Speech @ 12.2 kbps (TCH / EFS) Enhanced Full Rate
Data @ 14.4 kbps (TCH / F14.4)
Data @ 9.6 kbps (TCH / F9.6)
Data @ 4.8 kbps (TCH / F4.8)
Data @ 2.4 kbps (TCH / F2.4)
Half Rate Traffic Channel (TCH / H) Speech Codec
Speech @ 6.5 kbps (TCH / HS) Half Rate
Data @ 4.8 kbps (TCH / H4.8)
Data @ 2.4 kbps (TCH / H2.4)
Traffic Channels are used for
bidirectional transmission of
circuit switched voice or data.
Traffic
Channels
(TCH)
Full Rate
(TCH/F)
Half Rate
(TCH/H)
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.35
PCH Paging Channel
RACH Random Access Ch.
AGCH Access Grant Ch.
SDCCH Stand-alone
Dedicated Control
Channel
FACCH Fast Associated
Control Channel
TCH Traffic Channel
GSM Radio Interface Um
Call Setup (MS terminating)
MS BTSPaging RequestPCH
Paging Response
Call Confirmation
Assign Command
Setup
Authentication / Cipher Mode
SDCCH
Voice or DataPCH
Channel AssignmentAGCH
Channel RequestRACH
Assign Completion
Connect Acknowledge
Alert
Connect FACCH
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.36
GSM Radio Interface Um
Enhanced Full Rate Voice Channel Coding
every
20 ms
78 182
78 182
3 bit CRC
4 tail bits
78 189 189
160 Samples
260 bits
267 bits
456 bits
4 blocks
@ 114 Bits
RPE-LPC
Codec
Block
Coding
Convolutional
Coding
Inter-
leaving
sensitive (class I)
insensitive (class II)
1 2 3 8
Encryption
456 bits spread
over 8 bursts
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.37
1 2 3 4 5 6 7 8
higher GSM frame structures
935-960 MHz
124 channels (200 kHz)
downlink
890-915 MHz
124 channels (200 kHz)
uplink
time
GSM TDMA frame
GSM time-slot (normal burst)
4.615 ms
546.5 µs577 µs
tail user data TrainingSguard
space S user data tailguard
space
3 bits 57 bits 26 bits 57 bits1 1 3
GSM - TDMA/FDMA
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.38
GSM hierarchy of frames
0 1 2 2045 2046 2047...
hyperframe
0 1 2 48 49 50...
0 1 24 25...
superframe
0 1 24 25...
0 1 2 48 49 50...
0 1 6 7...
multiframe
frame
burst
slot
577 µs
4.615 ms
120 ms
235.4 ms
12 frames
one frame for
”slow signalling”
for all the 8 slots
SACCH
12 frames
1 empty frame
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.39
GSM hierarchy of frames
0 1 2 2045 2046 2047...
hyperframe
0 1 2 48 49 50...
0 1 24 25...
superframe
0 1 24 25...
0 1 2 48 49 50...
0 1 6 7...
multiframe
frame
burst
slot
577 µs
4.615 ms
120 ms
235.4 ms
6.12 s
3 h 28 min 53.76 s
Larger frames
for encryption
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.40
GSM protocol layers for signaling
CM
MM
RR
MM
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
CM
LAPD
PCM
RR’
BTSM
16/64 kbit/s
Um Abis A
SS7
PCM
SS7
PCM
64 kbit/s /
2.048 Mbit/s
MS BTS BSC MSC
BSSAPBSSAP
CM: Call management, MM: Mobility management, RR: Radio Resource management
Protocol Architecture of GSMwith signalling protocol intefaces
CM
MM
RR
MM
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
CM
LAPD
PCM
RR’
BTSM
16/64 kbit/s
Um Abis A
SS7
PCM
SS7
PCM
64 kbit/s /
2.048 Mbit/s
MS BTS BSC MSC
BSSAPBSSAP
Interfaces:
is here of main interests
are intefaces from the fixed network
Um Abis A
Um
Abis A
Layer 3
Layer 2
Layer 1
Layer 1 (physical) : radio
Handles all radio specific functions
• creation of bursts – 5 different formats
• multiplexing of bursts into TDMA frames
• synchronisation with the BTS (see next slide)
• detection of idle channels
• measurements of channel quality at downlink
• the physical layer at Um uses GMSK modulation
• performs enchryption/decryption of data
CM
MM
RR
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
Um Abis
MS BTS
Layer 1: Synchronization:
The distance between the MS and the BTS
An MS 35 km from the BTS has a round trip time (RTT) of 0.23 ms!!!
The BTS sends the current RTT to the MS, which then adjusts its access time!!!
Adjusting the access is controlled by the variable timing advance, where a burst
can be shifted up to 63 bit times ealier => 0.23 ms. (each bit is 3.69 micro
seconds long).
Max 35 km between a BTS and a MS!!
0 1 2 3 4 5 6 7
0 1 2 3 4 5 6 7
BTS
RX
TX
0
MS
0 TA = 2·t
0 1 2 3 4 5 6 7 TX
0 1 2 3 4 5 6 7 RXt = s / c
Layer 1 (physical) : radio
Handles all radio specific functions
CM
MM
RR
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
Um
MS BTS
Channel coding and error detection/correction!
78 182
78 182
3 bit CRC
4 tail bits
78 189 189
sensitive (class I)
insensitive (class II)
The physical layer tries to correct errors, but it does
not deliver erroneous data to the higher layers.
The error correction introduses a delay of about 60 ms!
Layer 2 (data link) - LAPDm
It is said to be a lightweight LAPD protocol as it does not
handle error correction/detection.
It handles:
• segmentation and reassembly of data and
acknowledges/unacknowledged data transfer
• re-sequencing of data frames and flow control!
CM
MM
RR
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
Um
MS BTS
Layer 3
Layer 2
Layer 1
CM
MM
RR
MM
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
CM
LAPD
PCM
RR’
BTSM
16/64 kbit/s
Um Abis A
SS7
PCM
SS7
PCM
64 kbit/s /
2.048 Mbit/s
MS BTS BSC MSC
BSSAPBSSAP
The network layer in GSM comprises several sublayers!
The lowest sublayer is the Radio Resource Management (RR)!
Just a part of it is implemented in the BTS, the remainder in the BSC!
Setup,
maintenence and
release
of radio channels
CM
MM
RR
MM
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
CM
LAPD
PCM
RR’
BTSM
16/64 kbit/s
Um Abis A
SS7
PCM
SS7
PCM
64 kbit/s /
2.048 Mbit/s
MS BTS BSC MSC
BSSAPBSSAP
The network layer in GSM comprises several sublayers!
Mobility Management (MM) contains functions for registration
authentification
location updateIt also provides a temporary mobile subscriber identity (TMSI)
that replaces the international mobile subscriber identity (IMSI)
which hides the real identity of an MS user over the air interface.
CM
MM
RR
MM
LAPDm
radio
LAPDm
radio
LAPD
PCM
RR’ BTSM
CM
LAPD
PCM
RR’
BTSM
16/64 kbit/s
Um Abis A
SS7
PCM
SS7
PCM
64 kbit/s /
2.048 Mbit/s
MS BTS BSC MSC
BSSAPBSSAP
The network layer in GSM comprises several sublayers!
Call Management (CM) contains functions for:
call control (CC): point-to point connection between two terminals
call establishment, call clearing, etc.
short message service (SMS): using control channels SDCCH and SACCH
supplementary services (SS): user identification, forwarding, etc.
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.49
GSM Mobile Communications
Numbers and Identifiers I
International Mobile Equipment Identifier (IMEI)
Unique serial number assigned by equipment manufacturer
International Mobile Subscriber Identifier (IMSI)
Unique subscriber identification number, stored on SIM-card
Mobile Subscriber ISDN Number (MSISDN)
Actual phone number structured according to ITU-T E.164
Country Code (CC) up to 3 digits
National Destination Code (NDC) 2 to 3 digits
Subscriber Number (SN) with a maximum of 10 digits
Strict separation of subscriber identification (IMSI)
and phone number (MSISDN)
Several MSISDN numbers can be assigned to a single IMSI
(used for service selection)
The mapping between MSISDN and IMSI is not public
HSCSD: High Speed Circuit Switched Data
Chapter: 4.1.8.1
Read yourselves!
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.51
Mobile Terminated Call
PSTNcalling
stationGMSC
HLR VLR
BSSBSSBSS
MSC
MS
1 2
3
4
5
6
7
8 9
10
11 12
1316
10 10
11 11 11
14 15
17
1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN (Mobile Station
Roaming Number) from VLR
6: forward responsible
MSC to GMSC
7: forward call to
current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.52
Mobile Originated Call
PSTN GMSC
VLR
BSS
MSC
MS1
2
6 5
3 4
9
10
7 8
1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.53
4 types of handover
MSC MSC
BSC BSCBSC
BTS BTS BTSBTS
MS MS MS MS
12 3 4
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.54
Handover decision
receive level
BTSold
receive level
BTSold
MS MS
HO_MARGIN
BTSold BTSnew
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.55
Handover procedure
HO access
BTSold BSCnew
measurement
result
BSCold
Link establishment
MSCMSmeasurement
report
HO decision
HO required
BTSnew
HO request
resource allocation
ch. activation
ch. activation ackHO request ackHO commandHO commandHO command
HO completeHO completeclear commandclear command
clear complete clear complete
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.56
Security in GSM
Security services
access control/authentication
user SIM (Subscriber Identity Module): secret PIN (personal
identification number)
SIM network: challenge response method
confidentiality
voice and signaling encrypted on the wireless link (after successful
authentication)
anonymity
temporary identity TMSI
(Temporary Mobile Subscriber Identity)
newly assigned at each new location update (LUP)
encrypted transmission
3 algorithms specified in GSM
A3 for authentication (“secret”, open interface)
A5 for encryption (standardized)
A8 for key generation (“secret”, open interface)
“secret”:
• A3 and A8
available via the
Internet
• network providers
can use stronger
mechanisms
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.57
GSM - authentication
A3
RANDKi
128 bit 128 bit
SRES* 32 bit
A3
RAND Ki
128 bit 128 bit
SRES 32 bit
SRES* =? SRES SRES
RAND
SRES
32 bit
mobile network SIM
AC
MSC
SIM
Ki: individual subscriber authentication key SRES: signed response
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.58
GSM - key generation and encryption
A8
RANDKi
128 bit 128 bit
Kc
64 bit
A8
RAND Ki
128 bit 128 bit
SRES
RAND
encrypted
data
mobile network (BTS) MS with SIM
AC
BSS
SIM
A5
Kc
64 bit
A5
MSdata data
cipher
key
Prof. Dr.-Ing. Jochen Schiller, http://www.jochenschiller.de/ MC SS02 4.59
End
Recommended