7_gsm.pdf
TRANSCRIPT
-
8/14/2019 7_gsm.pdf
1/55
GSM
Global System for Mobile communication
GPRS
General Packet Radio Service
-
8/14/2019 7_gsm.pdf
2/55
Examples of digital wireless systems
(all originally specified by ETSI)
GSM (Global System for Mobile communication) is acellular mobile system
cellular concept
high mobility (international roaming)
TETRA (TErrestrial Trunked RAdio) is an example of aProfessional/Privat Mobile Radio (PMR) system
limited access (mainly for professional usage) limited mobility (but other advanced features)
DECT (Digital Enhanced Cordless Telecommunications)is a cordless system
low mobility (only within isolated islands)
next
lecture
-
8/14/2019 7_gsm.pdf
3/55
Digital PLMN systems (status 2002)
IMT-2000GSM
CDMA2000
IS-136
GPRS
EDGE
IS-95
UMTS:
USA
2nd Generation (2G) 3rd Generation (3G) 4G
UTRA FDD
UTRA TDD
(PLMN = Public Land Mobile Network)
Packetservices
More radiocapacity
FDD
-EDGE: Enhanced Data Rates for GSM Evolution-UMTS: Universal Mobile Telecommunications System
-UTRA: UMTS Terrestrial Radio Access
-
8/14/2019 7_gsm.pdf
4/55
Duplexing
(separation of uplink/downlink transmission directions)
FDD (Frequency Division Duplexing)(GSM/GPRS, TETRA, UTRA FDD)
TDD (Time Division Duplexing)(DECT, UTRA TDD)
frequency
time
Uplink Downlink
UL DL UL DL... ...
duplex separation
-
8/14/2019 7_gsm.pdf
5/55
FDD vs. TDD
FDD TDD
Duplex filter is large andexpensive
Large MS-BS separation
=> inefficient
Different fading inUL/DL
Same fading in UL/DL
Same UL/DLbandwidth
Flexible UL/DL bandwidthallocation
=> effect on power control
asymmetric services
=> indoor
-
8/14/2019 7_gsm.pdf
6/55
GSM => cellular concept
The GSM network contains a large number of cells witha base station (BS) at the center of each cell to whichmobile stations (MS) are connected during a call.
BS
BS
BS
BS
MS
If a connected MS
(MS in call phase)moves between twocells, the call is notdropped.
Instead, the network
performs a handover(US: hand-off).
-
8/14/2019 7_gsm.pdf
7/55
GSM => mobility concept
The GSM network is divided into location areas (LA),each containing a certain number of cells.
As long as an idle MS(idle = switched on)
moves within a locationarea, it can be reachedthrough paging.
If an idle MS moves betweentwo location areas, it cannot bereached before it performs alocation update.
Location Area 1
Location Area 3
LocationArea 2
-
8/14/2019 7_gsm.pdf
8/55
Original GSM system architecture
NSSBSS
MS database
BTS
MS
MS
ME
SIM HLR
AuC
EIR
BSCMSC
VLR
GMSC
= BS
BTS
Base Station SubsystemNetwork switching subsystem
(GSM core network)
BTS: Base transceiver stationBSC: Base stattion controllerMSC: Mobile-services Switching CentreGMSC: Gateway MSC
EIR: Equipment identity registerHLR: Home location registerVLR: Visitor location register
-
8/14/2019 7_gsm.pdf
9/55
GSM: circuit switched connections
NSSBSS
BTS
ME
SIMHLR
AuC
EIR
GMSCBSC
MSC
VLR
Circuit switchedconnection
Signaling
MS
Database
TRAU
-
8/14/2019 7_gsm.pdf
10/55
GPRS: packet switched connections
NSSBSSGMSCBSC
MSC
VLR
Packet switchedconnection
Signaling
MS
Database
BTS
HLR
AuC
EIR
GGSN
IP
backbone
PCU
SGSN
TE ME
SIM
SGSN: Serving GPRS Support NodeGGSN Gateway GPRS Support Node
-
8/14/2019 7_gsm.pdf
11/55
Upgrading from GSM to GSM/GPRS
NSSBSSGMSCBSC
MSC
VLRMS BTS
HLR
AuC
EIR
GGSN
IP
backbone
PCU
SGSN
New MS/terminals
Packet Control Unit (PCU)
SGSN and GGSN routers software updates (BTS, HLR)
TE ME
SIM
-
8/14/2019 7_gsm.pdf
12/55
Task division between MSC and TRAU
(TRAU = Transcoding and Rate Adaptation Unit)
NSSBSS
BSC forsignalling only
13 kbit/s encoded speech ispacked into 16 kbit/s frame
Conventional64 kbit/s
PCM signal
TRAU
BSC
BTSMS
MS
MSC
VLR
-
8/14/2019 7_gsm.pdf
13/55
-
8/14/2019 7_gsm.pdf
14/55
-
8/14/2019 7_gsm.pdf
15/55
Radio interface - logical channels (GSM)
Traffic channels Control channels (for signaling)
TCH/F
TCH/H
Broadcast Common control Dedicated
SCH
FCCH
BCCH
PCH
AGCH
SDCCH
SACCH
FACCHRACH
bidirectionaldownlink
uplink
-
8/14/2019 7_gsm.pdf
16/55
-
8/14/2019 7_gsm.pdf
17/55
GSM speech encoding
260 bits
57 bits
260 bits
456 bits
57 bits 57 bits
bits 4, 12, 20, 28,
36, 44, etc. from
the 456 bit frame
Voice coding: 260 bits in 20 ms blocks (13 kbit/s) MS - TRAU
Channel coding: 456 coded bits (22.8 kbit/s) MS - BTS
Interleaving: 8 x 57 bits (22.8 kbit/s)
-
8/14/2019 7_gsm.pdf
18/55
GSM signaling message encoding
184 bits
57 bits
456 bits
57 bits 57 bits
bits 4, 12, 20, 28,
36, 44, etc. from
the 456 bit frame
Signaling message is segmented into blocks of 184 bits:
Each block is coded into 456 bits (22.8 kbit/s)
Interleaving: 8 x 57 bits (22.8 kbit/s)
-
8/14/2019 7_gsm.pdf
19/55
Task Management in GSM/GPRS
Session Management (SM) in GPRS
Call Control (CC) in GSM
Mobility Management (MM)
Radio Resource Management (RM)
MOC, MTC
PDP Context
Random access and channel reservationHandover managementCiphering (encryption) over radio interface
IMSI/GPRS Attach (switch on) and Detach (switch off)Location updating (MS moves to other Location/Routing Area)Authentication
1
3
2
4
5
6
Numberrefers to theremaining
slides
-
8/14/2019 7_gsm.pdf
20/55
Who is involved in what?
MS BTS BSC MSC/VLR
RR
MM
CM / SM
SGSN
-
8/14/2019 7_gsm.pdf
21/55
Random access in GSM/GPRS (1)
Communication between MS and network is not possiblebefore going through a procedure called random access.
Random access must consequently be used in
network originated activity paging, e.g. for a mobile terminated call in GSM
MS originated activity IMSI attach, IMSI detatch GPRS attach, GPRS detach location updating in GSM or GPRS
mobile originated call in GSM SMS (short message service) message transfer
1
-
8/14/2019 7_gsm.pdf
22/55
Random access in GSM/GPRS (2)
1. MS sends a short access burst over the RandomAccess CHannel (RACH) in uplink using Slotted Aloha(collision possibility retransmission)
2. After detecting the access burst, the network (BSC)
returns an immediate assignment message whichincludes the following information:
- allocated physical channel (frequency, time slot) inwhich the assigned signalling channel is located
- timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicatedsignalling channel assigned by the network, indicatingthe reason for performing random access.
1
-
8/14/2019 7_gsm.pdf
23/55
Four security measures in GSM
1) PIN code (authentication of SIM = local securitymeasure, network is not involved)
2) User authentication (performed by network)
3) Ciphering of information sent over air interface4) Usage of TMSI (instead of IMSI) over air interface
IMSI = International Mobile Subscriber Identity(globally unique identity)
TMSI = Temporary Mobile Subscriber Identity(local and temporary identity)
-
8/14/2019 7_gsm.pdf
24/55
Basic principle of user authentication
algorithm algorithm
The same? If yes,authentication is successful
SIM(in terminal)
AirInterface
Network
Random numberChallenge
Response
Authentication key Authentication key
RAND
SRES
2
Ki Ki
-
8/14/2019 7_gsm.pdf
25/55
Ciphering in GSM
algorithm algorithm
Ciphering keyTime info Ciphering keyTime info
MS BTS
Data DataCiphered data
Cipher command(time info...)
For each call, a new ciphering key (Kc) is generatedduring authentication both in MS and MSC (in same wayas authentication response).
3
Kc Kc
algorithm algorithm
-
8/14/2019 7_gsm.pdf
26/55
Three security algorithms in GSM
(in UMTS many more )
A3Ki
Ciphered data
Time info (from network)
RAND (from network)
Data
SRES (to network)
A8
A5
Kc
Mobile Station (MS) Network
23
-
8/14/2019 7_gsm.pdf
27/55
Three security algorithms in GSM
at the network side ...
A3
Ki RAND
Data
A8
A5
Kc
Serving MSCMS AuC
RAND
Ciphered data
SRES
KcTimeinfo Ki
SRES SRES
Authenticationvector
?
23
-
8/14/2019 7_gsm.pdf
28/55
Algorithm considerations
Using output and one or more inputs, it is in practice notpossible to calculate backwards other input(s)brute force approach, extensive search
Key length in bits (N) is important (in case of brute forceapproach 2N calculation attempts may be needed)
Strength of algorithm is that it is secret => bad idea!security through obscurity
Better: open algorithm can be tested by engineeringcommunity (security through strong algorithm)
23
-
8/14/2019 7_gsm.pdf
29/55
Usage of TMSI in GSM
MS NetworkRandom access
Authentication
Start ciphering
IMSI detach New TMSIallocated by
networkNew TMSI stored in SIM
CM or MM transaction
TMSI
23
IMSI is neversent over airinterface if
not absolutelynecessary!
-
8/14/2019 7_gsm.pdf
30/55
Connectivity states in GSM/GPRS
DisconnectedIdle
Connected
IdleStandby
Ready
MS is switched off (circuit mode)location updates on LA basis
handovers, not location updates
MS is switched off (packet mode)location updates on RA basis
location updates on cell basis
GSM
GPRS
4
-
8/14/2019 7_gsm.pdf
31/55
-
8/14/2019 7_gsm.pdf
32/55
MM areas in GSM/GPRS
Cell
Location Area (LA)
Routing Area (RA)
Locationupdatingin GSM
Location updating in GPRS(standby state)
Location updating in GPRS(ready state)
4
-
8/14/2019 7_gsm.pdf
33/55
Trade-off when choosing LA/RA size
Affects signalling load
If LA/RA size is very large (e.g. whole mobile network)
location updates not needed very oftenpaging load is very heavy
If LA/RA size is very small (e.g. single cell)
small paging loadlocation updates must be done very often
Affects capacity
+
+
4
-
8/14/2019 7_gsm.pdf
34/55
Example: GSM location update (1)
ME
SIM
HLR
MSC
VLR 1
Most recently allocated TMSI and last visited LAI (Location
Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitoredLAI values are the same, no location updating is needed.
(most generic scenario)
MSC
VLR 2
LAI 1IMSITMSI
LAI 1IMSITMSI
IMSILAI 1
4
(in broadcast messages)
-
8/14/2019 7_gsm.pdf
35/55
GSM location update (2)
ME
SIM
MSC
VLR 1
Different LAI values => location update required !
MSC
VLR 2
LAI 2
HLRIMSILAI 1
IMSITMSI
LAI 1IMSITMSI
4
(in broadcastmessages)
-
8/14/2019 7_gsm.pdf
36/55
GSM location update (3)
ME
SIM
MSC
VLR 1
SIM sends old LAI and TMSI to VLR 2.
VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?
MSC
VLR 2
LAI 1, TMSI
HLRIMSILAI 1
IMSITMSI
LAI 1IMSITMSI
No TMSI - IMSIcontext
4
-
8/14/2019 7_gsm.pdf
37/55
GSM location update (4)
ME
SIM
MSC
VLR 1
However, VLR 2 can contact VLR 1 (address: LAI 1) and
request IMSI.IMSI is sent to VLR 2.
MSC
VLR 2
HLRIMSILAI 1
IMSITMSI
LAI 1IMSITMSI IMSI
TMSI
IMSI
4
address:LAI 1
-
8/14/2019 7_gsm.pdf
38/55
GSM location update (5)
ME
SIM
MSC
VLR 1
Important: HLR must be updated (new LAI). If this is not
done, incoming calls can not be routed to new MSC/VLR.
HLR also requests VLR 1 to remove old user data.
MSC
VLR 2
HLRIMSILAI 1LAI 2
IMSITMSI
LAI 1IMSITMSI
IMSITMSI
LAI 2
4
-
8/14/2019 7_gsm.pdf
39/55
GSM location update (6)
ME
SIM
MSC
VLR 1
VLR 2 generates new TMSI and sends this to user. User
stores new LAI and TMSI safely in SIM.
Location update successful !
MSC
VLR 2
HLRIMSILAI 2
LAI 1IMSITMSILAI 2TMSI
IMSITMSITMSI
LAI 2TMSI
4
-
8/14/2019 7_gsm.pdf
40/55
GSM identifiers (1)
MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)
MSIN = Mobile Subscriber Identity Number (10 digits)
Globallyunique
LACLAI
MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)
LAC = Location Area Code (10 digits)
=
Globallyunique
CI LAI + CI= CGI
Cell GlobalIdentity
MSINIMSI = GSM internalinformation
-
8/14/2019 7_gsm.pdf
41/55
GSM identifiers (2)
SNCCMSISDN
CC = Country Code (1-3 digits)
NDC = National Destination Code (1-3 digits)SN = Subscriber Number
=
Globally
unique
E.164 numberingformat
TNCCMRSN
CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number
=
Temporaryallocation
E.164 numberingformat
for routing to GMSC
for routing to MSC/VLR
subscriber database in HLR
temporary subscriber ID
-
8/14/2019 7_gsm.pdf
42/55
GSM mobile terminated call (1)
BTS
ME
SIMHLR
AuC
EIR
GMSCBSC
MSC
VLR
Circuit switched connection
Signaling (ISUP, MAP)
MS
Database
Mobile terminated call = MTC
(64 kb/s PCM, 16 kb/s between TRAU and BTS,13 kb/s encoded speech over air interface)
5
-
8/14/2019 7_gsm.pdf
43/55
-
8/14/2019 7_gsm.pdf
44/55
GSM mobile terminated call (3)
BTS
ME
SIMHLR
AuC
EIR
BSC
MSC
VLR
MS
HLR knows location of Serving MSC/VLR (when usermoves to another VLR, this is always recorded in HLR).
HLR requests MSRN (roaming number) from VLR.
MSRN is forwarded to GMSC.
GMSC
5
-
8/14/2019 7_gsm.pdf
45/55
GSM mobile terminated call (4)
BTS
ME
SIMHLR
AuC
EIR
BSC
MSC
VLR
MS
Call can now be routed to Serving MSC/VLR using ISUP
(may involve several intermediate switching centers).MSC/VLR starts paging within Location Area (LA) inwhich user is located, using TMSI for identification.
GMSC
5
-
8/14/2019 7_gsm.pdf
46/55
-
8/14/2019 7_gsm.pdf
47/55
GSM mobile terminated call (6)
BTS
ME
SIMHLR
AuC
EIR
BSC
MSC
VLR
MS
Signaling channel is set up. After authentication andciphering procedures, call control signaling continues.
Finally, the circuit switched connection is established upto mobile user.
GMSC
5
-
8/14/2019 7_gsm.pdf
48/55
GPRS attach / PDP session
GPRS attach
MS is assigned PDP (IP) addressPacket transmission can take place
Separate or combined GSM/GPRS attachMS registers with an SGSN (authentication...)Location update possible
PDP context is created
GPRS detach
PDP context terminatedAllocated IP address released
In case ofdynamicaddress
allocation
6
DHCPRADIUS
-
8/14/2019 7_gsm.pdf
49/55
PDP context
PDP context describes characteristics of GPRS session(session = always on connection)
PDP context information is stored in MS, SGSN and GGSN
MS
GGSNSGSN
::::::
::::::
::::::
PDP type (e.g. IPv4)
PDP address = IP address of MS(e.g. 123.12.223.9)
Requested QoS (priority, delay )
Access Point Name (GGSN addressas seen from MS)
One user may have several PDP
sessions active
6
123.12.223.9
123.12.223.0
-
8/14/2019 7_gsm.pdf
50/55
PDP context activation
MS GGSNSGSN
::::::
Activate PDP context request
Create PDP context request
Create PDP context response
Activate PDP context accept ::::::
::::::
IP address allocated to MS
Security functions
6
-
8/14/2019 7_gsm.pdf
51/55
Packet transmission (1)
MS(client)
GGSN
SGSN Server(IP, WAP..)
IPbackbone
Dynamic IP address allocation has one problem:it is difficult to handle a mobile terminated transaction(external source does not know IP address of MS)
Fortunately, packet services are of client-server type=> MS initiates packet transmission
?
6
-
8/14/2019 7_gsm.pdf
52/55
-
8/14/2019 7_gsm.pdf
53/55
Packet transmission (3)
MS(client)
GGSN
SGSN Server(IP, WAP..)
GGSN sends packet through external IP network (i.e.Internet) to IP/WAP server.
Source IP addr. Dest. IP addr. IP payload
GGSN
Source IP
address:GGSN
Server
6
-
8/14/2019 7_gsm.pdf
54/55
-
8/14/2019 7_gsm.pdf
55/55
Further information on GSM/GPRS
Books:
Many good books available (GSM)
Andersson: GPRS and 3G wireless applications, Wiley, 2001,Chapter 3 (GPRS)
Web material:
www.comsoc.org/livepubs/surveys/public/4q99issue/reprint4q.html (GSM system and protocol architecture)
www.comsoc.org/livepubs/surveys/public/3q99issue/bettstetter.html (GPRS basics)
Part of this source is required course material