8/14/2019 7_gsm.pdf

1/55

GSM

Global System for Mobile communication

GPRS

General Packet Radio Service

8/14/2019 7_gsm.pdf

2/55

Examples of digital wireless systems

(all originally specified by ETSI)

GSM (Global System for Mobile communication) is acellular mobile system

cellular concept

high mobility (international roaming)

TETRA (TErrestrial Trunked RAdio) is an example of aProfessional/Privat Mobile Radio (PMR) system

limited access (mainly for professional usage) limited mobility (but other advanced features)

DECT (Digital Enhanced Cordless Telecommunications)is a cordless system

low mobility (only within isolated islands)

next

lecture

8/14/2019 7_gsm.pdf

3/55

Digital PLMN systems (status 2002)

IMT-2000GSM

CDMA2000

IS-136

GPRS

EDGE

IS-95

UMTS:

USA

2nd Generation (2G) 3rd Generation (3G) 4G

UTRA FDD

UTRA TDD

(PLMN = Public Land Mobile Network)

Packetservices

More radiocapacity

FDD

-EDGE: Enhanced Data Rates for GSM Evolution-UMTS: Universal Mobile Telecommunications System

-UTRA: UMTS Terrestrial Radio Access

8/14/2019 7_gsm.pdf

4/55

Duplexing

(separation of uplink/downlink transmission directions)

FDD (Frequency Division Duplexing)(GSM/GPRS, TETRA, UTRA FDD)

TDD (Time Division Duplexing)(DECT, UTRA TDD)

frequency

time

Uplink Downlink

UL DL UL DL... ...

duplex separation

8/14/2019 7_gsm.pdf

5/55

FDD vs. TDD

FDD TDD

Duplex filter is large andexpensive

Large MS-BS separation

=> inefficient

Different fading inUL/DL

Same fading in UL/DL

Same UL/DLbandwidth

Flexible UL/DL bandwidthallocation

=> effect on power control

asymmetric services

=> indoor

8/14/2019 7_gsm.pdf

6/55

GSM => cellular concept

The GSM network contains a large number of cells witha base station (BS) at the center of each cell to whichmobile stations (MS) are connected during a call.

BS

BS

BS

BS

MS

If a connected MS

(MS in call phase)moves between twocells, the call is notdropped.

Instead, the network

performs a handover(US: hand-off).

8/14/2019 7_gsm.pdf

7/55

GSM => mobility concept

The GSM network is divided into location areas (LA),each containing a certain number of cells.

As long as an idle MS(idle = switched on)

moves within a locationarea, it can be reachedthrough paging.

If an idle MS moves betweentwo location areas, it cannot bereached before it performs alocation update.

Location Area 1

Location Area 3

LocationArea 2

8/14/2019 7_gsm.pdf

8/55

Original GSM system architecture

NSSBSS

MS database

BTS

MS

MS

ME

SIM HLR

AuC

EIR

BSCMSC

VLR

GMSC

= BS

BTS

Base Station SubsystemNetwork switching subsystem

(GSM core network)

BTS: Base transceiver stationBSC: Base stattion controllerMSC: Mobile-services Switching CentreGMSC: Gateway MSC

EIR: Equipment identity registerHLR: Home location registerVLR: Visitor location register

8/14/2019 7_gsm.pdf

9/55

GSM: circuit switched connections

NSSBSS

BTS

ME

SIMHLR

AuC

EIR

GMSCBSC

MSC

VLR

Circuit switchedconnection

Signaling

MS

Database

TRAU

8/14/2019 7_gsm.pdf

10/55

GPRS: packet switched connections

NSSBSSGMSCBSC

MSC

VLR

Packet switchedconnection

Signaling

MS

Database

BTS

HLR

AuC

EIR

GGSN

IP

backbone

PCU

SGSN

TE ME

SIM

SGSN: Serving GPRS Support NodeGGSN Gateway GPRS Support Node

8/14/2019 7_gsm.pdf

11/55

Upgrading from GSM to GSM/GPRS

NSSBSSGMSCBSC

MSC

VLRMS BTS

HLR

AuC

EIR

GGSN

IP

backbone

PCU

SGSN

New MS/terminals

Packet Control Unit (PCU)

SGSN and GGSN routers software updates (BTS, HLR)

TE ME

SIM

8/14/2019 7_gsm.pdf

12/55

Task division between MSC and TRAU

(TRAU = Transcoding and Rate Adaptation Unit)

NSSBSS

BSC forsignalling only

13 kbit/s encoded speech ispacked into 16 kbit/s frame

Conventional64 kbit/s

PCM signal

TRAU

BSC

BTSMS

MS

MSC

VLR

8/14/2019 7_gsm.pdf

13/55

8/14/2019 7_gsm.pdf

14/55

8/14/2019 7_gsm.pdf

15/55

Radio interface - logical channels (GSM)

Traffic channels Control channels (for signaling)

TCH/F

TCH/H

Broadcast Common control Dedicated

SCH

FCCH

BCCH

PCH

AGCH

SDCCH

SACCH

FACCHRACH

bidirectionaldownlink

uplink

8/14/2019 7_gsm.pdf

16/55

8/14/2019 7_gsm.pdf

17/55

GSM speech encoding

260 bits

57 bits

260 bits

456 bits

57 bits 57 bits

bits 4, 12, 20, 28,

36, 44, etc. from

the 456 bit frame

Voice coding: 260 bits in 20 ms blocks (13 kbit/s) MS - TRAU

Channel coding: 456 coded bits (22.8 kbit/s) MS - BTS

Interleaving: 8 x 57 bits (22.8 kbit/s)

8/14/2019 7_gsm.pdf

18/55

GSM signaling message encoding

184 bits

57 bits

456 bits

57 bits 57 bits

bits 4, 12, 20, 28,

36, 44, etc. from

the 456 bit frame

Signaling message is segmented into blocks of 184 bits:

Each block is coded into 456 bits (22.8 kbit/s)

Interleaving: 8 x 57 bits (22.8 kbit/s)

8/14/2019 7_gsm.pdf

19/55

Task Management in GSM/GPRS

Session Management (SM) in GPRS

Call Control (CC) in GSM

Mobility Management (MM)

Radio Resource Management (RM)

MOC, MTC

PDP Context

Random access and channel reservationHandover managementCiphering (encryption) over radio interface

IMSI/GPRS Attach (switch on) and Detach (switch off)Location updating (MS moves to other Location/Routing Area)Authentication

1

3

2

4

5

6

Numberrefers to theremaining

slides

8/14/2019 7_gsm.pdf

20/55

Who is involved in what?

MS BTS BSC MSC/VLR

RR

MM

CM / SM

SGSN

8/14/2019 7_gsm.pdf

21/55

Random access in GSM/GPRS (1)

Communication between MS and network is not possiblebefore going through a procedure called random access.

Random access must consequently be used in

network originated activity paging, e.g. for a mobile terminated call in GSM

MS originated activity IMSI attach, IMSI detatch GPRS attach, GPRS detach location updating in GSM or GPRS

mobile originated call in GSM SMS (short message service) message transfer

1

8/14/2019 7_gsm.pdf

22/55

Random access in GSM/GPRS (2)

1. MS sends a short access burst over the RandomAccess CHannel (RACH) in uplink using Slotted Aloha(collision possibility retransmission)

2. After detecting the access burst, the network (BSC)

returns an immediate assignment message whichincludes the following information:

- allocated physical channel (frequency, time slot) inwhich the assigned signalling channel is located

- timing advance (for correct time slot alignment)

3. The MS now sends a message on the dedicatedsignalling channel assigned by the network, indicatingthe reason for performing random access.

1

8/14/2019 7_gsm.pdf

23/55

Four security measures in GSM

1) PIN code (authentication of SIM = local securitymeasure, network is not involved)

2) User authentication (performed by network)

3) Ciphering of information sent over air interface4) Usage of TMSI (instead of IMSI) over air interface

IMSI = International Mobile Subscriber Identity(globally unique identity)

TMSI = Temporary Mobile Subscriber Identity(local and temporary identity)

8/14/2019 7_gsm.pdf

24/55

Basic principle of user authentication

algorithm algorithm

The same? If yes,authentication is successful

SIM(in terminal)

AirInterface

Network

Random numberChallenge

Response

Authentication key Authentication key

RAND

SRES

2

Ki Ki

8/14/2019 7_gsm.pdf

25/55

Ciphering in GSM

algorithm algorithm

Ciphering keyTime info Ciphering keyTime info

MS BTS

Data DataCiphered data

Cipher command(time info...)

For each call, a new ciphering key (Kc) is generatedduring authentication both in MS and MSC (in same wayas authentication response).

3

Kc Kc

algorithm algorithm

8/14/2019 7_gsm.pdf

26/55

Three security algorithms in GSM

(in UMTS many more )

A3Ki

Ciphered data

Time info (from network)

RAND (from network)

Data

SRES (to network)

A8

A5

Kc

Mobile Station (MS) Network

23

8/14/2019 7_gsm.pdf

27/55

Three security algorithms in GSM

at the network side ...

A3

Ki RAND

Data

A8

A5

Kc

Serving MSCMS AuC

RAND

Ciphered data

SRES

KcTimeinfo Ki

SRES SRES

Authenticationvector

?

23

8/14/2019 7_gsm.pdf

28/55

Algorithm considerations

Using output and one or more inputs, it is in practice notpossible to calculate backwards other input(s)brute force approach, extensive search

Key length in bits (N) is important (in case of brute forceapproach 2N calculation attempts may be needed)

Strength of algorithm is that it is secret => bad idea!security through obscurity

Better: open algorithm can be tested by engineeringcommunity (security through strong algorithm)

23

8/14/2019 7_gsm.pdf

29/55

Usage of TMSI in GSM

MS NetworkRandom access

Authentication

Start ciphering

IMSI detach New TMSIallocated by

networkNew TMSI stored in SIM

CM or MM transaction

TMSI

23

IMSI is neversent over airinterface if

not absolutelynecessary!

8/14/2019 7_gsm.pdf

30/55

Connectivity states in GSM/GPRS

DisconnectedIdle

Connected

IdleStandby

Ready

MS is switched off (circuit mode)location updates on LA basis

handovers, not location updates

MS is switched off (packet mode)location updates on RA basis

location updates on cell basis

GSM

GPRS

4

8/14/2019 7_gsm.pdf

31/55

8/14/2019 7_gsm.pdf

32/55

MM areas in GSM/GPRS

Cell

Location Area (LA)

Routing Area (RA)

Locationupdatingin GSM

Location updating in GPRS(standby state)

Location updating in GPRS(ready state)

4

8/14/2019 7_gsm.pdf

33/55

Trade-off when choosing LA/RA size

Affects signalling load

If LA/RA size is very large (e.g. whole mobile network)

location updates not needed very oftenpaging load is very heavy

If LA/RA size is very small (e.g. single cell)

small paging loadlocation updates must be done very often

Affects capacity

+

+

4

8/14/2019 7_gsm.pdf

34/55

Example: GSM location update (1)

ME

SIM

HLR

MSC

VLR 1

Most recently allocated TMSI and last visited LAI (Location

Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitoredLAI values are the same, no location updating is needed.

(most generic scenario)

MSC

VLR 2

LAI 1IMSITMSI

LAI 1IMSITMSI

IMSILAI 1

4

(in broadcast messages)

8/14/2019 7_gsm.pdf

35/55

GSM location update (2)

ME

SIM

MSC

VLR 1

Different LAI values => location update required !

MSC

VLR 2

LAI 2

HLRIMSILAI 1

IMSITMSI

LAI 1IMSITMSI

4

(in broadcastmessages)

8/14/2019 7_gsm.pdf

36/55

GSM location update (3)

ME

SIM

MSC

VLR 1

SIM sends old LAI and TMSI to VLR 2.

VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

MSC

VLR 2

LAI 1, TMSI

HLRIMSILAI 1

IMSITMSI

LAI 1IMSITMSI

No TMSI - IMSIcontext

4

8/14/2019 7_gsm.pdf

37/55

GSM location update (4)

ME

SIM

MSC

VLR 1

However, VLR 2 can contact VLR 1 (address: LAI 1) and

request IMSI.IMSI is sent to VLR 2.

MSC

VLR 2

HLRIMSILAI 1

IMSITMSI

LAI 1IMSITMSI IMSI

TMSI

IMSI

4

address:LAI 1

8/14/2019 7_gsm.pdf

38/55

GSM location update (5)

ME

SIM

MSC

VLR 1

Important: HLR must be updated (new LAI). If this is not

done, incoming calls can not be routed to new MSC/VLR.

HLR also requests VLR 1 to remove old user data.

MSC

VLR 2

HLRIMSILAI 1LAI 2

IMSITMSI

LAI 1IMSITMSI

IMSITMSI

LAI 2

4

8/14/2019 7_gsm.pdf

39/55

GSM location update (6)

ME

SIM

MSC

VLR 1

VLR 2 generates new TMSI and sends this to user. User

stores new LAI and TMSI safely in SIM.

Location update successful !

MSC

VLR 2

HLRIMSILAI 2

LAI 1IMSITMSILAI 2TMSI

IMSITMSITMSI

LAI 2TMSI

4

8/14/2019 7_gsm.pdf

40/55

GSM identifiers (1)

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)

MSIN = Mobile Subscriber Identity Number (10 digits)

Globallyunique

LACLAI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)

LAC = Location Area Code (10 digits)

=

Globallyunique

CI LAI + CI= CGI

Cell GlobalIdentity

MSINIMSI = GSM internalinformation

8/14/2019 7_gsm.pdf

41/55

GSM identifiers (2)

SNCCMSISDN

CC = Country Code (1-3 digits)

NDC = National Destination Code (1-3 digits)SN = Subscriber Number

=

Globally

unique

E.164 numberingformat

TNCCMRSN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number

=

Temporaryallocation

E.164 numberingformat

for routing to GMSC

for routing to MSC/VLR

subscriber database in HLR

temporary subscriber ID

8/14/2019 7_gsm.pdf

42/55

GSM mobile terminated call (1)

BTS

ME

SIMHLR

AuC

EIR

GMSCBSC

MSC

VLR

Circuit switched connection

Signaling (ISUP, MAP)

MS

Database

Mobile terminated call = MTC

(64 kb/s PCM, 16 kb/s between TRAU and BTS,13 kb/s encoded speech over air interface)

5

8/14/2019 7_gsm.pdf

43/55

8/14/2019 7_gsm.pdf

44/55

GSM mobile terminated call (3)

BTS

ME

SIMHLR

AuC

EIR

BSC

MSC

VLR

MS

HLR knows location of Serving MSC/VLR (when usermoves to another VLR, this is always recorded in HLR).

HLR requests MSRN (roaming number) from VLR.

MSRN is forwarded to GMSC.

GMSC

5

8/14/2019 7_gsm.pdf

45/55

GSM mobile terminated call (4)

BTS

ME

SIMHLR

AuC

EIR

BSC

MSC

VLR

MS

Call can now be routed to Serving MSC/VLR using ISUP

(may involve several intermediate switching centers).MSC/VLR starts paging within Location Area (LA) inwhich user is located, using TMSI for identification.

GMSC

5

8/14/2019 7_gsm.pdf

46/55

8/14/2019 7_gsm.pdf

47/55

GSM mobile terminated call (6)

BTS

ME

SIMHLR

AuC

EIR

BSC

MSC

VLR

MS

Signaling channel is set up. After authentication andciphering procedures, call control signaling continues.

Finally, the circuit switched connection is established upto mobile user.

GMSC

5

8/14/2019 7_gsm.pdf

48/55

GPRS attach / PDP session

GPRS attach

MS is assigned PDP (IP) addressPacket transmission can take place

Separate or combined GSM/GPRS attachMS registers with an SGSN (authentication...)Location update possible

PDP context is created

GPRS detach

PDP context terminatedAllocated IP address released

In case ofdynamicaddress

allocation

6

DHCPRADIUS

8/14/2019 7_gsm.pdf

49/55

PDP context

PDP context describes characteristics of GPRS session(session = always on connection)

PDP context information is stored in MS, SGSN and GGSN

MS

GGSNSGSN

::::::

::::::

::::::

PDP type (e.g. IPv4)

PDP address = IP address of MS(e.g. 123.12.223.9)

Requested QoS (priority, delay )

Access Point Name (GGSN addressas seen from MS)

One user may have several PDP

sessions active

6

123.12.223.9

123.12.223.0

8/14/2019 7_gsm.pdf

50/55

PDP context activation

MS GGSNSGSN

::::::

Activate PDP context request

Create PDP context request

Create PDP context response

Activate PDP context accept ::::::

::::::

IP address allocated to MS

Security functions

6

8/14/2019 7_gsm.pdf

51/55

Packet transmission (1)

MS(client)

GGSN

SGSN Server(IP, WAP..)

IPbackbone

Dynamic IP address allocation has one problem:it is difficult to handle a mobile terminated transaction(external source does not know IP address of MS)

Fortunately, packet services are of client-server type=> MS initiates packet transmission

?

6

8/14/2019 7_gsm.pdf

52/55

8/14/2019 7_gsm.pdf

53/55

Packet transmission (3)

MS(client)

GGSN

SGSN Server(IP, WAP..)

GGSN sends packet through external IP network (i.e.Internet) to IP/WAP server.

Source IP addr. Dest. IP addr. IP payload

GGSN

Source IP

address:GGSN

Server

6

8/14/2019 7_gsm.pdf

54/55

8/14/2019 7_gsm.pdf

55/55

Further information on GSM/GPRS

Books:

Many good books available (GSM)

Andersson: GPRS and 3G wireless applications, Wiley, 2001,Chapter 3 (GPRS)

Web material:

www.comsoc.org/livepubs/surveys/public/4q99issue/reprint4q.html (GSM system and protocol architecture)

www.comsoc.org/livepubs/surveys/public/3q99issue/bettstetter.html (GPRS basics)

Part of this source is required course material