gsm gprs protocols overview

7/31/2019 GSM GPRS Protocols Overview

1/42

GSM/GPRS Protocols Overview -1

1 Copyright 2008 Nokia. All rights reserved. /

Sundararaman Sivaraman

Srinath Ananthaswamy


2/42

Contents

What is GSM

GSM Services

GSM System Functional Elements

GSM Protocol Functions

GSM Air Interface description

MS Power On Steps



3/42

What is GSM?

The Global System for Mobile Communications (GSM: originally from Groupe SpcialMobile that was established in the year 1982 in Europe)

It is a set of standards that encompass all aspects of a Mobile Communication System

GSM Specifications are being developed and maintained now by the Third Generation

Partnership Project (3GPP, www.3gpp.org ) The 3GPP is a consortium which also develops and maintains the WCDMA specifications

GSM is the most popular standard for mobile communication systems in the world.

Over 2 billion people use GSM service across the world.


e un que eature o t e stan ar ma es nternat ona roam ng very commonbetween mobile phone operators, enabling subscribers to use their phones in many partsof the world.


4/42

Some History of GSM

Early 80s the mobile communication area in Europe was fragmentedand served by several incompatible analog systems

Market was segmented, and hence costly No interoperability between systems and hence limited usage

Administration decided to open up some spectrum in the 900Mhzregion for usage by a Pan-European Mobile communication system

The CEPT (Conference of European Posts and Telegraphs ), formed aworking group called Groupe Spcial Mobile in charge of developingthis an-Euro ean s stem


This group decided early on not to just adopt/enhance one of theexisting analog systems, rather to develop a new digital system fromground up

As a result of this activity the GSM system evolved

Around (1991) the term GSM was defined to stand for Global Systemfor Mobile Communication

In the year (2000) the standardization work was handed over to 3GPPwhich was originally formed to develop UMTS standards


5/42

What is GSM (contd..)

GSM is a cellular radio system, as opposed to non-cellular wirelesssystems like WLAN, Bluetooth etc

GSM is a fully digital system as opposed to earlier systems like NMT(Nordic Mobile Telephone) which were primarily analog

GSM system handles transmission and reception of digital data (bits) Any analog data (speech) is converted to digital form before it passes into

the GSM system

GSM operates in frequencies close to 900MHz and 1800MHz in EU


and India GSM uses frequencies close to 850MHz and 1900MHz in US


6/42

Basic Concept of Cell

The geographical area is dividedinto a number of smaller segmentseach served by a base station

Each such segment is a cell.

Radio coverage from a base stationis limited to the dimension of the cellby adjusting the power oftransmission


s sys em a ows e opera or oreuse the frequencies allotted tothem across multiple cells

Since there is some overlap oftransmission from one base stationto another the same frequency is not

reused in adjacent cellsF1

F7

F6

F5

F3

F2

F4

F1

F7

F6

F5

F3

F2

F4

Realistic case: Overlap between cells. Seven

frequencies are used. Same frequencies are

never used in adjacent cells


7/42

Services

As a first step the working groups defining GSM had to decide on the servicesthat the new system would provide to users

These services need to be defined in a detailed manner as all the elements inthe system would be impacted by this definition

The terminology used in 3GPP specifications is in a sense borrowed from ISDNterminology

Services are classified into the following categories Bearer Services: Which simply carry information from one end to another. Only lower


. ,

direction's of data flow, type of data transfer (circuit or packet) and other physicalcharacteristics. E.g. Data transfer service at 14.4Kbps

Teleservices: A complete telecommunication service. All layers of protocols arespecified. E.g. Speech telephony, SMS

Supplementary Services: Supplementing and/or modifying the Basic Services(Bearer Services and Teleservices) E.g. Call Forward Unconditional


8/42

Glimpse of GSM Services

Bearer Services Data at 2.4, 4.8, 9.6, 14.4KBPS

Teleservices Voice Telephony Short Message Service

Supplementary Services


Calling Number Identification and Presentation

Refer: 3GPP TS 22.001 For details


9/42

GSM System

GSM system is described as a set offunctional elements and interfacesbetween them

Functional elements are intended togroup related functionality under a logical

name. They do not mean that each ofthem needs to be implemented asseparate hardware boxes

Functional elements provide interfaces tocommunicate with other elements

SIM

ME

BTS1

BTS2

BTS3

BSC1

MSC

To Other MSCs

BSS1

AIR

INTERFACEA INTERFACE

A-Bis

INTERFACE

HLR/VLR

AuC


operates. This is nothing but a set ofrules for communication across theinterface

The protocol is divided into variouslayers for ease of implementation andanalysis

Having a well defined protocol across aninterface allows inter-operability offunctional elements from differentvendors

BTS1

BTS2 BSC2

To PSTN

BSS2

L1

LAPDm

RR

MM

CC

L1

LAPDm

MTP

RRBSSCA

P

MTP

BSSCAP

MM

CC

NON ACCESS STRATUM

ACCESS STRATUM


10/42

Base Station Subsystem (BSS)

Made up of a set of Base TransceiverStations (BTS) and a Base StationController (BSC)

BTS is a radio transceiver. It is part ofthe towers of antennas that we see.

Primarily the lower layer RF andbaseband functions

BSC manages radio resources for a setof BTSs. Primarily the Radio Resourceintelligence in the network

SIM

BTS1

BTS2

BTS3

BSC1

MSC

MSTo Other MSCs

BSS1

AIR


A-Bis

INTERFACE

HLR/VLR

AuC


not standardized. Hence they aretypically from the same vendorBTS1

BTS2 BSC2

To PSTN

BSS2

L1

LAPDm

RR

MM

CC

L1

LAPDm

MTP

RRBSSCA

P

MTP

BSSCAP

MM

CC

NON ACCESS STRATUM

ACCESS STRATUM


11/42

Network Switching Subsystem (NSS)

Mobile Switching Centre (MSC): Acts like atelephone exchange with added functions tointerface with set of BSCs

If MSC has a function to interface with othernetworks like PSTN, then it is called a GatewayMSC

NSS has a number of databases thatcommunicate with MSC using SignalingSystem 7 (SS7) protocols

Home Location Register (HLR): Databasestoring all subscriber information. It also holdsthe address of the current Visited LocationRegister (VLR)

SIM

BTS1

BTS2

BTS3

BSC1

MSC

MSTo Other MSCs

ToPDN

BSS1

AIR


A-Bis

INTERFACE

HLR/VLR

AuC


VLR in the destination NSS holds selectedmanagement information taken from the HLR.This is so as to enable/disable services. VLR isassociated with an MSC

Authentication Register (AuR): Protecteddatabase holding the secret key stored in theSIM card used for encryption andauthentication over the air interface

Equipment Identity Register (EIR): Database ofInternational Mobile Equipment Identity (IMEI)classified according to White (goodequipments), Black (stolen or bad equipments)and Grey (uncertain)

BTS1

BTS2 BSC2

To PSTN

BSS2

L1

LAPDm

RR

MM

CC

L1

LAPDm

MTP

RRBSSCA

P

MTP

BSSCAP

MM

CC

NON ACCESS STRATUM

ACCESS STRATUM


12/42

Subscriber Identity Module (SIM)

The SIM is the entity that contains the identity of the subscriber. When placedin a Mobile Equipment (ME), together they become a Mobile Station (MS)which may then register onto a GSM network

SIM is a smartcard as defined by ISO specifications

The International Mobile Subscriber Identity (IMSI) which unambiguouslyidentifies a subscriber

The phone number called MS-ISDN number is not the identity of the subscriber

SIM also stores a number of other items as given below Subscriber Authentication Ke Ki


Authentication Algorithm A3, Cipher key generation algorithm (A8) Cipher key (Kc) TMSI, LAI, Forbidden PLMNs Phonebook If the SIM is removed from the MS during a call, the call shall be terminated

immediately Refer: 3GPP TS 02.17 For details


13/42

Protocol Layers

Across each interface a set of protocols operate. They are the rules of communicationacross the interface

Protocols are layered according to function. Similar but not the same as OSI layering

The protocol layers in operation from MS are classified into two main groups

The Access Stratum (AS)The layers of the protocol that depend on the Radio Access Network (RAN) in use.GSM EDGE Radio Access Network (GERAN): The RAN using GSM technologyUniversal Terrestrial Radio Access Network: The RAN using UMTS technology

The Non Access Stratum (NAS)The layers of the protocol that are essentially independent of the RAN in use. Hence they are common forthe GERAN and UTRAN cases



14/42

Layer Functions Layer 1

Layer 1 is concerned with transmission/reception of bits over the air interface

Source Coding: Compression of speech

Channel Coding: To add redundancy to the data to enable error correction at the receiver

Interleaving: Technique used to add robustness against burst errors. Essentially bytransmitting bits in a different order than they are generated

Ciphering: Encrypt the bits so that only the receiver having the ciphering key will be ableto make sense of the data. This ensures secure wireless communication

Modulation: To convert the baseband information to/from the appropriate band aroundthe carrier frequency


Radio Rx Bit Detection De-Ciphering

ChannelDecoding

- - - - - - - - - - - - - - -De- Interleaving

SpeechDecoder

Radio Tx Modulator Ciphering

ChannelCoding

- - - - - - - - - - - - - - - -Interleaving

SpeechEncoder

Tx ChainTx ChainTx ChainTx Chain

Rx ChainRx ChainRx ChainRx Chain

Cellular

ProtocolProcessing

UserInterfaceApplications


15/42

Layer Functions - LAPDm

LAPDm: This is a Link layer protocol used in the air interface

This layer allows upper layers to transfer messages reliably across the air interface

It uses the services from the physical layer to transfer messages

Main functions include segmentation and reassembly

Retransmission and acknowledgement to ensure reliable data transfer LAPDm is only used for transfer of control messages and not for data transfer. Hence this

is called a control plane protocol

Stands for Link Access Protocol for Dm Channel. This is a simplified adaptation of theLAPD protocol used in ISDN networks



16/42

Layer Functions - RR

RR stands for Radio Resource

Layer is responsible for managing the Radio Resources

RR layer uses the services of the LAPDm to send/receive messages from the peer RR layer

RR layer uses services from the L1 to perform measurements and other monitoring functions to keeptrack of the health of the channels/cells

RR layer is responsible for a number of other functions like establishing/releasing dedicated channels,handover, cell reselections etc

RR layer is a unique feature in wireless communication systems. Since the Radio resources arescarce we need a dedicated layer to manage the resources optimally and share the resources acrossmany MS



17/42

Layer Functions MM, CC

Mobility Management (MM)This layer is responsible for keeping track of the location of the MSMM uses services provided by the RR layer to send its messages to the PeerMS needs to inform the NSS about its location at power upMS needs to inform the NSS about its location if it is changing its location

MS needs to be authenticated by the NSS before it accesses services from the NSS Call Control: Establishment, Maintenance and Release of calls for various

applications (Voice Call, TTY etc) at the higher layer level with NSS



18/42

Air Interface Basics - 1

To avoid overlapping with other simultaneous users, wireless systemsuse many ways to allocate channels. These are called Multiple AccessMethods. Common used methods are:

Frequency division multiplex or FDMA, used in analog cellular;

Time division multiple access or TDMA, used in 2G digital cellular Code division multiple access or CDMA

To establish a two way communication link a somehow duplexingmethod. Typically used methods are


.

Time division duplex (TDD). (half duplex or simplex in analog systems)


19/42

FDMA

Frequency division is the oldest and simplest access method.

An own frequency channel is allocated for each user as long time asthe call is connected. Same channel can be re-used after the call isover.

RxF1

RxF2

RxF3

User 1

User 3

User 2 User 4


RxF4

TxF1

TxF2

TxF3

TxF4

User 1

User 3

User 2 User 4

Time


20/42


21/42

GSM Air Interface (Layer 1)

Uses a combination of Time Division Multiple Access (TDMA) and Frequency Division Multiple Access (FDMA)

Users transmit at same or different frequencies (Hence FDMA)

Transmission happens in short bursts in time called timeslots

Users using the same frequency transmit at different time intervals (Hence TDMA)

The transmission from MS to BTS (Uplink) and transmission from BTS to MS (Downlink) are separated in frequency by45MHz, hence Frequency Division Duplex (FDD)

Uplink and downlink transmissions are separated in time so that the RF need not receive and transmit at the same time



22/42

GSM Modulation

GSM uses a modulation technique called as Gaussian Minimum Shift Keying

This is basically Frequency Shift Keying with smoothening applied to the baseband signal in the formof a Gaussian Shaped Pulse

This technique has the advantage similar to PSK for having a low Eb/No requirement for a given BitError Rate (BER) requirement

The waveform generated has a constant envelope The waveform has no discontinuities at the bit transitions

This results in a scheme that allows an optimum bandwidth usage coupled with lower transmit powerrequirement for a given BER and Noise conditions

Refer: Subbarayan Pasupathy, Minimum Shift Keying: A spectrally efficient modulation, IEEECommunications Ma azine, Jul 1979



23/42

GSM Modulation (Contd )

One symbol corresponds to a bit in GMSK

One symbol is 3.69us = (4*12/13us)

Thus the bit rate at radio interface is 271Kbps approx

The bandwidth occupied by the signal (Frequency range containing significant energy) is

200KHz Thus we get a figure of merit of >1 bits/s/Hz which is a good modulation technique

considering the complexity as well as the constant envelope nature of the signal



24/42

GSM Frame structure

Transmission/Reception happens in units of timeslots of 577microsecondseach (156.25bit periods)

Eight timeslots are grouped together to form a GSM TDMA frame 4.615ms

Frames are logically grouped into higher duration intervals like multiframes

(51frames) A physical channel in GSM therefore consists of specifying

a frequency number and a timeslot number between 0 and7. Physical Channel => (F, TN)


Physical channel provides a pipe for carrying information The data transmitted


25/42

GSM Frame structure (Contd)



26/42

Data Transfer with Higher Layers

Information transfer between higher layers and layer1 happens in terms of blocks.

Each block of data is channel encoded, interleaved, modulated and transmitted by layer 1 in fourconsecutive timeslots

Thus a logical channel that carries control information consists of groups of 4 TDMA frames

For instance system information containing information about the cell, is transmitted in the BroadcastControl (BCCH) logical channel in terms of blocks spanning over 4 TDMA frames

There are a few logical channels whose data consists of only one burst. This is only for controlpurposes



27/42

GSM Cell Basics

Each cell in GSM is given a set of carriers. This is a subset of the carriers thatthe operator is licensed to use

One carrier in each cell is called the BCCH carrier

This frequency is transmitted by the cell continuously an at a high power level

set by the operator All timeslots are transmitted irrespective of usage

The power level is set by the operator to control the size of the cell



28/42

BCCH Carrier

Timeslot Number 0 of the BCCH carrier contains a lot of useful information

The timeslot 0 contains transmissions of the Frequency correction burst,Synchronization burst and the System Information

The frames in BCCH carrier TN 0 are organized into multiframes of 51 frameseach



29/42

BCCH Carrier (Contd )

FCCH: This consists of a specific burst that is modulated with all zeros. This results in a reference frequency used bythe MS to correct its local oscillator. This is called the Frequency Burst (FB)

SCH: This contains a specific burst that contains the frame number information and a long training sequence, used fortime synchronization in the MS

BCCH: This is a logical channel transmitting system information, containing details about the cell to be used by higherlayers of the protocol stack

CCCH: This is a logical channel used for the process of Paging. i.e. notifying an MS about an incoming call


A view of Timeslot 0 on the BCCH Carrier


30/42

MS POWER ON STEPS

POWER ON

REGISTER FOR SERVICES

WITH NSS AND INFORM

LOCATION

FIND A GOOD CELL IN

REGION


IDLE MODE

NO DEDICATED RADIO

RESOURCES

AUTONOMOUS CELL

CHANGES

DEDICATED MODE

DEDICATED RADIO

RESOURCES

CELL CHANGE

INITIATED BY

NETWORK

RANDOM ACCESS PROCEDURE

TO GET DEDICATED RADIO RESOURC

CALL RELEASE

RELEASE USE OF

DEDICATED

ADIO RESOURCES


31/42

MS Power On - 1

RF SEARCH: Look through the entire receive frequency band in stepsof 200KHz, measuring the energy in the carrier. The results areaveraged over 5 samples spaced in time over 5s

ORDER RESULTS: Arrange the carriers in decreasing order of energy



32/42

MS Power On - 2

CELL SEARCH: A carrier corresponds to a BCCH carrier if and only if we findan FB and SB in that frequency

Search and find a Frequency Correction Burst (FB). Use the information tocorrect the local oscillator

Search for an SB and get the timing information, i.e. Frame Number and timelocation of timeslot 0 in the cell

FB and SB are repeated every 10TDMA frames in the BCCH carrier on timeslot0



33/42

MS Power On - 3

Read System Information (SI) Blocks from the BCCH logical channel

One SI is sent in each 51frame multiframe

SIs are numbered as SI 1, 2, 3 etc each containing different information about the cell

SIs are in general repeated over a period of 8 multiframes. This period is called as a TC

cycle. This means that there are only 8 types of system information. In reality the repetition is a little more complex and one needs to read some SIs to get

information about the presence of some others



34/42

MS Power On - 4

SUITABILITY: Check suitability of a cell

This has two parts Based on radio criteria

Signal strength of the cell Maximum allowed transmit power in the cell Maximum power the MS is able to transmit

Based on other criteria Whether the cell belongs to subscribed (Home) or allowed PLMN Whether the cell is allowed for access to operator only Whether the location area identity of the cell is allowed

These information relating to cell selection process are found in SI 3



35/42

MS Power on - 5

CAMP ON: Once a cell is found suitable the MS needs to inform the NSS about itslocation and then listen to the paging channel for incoming call alerts

Once camped on a cell the MS is said to be in IDLE mode

In IDLE mode the MS performs the following functions Listen for paging

Measure the strength of the neighbor and serving cells Read system information from serving and neighbor cells Take decisions on whether to remain camped on to the cell or change the cell. This process is

called as cell reselection



36/42

BACKUP



37/42

Location Update Procedure (1)

Intention is to inform the NSS about the MS location

The cells of an operator are grouped into together as Location Areas. The location area identity is broadcast in thesystem information

When the MS powers on for the first time and then each time it performs cell reselection, if the location area changesthen the MS needs to inform the NSS of its new location via the Location Update

Location of the MS is known to be within one of the cells of an LA

Incoming call pages are broadcast to all the cells in that LA by the NSS

This reduces signalling load on the network by avoiding MS having to update the location each time it changes cells

If the area consists of a large number of cells then the unnecessary paging load increases. The operator sizes thelocation area accordingly

This procedure is the responsibility of the Mobility Management (MM) layer

In order for the messages to be exchanged the MM layer requests the Radio Resource layer to establish a channel



38/42

Location Update Procedure - 2

Purpose: To notify the network that the MS is moving within a new

Location Area. This procedure is done prior to camping on a cell in

normal services.

MS calls the network (Mobile Originated)


MS registration is performed

MS is told whether the Cell can grant normal service


39/42

Channel Establishment - 1

Purpose: To gain access to a traffic channel (Freq, TN) for

transmission of full duplex information. The purpose of such an

establishment could be to transmit signaling messages (like Location

Update) or to perform a voice call or send SMS etc.


Send Channel Request messages to the BTS (RACH)

Keep reading CCCH/BCCH channels looking for Access Grant

BTS responds with an Immediate Assignment message (AGCH). The

description of the allocated full duplex channel is provided

MS stops Connection Establishment mode and enter Dedicated Mode


40/42

Channel Establishment - 2



41/42

Location Update Procedure - 3

RR CHANNEL REQUEST

RR IMMEDIATE ASSIGNMENT

MM LOCATION UPDATING REQUEST

MS NETWORK


MM AUTHENTICATION REQUEST

MM AUTHENTICATION RESPONSE

RR CIPHER MODE COMMAND

RR CIPHER MODE COMPLETE

MM LOCATION UPDATING ACCEPT

MM TMSI REALLOCATION COMPLETE

RR CHANNEL RELEASE


42/42

Authentication Process

On mobile startup the MS sends its IMSI to the Mobile Operator requesting access andauthentication.

The operator network searches its database for the incoming IMSI and its associated Ki.

The operator network then generates a Random Number (Rand) and signs it with the SIMs Kicomputing another number known as Signed Response (SRES_1) using an algorithm A3

The operator network then sends the RAND to the MS that also signs it with its Ki stored in SIM

and using A3 and sends the result (SRES_2) back to the operator network. The operator network then compares its computed SRES_1 with the SIMs computed SRES_2. If

the two numbers match the SIM is authenticated and granted access to the operator's network.

Algorithm A3 is operator specific and not specified. Only the SIM and HLR/AuC know it


gsm gprs protocols overview

Documents