kalu ifeoma mba - university of nigeria
MOBILITY MANAGEMENT IN GSM SIGNALING
BY
KALU IFEOMA MBA
PG/M.SC/07/43497
A PROJECT SUBMITTED TO THE PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE AWARD OF DEGREE OF MASTER OF SCIENCE (M.SC)
DEPARTMENT OF ELECTRONIC ENGINEERING
FACULTY OF ENGINEERING
UNIVERSITY OF NIGERIA NSUKKA
MAY 2010
APPROVAL PAGE
This is to certify that the research work “The Quantification of Signaling for Mobility Management” was
submitted to the Department of Electronic Engineering, University of Nigeria Nsukka, for the award of
Degree of Master of Science (M.Sc) in Telecommunication Engineering.
KALU IFEOMA MBA DATE
DR C.I.ANI (SUPERVISOR) DATE
VEN. PROF. T. C MADUEME
(HEAD OF DEPARTMENT) DATE
DECLARATION
I, KALU IFEOMA MBA, declare that this work is my own, and contains no materials accepted for
publication for the award of any other degree at any institution.
KALU IFEOMA MBA DATE
DEDICATION
This research work is dedicated to Almighty God and my parents Elder and Mrs. A.M. Kalu.
ACKNOWLEDGEMENT
I thank God Almighty for the successful completion of this research work. My special gratitude goes to
my supervisor, Dr. C. I. Ani, for his advice and the relevant materials he made available to me.
I wish to thank the Head of the Department of Electronic Engineering, Ven. Prof. T. C Madueme, and the
entire staff for their tremendous assistance during the course of this project. My special thanks go to my
parents, Elder and Mrs. A.M. Kalu, Pastor Joshua Ukoha, and my sister Ngozi Kalu for their sponsorship
and support towards the success of this research work. My thanks also go to my special friends and
colleagues who have contributed to the success of this work; remain blessed.
TABLE OF CONTENTS
Approval page
Declaration
Dedication
Acknowledgement
Table of Contents
List of Figures
List of Table
Abstract
CHAPTER ONE: INTRODUCTION
1.0 Background of the Study
1.1 Objectives of the Study
1.2 Significance of the Study
1.3 Scope of the Study
1.4 Dissertation Outline
CHAPTER TWO: LITERATURE REVIEW
2.0 Introduction
2.1 GSM Network Architecture
2.2 Mobile Station Subsystem
2.3 Base Station Subsystem
2.4 Network Switching System
2.5 GSM Network Architecture over Interfaces
2.6 GSM Channel Structure
2.7 GSM TDMA Frame
2.8 GSM Frame Structures and Hierarchy
2.9 GSM Technical Specifications
2.10 Mobility Management in GSM Network
2.11 Signaling Concept
2.12 Signaling System No.7
2.13 Objectives of Signaling System No.7
2.14 Components of SS7
2.15 SS7 Signaling Points
2.16 The SS7 Architecture
2.17 The ISDN User Part
2.18 Telephone User Part
2.19 Signaling Connection Control Part
2.20 The Transaction Capabilities Application Part
2.21 Mobile Application Part
2.22 Operation and Maintenance Application Part
2.23 Intelligent Network Application Part
2.24 Signaling Protocol in GSM Network
CHAPTER THREE: SIGNALING TRAFFIC
3.0 Introduction
3.2 Mobility Management Procedures
3.3 Location Update Procedure
3.4 Handover Procedure
3.5 GSM Originating Call
3.6 GSM Terminating Call
CHAPTER FOUR: SIGNALING TRAFFIC MODEL
4.0 Introduction
4.1 Measured Traffic Data
4.2 Mobility Signaling Traffic Model
4.2.1 Location Update
4.2.2 Handover
4.3 Location Area Management
CHAPTER FIVE: RECOMMENDATION AND CONCLUSION
5.1 Summary of Achievements
5.2 Recommendations
5.3 Conclusion
References
Appendix A
Appendix B
Appendix C
Appendix E
Appendix F
Appendix G
LIST OF FIGURES
Figure 2.1 GSM Network Architecture
Figure 2.2 SIM Authentication Sequence
Figure 2.3 GSM Base Stations
Figure 2.4 Block Diagram of a BSC
Figure 2.5 Equipment Identity Register
Figure 2.6 Network Switching System
Figure 2.7 GSM Network Architecture over Interfaces
Figure 2.8 Organizations of Burst, TDMA Frames and Multiframes
Figure 2.9 Composition Structure of SS7 Message Type
Figure 2.10 SS7 Signaling Units
Figure 2.11 SS7 Signaling Points
Figure 2.12 SS7 Protocol Layer
Figure 2.13 SS7 Model compared with OSI Model
Figure 2.14 ISUP Signaling between Exchanges
Figure 2.15 MAP Interfaces between Networks
Figure 2.16 GSM Signaling Protocol
Figure 3.1 Signaling Network Architecture
Figure 3.2 Intra-MSC Location Update
Figure 3.3 Inter-MSC Location Update
Figure 3.4 GSM Location Update Procedures
Figure 3.5 GSM Location Update Procedures
Figure 3.6 Handover Signaling Message Sequence
Figure 3.7 Handover Signaling Message Sequence
Figure 3.8 Intra-MSC Handover Flow Chart
Figure 3.9 Intra-MSC Handover Flow Chart
Figure 3.10 Intra-MSC Handover Flow Chart
Figure 3.1 Intra-MSC Handover Flow Chart
Figure 3.12 Inter-MSC Handover Flow Chart
Figure 3.13 Inter-MSC Handover Flow Chart
Figure 3.14 Inter-MSC Handover Flow Chart
Figure 3.15 Inter-MSC Handover Flow Chart
Figure 3.16 GSM Originating Call Flow
Figure 3.17 GSM Originating Call Flow
Figure 3.18 GSM Terminating Call Flow
Figure 3.19 GSM Terminating Call Flow
Figure 4.1 Traffic to and from the Node
Figure 4.2 Graph of local arrivals
Figure 4.3 Graph of Average LU Rate
Figure 4.4 Graph of Average Handover rate
LIST OF TABLES
Table 2.1 GSM Technical Specifications
Table 3.1 Number of Signaling Messages involved in GSM call types
Table 4.1 Summary of call type parameters and mean values
Table 4.2 SS7 Signaling Traffic for a Node
Table 4.3 Average of Signaling Traffic within an MSC per hourly average
Table 4.4 Summary of call type arrivals
Table 4.5 Modeled Parameters
ABSTRACT
The modern telephone network was developed to provide the basic telephone service, which involves the
two-way real-time transmission of voice signals. Cellular networks extended the basic telephone service by
providing mobility to mobile users. The main issue with the provisioning of mobile services is the
need to track mobile users. Mobility management enables a telecommunication network to locate mobile
users for call delivery. This dissertation, therefore, presents the protocols involved in GSM network
mobility management and the comprehensive signaling messages required. The signaling messages were
categorized into the messages required for call connection setup, call connection maintenance,
disconnection, mobile station location update, and mobile call handover. The average rates at which
mobile station location updates and handovers were effected in a given cell area were defined and the
associated signaling messages were quantified. The results were validated using data measured from a
typical GSM network within a 24 hour period. It was confirmed that a network with smaller location area
size has an increased rate of location updates. Also, a cell with an increased size minimizes the rate at
which active mobile stations are handed over to their neighboring cells. This implies that location area
sizes should be increased to reduce the number of signaling messages involved in location updates and
handover.
CHAPTER 1
INTRODUCTION
1.0 Background of the study
Communication can be defined as the process by which information is transferred from
one point to another in space and time [1]. The point of origination of information is called the
source, while the target point is called the destination. The facility that provides a service that
transfers information between users located at various geographical points is called the network.
It also provides access for gathering information and flexibility in its usage [1]. Wireless
network is the most common real-time service provided by a network; cellular telephone
service extended its services to mobile users who are free to move within a regional area
covered by an interconnected array of smaller geographical areas called cells. A cell has a radio
transmission system that allows it to communicate with users in its area [2]. The cellular system
handles the "handing over" of users as they move from one cell to another so that an ongoing
conversation is not terminated suddenly. The need for mobility arises whenever a subscriber
wishes to access service from any part of the world.
A communication network is a set of facilities that provide services and transfer information
between a source and a destination [2]. The source and the destination comprise terminal
equipment that attaches to the network, e.g. a telephone. This process may involve the transfer of a
single block of information or the transfer of a stream of information. The basic capability is
provided by transmission systems that transfer information through various media: cable, radio,
and optical fiber. They are designed to carry specific types of information representation: analog
voice signals, bits or characters. The switches transfer the information flow from one
transmission line to another [7]. Setting the path that carries information to its destination is
called routing. The basic network functions include transmission, information representation,
switching (which includes routing and forwarding), addressing, traffic control, congestion control,
and network management. Signaling was introduced to carry the message between the terminal and
the network [2].
Signaling allows mobility, which is the capability of a network to locate users as they roam away
from their home network. There are two basic types of signal exchange: between the user and
the network, and within the network. These types of signaling have to work together to establish a
call. When a request for a call comes in, stored program control checks whether the
destination is available. A separate computer communication network was introduced to carry
the signaling information [2]. Communications from the user are split into two streams at the
service switching point (SSP). The signaling information is directed toward the signaling
network, where it is routed and processed. The signaling system issues commands to the
switches to establish the desired connection. The second stream in the SSP consists of the user
information, which is directed to the transport network, where it flows from one user to another.
1.2 Objectives of the study
The aim of this study is to quantify the impact of mobility on GSM signaling in Nigerian
network systems. Other objectives of this research work include:
• To determine how many signaling messages are exchanged between network components for a
local, trunk or GSM to fixed network call.
• To quantify the impact of mobility on GSM signaling.
• To determine how many signaling messages are involved in mobility (handover and location
updates) in a GSM network.
1.3 Significance of the study
The results obtained from this research work will help GSM operators in Nigeria to determine
the location of base stations, type of cell selection, the measurement values and corresponding
signaling events of all customers’ calls in a specific time.
1.4 Scope of the study
In this research work, the areas covered include all call traffic data, taken on average, that the
network of a typical GSM operator in Nigeria experienced within a given time. This was used
for the quantification of the signaling traffic and the influence of mobility on GSM signaling.
The number, cell size, sizes of a location area and user movement determine the influence of
mobility in the network. The GSM service providers in Nigeria are MTN, Globacom, Zain and
Etisalat.
1.5 Dissertation outline
This dissertation report is organized as follows. Chapter one is the background of the study. In
chapter two, the literature is reviewed on GSM network architecture, components, and
technical specifications, Signaling System No.7, signaling concepts and signaling protocols.
Chapter three defines signaling traffic and gives the various signaling messages exchanged in
the GSM network with respect to local, trunk and GSM to fixed network calls, calls involved in
mobility, and the quantification of mobility signaling. In chapter four, analytical results are
presented on location update rate, handover rate, and graphs showing the influence of mobility in
the network. In chapter five, conclusions are drawn and recommendations made. Lastly, the
work concludes with references and appendices, which show the signaling flow diagrams.
CHAPTER TWO
LITERATURE REVIEW
2.0 Introduction
The Global System for Mobile communications (GSM) comprises several functional
entities, whose functions and interfaces are specified. These entities of the GSM network
intercommunicate to give the total functions and capabilities of GSM communications. In this
chapter, the GSM network architecture and the entities' functions are presented.
Mobile communication today employs digital technology, in distinction to the old analog mobile
phones of the first generation (1G) mobile standards. A wireless user is no longer limited to
only voice calls or very low speed data applications often using circuit switched data. The GSM
network allows file downloads of high-speed multimedia, e-mails and browsing the internet.
During the early 1980s, analog cellular telephone systems were experiencing rapid growth in
Europe, particularly in Scandinavia and the United Kingdom, and also in France and Germany.
Each of these countries developed its own system, which was incompatible with everyone else's in
equipment and operation [12]. This limited mobile equipment to operating
within national boundaries. The Europeans realized this early: in 1982 the Conference of
European Posts and Telegraphs (CEPT) formed a study group called the Groupe Special Mobile,
later called Global System for Mobile Communication (GSM), to study and develop a
pan-European public land mobile system. The system was to meet the following criteria:
• Good subjective speech quality
• Low terminal and service cost
• Support for international roaming
• Ability to support handheld terminals
• Support for range of new services and facilities
• Spectral efficiency
• Integrated Services Digital Network (ISDN) compatibility
Services offered by GSM Network
The planners of GSM wanted ISDN compatibility in provision of the services offered and the
control signaling used [8]. Radio transmission limitations, in terms of bandwidth and cost, do
not allow the standard ISDN B-channel bit rate of 64 kbps to be practically achieved. Using the
ITU-T definitions, telecommunication services can be divided into bearer services, teleservices,
and supplementary services. The most basic teleservice supported by GSM is telephony; speech
is digitally encoded and transmitted through the GSM network as a digital stream [12]. A
variety of data services is offered. GSM users can send and receive data, at rates up to 9600 bps,
compared to users on Plain Old Telephone Service (POTS), ISDN, Packet Switched Public Data
Networks, and Circuit Switched Public Data Networks using a variety of access methods and
protocols, such as X.25 or X.32. A unique feature of GSM, not found in older analog systems,
is the Short Message Service (SMS).
SMS is a bidirectional service for short alphanumeric (160 bytes) messages [13]. Messages are
transported in a store-and-forward fashion. SMS can also be used in a cell-broadcast mode, for
sending messages such as traffic updates or news updates. Supplementary services are provided
on top of teleservices or bearer services. In the current (Phase I) specifications, they include
several forms of call forward (such as call forwarding when the mobile subscriber is
unreachable by the network), barring of outgoing or incoming calls (for example when roaming in
another country), call waiting, and advice of charge [12]. The ability to provide these services
introduces a new level of complexity. Information is transferred over the air interface at 13
kbps; transcoding schemes and format translation services are provided by the GSM network
components.
Voice information is digitized using the Regular Pulse Excitation-Long Term Prediction
algorithm that removes enough redundancy from the voice signal to transmit over the 13 kbps
channel; this is translated to pulse code modulation (PCM) and adaptive differential pulse code
modulation (ADPCM) by the GSM switching network for transmission over the PSTN [12].
Mobility management presents a unique set of challenges; users may roam into areas supported
by other carriers. Algorithms and protocols have been designed to locate users and handle
charging while users are visiting areas away from home. Data formats and control signals are
transferred between the switching systems and mobile subscriber equipment.
Protocols used in GSM Network
The collection of components and services requires the use of several protocols to control calls,
transfer information, and provide overall system management [19]. There are four layers for
communication:
• The radio frequency (RF) interface to the base transceiver station (BTS)
• The radio resource management (RR) layer to the base station controller (BSC)
• Mobility management (MM)
• Communications management (CM) to the mobile switching center/visitor location
register (MSC/VLR)
Additional protocols are used to provide control services that are managed between the system
switching and management components: the mobile application part and the transmission layer [7].
Transmission layer: the transmission layer sets up a connection between the mobile station (MS) and
the BTS [7]. The transmission channel between the MS and the BTS is a component unique to GSM
cellular networks; it is modified to operate on different frequencies in the case of personal
communication systems (PCS) and replaced in its entirety in the case of satellite communications
systems.
Mobile application part (MAP): MAP is the protocol that is used to allow the GSM network nodes
within the Network Switching Subsystem (NSS) to communicate with each other [7]. It
provides services such as roaming capability, text messaging (SMS), and subscriber
authentication. MAP provides an application layer on which to build the services that support a
GSM network. This application layer provides a standardized set of operations. MAP is
transported and encapsulated with the Signaling System No.7 (SS7) protocols: message transfer
part (MTP), signaling connection control part (SCCP), and transaction capabilities application
part (TCAP) [7].
Radio Resource Management: the radio resource (RR) protocols are responsible for the
allocation and reallocation of traffic channels between the MS and the BTS [1]. These services
include controlling the initial access to the system, paging for mobile terminated calls,
handover of calls between cell sites, power control, and call termination. The RR protocols
provide the procedures for the use, allocation, reallocation, and release of the GSM channels.
RF Interface to the BTS: the interface between the MS and the BTS consists of a
frequency-hopped time division multiple access (TDMA) channel that is divided into several sub channels
[8]. They are used for the transmission of user information [19]. Moreover, to increase battery
life and decrease interference between stations operating in adjacent cell-sites, the MS and the
BTS transmitters automatically adapt their transmission power [8]. Several channels are used in
the air interface.
Mobility Management
One of the major features used in GSM networks is the ability to support roaming users [1].
Through the control signaling network, the mobile switching center (MSC) interacts to locate
and connect to users throughout the network. "Location Registers" are included in the MSC
databases to assist in the role of determining how and whether connections are to be made to
roaming users. A mobile subscriber is assigned a Home Location Register (HLR) that is used to
maintain the user's location and subscribed services [1]. A separate register, the Visitor Location
Register (VLR) is used to track the location of a user. As the users roam out of the area covered
by the HLR, the mobile station (MS) notifies a new VLR of its whereabouts. The VLR in turn
uses the control network (this is based on SS7) to signal the HLR of the MS's new location.
Through this information, mobile terminated calls can be routed to the user by the location
information contained in the user's HLR.
Mobility management entails keeping track of the MS while it is on the move [1]. The mobility
management procedures vary across three scenarios: when the MS is turned off, when the MS is in
idle mode, and when the MS has an active call [12]. In the first scenario, when the network cannot
reach the MS because it does not respond to the paging message, the MS is considered to be in the
turned-off state. In this state, the MS is considered detached from the system (international mobile
subscriber identity detached, or IMSI detached). In the second scenario, the MS is in the ready
state to make or receive calls [3]. The system considers it attached (IMSI attached). The MS informs
the system about any changes in location area (LA) while on the move; this is known as location
updating. In the third scenario, the system has active radio channels that are allocated to the MS
for conversation and data flow. The MS is required to change to new radio channels if the quality
of the current channels drops below a certain level; this is known as handover. The MSC (sometimes
the BSC) makes the handover decision from an analysis of information that is obtained in real time
from the MS and BTS [3].
Location update
Location updating is the mechanism that is used to determine the location of a MS [12]. The MS
initiates location updating, which can occur when:
• The MS is first switched on
• The MS moves within the same VLR area, but to a new LA
• The MS moves to a new VLR area
• A location update timer expires
There are several reasons why a mobile may provide updated location information to the
network. Whenever a mobile is switched on or off, the network may require it to perform an
IMSI attach or IMSI detach location update procedure. A mobile phone is required to regularly
report its location at a set time interval using a periodic location update procedure [12].
Whenever a mobile moves from one location area to another while not on a call, a random
location update is performed. This is also required of a stationary mobile that reselects coverage
from a cell in a different location area because of signal fade.
The enabling of periodic updating, and the time period between periodic updates, is controlled
by the operator, and is a trade-off between signaling traffic and speed of recovery. If a mobile
does not register after the updating time period, it is deregistered [3].
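The update triggers and the deregistration rule above, as an added example that is not taken from the dissertation: a small model that runs a constructed idle-mode trace and counts which location updates stay in the VLR and which reach the HLR. The LA-to-VLR map, the 60-minute timer, the IMSI and all class and function names are assumptions.

```python
from collections import Counter

# Constructed topology and timer (assumptions, not values from the dissertation).
LA_TO_VLR = {"LA1": "VLR-A", "LA2": "VLR-A", "LA3": "VLR-B"}
PERIODIC_TIMER = 60  # minutes between periodic location updates


class Core:
    """Network side: VLR records for attached mobiles plus an HLR pointer per IMSI."""

    def __init__(self):
        self.vlr_records = {}   # IMSI -> {"la", "vlr", "last"}; one serving VLR at a time
        self.hlr = {}           # IMSI -> serving VLR
        self.counts = Counter()
        self.hlr_updates = 0

    def location_update(self, imsi, la, now):
        """Handle a location update request and classify why it happened."""
        vlr = LA_TO_VLR[la]
        rec = self.vlr_records.get(imsi)
        if rec is None:
            reason = "attach"
        elif rec["vlr"] != vlr:
            reason = "new_vlr"
        elif rec["la"] != la:
            reason = "new_la_same_vlr"
        else:
            reason = "periodic"
        if reason in ("attach", "new_vlr"):
            # Only these cases cross the SS7 network to the HLR.
            self.hlr[imsi] = vlr
            self.hlr_updates += 1
        # Overwriting the record also models cancelling it in the previous VLR.
        self.vlr_records[imsi] = {"la": la, "vlr": vlr, "last": now}
        self.counts[reason] += 1
        return reason

    def expire(self, now):
        """Deregister mobiles that missed their periodic update."""
        overdue = [i for i, r in self.vlr_records.items()
                   if now - r["last"] > PERIODIC_TIMER]
        for imsi in overdue:
            del self.vlr_records[imsi]
            self.counts["deregistered"] += 1
        return overdue


class Mobile:
    """Idle-mode MS: remembers the LA it last registered in and when."""

    def __init__(self, imsi):
        self.imsi = imsi
        self.stored_la = None
        self.last_update = None

    def camp(self, core, la, now):
        """MS is camped on a cell of `la`; returns the update reason or None."""
        due = (self.stored_la is None or la != self.stored_la
               or now - self.last_update >= PERIODIC_TIMER)
        if not due:
            return None
        self.stored_la, self.last_update = la, now
        return core.location_update(self.imsi, la, now)


def run_trace(trace, imsi="001010123456789"):  # constructed test IMSI
    core, ms = Core(), Mobile(imsi)
    log = []
    for now, la in trace:
        core.expire(now)
        log.append((now, la, ms.camp(core, la, now)))
    return log, dict(core.counts), core.hlr_updates


# Constructed trace: (minute, location area the idle MS is camped in).
# The gap between minute 100 and minute 210 models a mobile that goes silent.
TRACE = [(0, "LA1"), (20, "LA1"), (30, "LA2"), (90, "LA2"), (100, "LA3"), (210, "LA3")]

if __name__ == "__main__":
    log, counts, hlr_updates = run_trace(TRACE)
    for row in log:
        print(row)
    print(counts, "HLR updates:", hlr_updates)
```

Shrinking the location areas in `LA_TO_VLR` (more LAs for the same cells) raises the number of updates for the same movement, which is the trade-off the dissertation sets out to quantify.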
Signaling in GSM Network
Signaling refers to all the control signals used within or between communication equipment,
whose function is to set up communication [1]. The signaling used in the GSM network is
Signaling System Number Seven (SS7). SS7 is a protocol that has several layers; each provides
functions for connection-oriented and connectionless signaling in the GSM network. This
is important in GSM networks; it is responsible for the establishment of calls, billing, and the
maintenance and release of connections.
Signaling can be in-band or out-of-band. In-band signaling uses audio tones for conveying its
signals; that is, the control information is exchanged in the same channel, while in out-of-band
signaling the control information is exchanged on a separate channel [2]. It reserves a narrow band
within the voice band for conveying control signals. The GSM network uses SS7, and its
communications involve many signaling messages to enable information to be transferred from
the source to the destination.
2.1 GSM Network Architecture
The GSM network can be divided into three broad parts: the Mobile Station Subsystem (MSS), the
Base Station Subsystem (BSS), and the Network Switching Subsystem (NSS). The mobile
station is carried by the subscriber, the base station controls the radio link with the Mobile Station,
and the network switching subsystem consists of the Mobile service Switching Center (MSC),
which performs the switching of calls between mobile users, and between mobile and fixed network
users. The MSC also handles the mobility management operations. The Operations and Maintenance
Center oversees the proper operation and setup of the network [12, 14]. Figure 2.1 shows the
architecture of a GSM network.
[Figure 2.1: General Architecture of a GSM Network. Labels: Base Transceiver Station (BTS), Base Station Controller (BSC), Mobile service Switching Centre (MSC), Gateway MSC (GMSC), Visitors Location Register (VLR), Home Location Register (HLR), the Network & Switching Subsystem (NSS) (GSM Core Network), and PSTN, ISDN, PSPDN, CSPDN.]
2.2 Mobile Station subsystem
Mobile station subsystem (MSS) consists of the mobile equipment (the terminal) and a smart
card called the Subscriber Identity Module (SIM).
The Mobile Equipment
This is a terminal that is carried about by the GSM subscribers. It comes in different forms
and has different supporting features. Mobile equipment also supports different frequency
spectrum for its operations. The GSM terminal bears a unique number called the International
Mobile Equipment Identity (IMEI) that is written on the phone. The GSM network uses the IMEI
number to identify valid terminals. It is also used to stop stolen phones from accessing the
network if reported, and identifies the mobile equipment, not the subscriber. The SIM card contains
the International Mobile Subscriber Identity (IMSI) used to identify the subscriber to the
system, a secret key for authentication, and other information. The IMEI and the IMSI are
independent, thereby allowing personal mobility [14].
Mobile equipment comprises two parts: the transmitter and the receiver. The transmitter
sends dialed digits and voice signals from the handset to the network, while the receiver receives
the signals sent to the subscriber from the network. The digital processes that take place at the
digital processor of the mobile equipment transmitter include error protection coding, bit
interleaving, encryption and appending of frame bits. At the receiver, the digital processes
include slot separation, removal of frame bits, bit de-interleaving, decryption and error
protection decoding [12].
Subscriber Identity Module (SIM)
The Subscriber Identity Module (SIM) is a smart card, which stores subscriber information
including the International Mobile Subscriber Identity (IMSI). The SIM card is inserted in any
GSM phone to enable the user to make, receive calls and other subscribed services. The SIM
card also allows mobility, so that the user can have access to the subscribed services irrespective
of the terminal. The SIM card is protected against unauthorized use by a password or personal
identity number [14].
SIM Authentication and security
Authentication is a process which proves that the MS contains a secret key value Ki. It is a
very important element of a mobile network to identify a subscriber. Authentication involves
two functional entities, the SIM card in the mobile and the Authentication Center (AuC). A
subscriber is given a secret key, one copy of which is stored in the SIM card and the other in
the AuC. The AuC generates a random number that is sent to the mobile during authentication.
The mobile and the AuC use the random number, in conjunction with the subscriber's secret
key and a ciphering algorithm called A3, to generate a signed response (SRES) that is sent
back to the AuC. If the number sent by the mobile is the same as the one
calculated by the AuC, the subscriber is authenticated [7].
Encryption is done against unauthorized listening; the MSC uses the same initial random
number and subscriber key to compute the ciphering key using an algorithm called A8. The
ciphering key and the TDMA frame number are used by the A5 algorithm to create a 114 bit sequence
that is XORed with the 114 bits of a burst (the two 57 bit blocks). Enciphering is an option for
the fairly paranoid, since the signal is already coded, interleaved, and transmitted in a TDMA
manner, thus providing protection from all but the most persistent and dedicated
eavesdroppers. The Authentication Center (AuC) is a secured database that handles the
authentication and encryption of keys. Authentication involves a two-way transaction: the base
station transmits a random "challenge number" (RAND), with a different value each time, to the
mobile set when a call is to be connected or an authentication is to be performed for another
reason. The mobile set performs a calculation using that number with an internal secret number and
returns the result of the computation, SRES, over the radio link. The base system also knows what
the correct result will be, and can reject the connection if the mobile did not respond with the
correct number [8, 13].
However, if a criminal copies the entire radio link transaction, it will not permit imitation of
the valid set, because the base system begins the next authentication with a different challenge
value. This transaction generates some other secret numbers, which are used in subsequent
transmissions for encryption of data.
There will be no technological fraud, such as customers presenting false identity to get service
but never paying their bills (subscription fraud). The MSC does not contain any information
about a particular mobile station; this information is stored in the location registers. The
network sends a randomly generated number to the mobile. The mobile performs a calculation
against it with a number it has stored and sends the result back. If the switch gets the number it
expects, the call proceeds. The AuC stores all data needed to authenticate a call and to encrypt
voice traffic and signaling messages [6]. Figure 2.2 explains the SIM authentication
sequence. Calculations in the A3 algorithm are similar to Lucifer or other encryption codes
(repeated bit permutation and XORing with a distinct secret number). They are performed in a
separate secure SIM chip (processor and memory) in GSM.
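The challenge-response and burst ciphering described in this section, as an added example that is not code from the dissertation: both sides derive SRES and the ciphering key Kc from Ki and RAND, the network compares SRES, and a recorded SRES is rejected against a fresh RAND. HMAC-SHA256 and SHAKE-128 stand in for A3, A8 and A5, and the class names, IMSI and frame number are constructed.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumption): the real A3/A8 run inside the SIM and the AuC and are
# chosen by the operator; A5 is a dedicated stream cipher. HMAC-SHA256 and
# SHAKE-128 are used here only so the message flow can run. Sizes follow GSM:
# RAND 128 bits, SRES 32 bits, Kc 64 bits, 114 keystream bits per burst.

def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame_number: int) -> int:
    raw = hashlib.shake_128(kc + frame_number.to_bytes(4, "big")).digest(15)
    return int.from_bytes(raw, "big") >> 6      # 120 bits -> 114 bits

def cipher_burst(burst: int, kc: bytes, frame_number: int) -> int:
    """XOR a 114-bit burst with the keystream; the same call deciphers."""
    if not 0 <= burst < (1 << 114):
        raise ValueError("burst must fit in 114 bits")
    return burst ^ a5_keystream(kc, frame_number)


class AuC:
    """Holds one copy of each subscriber's Ki and produces (RAND, SRES, Kc)."""
    def __init__(self):
        self.keys = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self.keys[imsi] = ki

    def triplet(self, imsi: str):
        ki = self.keys[imsi]
        rand = secrets.token_bytes(16)          # fresh challenge every time
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


class Sim:
    """Holds the other copy of Ki; only SRES and Kc ever leave the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class Network:
    """MSC/VLR side: sends RAND and compares the returned SRES."""
    def __init__(self, auc: AuC):
        self.auc = auc
        self.pending = {}                       # IMSI -> (expected SRES, Kc)

    def challenge(self, imsi: str) -> bytes:
        rand, sres, kc = self.auc.triplet(imsi)
        self.pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return Kc on success, None on failure. Each challenge is single use."""
        expected = self.pending.pop(imsi, None)
        if expected is None:
            return None
        good_sres, kc = expected
        return kc if hmac.compare_digest(good_sres, sres) else None


def run_exchange():
    imsi = "001010123456789"                    # constructed test IMSI
    ki = secrets.token_bytes(16)
    auc = AuC()
    auc.provision(imsi, ki)
    net, sim = Network(auc), Sim(imsi, ki)

    rand1 = net.challenge(imsi)
    sres1, kc_ms = sim.respond(rand1)
    kc_net = net.verify(imsi, sres1)            # genuine SIM is accepted

    net.challenge(imsi)                         # next attempt gets a new RAND
    replayed = net.verify(imsi, sres1)          # recorded SRES played back

    clone = Sim(imsi, secrets.token_bytes(16))  # right IMSI, wrong Ki
    forged = net.verify(imsi, clone.respond(net.challenge(imsi))[0])

    burst = secrets.randbits(114)
    on_air = cipher_burst(burst, kc_ms, frame_number=42)
    recovered = cipher_burst(on_air, kc_net, frame_number=42)
    return {"genuine": kc_net == kc_ms, "replay": replayed, "clone": forged,
            "burst_ok": recovered == burst, "hidden": on_air != burst}


if __name__ == "__main__":
    print(run_exchange())
```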
2.3 Base Station Subsystem
The Base Station Subsystem is composed of two parts: the Base Transceiver Station (BTS) and
the Base Station Controller (BSC). These communicate across the standardized Abis interface,
allowing operation between components made by different suppliers. Figure 2.3 shows the
GSM base station subsystem [14].
[Figure 2.2: SIM authentication sequence. Labels: MS, Ki, RAND, A3 algorithm, SRES, Authentication MSC (base), correct value, compare bits, authentic or wrong?]
The Base Transceiver Station (BTS)
The Base Transceiver Station, also called the Remote Base Station (RBS), houses the radio
transceivers that define a cell and handles radio-link protocols with the mobile station. The base
transceiver station contains the equipment for encryption, decryption and base station controller.
In a large urban area, there would be a large number of BTSs with several transceivers
deployed. The performance of a BTS is increased using frequency hopping which switches the
voice traffic between the transceiver and the mobile equipment [14]. The requirements for a
BTS are ruggedness, reliability, portability, and minimum cost. It is controlled by the Base
Station control function (BCF) through the BSC. BCF is a unit which provides an operation and
maintains the connection to the network management system.
[Figure 2.3: GSM Base Station Subsystems. Labels: Mobile Terminal, Radio Interface, BTS, Abis Interface, Base Station Controller (BSC), A Interface, location areas LA 1 and LA 3.]
Functions of different components of a BTS
The functions of a BTS are as follows:
• Transceiver; the transceiver transmits and receives signals to other components of the
network such as the BSC.
• Power Amplifier; amplifies the signals from the transceiver through the antenna for
transmission [12].
• Combiner puts different signals together from several transceivers for onward
transmission through the antenna, reducing the number of antennas used.
• Duplexer is used to separate sending and receiving signals to and from the antennas.
• Alarm Extension System collects working status alarms of the various units in the BTS
and sends them to the operations and maintenance monitoring stations.
• Control Functions controls the BTS and manages its various units and the software for
the functioning of the BTS, software upgrade, and status changes [14].
The Base Station Controller (BSC)
The BSC manages the radio resources for one or more BTSs. It is responsible for the
allocation, release and management of the radio channels, frequency hopping, and handovers.
The BSC is the connection between the mobile station and the Mobile service Switching Center
(MSC). It is a small switch linking the several cells under its control to the MSC [19]. Figure
2.4 describes the switching of the incoming traffic channels to their correct Abis-interface
channels.
The Internal Structures of a BSC
• Database: the BSC is the control centre for BSS. It contains the complete BTS
operations software for all attached and BSS specific information such as assigned
frequency. It maintains the quality of the radio resources, and the BSS.
• The switch Matrix switches the incoming traffic channels to the correct Abis-interface
channels. It also takes care of the relay functionality.
• Terminal control element (TCE) of the Abis-interface connects the BSC to the BTS.
The number of Abis TCE that a BSC contains depends on the number of BTS and the
system manufacturer. The major tasks of the Abis-TCEs are to setup LAPD connections
towards the BTS, the transfer of signaling data, and the transparent transfer of payload.
It also administers a BTS radio resource, which is the assignment, the release of
signaling and traffic channels over the Abis-interface and the Air interface. It also helps
in the evaluation of measurement results from the BTS concerning busy and idle
channels which are relevant for power control used in handover decisions.
Figure 2.4 Block diagram of a BSC (diagram labels: Abis interface, TM, TCE, Central DB, Switch matrix, Central functions and clock distributions, OMC)
• The A-interface Terminal Control Elements (A-TCEs): A-TCE is required for the
connection of a BSC to the MSC. It is for setting up and operating the SS7/SCCP
connection towards the MSC.
• The central module decides when a handover should take place, and handles power control.
It also connects the OMC, which manages the BSS through the BSC.
• Connection to the OMC: the central module provides the connection to the OMC; every
BSS is supervised and managed by an OMC through the BSC [19].
2.4 Network Switching System (NSS)
The network switching system, which consists of the Mobile Switching Center (MSC), the Home
Location Register (HLR), and the Visitor Location Register (VLR), is the GSM core network. It is
responsible for the switching, handling of calls and mobility management. It uses an intelligent network,
which separates the central database (HLR) from the switch (MSC) and uses STP to transport
signaling among the MSC and HLR. The MSC is the central component of this system [7].
Mobile Switching Center (MSC)
The central component of the Network Subsystem is the Mobile Switching Center (MSC). It
provides all the functionality needed to handle mobile subscriber applications, such as
registration, authentication, location updates, handovers, and call routing to a roaming
subscriber [7]. The MSC provides the connection between the GSM network and other
networks such as PSTN and ISDN. Signaling between functional entities in the Network
Subsystem uses Signaling System Number 7 (SS7), used for trunk signaling in ISDN and
widely used in current public networks [22]. The mobile switching center also handles
connections between cells. As a mobile user moves from one cell to another, a handover
procedure is carried out which transfers the connection from one base station to another,
allowing the call to continue without interruption [22].
Gateway Mobile Switching Center (GMSC)
This is an MSC with an interface to other networks. An MSC routes calls to the gateway MSC,
which routes them to their destination networks. The interworking function (IWF) is a gateway for
the MSC to interface with the external networks for communication with users outside GSM, such
as the packet-switched data network (PSDN) and circuit-switched data network (CSDN). The role
of the interworking function depends on the type of user data and the network to which it interfaces.
An incoming mobile terminating call is routed to a Gateway MSC, which finds the correct HLR
by knowing the directory number of the subscriber. GMSC has an interface with the external
network and the network operates the full SS7 signaling between NSS machines [7].
The Home Location Register (HLR)
The Home Location Register is the GSM network permanent database which contains all the
administrative information of each subscriber registered in the corresponding GSM network,
along with the current location of the mobile. The location of the mobile is typically in the form
of the signaling address of the VLR associated with the mobile station. The Home Location
Register (HLR), Visitor Location Register (VLR), and the MSC provide the call routing and
roaming capabilities of a GSM network. There is logically one HLR per GSM network,
although it may be implemented as a distributed database [8].
The Visitor Location Register (VLR)
The VLR is a temporary database containing the data necessary to set up calls to and from the
mobile station. It contains the location area information being roamed, the mobile station's
roaming number, the International Mobile Subscriber Identity and Mobile Station ISDN
number. The VLR keeps the Home Location Register (HLR) updated on the location of the user [5].
It contains selected administrative information from the HLR, necessary for call control and
provision of the subscribed services, for each mobile currently located in the geographical area
controlled by the VLR.
Moreover, each functional entity can be implemented as an independent unit. All manufacturers
of switching equipment implement the VLR with the MSC, so that the geographical area
controlled by the MSC corresponds to that controlled by the VLR, thus simplifying the
signaling required.
The Equipment Identity Register (EIR)
The EIR is a database in GSM network which contains a list of all valid mobile equipments in
the network [6]. The mobile station is identified by its International Mobile Equipment Identity
(IMEI). It marks an IMEI invalid if stolen hence denying access to the subscriber, and checks
for unauthorized calls from mobile stations [6]. The EIR maintains three lists, which give the status
returned in response to an IMEI query to the EIR:
• White-listed: it contains all approved types of mobile equipments (type approved
codes). The terminal is allowed to connect to the network.
• Grey-listed: contains all mobile equipment to be traced. The terminal is under observation
from the network for possible problems.
• Black-listed: contains all mobile to be barred (complete IMEI). The terminal has either
been reported stolen, or is not type approved (the correct type of terminal for a GSM
network). The terminal is not allowed to connect to the network [6].
Figure 2.5 shows the Equipment Identity Register contents.
Figure 2.5 Equipment Identity Register contents (diagram labels: Grey-listed, Black-listed, White-listed)
The Authentication Center (AuC)
The Authentication Center is used to authenticate and encrypt parameters that verify the user’s
identity. An International Mobile Equipment Identity (IMEI) is marked as invalid if it has been
reported stolen or is not type approved. The Authentication Center (AuC) is a protected
database that stores a copy of the secret key stored in each subscriber's SIM card. This secret
key is used for authentication and encryption over the radio channel. The AuC is often
considered part of HLR [6, 8]. Figure 2.6 illustrates the internal structure of the network
switching system.
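The challenge-response exchange that the AuC's copy of the secret key makes possible, as an added example that is not part of the original thesis. The real A3/A8 algorithms are chosen by the operator and are not reproduced, so HMAC-SHA-256 stands in for them; the class and function names, the IMSI and the key are constructed, and the 128-bit RAND, 32-bit SRES and 64-bit Kc sizes are the standard GSM values rather than figures from this page.

```python
import hashlib
import hmac
import secrets

RAND_LEN = 16  # 128-bit challenge (standard GSM size, not a figure from the page)
SRES_LEN = 4   # 32-bit signed response
KC_LEN = 8     # 64-bit ciphering key


def a3_a8_standin(ki, rand):
    """Stand-in for A3 (SRES) and A8 (Kc): HMAC-SHA-256 keyed with Ki.

    Assumption: the real algorithms are chosen by the operator and are not shown.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """Subscriber side: Ki stays on the card; only SRES is sent over the air."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand):
        sres, self.kc = a3_a8_standin(self._ki, rand)
        return sres


class AuthenticationCenter:
    """Network side: protected IMSI -> Ki database that hands out triplets."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi, ki):
        self._keys[imsi] = ki

    def generate_triplet(self, imsi):
        # Ki is never exported; the VLR only ever sees (RAND, SRES, Kc).
        rand = secrets.token_bytes(RAND_LEN)
        sres, kc = a3_a8_standin(self._keys[imsi], rand)
        return rand, sres, kc


class Vlr:
    """Serving side: issues the challenge and compares the returned SRES."""

    def __init__(self, auc):
        self._auc = auc
        self._pending = {}  # IMSI -> (expected SRES, Kc) of the open challenge

    def challenge(self, imsi):
        rand, sres, kc = self._auc.generate_triplet(imsi)
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):
        """Return Kc if SRES matches the open challenge, else None.

        The triplet is consumed either way, so a response can be tried once.
        """
        expected, kc = self._pending.pop(imsi, (None, None))
        if expected is None or not hmac.compare_digest(expected, sres):
            return None
        return kc


def demo():
    imsi = "001010123456789"                                # constructed
    ki = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed
    auc = AuthenticationCenter()
    auc.provision(imsi, ki)
    vlr = Vlr(auc)
    genuine = Sim(imsi, ki)
    wrong_key = Sim(imsi, bytes(16))  # same IMSI, different Ki

    # 1. Genuine SIM: SRES matches and both sides end up with the same Kc.
    old_sres = genuine.respond(vlr.challenge(imsi))
    kc = vlr.verify(imsi, old_sres)
    genuine_ok = kc is not None and kc == genuine.kc

    # 2. SIM without the right Ki: SRES differs, so access is refused.
    wrong_ok = vlr.verify(imsi, wrong_key.respond(vlr.challenge(imsi))) is not None

    # 3. Old SRES presented against a fresh RAND: refused.
    vlr.challenge(imsi)
    replay_ok = vlr.verify(imsi, old_sres) is not None
    return genuine_ok, wrong_ok, replay_ok


if __name__ == "__main__":
    print(demo())
```

Because the VLR only ever holds (RAND, SRES, Kc), the one place Ki must be protected on the network side is the AuC database.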
2.5 GSM Network Architecture over the interfaces
The different components that make up the GSM network have to communicate with each other
to enable efficient service provisioning [6]. Figure 2.7 shows the architecture of the GSM
network interfaces over the signalling network.
Figure 2.6 Network Switching System (diagram labels: BSS, MSC/VLR, AUC, HLR, GMSC, PSTN, SS7, NSS; CF = Control Flow, UDF = User Data Flow)
As shown in figure 2.7, the MAP signalling is transferred among B, C, D, E, F and G interfaces
in the GSM network [8]. The BSSAP is responsible for the A interface, the description of each
interface is as follows:
Um-interface: is the air interface used for exchange between the mobile station (MS) and the
Base Station Subsystem (BSS). This interface uses the Link Access protocol for ISDN-D
channel of Mobile (LAPDm) for signalling.
Abis-interface: this is a BSS internal interface that links the BSC and the BTS. This interface
uses TDMA traffic channels for traffic, LAPD protocol for BTS control, frequency allocation,
maintenance of data and signalling.
A-interface: is the communication interface between the network subsystem and the base
station subsystem. With respect to the functional entity of the subsystem, the A interface is the
interface between the Base Station Controller (BSC) and the Mobile Switching Centre (MSC).
The information transferred by this interface includes mobile station management, base station
management, mobility management and call processing.
Figure 2.7 GSM Network Architecture over Interfaces (diagram labels: MS, BTS, BSC, MSC, VLR, HLR, EIR; interfaces Um, Abis, A, B, C, D, E, F, G)
B-interface: is the interface between the VLR and the MSC. The B interface is used for the
MSC to query the current location information of a Mobile Station (MS). It is used for the
operations of supplementary services.
C-interface: is the interface between the MSC and the HLR. It is used when transferring short
messages to the MS, and used for the SMS gateway to obtain the number of the MSC where the
MS is currently located from the HLR.
D-interface: is the interface between the VLR and the HLR. This interface is used to exchange
the location information of the MS. The data exchange through the D interface is needed for the
service modification request of the subscriber such as supplementary service operation and the
subscriber data modification of the operation.
E-interface: is the interface between one MSC and another MSC. The E interface is used to
control the handover between different MSCs in the neighbouring cells. The E interface is also
used for the data exchange between the MSCs to start and implement the handover operation.
F-interface: this is an interface between the MSC and the EIR. When an MSC needs to check
the validity of the International Mobile Equipment Identity (IMEI), the F interface is needed for
exchanging IMEI-related information with the EIR.
G-interface: is the interface between the VLR and the VLR. When a mobile subscriber roams
to a new VLR-controlled cell and the Temporary Mobile Subscriber Identity (TMSI) is used to
initiate the location updating, the G interface is used for the current VLR to obtain the IMSI and
authorization set from the previous VLR.
In the GSM network, MAP is responsible for information transfer between the GSM functional
entities through the SS7 system in the following processes: location update; user management;
authorization, encryption and IMEI management; routing function; access processing; paging;
processing of supplementary services; handover; short message service; and operation and
maintenance. The VLR and MSC are integrated into the same entity. The B interface becomes
an internal interface, C and D interfaces can pass the same physical connection, likewise E and
G interfaces [6].
Link Layer on the Air interface
The data link layer over the radio link connecting the MS to the BSS is based on a LAPD-like
protocol, labeled LAPDm that has been modified for operation within the constraints set by the
radio path. In particular, LAPDm uses no flags for frame delimitation. Frame delimitation in
LAPDm is denoted by the physical layer that defines the transmission frame boundaries [9].
LAPDm uses a “Length Indicator” field to distinguish the information-carrying field from the fill-in
bits used to fill the transmission frame. LAPDm uses an address field to carry the 3-bit service access
point identifier (SAPI), which it also uses to identify the user of the service provided by
the protocol [10]. The 2-bit link protocol discriminator (LPD) is used to specify a particular
recommendation for the use of LAPDm; the C/R is a single bit which specifies a command or
response frame as used in LAPD; and the 1-bit extended address (EA) is used to extend the
address field to more than one octet (the EA bit is set to 1 in the last octet of the address, and to
0 otherwise).
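A parser for the frame layout described above, as an added example that is not part of the original thesis. The bit positions inside the address and length-indicator octets, the 23-octet block size and the 0x2B fill octet are taken from the LAPDm specification (GSM 04.06 / 3GPP TS 44.006), not from this page; the function names and the sample information octets are constructed.

```python
from dataclasses import dataclass

BLOCK_LEN = 23     # octets per block on SDCCH/FACCH (spec value, not from the page)
FILL_OCTET = 0x2B  # standard LAPDm fill pattern (spec value, not from the page)


@dataclass
class LapdmFrame:
    lpd: int          # 2-bit link protocol discriminator
    sapi: int         # 3-bit service access point identifier
    cr: int           # command/response bit
    frame_type: str   # "I", "S" or "U", as in LAPD
    more: bool        # M bit: the message continues in the next frame
    info: bytes       # information field selected by the length indicator
    fill: bytes       # fill-in octets that pad the block


def build_lapdm(sapi, cr, control, info, lpd=0):
    """Build one 23-octet block: address, control, length indicator, info, fill."""
    if len(info) > BLOCK_LEN - 3:
        raise ValueError("information field does not fit in one block")
    address = ((lpd & 0x03) << 5) | ((sapi & 0x07) << 2) | ((cr & 0x01) << 1) | 0x01
    length_indicator = (len(info) << 2) | 0x01  # M = 0, EL = 1
    header = bytes([address, control, length_indicator])
    return header + info + bytes([FILL_OCTET]) * (BLOCK_LEN - 3 - len(info))


def parse_lapdm(block):
    """Split one block into its fields; there are no flags to search for."""
    if len(block) != BLOCK_LEN:
        raise ValueError("expected a %d-octet block" % BLOCK_LEN)
    address, control, length_indicator = block[0], block[1], block[2]

    # Address octet, bit 8 down to bit 1: spare | LPD (2) | SAPI (3) | C/R | EA
    if not address & 0x01:
        raise ValueError("EA=0: address continues in a further octet (not handled)")
    cr = (address >> 1) & 0x01
    sapi = (address >> 2) & 0x07
    lpd = (address >> 5) & 0x03

    # Control octet: the low bits select the I, S or U format.
    if (control & 0x01) == 0:
        frame_type = "I"
    elif (control & 0x03) == 0x01:
        frame_type = "S"
    else:
        frame_type = "U"

    # Length indicator octet, bit 8 down to bit 1: L (6) | M | EL
    if not length_indicator & 0x01:
        raise ValueError("EL=0: extended length indicator (not handled)")
    length = length_indicator >> 2
    if length > BLOCK_LEN - 3:
        # A length that points past the block must be rejected, not sliced.
        raise ValueError("length indicator %d exceeds the %d octets available"
                         % (length, BLOCK_LEN - 3))
    more = bool(length_indicator & 0x02)
    info = bytes(block[3:3 + length])
    fill = bytes(block[3 + length:])
    return LapdmFrame(lpd, sapi, cr, frame_type, more, info, fill)


# Constructed sample: an I frame on SAPI 0 carrying five made-up octets.
SAMPLE = build_lapdm(sapi=0, cr=0, control=0x00, info=bytes.fromhex("a1b2c3d4e5"))

if __name__ == "__main__":
    print(SAMPLE.hex())
    print(parse_lapdm(SAMPLE))
```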
2.6 GSM Channel Structure
Channels are defined by the number and position of their corresponding burst periods within a
TDMA frame. There are two types of Channels namely; traffic (dedicated channels), which are
allocated to a mobile station, and control channels, which are used by mobile stations in idle
mode [14].
GSM Traffic channel (TCH)
A traffic channel (TCH) is used to carry speech and data traffic. Traffic channels are defined
using a 26-frame multiframe, or group of 26 TDMA frames. The length of
a 26-multiframe is 120 ms, which is how the length of a burst period is defined (120 ms divided by 26 frames
divided by 8 burst periods per frame). Out of the 26 frames, 24 are used for traffic, 1 is used for the Slow
Associated Control Channel (SACCH) and 1 is unused [12]. The unused frame allows the
mobile network to perform other functions such as measuring the signal strength of
neighboring cells. TCHs for the uplink and downlink are separated in time by 3 burst periods;
which prevent the mobile station from transmitting and receiving simultaneously.
In addition, half-rate TCHs double the capacity of the system once half-rate speech codes are
specified (i.e., speech coding at around 7 kbps, instead of 13 kbps). Eighth-rate TCHs are also
specified, and are used for signaling. It is grouped in a 26-multiframe and has different
internal structure from the full rate traffic. In the recommendations, they are called Stand-alone
Dedicated Control Channels (SDCCH) [17].
GSM Control Channel
The common channels are used for network management and channel maintenance. They are
also used by idle mode mobiles to exchange the signaling information required to change to
dedicated mode [13]. Mobiles already in dedicated mode monitor the surrounding base stations
for handover and other information.
There are three main control channels in the GSM which are as follows;
(i) Broadcast Channel (BCH)
(ii) The common control channel (CCCH)
(iii) The dedicated channel(DCCH)
Each control channel consists of several logical channels which are distributed in time to
provide the necessary GSM control functions.
Broadcast channels (BCHs); these channels are used by the BTS to provide mobile equipment
with synchronization information. They continually broadcast on the downlink information
including base station identity, frequency allocations, and frequency-hopping sequences. The
BCH is defined by three separate channels which are given access to TS 0 during various time
frames of the 51 frame sequence [17]. There are three types of BCHs;
• Broadcast control channel (BCCH); broadcast control channel is used in the BSS to
give mobile equipments the direction to broadcast system information in the network,
such as the synchronization parameters, available services and cell identity.
• Synchronization channel (SCH); carries information from the BSS for frame
synchronization. That is, it gives the mobile equipment the training symbol sequence to
demodulate the information transmitted by the BTS.
• Frequency control channel (FCCH); carries information from the BSS for carrier
synchronization. Every cell in a GSM network broadcasts exactly one FCCH and one
SCH, which are by definition on time slot number 0 within a TDMA frame.
Common control channel (CCCH): Common control channels are used for transferring
signaling information between all mobiles and the BSS for call origination and call paging
functions. There are three common control channels:
• Paging Channel (PCH): provides paging signals from the base station to all mobiles in
the cell, and notifies a specific mobile of an incoming call [7].
• Random Access Channel (RACH): is used by the mobile stations to request access to
the network. The mobiles use the slotted Aloha scheme over this channel to request
access from the network.
• Access Grant Channel (AGCH): is used by the BTS to assign resources to a mobile for
signaling in order to obtain a DCCH channel following a request on the RACH.
Dedicated control channels (DCCH): these channels are used for message exchange between
a mobile and the network. There are three types of dedicated control channels in GSM:
• Stand-alone dedicated control channel (SDCCH): This channel is used for the transfer
of call control signaling in the TCHs, the SDCCH has its own SACCH to and from the
mobile during call setup. It is released once call setup is complete. It ensures that the
mobile station and the base station remain connected while the base station and MSC
verify the subscriber unit and allocate resources for the mobile [11].
• Slow-associated control channel (SACCH): is used for channel maintenance and
control. The SACCH is implemented on frame 12 (numbered from 0), providing eight
SACCH channels, one dedicated to each of the eight TCH channels. Frame 25 in the
multiframe is currently idle and reserved to implement the additional eight SACCH
required when half-rate speech channels become a reality [17].
• Fast-associated control channels (FACCHs): carries signaling data and is assigned
whenever a SDCCH has not been dedicated for a particular user when there is urgent
message. It is obtained on demand by stealing from the TCH, and is used by either end
for signaling, transfer characteristics of the physical path, or other purposes such as
connection, and handover control messages. The stealing of a TCH slot for FACCH
signaling is indicated through a flag within the TCH slot. The Random Access Channel
(RACH), Access Grant Channel (AGCH), and Standalone Dedicated Control Channel
(SDCCH) are for MS location updating [17].
The GSM Slow Associated Control channel (SACCH) which is associated with the SDCCH
channel permits the mobile station (MS) to receive from the base station (BS) to report its
beacon frequency for signal quality. The channels involved in handover are the Traffic
Channels (TCH) and Fast Associated Control Channel (FACCH). The control channels
involved in call setup are: Paging Channel (PCH) used to alert the mobile station (MS),
RACH, AGCH, SDCCH, FACCH and TCH. A mobile originated call involves the
RACH while the FACCH is used in call release [17].
2.7 GSM TDMA Frame
The method chosen by GSM is a combination of Time and Frequency Division Multiple Access
(TDMA/FDMA). The FDMA part involves the division by frequency of the (maximum) 25
MHz bandwidth into 124 carrier frequencies spaced 200 kHz apart. One or more carrier
frequencies are assigned to each base station. These carrier frequencies are then divided in time,
using a TDMA scheme [14]. The fundamental unit of time in this TDMA scheme is called a
burst period. The GSM TDMA frame time axis is divided into eight time slots of length 0.577
ms, which are grouped into a frame with length 4.615 ms. This forms the basic unit for the
definition of logical channels. One physical channel is one burst period per TDMA frame.
GSM Time Slots Structure
The TDMA factor of 8 in combination with a carrier spacing of 200 kHz would correspond to
the earlier analog system using single channel per-carrier with a 25 kHz carrier spacing. TDMA
structure is applied in both the forward (base station to mobile) and the reverse (mobile to base
station) directions. The numbering is staggered by three time slots to prevent the mobile station
from transmitting and receiving at the same time. These time slots are used to carry user and
signaling or control information in bursts [9]. GSM defines a variety of traffic and signaling or
control channels of different bit rates. These channels are assigned to logical channels derived
from multiframe structuring of the basic eight slotted TDMA frames. The GSM TDMA has two
types of burst duration which are the full duration (normal) and the short duration burst.
• Full Duration Burst; is used to carry data and signaling, and has a total length of
156.25 bits. The full duration burst is made up of two 57 information bits, a 26 bit
training sequence used for equalization, 1 stealing bit for each information block (used
for FACCH), 3 tail bits at each end, and an 8.25 bit guard sequence, as shown in Figure
2.9. The 156.25 bits are transmitted in 0.577 ms, giving a gross bit rate of 270.833 kbps.
The flag bit indicates if the normal burst has been replaced with FACCH signaling
information or not [11]. The Frequency correction burst (F burst); is used on the FCCH
to correct the mobile station radio frequency. The synchronization burst (S burst), is
used on the SCH to set hyper frame counter in mobile stations. It contains 64-bit long
training bits, and a 39-bit length information field. They have the same length as a
normal burst, but a different internal structure which differentiates them from normal
bursts. FCCH and SCH bursts are used in TS 0 of specific frames to broadcast the
frequency and time synchronization control messages on the forward link [14].
• The Short Duration Burst; this is used by all mobiles to access services from any base
station [11]. Short Duration Burst is an access burst used on TS 0 of predesigned carrier
on the uplink direction and after handover on any time slot in the uplink direction.
Dummy burst is used as filter information for unused time slot in the forward link. The
access burst is shorter than the normal burst, and is used only on the RACH [17].
Figure 2.8 illustrates the organization of bursts, TDMA frames, and multiframes for
speech and data.
2.8 GSM Frame Structures and Hierarchy
There are eight timeslots per TDMA frame, and the frame period is 4.615 ms. A frame contains
8*156.25, which is equal to 1250 bits, although some bit periods are not used. The frame rate is
270.833 kbps / 1250 bits/frame, or 216.66 frames/sec. The 13th and the 26th frames are not used
for traffic, but for control purposes. In the frame hierarchy, frames are grouped into larger
structures called multiframes, which are grouped into superframes and hyperframes. One
multiframe contains 26 TDMA frames, and one superframe contains 51 multiframes, or 1326
TDMA frames [14]. A hyperframe contains 2048 superframes or 2,715,648 TDMA frames.
Figure 2.8 Organization of bursts, TDMA frames, and multiframes for speech and data (26-frame multiframe, duration 120 ms: frames 0-11 TCH, frame 12 SACCH, frames 13-24 TCH, frame 25 unused; TDMA frame, duration 60/13 ms: burst periods BP0-BP7; normal burst, duration 15/26 ms: 3 tail bits, 57 data bits, 1 stealing bit, 26-bit training sequence, 1 stealing bit, 57 data bits, 3 tail bits, 8.25 guard bits)
The hyperframe is important in GSM since the encryption algorithms rely on the particular frame
number, and sufficient security can only be obtained by using a large number of frames as provided
by the hyperframe [19].
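How the frame hierarchy above feeds the cipher, as an added example that is not part of the original thesis: the frame number is split into a superframe index and two multiframe positions, and these are packed into the value the encryption algorithm takes alongside the key. The T1/T2/T3 split and the 22-bit packing order follow the GSM specifications rather than this page, and the function names are hypothetical.

```python
MULTIFRAME_26 = 26                           # traffic multiframe (frames)
MULTIFRAME_51 = 51                           # multiframes per superframe
SUPERFRAME = MULTIFRAME_26 * MULTIFRAME_51   # 1326 TDMA frames
HYPERFRAME = 2048 * SUPERFRAME               # 2,715,648 TDMA frames
MULTIFRAME_MS = 120.0                        # duration of the 26-frame multiframe


def split_frame_number(fn):
    """Return (T1, T2, T3) for a frame number inside one hyperframe."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe")
    t1 = fn // SUPERFRAME       # which superframe, 0..2047
    t2 = fn % MULTIFRAME_26     # position in the 26-frame cycle, 0..25
    t3 = fn % MULTIFRAME_51     # position in the 51-frame cycle, 0..50
    return t1, t2, t3


def cipher_count(fn):
    """22-bit cipher input: T1 (11 bits) | T3 (6 bits) | T2 (5 bits).

    Packing order taken from the GSM specifications, not from the page.
    The frame counter wraps at the hyperframe boundary, hence the modulo.
    """
    t1, t2, t3 = split_frame_number(fn % HYPERFRAME)
    return (t1 << 11) | (t3 << 5) | t2


def frame_number_from_count(count):
    """Invert cipher_count: (T2, T3) identify one frame inside a superframe."""
    t1, t3, t2 = count >> 11, (count >> 5) & 0x3F, count & 0x1F
    if t1 >= 2048 or t3 >= MULTIFRAME_51 or t2 >= MULTIFRAME_26:
        raise ValueError("not a valid frame-number encoding")
    for r in range(t2, SUPERFRAME, MULTIFRAME_26):
        if r % MULTIFRAME_51 == t3:
            return t1 * SUPERFRAME + r
    raise ValueError("no frame matches")  # cannot happen: 26 and 51 are coprime


def count_is_unique_within_hyperframe():
    """True if no two frames of a hyperframe share a cipher input.

    T1 separates superframes, so it is enough that the 1326 (T2, T3)
    pairs inside one superframe are all different.
    """
    pairs = {(r % MULTIFRAME_26, r % MULTIFRAME_51) for r in range(SUPERFRAME)}
    return len(pairs) == SUPERFRAME


def hyperframe_seconds():
    """Time before the cipher input repeats under an unchanged key."""
    return HYPERFRAME * MULTIFRAME_MS / MULTIFRAME_26 / 1000.0


if __name__ == "__main__":
    print("frames per hyperframe:", HYPERFRAME)
    print("unique cipher input per frame:", count_is_unique_within_hyperframe())
    print("hyperframe duration (s):", hyperframe_seconds())
    print("input repeats after wrap:", cipher_count(5) == cipher_count(5 + HYPERFRAME))
```

With an unchanged ciphering key, the same cipher input recurs only after a full hyperframe, which is why the length of the hyperframe bounds how long one key can be used before inputs repeat.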
2.9 GSM Technical Specifications
The techniques specified by the GSM group for GSM standard are presented below;
• Radio Channel Link; The International Telecommunication Union (ITU), which manages
the international allocation of radio spectrum, allocated the bands 890-915 MHz for the
uplink (mobile station to base station) and 935-960 MHz for the downlink (base station to
mobile station). The 25 MHz bandwidth is divided into 124 carrier frequencies with
200 kHz spacing; each of the 124 carrier frequencies supports 8 voice channels [9, 12].
• Multiple Access Structure; Radio spectrum is a limited resource shared by all users; a
method is devised to divide the bandwidth among many users. The method chosen by the
GSM group is a combination of Time and Frequency Division Multiple Access
(TDMA/FDMA). The FDMA technique divides the 25 MHz bandwidth into 124 carrier
frequencies spaced 200 kHz apart [9]. One or more carrier frequencies are assigned to
each base station, each of these carrier frequencies is then divided in time, using a TDMA
scheme. The fundamental unit of time in this TDMA scheme is called a burst period and
it lasts for 15/26 ms, approximately 0.577 ms. Eight burst periods make up 1 logical
channel (1 TDMA frame is 8*0.577 ms = 4.615 ms), which lasts 120/26 ms. This forms the
basic unit for the definition of logical channels. One physical channel is one burst period
per TDMA frame; radio transmission links are made at a channel data rate of 270.833
kbps (1625.0/6.0 kbps) using binary BT = 0.3 GMSK modulation [11].
• Speech coding; GSM is a digital system, so speech, which is inherently analog, has to be
digitized. The method employed by ISDN, and by current telephone systems for
multiplexing voice lines over high speed trunks and optical fiber lines is Pulse Coded
Modulation (PCM). The output stream from PCM is 64kbps; it contains much
redundancy [17]. The GSM group studied several speech coding algorithms on the basis
of subjective speech quality and complexity which is related to cost, processing delay,
and power consumption once implemented before arriving at the choice of a Regular
Pulse Excited Linear Predictive Coder (RPELPC) with a Long Term Predictor loop. The
coefficients of the linear combination of the previous samples, plus an encoded form of
the residual (the difference between the predicted and actual sample), represent
the signal. Speech is divided into 20 millisecond samples, each of which is encoded as
260 bits, giving a total bit rate of 13 kbps. This is called Full-Rate speech coding; an
Enhanced Full-Rate (EFR) speech coding algorithm has been implemented which
provides an improved speech quality using the existing 13 kbps bit rate [12].
• Channel Coding; the encoded speech or data signal transmitted over the radio interface
should be protected from errors due to natural and man-made electromagnetic
interference [12]. GSM uses convolution encoding and block interleaving to achieve this
protection. The exact algorithms used differ for speech and for different data rates. The
method used for speech blocks is described below. The speech code produces a 260 bit
block for every 20 ms speech sample. From subjective testing, it was found that some bits
of this block were more important for perceived speech quality than others. The bits are
thus divided into three classes [6]:
• Class Ia 50 bits - most sensitive to bit errors
• Class Ib 132 bits - moderately sensitive to bit errors
• Class II 78 bits - least sensitive to bit errors
Class Ia bits have a 3 bit Cyclic Redundancy Code added for error detection. If an error is
detected, the frame is judged too damaged to be comprehensible and it is discarded. It is replaced by the
attenuated version of the previous correctly received frame. The 53 bits, with the 132 Class Ib
bits and a 4 bit tail sequence (a total of 189 bits), are inputs into a 1/2 rate convolution encoder
of constraint length 4. Each input bit is encoded as two output bits, based on a combination of
the previous 4 input bits. The convolution encoder thus outputs 378 bits, to which are added
the 78 remaining Class II bits, which are unprotected. Thus every 20 ms speech sample is encoded
as 456 bits, giving a bit rate of 22.8 kbps [6]. As supplementary protection against the burst
errors common to the radio interface, each sample is interleaved. The 456 bits output by the
convolution encoder are divided into 8 blocks of 57 bits, and these blocks are transmitted in
eight consecutive time-slot bursts. Any time-slot burst can carry two 57 bit blocks, each burst
carries traffic from two different speech samples, and each time-slot burst is transmitted at a
gross bit rate of 270.833 kbps.
• Modulation Technique; for a signal to be transmitted, it needs to be in a form that
the medium can transfer. The information signal parameters are used to vary the
parameters of a carrier signal to get a waveform suitable for transmission along the
medium. This digital signal is modulated onto the analog carrier frequency using
Gaussian-filtered Minimum Shift Keying (GMSK). GMSK was selected over other
modulation schemes as a compromise between spectral efficiency, complexity of the
transmitter, and limited spurious emissions. The complexity of the transmitter is related
to power consumption, which should be minimized for the mobile station. The spurious
radio emissions outside the allotted bandwidth should be strictly controlled so as to limit
adjacent channel interference [8].
• Multipath Equalization; at the 900 MHz range, radio waves bounce off everything such
as buildings, hills, cars, airplanes, etc. Thus many reflected signals, each with a different
phase, can reach an antenna. Equalization is used to extract the desired signal from the
unwanted reflections. It works by finding out how a known transmitted signal is modified
by multipath fading, and constructing an inverse filter to extract the rest of the desired
signal. This known signal is the 26-bit training sequence transmitted in the middle of
every time-slot burst.
• Frequency hopping; the mobile station high frequency agility enables it to move
between transmit, receive, and monitor time slot within one TDMA frame, which
normally are on different frequencies. GSM makes use of this inherent frequency agility
to implement slow frequency hopping, where the mobile and BTS transmit each TDMA
frame on a different carrier frequency. The frequency hopping algorithm is broadcast on
the Broadcast Control Channel; multipath fading is dependent on carrier frequency, slow
frequency hopping helps in the correction of bit interleaving errors. This also reduces co-
channel interference by spreading it evenly among all mobile stations [11].
• Discontinuous transmission; minimizing co-channel interference is a goal in any
cellular system. It allows better service for a given cell size, or the use of smaller cells
thus increasing the overall capacity of the system. Discontinuous transmission (DTX) is a
method that takes advantage of the fact that a person speaks less than 40 percent of the
time in normal conversation, by turning the transmitter off during silence periods. An
added benefit of DTX is that power is conserved at the mobile unit [13]. The most
important component of DTX is the Voice Activity Detection (VAD). It has the ability to
distinguish between voice and noise inputs. However, if a voice signal is misinterpreted
as noise, the transmitter is turned off and an effect called clipping is heard at the
receiving end.
• Discontinuous reception; another method used to conserve power at the mobile station
is discontinuous reception. The paging channel used by the base station to signal an
incoming call, is structured into sub-channels. Each mobile station needs to listen only to
its own sub-channel. In the time between successive paging sub-channels, the mobile can
go into sleep mode, when almost no power is used.
• Power control; there are five classes of mobile stations defined, according to their peak
transmitter power, rated at 20, 8, 5, 2, and 0.8 watts. To minimize co-channel interference
and to conserve power, both the mobiles and the Base Transceiver Stations operate at the
lowest power level that will maintain an acceptable signal quality. Power levels can be
stepped up or down in steps of 2 dB from the peak power for the class down to a
minimum of 13dB (20 mill watts) [13]. The mobile station measures the signal strength
45
Based on the Bit Error Ratio (BER), and passes the information to the Base Station
Controller, which decides if and when the power level should be changed. Power control
should be handled carefully, since there is the possibility of instability. This arises from
having mobiles in co-channel cells alternating increase in response to increased co-
channel interference caused by other mobile increasing its power.
• Duplexing; a full duplex system is required in GSM communication so that a subscriber
can talk and hear simultaneously, which uses a pair of voice channels. The base station to
mobile station (forward communication) and mobile station to base station (reverse
communication) channels are provided in GSM using frequency division duplex,
where two channels are provided for talking and listening [14]. Table 2.1 gives the
summary of the GSM technical specifications discussed above.
Operations                        Technical Specifications
Frequency allocation (uplink)     890-915 MHz
Frequency allocation (downlink)   935-960 MHz
Voice channels per carrier        8
Carrier spacing                   200 kHz
Multiple access                   FDMA/TDMA digital access
Modulation                        GMSK with BT = 0.3
Duplexing                         FDD
Channel coding                    270.833 kbps
Frequency hopping                 Slow frequency hopping (SFH)
Table 2.1 GSM Technical Specifications
2.10 Mobility Management in GSM Network
This section provides an introductory overview of mobility management, one of the
major functions of a GSM network that allows mobile phones to work. The aim of mobility
management is to track subscribers’ locations, so that calls, SMS and other mobile phone related
services can be delivered to them [22].
Mobility management is concerned with the functions of tracking the location of roaming
mobiles, registering the information in appropriate network elements, and handling connection
handoffs for users in the communication process [7]. The mobility management procedures vary
across three distinct scenarios: the Mobile Station (MS) is turned off, the MS is turned
on but is idle, and the MS has an active call. In the first scenario, when an MS cannot
be reached by the network because it does not respond to the paging message, the MS is
considered to be in the turned-off state. The MS fails to provide any update in relation to
changes in Location Area (LA) [12]. In this state, the MS is considered detached from the
system (IMSI detached). In the second scenario, the MS is in the ready state to make or receive
calls. The system considers it attached (IMSI attached), and it can be successfully paged. The MS
informs the system about any changes in location area while on the move; this is known as
location updating. In the third scenario, the system has active radio channels that are allocated to
the MS for conversation and data flow [12]. The MS is required to change to new radio
channels if the quality of the current channels drops below a certain required level; this is known as
handover. The MSC (sometimes the BSC) makes the decision to hand over based on an analysis of
information that is obtained in real time from the MS and BTS. All operations revolve around
the three scenarios presented above. The rest of this chapter explains these operations in more
detail: location update, call handover, mobile terminated call, mobile originated call,
mobile-to-mobile call, IMSI detach and attach [22].
Location Update
Location updating is a procedure for keeping the network informed of where the mobile is
roaming [2]. Location updating is always initiated either by the mobile station, on detecting that
it is in a new location area, or by the network. The network registers the user’s location in a
register called the user’s home location register (HLR), which is associated with an MSC
located in the public land mobile network (PLMN) to which the user is subscribed. The mobile
station periodically monitors the location information broadcast by the network on the broadcast
channel, and compares it to the information previously stored in its memory [18]. The mobiles
within each cell keep monitoring such information, and changes in location are detected against the
last information recorded by them. They report their new locations to the BSS, which routes them to
the VLR of the MSC to which it is connected. The mobile station may also receive an indication from
the network that it is not known in the VLR upon trying to establish an MM connection.
A location update message is sent to the new MSC/VLR, which records the location area
information, then sends the location information to the subscriber's HLR. The information sent
to the HLR is normally the SS7 address of the new VLR, although it may be a routing number.
The reason a routing number is not normally assigned, even though it would reduce signaling, is
that there is only a limited number of routing numbers available in the new MSC/VLR and they
are allocated on demand for incoming calls. If the subscriber is entitled to service, the HLR
sends a subset of the subscriber information, needed for call control, to the new MSC/VLR, and
sends a message to the old MSC/VLR to cancel the old registration [6].
Whenever the network updates the mobile's location, it sends an updated ‘temporary mobile
subscriber identification’ (TMSI), in ciphered mode, which is stored in the MS and used for
subsequent mobile identification in paging and call initiating operations. The purpose of using
the TMSI as opposed to the user's IMSI is to keep the subscriber’s identity confidential on the
radio link. The TMSI has no GSM-specific structure, and has significance only within the
location area assigned. The TMSI has to be combined with the location area identifier (LAI) to
provide for unambiguous identification outside the area where it is assigned [9].
Call Handovers
Handover is essential in mobile cellular communication systems. It is the switching of an
ongoing call to a different channel or cell. Mobility causes dynamic variations in link quality
and interference levels in cellular systems, sometimes requiring that a particular user changes its
serving base station. This may be done between channels in the same cell, between channels in
different cells under the same BSS coverage, or between cells under the coverage of different
BSSs, and different MSCs [18]. The execution and measurements required for handover form
one of the basic functions of the RR layer. There are two different types of handover in the GSM
system:
• Internal connection handovers: the BSS may handle the connection handovers in the
same cell, or between cells under its own coverage.
• External connection handovers; The MSC is involved in managing connection
handovers that need to take place between cells under coverage of two different BSSs.
When the BSS indicates that an external handover is required, the decision of when and
whether an external handover should occur is then taken by the MSC. The MSC uses
the signal quality measurement information reported by the mobile stations (MSs)
which are pre-processed at the BSS for external handover determination. The original
MSC handling a call will always keep control of the call in an external handover to a
different and subsequent MSC [5]. The BSS performs an internal connection handover,
and informs the MSC at the completion of the process.
The need for a connection handover may be indicated by the mobile user, through messaging on
the FACH, or by the BSS as it keeps tracking the quality of the signals received.
The BSS monitors the quality of the radio signal received and also transmits such results to the
MSC, which keeps a more global view of the radio channels belonging to its BSSs. The MSC
may also initiate a connection handover for traffic reasons, in an attempt to balance
out the traffic load in the network [9].
Mobility Management Common Procedures
The mobility management common procedures can be initiated at any time while a dedicated
radio channel exists between the network and the Mobile Station. They do not set up an MM
connection, but can be initiated during an MM specific procedure, or while an MM connection
is in place [9]. The MM Common procedures consist of IMSI detach, IMSI attach, TMSI
reallocation, and identification. These are described below;
TMSI Reallocation; the purpose of TMSI reallocation is to provide identity confidentiality [9],
that is, to protect the user from being identified and located by an intruder. This procedure
should be performed at every change of the MSC coverage area. Reallocation in any other case
is left to the network operator. If the TMSI provided by a mobile station is unknown in the
network, for instance in the case of a database failure, the MS has to provide its IMSI on
request from the network. In this case the identification procedure has to be performed before
the TMSI procedure can be initiated.
Identification; This procedure is used by the network to request a mobile station to provide
specific identification parameters to the network, such as the user’s international mobile
subscriber or equipment identifiers (IMSI or IMEI) [9]. The mobile station should be ready to
respond to an identity request message at any time while radio resource connection exists
between the mobile and the network.
International mobile subscriber identity (IMSI) Detach; The IMSI detach procedure is invoked
by the mobile station to indicate inactive status to the network. No response or
acknowledgement is returned to the MS by the network on setting the active flag for the IMSI
[9]. The IMSI detach procedure is delayed until the MM-specific procedure is finished;
otherwise the IMSI detach request is omitted. Moreover, if at the time of the detach request a radio
connection is in existence between the MS and the network, the MM sublayer will release any
ongoing MM connections before the MM detach indication message is sent. The IMSI detach
disables the location updating function to prevent unnecessary signaling overhead in the
network. Incoming calls are either rejected or forwarded as may be specified by the user [22].
International mobile subscriber identity (IMSI) Attach; The IMSI attach is used to indicate the
IMSI as active in the network [22]. This procedure is invoked if an IMSI is activated in an MS
(power up, or SIM insertion) in the coverage area of the network or an activated MS enters the
network's coverage area from outside. The IMSI attach procedure is then performed only if the
stored location area at the time is the same as the one being broadcast on the BCCH channel of
the serving cell [22]. When this procedure is not performed, a normal location updating
procedure is invoked regardless of whether the network supports IMSI attach/detach procedures.
The IMSI detach/attach procedures mark the MS as detached/attached in the VLR (optionally
in the HLR) on MS power down and power up, or when the subscriber information module (SIM) is
removed or inserted. These procedures are network options whose necessity of usage is
indicated through a flag in the system information broadcast on the BCCH channel.
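The location updating, TMSI reallocation, identification and IMSI detach procedures described in this section, as a small model (an added example, not part of the thesis). The class and method names, the sample IMSI and profile, reallocating the TMSI on every update, and a new VLR that asks the MS for its IMSI instead of querying the old VLR are assumptions made for illustration.

```python
"""Toy model of GSM location updating with TMSI reallocation (constructed data)."""
import secrets


class HLR:
    def __init__(self, subscribers):
        self.subscribers = subscribers   # IMSI -> full subscriber profile
        self.serving_vlr = {}            # IMSI -> VLR currently serving the subscriber

    def update_location(self, imsi, new_vlr):
        profile = self.subscribers.get(imsi)
        if profile is None:
            return None                  # subscriber not entitled to service
        old_vlr = self.serving_vlr.get(imsi)
        self.serving_vlr[imsi] = new_vlr
        if old_vlr is not None and old_vlr is not new_vlr:
            old_vlr.cancel_location(imsi)          # cancel the old registration
        # Only the subset needed for call control is sent to the new VLR.
        return {key: profile[key] for key in ("msisdn", "teleservices")}


class VLR:
    def __init__(self, address, hlr):
        self.address = address
        self.hlr = hlr
        self.records = {}    # IMSI -> {"lai", "tmsi", "profile", "attached"}
        self.by_tmsi = {}    # (LAI, TMSI) -> IMSI; a TMSI alone is ambiguous

    def resolve(self, lai, tmsi):
        """Map a TMSI back to an IMSI; only valid together with its LAI."""
        return self.by_tmsi.get((lai, tmsi))

    def cancel_location(self, imsi):
        record = self.records.pop(imsi, None)
        if record:
            self.by_tmsi.pop((record["lai"], record["tmsi"]), None)

    def imsi_detach(self, imsi):
        if imsi in self.records:
            self.records[imsi]["attached"] = False   # no acknowledgement is returned

    def location_update(self, new_lai, old_lai=None, tmsi=None, imsi=None):
        """Return ("ACCEPT", new_tmsi), ("IDENTITY_REQUEST", None) or ("REJECT", None)."""
        if imsi is None:
            imsi = self.resolve(old_lai, tmsi)
            if imsi is None:
                # Unknown TMSI: identification must run before TMSI reallocation.
                return ("IDENTITY_REQUEST", None)
        record = self.records.get(imsi)
        if record is None:
            profile = self.hlr.update_location(imsi, self)
            if profile is None:
                return ("REJECT", None)
            record = self.records[imsi] = {"profile": profile}
        else:
            self.by_tmsi.pop((record["lai"], record["tmsi"]), None)
        new_tmsi = self._new_tmsi(new_lai)
        record.update(lai=new_lai, tmsi=new_tmsi, attached=True)
        self.by_tmsi[(new_lai, new_tmsi)] = imsi
        return ("ACCEPT", new_tmsi)

    def _new_tmsi(self, lai):
        while True:
            candidate = secrets.randbits(32)         # unpredictable 4-octet value
            if (lai, candidate) not in self.by_tmsi:
                return candidate


if __name__ == "__main__":
    imsi = "001010000000001"                         # constructed test IMSI
    hlr = HLR({imsi: {"msisdn": "+10000000001", "teleservices": ["telephony"],
                      "billing": "prepaid"}})
    vlr_a, vlr_b = VLR("vlr-a", hlr), VLR("vlr-b", hlr)
    _, tmsi = vlr_a.location_update("LAI-A1", imsi=imsi)
    print(vlr_b.location_update("LAI-B1", old_lai="LAI-A1", tmsi=tmsi))
```

The only step at which the IMSI itself has to be presented is the fallback after `IDENTITY_REQUEST`; every other exchange is keyed on the (LAI, TMSI) pair.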
Communication Management
The Communication Management layer (CM) is responsible for Call Control (CC),
supplementary service management, and short message service management. Other functions of
the CC sublayer include call establishment, selection of the type of service including alternating
between services during a call, and call release [9].
2.11 Signaling Concept
Signaling refers to the exchange of control information between components of a network
(telephones, switches) in order to establish, manage and disconnect calls [2]. Signaling
messages constitute the control infrastructure of modern telecommunication networks.
The GSM network uses signaling to exchange messages among the network components; these
messages are conveyed by the elements of the signaling network, which communicate within the
GSM network [9]. The signaling used in the GSM network is Signaling System Number Seven
(SS7). SS7 is a protocol that has several layers, each providing functions for connection-oriented
and connectionless signaling in a GSM network. This is important in the GSM network,
and is responsible for call billing and establishment of calls. The several functions performed by the
signaling system are:
• Supervisory functions provide the necessary control and status signals to establish calls,
release calls, and make other service features possible. It informs the exchanges about
subscriber loop on-hook/off-hook conditions, using on-hook/off-hook to indicate idle or
busy status [2].
• Addressing; provides addressing information for subscriber number or called number,
area code, access code between network components.
• Providing call information; informs the calling subscriber about the status of a call, and
alerts the called subscriber about a waiting call. It notifies dial tone and busy signals.
• Network management; it includes the handling of congestion and component failure
situations, gathering and reporting of useful status information such as traffic
conditions, and maintaining information for cost, which enhances call billing [2].
Signaling in GSM can be classified into the following:
Subscriber signaling refers to the signaling used between the
subscriber and the exchange [1]. Interexchange signaling is the signaling exchanged between two or
more network exchanges in order to handle calls. The channels used in signaling are in-channel
signaling and common channel signaling. In in-channel signaling, the control signals occupy the
same channel as the voice signal. It comes in two forms: in-band signaling, which uses audio
tones for conveying its signals, and out-of-band signaling, which reserves a narrow band within the
voice band for conveying control signals. In-channel signaling has the advantage of using the
same trunk lines and equipment for carrying control signals and voice signals [4].
In common channel signaling, the signaling of a group of voice channels is transmitted on a
common high speed data link in the form of time multiplexing [1]. It uses a separate channel
from the voice channel for carrying the control signals. Because control signals have a lower bandwidth
requirement than voice signals, the same control channel can be used for carrying the control
signals of multiple voice channels, hence the term common channel [1].
2.12 Signaling System No.7
Signaling System No. 7 (SS7) is defined as a common channel signaling standard, which is
suitable for use with a wide range of circuit-switched digital networks. It was adopted and
published by the International Consultative Committee for Telephone and Telegraph (CCITT),
a standards organization affiliated with the International Telecommunication Union (ITU).
It defines the procedures and protocols by which the network elements in the public-switched
telephone network exchange information over a digital network to effect call set-up, routing
and control. SS7 is a data network designed for the specific application of signaling. Its protocol
architecture is compared to the OSI reference model [2].
2.13 Objectives of SS7
In the words of the CCITT specification, the overall objective of Signaling System No.7 is to
provide an international standardized general purpose Common Channel Signaling (CCS)
system:
• Optimized for operation in digital telecommunication networks in conjunction with
stored program controlled exchanges.
• That can meet present and future requirements of information transfer (circuit and
non-circuit related) for inter-processor transactions within telecommunications networks for
call control, remote control, and network database access, management and
maintenance of signaling.
• That provides a reliable means of information transfer in correct sequence, without loss
or duplication.
The SS7 protocol features ensure reliable high performance transfer of signaling information
in the face of network disturbances and failures. Application-level procedures support
call control for analog, digital, and ISDN calls. SS7 also supports generalized and
transaction-oriented information transfer, management and a reliable transport system for other types of
information transfer between exchanges and maintenance in telecommunication networks [56].
2.14 Components of SS7 Network
An SS7 signaling network is composed of three elements: Signaling Point (SP), Signaling Transfer
Point (STP) and Signaling Link (SL).
• Signaling Point (SP); the SP is the originating or destination point of an SS7 message. In each signaling
network, an SP has an exclusive signaling point code (SPC) of 14 bits. It has user parts that
allow the processing of the SS7 messages addressed to it. Examples are the MSC, the BSC,
and an exchange in a PSTN.
• Signaling Transfer Point (STP); it is the network node which transfers SS7 messages,
and has the capability of routing SS7 messages.
• Signaling Link (SL); a link is the data channel which connects the nodes (SPs and
STPs) in an SS7 network. A link set is a number of parallel signaling links that
directly interconnect two signaling points [4].
Signaling Message Type in SS7
SS7 Signaling Unit; this is the minimum unit used to carry the various signaling messages
in SS7. SS7 uses signaling units of different lengths to transmit various signaling
messages. The length of each unit is an integral multiple of 8 bits, called an octet. The three signal unit
types are:
• Message Signal Unit (MSU). This is used for carrying signaling information from
higher levels. The data field consists of a Service Information Octet (SIO) and a
Signaling Information Field (SIF). The SIO denotes the role of the MSU. The SIF
consists of source and destination message addresses, a Signaling Link Selection field
(SLS), and user data from a higher level entity.
• Link Status Signal Unit (LSSU). This is used for carrying signaling link control
information. The data field consists of a Status Field (SF), which is used to
communicate the link status between signaling points, and may be used by
network management entities. One major use of the LSSU is for flow control or recovery
of a signaling link.
• Fill-in Signal Unit (FISU). This is used for continued transmission in the absence of other
signals. It is used to fill in the vacant locations when the link is free or congested, so as
to keep the link in the status of communication. The FISU is also used to confirm the
receipt of messages from the opposite side [1, 4].
Figure 2.10 illustrates the composition structure of the SS7 message types. The fields making up
the FISU can also be found in the LSSU and MSU, because the FISU only includes the fields which
realize the level 2 functions. The LSSU has only one field that is unique to it, the status field (SF),
which carries the information about the link status. The MSU contains the information
and has more fields. The special fields of the MSU are the Service Information Octet (SIO) and
the Signaling Information Field (SIF). The SIO contains the information added on the third level. In
the SIF, some information is added on the third level, and the information created by the user part is
also included.
Figure 2.9 Composition Structures of SS7 Message Type (panels: Structure of FISU, Structure of LSSU, Structure of MSU; fields drawn in sending direction: F, CK, SIF, SIO, SF, LI, FIB, FSN, BIB, BSN, F)
Functions of the various signaling units;
Flag; Start flag: marks the beginning of a signal unit. The start flag of one signal unit is
normally the closing flag of the preceding one. The binary value is 01111110. End flag: marks the
end of a signal unit with binary value 01111110.
The Backward Sequence Number (BSN) and Forward Sequence Number (FSN); these
correspond to HDLC receive and send sequence numbers. They are used to implement an error
control (Go-Back-N) mechanism for dealing with transmission errors, and a flow control
(sliding window) mechanism for dealing with congestion situations.
Data Length field; specifies, in octets, the length of the following Data field, which contains information
used by levels 3 and 4.
Checksum field; is a 16-bit CRC over the whole unit except for the flags and the CRC field itself.
Length Indicator; is used to indicate the number of octets following the length indicator and
preceding the check bits. It is a number in binary code in the range 0-63.
Service information octet; is divided into two parts, the service indicator (SI) and the sub-service field
(SSF). The service indicator is used to associate signaling information with a particular user
part and is present only in the message signal units. It is sometimes used to perform message
routing. The sub-service field contains the network indicator, which is used by signaling
message handling functions [17]. Figure 2.10 shows the structure of the signal unit.
Figure 2.10 Signal unit (fields: Flag, BSN/BIB, FSN/FIB, Length Indicator, Service Information Octet, Signaling Information Field, Checksum)
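The field layout described above, as a decoder (an added example, not part of the thesis): it verifies the 16-bit CRC, uses the length indicator to tell FISU, LSSU and MSU apart, and splits the SIO and the routing label of an MSU. The LI thresholds (0, 1 to 2, 3 or more), the 14-bit DPC and OPC plus 4-bit SLS label layout, the HDLC-style CRC parameters with the low check octet first, and all sample values are assumptions that follow the ITU-T convention and are not stated in this text.

```python
"""Decode an SS7 level 2 signal unit (flags already stripped) into its fields."""
import struct

# Service indicator values for a few user parts (ITU-T assignment).
SERVICE_INDICATORS = {0: "SNM", 3: "SCCP", 4: "TUP", 5: "ISUP"}


def crc16(data: bytes) -> int:
    """CRC with generator x^16 + x^12 + x^5 + 1, bit-reflected, preset and inverted."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_signal_unit(bsn, bib, fsn, fib, data=b""):
    """Assemble BSN/BIB, FSN/FIB, LI, data and CK. LI saturates at 63."""
    header = bytes([(bsn & 0x7F) | ((bib & 1) << 7),
                    (fsn & 0x7F) | ((fib & 1) << 7),
                    min(len(data), 63)])
    unit = header + data
    return unit + struct.pack("<H", crc16(unit))   # assumed: low octet of CK first


def msu_data(si, network_indicator, dpc, opc, sls, user_data):
    """SIO followed by a SIF made of the routing label and the user data."""
    sio = (si & 0x0F) | ((network_indicator & 0x03) << 6)
    label = (dpc & 0x3FFF) | ((opc & 0x3FFF) << 14) | ((sls & 0x0F) << 28)
    return bytes([sio]) + struct.pack("<I", label) + user_data


def parse_signal_unit(unit: bytes) -> dict:
    if len(unit) < 5:
        raise ValueError("shorter than BSN/BIB + FSN/FIB + LI + CK")
    body, (ck,) = unit[:-2], struct.unpack("<H", unit[-2:])
    if crc16(body) != ck:
        raise ValueError("checksum mismatch")
    data, li = body[3:], body[2] & 0x3F
    if li != min(len(data), 63):
        raise ValueError("length indicator does not match the data field")
    fields = {"bsn": body[0] & 0x7F, "bib": body[0] >> 7,
              "fsn": body[1] & 0x7F, "fib": body[1] >> 7, "li": li}
    if li == 0:
        fields["type"] = "FISU"                     # level 2 fields only
    elif li <= 2:
        fields.update(type="LSSU", status=data)     # status field (SF)
    else:
        if len(data) < 5:
            raise ValueError("MSU too short for SIO and routing label")
        (label,) = struct.unpack("<I", data[1:5])
        si = data[0] & 0x0F
        fields.update(type="MSU", si=si,
                      service=SERVICE_INDICATORS.get(si, "other"),
                      network_indicator=data[0] >> 6,
                      dpc=label & 0x3FFF, opc=(label >> 14) & 0x3FFF,
                      sls=label >> 28, user_data=data[5:])
    return fields


if __name__ == "__main__":
    # Constructed sample: an ISUP MSU between two made-up point codes.
    sample = build_signal_unit(10, 1, 12, 1,
                               msu_data(5, 2, 1001, 2002, 5, b"\x05\x00\x01"))
    print(sample.hex(), parse_signal_unit(sample))
```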
2.15 SS7 Signaling Points
The procedure by which calls are handled led to the concept of intelligent networks. Each point of
network access in SS7 has a point code, used to identify the source and destination of messages. There are three
types of signaling points in SS7:
• Service switching points (SSPs)
• Signaling transfer points (STPs)
• Service control points (SCPs)
Service Switching Points (SSPs) are switches that originate and terminate calls.
Signaling Transfer Points (STPs) control the switching between the signaling links. An STP
routes an incoming message to an outgoing signaling link based on the SS7 message. The Service
Control Point (SCP) is in charge of dictating how calls should be handled and routed [2]. Figure
2.11 shows the SS7 signaling points.
2.16 The SS7 Architecture
The development of the SS7 protocol has helped to implement telephone signaling in data
communication. It controls the setting up, maintaining and releasing of telephone calls, and
ensures flexibility for diverse applications. The SS7 architecture illustrates the signaling
protocol, which consists of functional parts patterned after the open systems interconnection
(OSI) reference model [18, 19].
Figure 2.11 SS7 Signaling points (elements shown: SSP, STP, SCP, SS7 links, voice trunks)
The major functional parts of SS7 are; the message transfer part (MTP), signaling connection
control part (SCCP), telephone user part (TUP), ISDN user part (ISUP), and operations and
maintenance applications part (OMAP). The message transfer part which provides a highly
reliable connectionless sequenced transport service consists of three layers: a physical/electrical
layer, a data link layer, and a network layer. Figure 2.12 shows the SS7 protocol layers.
Figure 2.13 illustrates the SS7 protocol layers compared with the OSI reference model.
Figure 2.12 SS7 Protocol Layers (layers shown: MTP Layer 1, MTP Layer 2, MTP Layer 3, SCCP, TCAP, ISUP, TUP, INAP, MAP, IS41)
The Hierarchy of Signaling System No.7
This can be functionally divided into two parts: the Message Transfer Part (MTP) and the User Part (UP).
• Message Transfer Part; provides the functions that enable User Part significant
information to be transferred across the signaling network to the required destination.
The functions in the MTP are to overcome network and system failures that would
affect the transfer of signaling information.
• User Part; the User Part (UP) is the “user” of the MTP. It includes the Telephone User
Part (TUP), ISDN User Part (ISUP), and Signaling Connection Control Part (SCCP) [47].
Figure 2.13 SS7 Model compared with the OSI Model (OSI layers: Application, Presentation, Session, Transport, Network, Data Link, Physical; SS7 side: GSM, OMAP, TCAP, ISUP, TUP, SCCP, and the MTP levels Signaling Network, Signaling Link, Signaling Data Link)
Message Transfer Part; the Message Transfer Part (MTP) is divided into three levels.
• MTP Level 1 -- signaling data link
• MTP Level 2 -- signaling link
• MTP Level 3 -- signaling network
These three levels are similar to the first three levels of the OSI model.
Signaling Data Link Functions (Level 1); A signaling data link is a bidirectional transmission
path for signaling, consisting of two data channels operating together in opposite directions at
the same data rate. It complies with the OSI definition of the physical layer (layer 1). A digital
signaling data link is made up of digital transmission channels and their terminating
equipment, e.g., Data Circuit terminating Equipment (DCE) or time slot access equipment, that
has an interface to signaling terminals [4].
Signaling Link Functions (Level 2); The signaling link functions correspond to the OSI’s data
link layer (layer 2). Together with a signaling data link, the signaling link functions provide a signaling
link for reliable transfer of signaling messages between two directly connected signaling points.
Level 2 provides functions such as signal unit alignment, error detection, error correction, initial
alignment, signaling link error monitoring and flow control. It works together with level 1.
Signaling Network Functions (Level 3); The signaling network functions correspond to the
lower half of the OSI’s network layer, and provide the functions and procedures for the transfer
of messages between signaling points, which are the nodes of the signaling network. The
signaling network functions can be divided into two basic categories: signaling message
handling and signaling network management. In the transmission of messages, the signaling
message handling sends each message to the proper link or user part. The network management
function realizes the reorganization of the signaling network when malfunctions come up and
congestion appears. The network management function also carries out flow control at the
network level, so as to ensure reliable transmission of signaling under extreme conditions [2,
47].
2.17 The Integrated Services Digital Network User Part (ISUP)
The ISDN-UP of the SS7 protocol provides the signaling functions. The purpose of the
signaling in an ISDN network is to deliver control information to the switching nodes for call
establishment and call control through the ISDN network applications to ISDN-UP [4]. ISDN’s
capability to handle many different services puts new requirements on the signaling capacity.
The signaling in ISDN can be divided into two types.
The first type is used between a subscriber terminal and the local ISDN exchange. This
signaling utilizes the D-channel on the digital subscriber line and is called Digital Subscriber
Signaling System No. 1 (DSS1). The second type of signaling is used between exchanges when
more than one exchange is involved in an ISDN call. The CCITT No. 7 Signaling System is
used to deliver the control information to all involved exchanges.
Applications of ISUP
ISUP is used for signaling between exchanges in an ISDN network. The ISDN User Part (ISUP)
defines the protocol and procedures used to set up, manage, and release trunk circuits that carry
voice and data calls over the public switched telephone network (PSTN). ISUP is used for both
ISDN and non-ISDN calls. However, calls that originate and terminate at the same switch do
not use ISUP signaling. The channel that carries the signaling information can be one of the
channels in a dedicated signaling link. The signaling path is separated from the speech path and
it serves a great number of speech circuits (common channel signaling).
Basic ISUP Call Control
The connection between the ISDN users consists of two parts: the connection between user
terminal and local exchange (network), and the connection between two exchanges.
ISUP Signaling between Exchanges;
The initial address message (IAM); when a call is placed to an out-of-switch number, the
originating SSP transmits an ISUP initial address message (IAM) to reserve an idle trunk circuit
from the originating switch to the destination switch; it is marked by 1a in figure 2.15. The IAM
includes the originating point code (OPC), destination point code (DPC), circuit identification
code (CIC), dialed digits, and optionally, the calling party number and name. In this example,
the IAM is routed through the home STP of the originating switch to the destination switch; it is
marked by 1b [4]. Figure 2.14 shows the basic ISUP signaling between exchanges.
Figure 2.14 ISUP Signaling between Exchanges (elements shown: two SSPs, two STPs, SS7 links, and a voice circuit with Circuit Identification Code = 5; messages: 1a/1b IAM, 2a/2b ACM, 3a/3b ANM, 4a/4b REL, 5a/5b RLC)
Address Complete Message (ACM); the destination switch checks the dialed number,
determines that it serves the called party, and that the line is available for ringing. The
destination switch rings the called party line and transmits an ISUP address complete message
(ACM) to the originating switch through its home STP; it is marked by 2a in this figure. The
ACM indicates that the remote end of the trunk circuit has been reserved. The STP
transfers the ACM to the originating switch, which is marked by 2b. It rings the calling party's
line and connects it to the trunk to complete the voice circuit from the calling party to the called
party [4].
However, if the originating and destination switches are not directly connected with trunks, the
originating switch transmits an IAM to reserve a trunk circuit to an intermediate switch. The
intermediate switch sends an ACM to acknowledge the circuit reservation request and then
transmits an IAM to reserve a trunk circuit to another switch. This process continues until all
trunks required to complete the voice circuit from the originating switch to the destination
switch are reserved. When the called party picks up the phone, the destination switch terminates
the ringing tone and transmits an ISUP answer message (ANM) to the originating switch
through its home STP. The STP routes the ANM to the originating switch. They are marked by
3a and 3b respectively. The ANM verifies that the calling party's line is connected to
the reserved trunk and, if so, initiates billing.
If the calling party hangs up first, the originating switch sends an ISUP release message (REL) to
release the trunk circuit between the switches (4a). The STP routes the REL to the destination
switch (4b). If the called party hangs up first, or if the line is busy, the destination switch sends
an REL to the originating switch indicating the release cause (e.g., normal release or busy).
Upon receiving the release message (REL), the destination switch disconnects the trunk from
the called party's line, sets the trunk state to idle, and transmits an ISUP release complete
message (RLC) to the originating switch (5a) to acknowledge the release of the remote end of
the trunk circuit. When the originating switch receives or generates the RLC (5b), it terminates
the billing cycle and sets the trunk state to idle in preparation for the next call. ISUP messages
may also be transmitted during the connection phase of the call (i.e., between the ISUP Answer
(ANM) and Release (REL) messages). The same signaling links are used for the duration of calls
unless a link failure condition forces a switch to use an alternate signaling link [4].
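The call sequence above can be checked mechanically against a message log. This added example (not from the thesis) tracks each circuit through IAM, ACM, ANM, REL and RLC, derives the billed interval from ANM to RLC, and reports messages that arrive out of sequence; the state names, the keying by CIC alone (one trunk group assumed) and the log entries are constructed for illustration.

```python
"""Track ISUP circuit state from a message log and flag out-of-sequence messages."""

# (current state, message) -> next state, following the sequence in the text:
# IAM reserves the trunk, ACM means the called line is ringing, ANM starts
# billing, REL starts the release and RLC returns the trunk to idle.
TRANSITIONS = {
    ("IDLE", "IAM"): "RESERVED",
    ("RESERVED", "ACM"): "RINGING",
    ("RINGING", "ANM"): "ANSWERED",
    ("RESERVED", "REL"): "RELEASING",   # e.g. called line busy
    ("RINGING", "REL"): "RELEASING",    # caller gives up before answer
    ("ANSWERED", "REL"): "RELEASING",   # either party hangs up
    ("RELEASING", "RLC"): "IDLE",
}

# Constructed log: (time in milliseconds, circuit identification code, message).
SAMPLE_LOG = [
    (0, 5, "IAM"), (400, 5, "ACM"), (6000, 5, "ANM"),
    (7000, 7, "ANM"),                                   # answer on an idle circuit
    (8000, 9, "IAM"), (8300, 9, "REL"), (8400, 9, "RLC"),
    (66000, 5, "REL"), (66200, 5, "RLC"),
    (70000, 5, "RLC"),                                  # release complete with no release
    (71000, 11, "IAM"), (71500, 11, "ACM"),             # still ringing when the log ends
]


def monitor(log):
    """Return (billing, anomalies, open_circuits) for an iterable of log entries.

    billing:       list of (cic, milliseconds between ANM and RLC)
    anomalies:     list of (time, cic, state the circuit was in, unexpected message)
    open_circuits: {cic: state} for circuits not back in IDLE at the end of the log
    """
    state, answered_at, billing, anomalies = {}, {}, [], []
    for timestamp, cic, message in log:
        current = state.get(cic, "IDLE")
        following = TRANSITIONS.get((current, message))
        if following is None:
            # Not part of the described sequence: record it, keep the old state.
            anomalies.append((timestamp, cic, current, message))
            continue
        if message == "ANM":
            answered_at[cic] = timestamp                # billing starts
        elif message == "RLC" and cic in answered_at:
            billing.append((cic, timestamp - answered_at.pop(cic)))
        state[cic] = following
    open_circuits = {cic: s for cic, s in state.items() if s != "IDLE"}
    return billing, anomalies, open_circuits


if __name__ == "__main__":
    for name, value in zip(("billing", "anomalies", "open"), monitor(SAMPLE_LOG)):
        print(name, value)
```

An answer or release message that has no matching earlier message on the same circuit is exactly the kind of event a signaling monitor should surface, since the ANM is what starts billing.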
Signaling cooperation between DSS1 and ISUP
The call request information in a SETUP message is transmitted between ISDN nodes by an
Initial Address Message (IAM). The D -channel message ALERT corresponds, the Address
Complete Message (ACM), and CONNECT is converted to an Answer Message (ANM) [22].
End-to-End Signaling transmission is an important feature of ISUP. It is defined as the
capability to transfer signaling information of end points significance directly between signaling
end points. The end point is the originating and terminating exchanges of call. This kind of
signaling is used to request additional call related information, to invoke a supplementary
service or to transfer user-to-user information transparently through the network.
The typical application of end-to-end signaling is the transmission of information about a
supplementary service related to the call. It is related to the call, not directly to the
circuit control, so it is a non-circuit-related message in nature. The originating exchange
launches an Initial Address Message (IAM 1) towards the transit exchange for the purpose of
setting up trunk a. The transit exchange processes IAM 1, sets up trunk a, and launches another
Initial Address Message (IAM 2) towards the destination exchange requesting use of trunk b.
After the subscriber has been alerted, an Address Complete Message (ACM) is sent by the
destination exchange to the transit exchange, which processes it and then generates and launches
another ACM towards the originating exchange. An alerting message is then generated by the
originating exchange and
sent to the calling station [4, 22].
There are two end-to-end signaling methods supported in ISDN: Pass-along and SCCP
methods. In the Pass-along method a special message type (Pass-along Message-PAM) is used
to inform the intermediate exchanges that an end-to-end signaling is used. The intermediate
exchange is in charge of modification of the routing label, that is, CIC and DPC, and sends the
message to the next point.
The intermediate exchange does not analyze the contents of message, in other words, the
message is transferred transparently through them to the destination.
This method can be used when the information to be transferred relates to an existing call for
which a physical connection has been established. It is mainly used when the exchange does not
have SCCP installed. In the SCCP method, the ISDN User Part uses the services provided by the
Signaling Connection Control Part (SCCP) to establish a signaling connection for the end-to-end
signaling.
User-to-user information carried by a call establishment D-channel message is also carried by the
call establishment message over the ISDN network. It provides direct communication between
the ISDN users through the D-channel and the SS7 signaling network. None of the network nodes
analyzes or processes it. During the call, D-channel messages can be transmitted over the same
signaling path that was established during the call setup. The called number analysis is not
needed, as the signaling path still exists in the processor memory. It can be used during call
setup, call connection and call release. During call setup and release, the user-to-user
information is carried in the IAM, ACM, ANM, or REL message [4].
ISUP message format
ISUP information is carried in the Signaling Information Field (SIF) of MSU. The SIF contains
the routing label followed by 12-bit (ITU) circuit identification code (CIC). The CIC indicates
the trunk circuit reserved by the originating switch to carry the call. The CIC is followed by the
message type field (e.g., IAM, ACM, ANM, REL, and RLC) which defines the contents of the
remainder of the message. ISUP message contains a mandatory fixed part containing mandatory
fixed-length parameters, and comprised only of the message type field. The mandatory fixed
part may be followed by the mandatory variable part and the optional part. The mandatory
variable part contains mandatory variable-length parameters [4]. The optional part contains
optional parameters, each of which is identified by a one-octet parameter code followed by a
length indicator field.
Optional parameters may occur in any order. If optional parameters are included, the end of the
optional parameters is indicated by an octet containing all zeros. The first part of an ISUP
message is the routing label. It consists of the DPC, OPC, and SLS. It occupies 2 octets in which
4 bits are spared. The routing label and CIC are followed by the contents of five mandatory
fixed-length parameters, which are, in sequence: message type, nature of connection indicator,
forward call indicator bits, calling party category and transmission medium requirement.
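The layout described above (CIC, message type, then optional parameters as code, length and value, closed by an all-zero octet) can be checked with a small parser. This is an added example, not part of the thesis; it assumes the routing label has been stripped and that the caller hands over the optional part directly, since the mandatory parameters between the message type and the optional part are not decoded here. The sample octets are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass

# ITU-T Q.763 codes for the five message types named in the text.
MESSAGE_TYPES = {0x01: "IAM", 0x06: "ACM", 0x09: "ANM", 0x0C: "REL", 0x10: "RLC"}
END_OF_OPTIONAL_PARAMETERS = 0x00


class IsupParseError(ValueError):
    """Raised when the octets do not form a well-delimited ISUP structure."""


@dataclass(frozen=True)
class OptionalParameter:
    code: int
    value: bytes


def parse_cic_and_type(buf: bytes) -> tuple[int, str]:
    """Decode the 12-bit CIC and the message type that follow the routing label."""
    if len(buf) < 3:
        raise IsupParseError("need two CIC octets and one message type octet")
    # The CIC is sent low octet first; the top four bits of the second octet are spare.
    cic = buf[0] | ((buf[1] & 0x0F) << 8)
    name = MESSAGE_TYPES.get(buf[2])
    if name is None:
        raise IsupParseError(f"message type 0x{buf[2]:02x} is not handled here")
    return cic, name


def parse_optional_part(buf: bytes) -> list[OptionalParameter]:
    """Walk code/length/value triples until the all-zero end octet.

    Every length indicator is checked against the octets actually present, so a
    malformed length cannot make the parser read past the end of the message.
    """
    params = []
    pos = 0
    while True:
        if pos >= len(buf):
            raise IsupParseError("optional part is not terminated by an all-zero octet")
        code = buf[pos]
        if code == END_OF_OPTIONAL_PARAMETERS:
            return params
        if pos + 1 >= len(buf):
            raise IsupParseError(f"parameter 0x{code:02x} has no length indicator")
        length = buf[pos + 1]
        end = pos + 2 + length
        if end > len(buf):
            raise IsupParseError(
                f"parameter 0x{code:02x} claims {length} octets, "
                f"only {len(buf) - pos - 2} remain"
            )
        params.append(OptionalParameter(code, bytes(buf[pos + 2:end])))
        pos = end


# Constructed sample octets (not captured traffic): CIC 0x123 with message type RLC,
# and an optional part holding two parameters followed by the end octet.
SAMPLE_HEADER = bytes([0x23, 0x01, 0x10])
SAMPLE_OPTIONAL = bytes([0x12, 0x02, 0x80, 0x90, 0x03, 0x01, 0xAA, 0x00])

if __name__ == "__main__":
    print(parse_cic_and_type(SAMPLE_HEADER))
    for p in parse_optional_part(SAMPLE_OPTIONAL):
        print(f"code=0x{p.code:02x} value={p.value.hex()}")
```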
2.18 Telephone User Part (TUP)
The telephone user part (TUP) is used to support basic call setup and tear down in some
countries such as China and Brazil [4]. It handles only analog circuits; ISUP has replaced TUP
for call management.
2.19 Signaling Connection Control Part (SCCP)
SCCP provides additional functions to MTP, and supports many new services. SCCP
supplements the message carrying capabilities provided by the MTP. The combination of MTP and
SCCP is termed the “Network Service Part” (NSP). The NSP provides the full OSI layer 3 services
to the users of Signaling System No. 7.
Application features of SCCP
• It enables the transfer of circuit-related and non-circuit-related signaling and user
information in the telecommunication networks.
• SCCP provides enhanced addressing and routing functions, and helps to achieve
direct global transmission between different No. 7 signaling networks.
• SCCP provides two kinds of new address information: Global Title (GT) and
Subsystem Number. A GT is like a dialed number, which can be numbered uniformly
across different networks in the world (e.g. dialed 800 numbers, calling card numbers
and mobile identification numbers). SCCP translates these numbers into a destination
point code and subsystem number (SN).
There are two kinds of service provided by the SCCP protocol: Connectionless and
Connection-Oriented services. In addition to enhanced addressing capability, SCCP provides
four classes of service, two connectionless and two connection-oriented. The four classes are 0,
1, 2, and 3:
0: Basic connectionless class.
1: In-sequence delivery connectionless class.
2: Basic connection-oriented class.
3: Flow control connection-oriented class.
Classes 0 and 1 are for connectionless service; classes 2 and 3 are for connection-oriented
service [1].
Connectionless Service
In the Connectionless service, the routing information to its destination is included in each data
packet. No logical connection is established between the end nodes.
The connectionless service is typically used to transfer small amounts of real-time critical
information between remote users. In the GSM system, connectionless service is widely used in
the Network Service Part, when an MSC requests information from the database about a mobile
station's location within the network.
In Class 0 service, a user-to-user information block, called “Network Service Data Unit”
(NSDU) is passed by higher layers to SCCP in the node of origin. It is transported to the SCCP
function at the destination node in the user field of a unit data message. The NSDUs are
transported independently and may be delivered out of sequence; this is pure connectionless
class of service.
In Class 1, the features of Class 0 are provided with an additional feature that allows a higher
layer to indicate to SCCP that a particular stream of NSDU should be delivered in sequence.
SCCP does this by associating the stream members with a sequence control parameter and
giving all messages in the stream the same SLS code. The messages are received in the same
sequence in which they were transmitted.
In Class 2, bidirectional transfers of NSDUs are performed by setting up a temporary or
permanent signaling connection (virtual circuits) through the signaling network. Messages that
belong to the same signaling connection are given the same SLS code to ensure sequencing.
In addition, this class of service provides a segmentation and reassembly capability. With this
capability, a NSDU that is longer than 255 octets is split into multiple segments at the
originating node; each NSDU segment is transported to the destination node in the data field of
a data message and at the destination node SCCP reassembles the original NSDU [4].
In Class 3, the capabilities of Class 2 are provided with the addition of flow control, detection of
message loss and mis-sequencing. In the event of lost or mis-sequenced messages, the signaling
connection is reset and notification is given to the higher layers.
Connection oriented service
Connection oriented service means the ability to transfer signaling messages through an
established signaling connection. The connection-oriented services are used when there are
many messages to be transferred, or when the signaling messages are too long. Dividing the
signaling messages into smaller parts is called segmenting; at the receiving side these parts are
reassembled. In connection oriented service, the logical signaling connection is achieved by
giving a local reference number to the signaling messages.
The connection-oriented transfer mode can be divided into three phases:
1. Establishing the connection
2. Data transfer
3. Release of connection
In the first stage, a connection request (CR) is sent to the relay SCCP; the relay SCCP then
sends the CR to the destination. A destination address is included in the CR message. A connection
confirmation is sent to the originating SCCP. The source local reference number (SLR) is
allocated to this logical connection by the originating SCCP, while the destination local
reference number (DLR) is allocated at the receiving side [4].
In the second stage, data is transferred bi-directionally. The data message format is DT1 for
class 2 and DT2 for class 3. The “acknowledge” message (AK) is only used in class 3, and the
logical connection is released after the data transfer. In the GSM system, class 2 service is
widely used on the A interface, and there is no relay SCCP because of the direct connection
between the MSC and BSC.
2.20 The Transaction Capabilities Application Part (TCAP)
Transaction Capabilities (TC) refers to a set of protocols and functions used by distributed
applications in the network to communicate with one another. In SS7 TC refers to the
application-layer protocols. TCAP directly uses the services of SCCP, which in turn uses the
services of MTP, with transport, session, and presentation layers being null-layers. TCAP
provides a set of tools in a connectionless environment that can be used by an application at one
node to invoke execution of a procedure at another node and exchange the results of such
invocations. In telecommunication networks, the distributed applications that use TCAP can
reside in exchanges and in the network databases [47].
However, the subsequent various application services, and intelligent network services such as
called payment and VPN, Operation, Maintenance and Administration Part (OMAP) of the
signalling network, Mobile Application Part (MAP) and Closed User Group (CUG), require that
databases between the switches and those between the switch and the network centre should be
associated so as to provide information request and response function between them. The
“transaction” refers to any interaction process between two network nodes. TC is composed
of the ISP and the TCAP. The ISP refers to the Intermediate Service Part or component portion, which
corresponds to Layers 4 to 6 of the OSI and is set up on the connection-oriented basis of the
SCCP. TCAP refers to the Transaction Capability Application Part, which corresponds to Layer
7 of the OSI and is set up on the connectionless basis of the SCCP.
According to the different requirements for data transfer, the TC users can be divided into two
categories:
(1) Small volume of data transfer with strict real-time requirement
(2) Large volume of data transfer with lower real-time requirement
The users in the first class are called real-time users who pay attention to the data transfer rate.
For example, in the GSM system, during the call set-up stage of a user, the local switching
office queries the HLR for the routing information of the called party and the information
transfer time will directly influence the delay after dial-up. For this class of users, the ISP part
has excessive overhead, so it is not applicable. In this case, the TC only includes the TCAP,
which directly uses the connectionless service of the SCCP to transfer data. The users in the
second class are called offline users who mainly pay attention to the security in data transfer and
do not have strict requirements for data transfer rate. For example, when a switching office
sends batch statistic data to the Network Management Centre, the sending time can be several
seconds to several minutes. In this case, the TC includes the ISP and needs the support of the
connection-oriented service of the SCCP [19].
TCAP is divided into two sub layers: the transaction sub layer and the component sub layer. The
components handled by the component sub layer contain either requests for action at the remote
end (e.g., invoking a process), or data indicating the response to the requested operation. The
transaction sub layer deals with the exchange of messages that contain such components, which
involves establishment and management of a dialogue (transaction) between TC-users.
The Transaction Sub layer
A transaction (or dialogue) defines the context within which a complete remote operation
involving, for example, exchange of queries and responses between two TC-users, is executed.
The transaction sub layer is responsible for management of such dialogue. Two kinds of
dialogues can take place between peer transaction sub layers. They are unstructured dialogue
and structured dialogue.
• In the unstructured dialogue service, the transaction sub layer provides a means for a
TC-user to send to its remote peer one or more components that do not require any
responses. These components are received by the transaction sub layer from the TC-
user. Through the intervening component sub layer, they are packaged and sent to the
remote transaction sub layer in a unidirectional message. There would be no explicit
association established between peer transaction sub layers for this service [4].
• In the structured dialogue, the TC-user issues a TC-BEGIN primitive containing a unique
dialogue ID to the component sub layer. All the components that the TC-user sends within
this dialogue would contain the same dialogue ID. The component sub layer maps this
TC-BEGIN primitive into a TR-BEGIN primitive containing a transaction ID and issues
it to the underlying transaction sub layer.
The messages that are included in a dialogue can be divided into four types:
(i) Start of dialogue (Begin); pointing out the start of a dialogue processing, similar to the
connection setup message in the SCCP. This message has a source transaction identifier
allocated by the local RSL to identify this dialogue.
(ii) Dialogue continues; used for bi-directional transfer of dialogue messages, indicating
the dialogue is in message exchange state. It is similar to the Data Transfer (DT) in the
connection-oriented service of the SCCP. For the receiving end to know which dialogue
the message belongs to, the message should have two transaction identifiers: the
destination and source transaction IDs. After receiving the message, the peer end can
identify the dialogue according to the destination transaction ID.
(iii) Dialogue End; indicating the dialogue ends normally. The dialogue end can be
originated by the TC user at any end. It should have the destination transaction ID.
(iv) Dialogue Abort; indicating the dialogue ends abnormally. The dialogue abort can be
originated by the TC user or the transaction sub layer, and should have the destination
ID. Each identification number is only meaningful in the node that allocated it [4].
The ID allocated at the transmitting end for each message is the source transaction ID, and that
allocated at the receiving end is the destination transaction ID. The former serves as the
destination ID for the receiving end to return messages, while the latter is used for the
receiving end to determine which dialogue the message belongs to.
The TCAP protocol defines the following six types of TR primitives:
TR-UNI (unidirectional): Used to transfer unstructured dialogue messages.
TR-BEGIN: Used for the begin message of the structured dialogue.
TR-CONTINUE: Used for the transfer continue message of the structured dialogue.
TR-END: Used for the transfer end message of the structured dialogue.
TR-U-ABORT: Used to transfer the dialogue abort message of the structured dialogue
originated by the TC user.
TR-P-ABORT: Used to transfer the dialogue abort message of the structured dialogue
originated by the transaction sub layer itself.
Component Sub layer
The basic units responsible for dialogue message transfer in the transaction sub layer are the
components. The Component Sub Layer (CSL) implements the component processing and
control of dialogues. A dialogue message includes one or multiple components, each of which
corresponds to an operation execution request or operation execution result. Each component is
identified by its own invoke ID.
The parallel execution of multiple same or different operation components is controlled with the
invoke ID. This invoke ID is only used for the Component sub layer to differentiate the parallel
execution operations so as to monitor and manage the execution of each operation. The
definitions of the specific operations are identified by the operation code and defined by the TC
user. The meaning depends upon the specific application service. The TCAP does not make
such analysis and processing [22].
The invoke ID is allocated by the CSL originating the operation request. When the peer end
returns the response component, the component should also include the invoke ID so as to
indicate which operation it is the execution result of. The components are embedded into
messages, i.e., the components are subject to the dialogues, so the components in different
dialogues can use the same invoke ID. Thus, with the invoke ID, the TCAP can control the
parallel execution of a large number of same or different operations. The contents of components
are related to the specific application. The components can be divided into the following five
types:
• Invoke-INV; invokes an operation. For example, a query with permission
transaction may include an invoke (Last) component to request SCP translation of a
dialled 800 number. The component is the ‘Last’ component in the query.
• Return Result (last)-RR-L; returns the last result of an invoke operation. The
component is the ‘last’ component in the response.
• Return Result (not last)-RR-NL; similar to the Return Result (last) component
except that the component is followed by more components.
• Return Error-RE; reports the unsuccessful completion of an invoked operation.
• Reject-RJ; indicates that an incorrect package type or component was received.
The TCAP also divides the operations into four types according to their different response
conditions:
Type 1: Whether the operation succeeds or fails, the result should be reported to the invoking
end, i.e., after the INV component of such an operation is sent, the peer end should return the
RR or RE component.
Type 2: Only the operation failure will be reported. It means that the operation only requires the
remote node to execute one action without the need to return any information. If this action is
executed successfully, then no return results are needed. Only when the operation is not
executed successfully does an RE component need to be returned.
Type 3: Only the successful operation will be reported. Opposite to operations of Type 2, the RR
component is returned only when the operation succeeds.
Type 4: Whether the operation fails or succeeds, no report is needed, i.e., after the local end
sends out the INV component, it will not receive any component from the remote end.
The component sub layer interfaces with the TC user interface through TC primitives. The TC
primitives can be divided into two types: Component processing primitives and dialogue
processing primitives. The component primitives are used to transfer component data between
the TC user and the component sub layer.
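The transaction ID and invoke ID rules above can be turned into a checker for what a peer sends back inside a structured dialogue. This is an added sketch, not code from the thesis or from any TCAP stack; the class and verdict strings are hypothetical, and the check that a peer's source transaction ID stays constant is extra hardening assumed here rather than a rule stated in the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Reply components each operation type from the text may legitimately draw.
ALLOWED_REPLIES = {1: {"RR", "RE"}, 2: {"RE"}, 3: {"RR"}, 4: set()}


@dataclass
class Dialogue:
    local_tid: int                      # allocated here, meaningful only at this node
    peer_tid: Optional[int] = None      # learned from the peer's first Continue
    pending: dict = field(default_factory=dict)   # invoke ID -> operation type
    next_invoke_id: int = 0


class TcapEndpoint:
    """The originating side of structured dialogues, checking what the peer returns."""

    def __init__(self) -> None:
        self.dialogues = {}             # local transaction ID -> Dialogue
        self._next_tid = 1

    def begin(self) -> Dialogue:
        dlg = Dialogue(local_tid=self._next_tid)
        self._next_tid += 1
        self.dialogues[dlg.local_tid] = dlg
        return dlg

    def invoke(self, dlg: Dialogue, op_type: int) -> int:
        invoke_id = dlg.next_invoke_id  # invoke IDs are scoped to one dialogue
        dlg.next_invoke_id += 1
        if ALLOWED_REPLIES[op_type]:    # a type 4 operation expects no reply at all
            dlg.pending[invoke_id] = op_type
        return invoke_id

    def receive(self, msg_type, dest_tid, source_tid=None, components=()):
        """Return one verdict string per component, or a single abort verdict."""
        dlg = self.dialogues.get(dest_tid)
        if dlg is None:
            return ["P-ABORT: destination transaction ID is not an open dialogue"]
        if msg_type == "CONTINUE":
            if source_tid is None:
                return ["P-ABORT: Continue carries no source transaction ID"]
            if dlg.peer_tid is None:
                dlg.peer_tid = source_tid
            elif dlg.peer_tid != source_tid:
                # Extra hardening assumed for this sketch, not a rule from the text.
                return ["P-ABORT: source transaction ID changed mid-dialogue"]
        elif msg_type not in ("END", "ABORT"):
            return [f"P-ABORT: {msg_type} is not valid inside an open dialogue"]
        verdicts = [self._check(dlg, kind, iid) for kind, iid in components]
        if msg_type in ("END", "ABORT"):
            del self.dialogues[dest_tid]
        return verdicts

    @staticmethod
    def _check(dlg: Dialogue, kind: str, invoke_id: int) -> str:
        op_type = dlg.pending.get(invoke_id)
        if op_type is None:
            return f"REJECT: {kind} for invoke ID {invoke_id}, which is not outstanding"
        family = "RR" if kind in ("RR-L", "RR-NL") else kind
        if family not in ALLOWED_REPLIES[op_type]:
            return f"REJECT: a type {op_type} operation does not report {kind}"
        if kind != "RR-NL":             # a last result or an error closes the invocation
            del dlg.pending[invoke_id]
        return f"ACCEPT: {kind} for invoke ID {invoke_id}"


if __name__ == "__main__":
    ep = TcapEndpoint()
    dlg = ep.begin()
    iid = ep.invoke(dlg, op_type=1)
    # Constructed peer messages: a partial result, then the last result in an End.
    print(ep.receive("CONTINUE", dlg.local_tid, 0x7001, [("RR-NL", iid)]))
    print(ep.receive("END", dlg.local_tid, components=[("RR-L", iid)]))
    print(ep.receive("CONTINUE", dlg.local_tid, 0x7001))   # dialogue already ended
```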
2.21 Mobile Application Part
This is an example of an entity of SS7 signaling, developed to serve a particular application in a
mobile network. It is used between a ‘mobile’ telephone network exchange and an intelligent
network database, called the home location register (HLR) or visitor location register (VLR).
The database is kept informed of the current location of the mobile telephone handset. Thus the
mobile telephone's incoming and outgoing calls can be handled at the same time [15].
Functions of MAP
The MAP specifications of the GSM have specified the MAP signals between the entities such
as the mobile service switching centre, location register, authorization centre, and equipment
identification register of the 900MHz TDMA digital cellular mobile communication network,
including message flow, definitions of operations, data type, error type and specific codes.
The MAP is an information exchange mode provided between the GSM network entities to
implement the automatic roaming function of mobile stations. The transmission of the MAP
signalling is based on the series of SS7 signaling technical specifications released by the CCITT
[22]. MAP is responsible for information transfer between the GSM functional entities in the
following processes:
• Location update and cancel location; Fault restoration of location register
• User Management; Authorization and encryption (IMEI management)
• Routing function; Access processing and paging, Processing of supplementary
services, Handover, Short message service, Operation and maintenance.
In the GSM system, the MAP signalling transfers the information related to the above protocol
between various functional entities through the SS7 system of the GSM. Figure 2.15 shows the
MAP/C to MAP/I interface between core network entities.
2.22 Operation and Maintenance Application Part (OMAP)
The OMAP of SS7 provides the application protocols and procedures to monitor, coordinate,
and control all the network resources. It manages the functions of remote exchange and
equipment that make communication based on SS7. OMAP is specified in CCITT Blue Book
Recommendation [26].
2.23 Intelligent Network Application (INAP)
This provides the intelligent network services to the GSM mobile network [2].
Figure 2.15. MAP/C to MAP/I Interface between Core Network Entities [7]
[Figure: the MS, EIR, SMS Gateway, VLR, MSC, GMSC and HLR connected by the MAP/C, MAP/D, MAP/E, MAP/F, MAP/G, MAP/H and MAP/I interfaces.]
2.24 Signaling Protocol in GSM Network
Signaling protocol in GSM is structured into three general layers, depending on the interface, as
shown in Figure 2.16. Layer 1 is the physical
layer, which uses the channel structures over the air interface. Layer 2 is the data link layer.
Across the Um interface, the data link layer is a modified version of the LAPD protocol used in
ISDN, called LAPDm. Across the A interface, the Message Transfer Part layer 2 of Signaling
System Number 7 (SS7) is used [22]. Layer 3 of the GSM signaling protocol is divided into 3
sub layers:
• Radio Resources Management: controls the setup, maintenance, and termination of radio and
fixed channels, including handovers, over the link between the MS and the BSS.
• Mobility Management: manages the location updating, registration procedures, security and
authentication.
• Connection Management: provides the communication between the MS and the MSC. It handles
general call control, Supplementary Services and Short Message Service.
Signaling between different entities in the fixed part of the network, such as between the HLR
and VLR, is accomplished through the Mobile Application Part (MAP). MAP is built on top of the
Transaction Capabilities Application Part (TCAP), at the top layer of Signaling System Number
7 [22]. Figure 2.16 illustrates the signaling protocol involved in the GSM network.
Figure 2.16 Signaling Protocol Structure in GSM Network
[Figure: protocol stacks (Layer 1, Layer 2, GSM Layer 3) at the Mobile Station, BTS, BSC and MSC across the Um, Abis and A interfaces; protocols shown: TDMA, LAPDm, RR, MM, CM, MTP, SCCP, BSSMAP.]
CHAPTER THREE
SIGNALING TRAFFIC
3.0 Introduction
In a GSM network, several signaling messages are involved in call connection, maintenance,
release and in network management [21]. The number of control messages is dependent on the
type of call made. This chapter shows the signaling traffic in a GSM network and presents the
different signaling messages associated with calls that involve mobility and the non-mobility
calls.
Signaling traffic is referred to as the comprehensive control messages resulting from call
arrivals in a network [50]. The signaling traffic volume in a GSM network is the product of
signaling message volume per call and the number of calls; these can be quantified if the call
traffic, for both mobility and non-mobility calls, is obtained over a given period of time.
Signaling messages exchanged in the GSM network have lengths in bytes which fall
within a particular range specified in the ITU-T signaling message format [9]. The sum of the
different lengths (in bytes) of the different signaling messages that are involved in a single GSM
call is referred to as the signaling message volume per call [50]. Signaling message number per
call is the number of control messages involved in a single call. It is the total number of signaling
messages exchanged among the components of the GSM network which include the call set up
request, call establishment, and call management. The GSM calls with mobility have higher
number of signaling messages than those without mobility.
3.1 MOBILITY PROCEDURES IN GSM NETWORK
Mobility management is the tracking of mobile subscribers to know their current location so
that calls, SMS and other mobile related services will be delivered to them [8]. In wireless
systems, the overall costs of maintaining accurate location records are at present very
challenging [16]. The relevant signaling events require use of radio channels; such use requires
optimization due to the scarcity of network resources.
Therefore optimized location management procedures need to be provided for high-density
signaling wireless systems. Services are delivered more effectively to a mobile user, when the
location of a called mobile user needs to be determined within a certain time limit [8]. Therefore,
it is significant to have an efficient way to locate the mobile user.
Location Management procedure is a two-stage process that enables the network to discover the
current attachment point of the mobile user for call delivery [9]. The first stage is location
registration or location update. In this stage, the mobile terminal periodically notifies the network
of its access point, allowing the network to authenticate the user and modify the user's location
profile. The second stage is call delivery; the network is queried for the user location profile and
current position of the mobile host. Current techniques for location management involve
database architecture design and the transmission of signaling messages between various
components of a signaling network [41]. Figure 3.1 shows the signaling network architecture
which is based on SS7 architecture that uses signaling transfer points (STPs).
An STP serves a group of location areas. When the visitor location register (VLR) needs to
contact the home location register (HLR), the signaling path would be from the VLR to the STP,
and then to the HLR. The STP routes each incoming message based on routing information
contained in the SS7 message. Service switching points (SSPs) send signaling messages to
other SSPs to set up, manage and release calls [31, 41]. These signaling points have numeric
point codes used to identify the source and the destination of each message. The location update
procedure specifies the traffic involved in the mobility procedure. Figure 3.1 presents the
signaling network architecture.
Figure 3.1 Signaling Network Architecture
3.2 LOCATION UPDATE PROCEDURE
The location of a user should be known before a mobile network can offer connectivity to that
user [45]. Location update is a procedure in which a mobile terminal informs the network of its
whereabouts. A request by a mobile terminal for location updating upon entry into every new cell
produces enormous location updating traffic and thereby decreases the system’s performance
[49]. Cells are grouped into location areas in order to reduce signaling load. In addition, the
network requires the mobile unit to carry out periodic location updating. The time between
periodic location updates is set by the operators and can vary.
However, a user’s location is stored in three different locations in the GSM network; the
subscriber identity module, the visitors location register (VLR) attached to the roaming mobile
switching center (MSC) and the home location register (HLR). In routing a mobile terminating
call, the HLR stores only the destination of the MSC being roamed, the VLR stores the location
the mobile terminal is currently in. These led to two variations in location updating procedure;
Inter-MSC and Intra-MSC location updates. Figure 3.2 shows Intra-MSC location update.
Intra-MSC location update: The mobile terminal moves into a new location area within the
same MSC. Neither the VLR nor the HLR needs to be informed, as the MSC being roamed is unchanged.
Figure 3.2. Intra-MSC Location Update in GSM
[Figure: one MSC with its VLR and the HLR, serving BSC1 and BSC2 and their location areas.]
Inter-MSC location update: The mobile terminal comes into the coverage of a new location
area controlled by a different MSC. In this case, the VLR associated with the new MSC needs to
be informed. The new VLR has to update the HLR with the new MSC’s address and the old
VLR does not need to update [5]. A mobile phone keeps selecting the best cell to service a call
and also keeps the cellular provider informed about the subscriber’s current location. Figure 3.3
illustrates the Inter-MSC location update scenario.
Figure 3.3 Inter-MSC Location Update
[Figure: the old MSC and the new MSC, each with its own VLR, BSC and location area (LA), and the HLR.]
A GSM network is divided into cells, and a group of cells is called a location area [4]. A mobile
phone in motion keeps the network informed about changes in the location area. If a mobile
moves from a cell in one location area to a cell in another location area, the mobile phone
performs a location area update to inform the network about the exact location of the mobile
phone. When a GSM mobile reaches a cell boundary (both cells in the same LA), it keeps
monitoring the beacon frequency for its current cell and its neighbors. The GSM mobile measures
the cell strength to see if it should change its primary cell. The signal strength of the BCCH
will be monitored to select the best cell [3]. When the mobile has reached the boundary and finds
that the signal quality of the next cell is better, the mobile marks that cell as the primary cell.
The mobile checks whether the location areas of the old and the new cell are different whenever
the primary cell changes. In this case, the mobile finds that the location areas are the same, so
no location area update is needed. When a GSM mobile reaches a Location Area boundary (old and
new cells are in different Location Areas), the BCCH on the beacon frequency is monitored and the
new cell is being received with a better signal strength [3]. The mobile station initiates the
Location Area procedure.
Radio Resource Connection Setup
A mobile station establishes an RR connection to send the Location Update to the network [3].
The mobile tunes to the assigned radio channel and sends the Set Asynchronous Balanced Mode
(SABM) message to initiate the radio connection [3]. The location update is piggybacked on this
message, and the BSC receives the location update with the SABM. The location updating request is
forwarded to the MSC in the “BSSMAP COMPLETE LAYER 3 INFORMATION” message. The RR
connection setup is completed by responding to the received SABM with an Unnumbered
Acknowledgement. The MSC finds that the old location area was handled by a different MSC.
Thus the MSC needs to contact the HLR; the MSC VLR does not find the TMSI in its database.
It uses the old Location Area Indicator (LAI) to obtain the address of the old MSC VLR, and a
request is sent to it for the IMSI of the subscriber [3].
The MSC sends an update location message; the HLR updates its record to indicate that the
subscriber is now present in its new location area. The message contains a 64-bit ciphering key
used as a session key (Kc), a 128-bit random challenge (RAND) and a 32-bit Signed Response
(SRES). These parameters are used for authentication.
Authenticate Subscriber: the MSC VLR decides to authenticate the subscriber, and the RAND
value received from the HLR is sent to the mobile [3]. The SIM applies secret GSM algorithms
to the RAND and the secret key (Ki) to obtain the session key and SRES. The MSC initiates
ciphering of the data being sent on the channel. The BSC sends the CIPHERING MODE
COMMAND to the mobile. The new message assigns a new TMSI to the terminal; since the TMSI
is sent after ciphering is enabled, the relationship between the TMSI and the subscriber would
not be obtained by unauthorized users [3]. The RR connection is released by the MSC; the BSC
initiates RR release with the mobile. The BSC informs the MSC that the RR connection has
been released, and the mobile sends a disconnect message to release the LAPDm connection.
Appendix A illustrates the signaling message sequence for a GSM location update [3].
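The challenge-response exchange and the TMSI assignment described above can be traced in a short model. This is an added example, not code from the thesis or from any GSM implementation; HMAC-SHA256 is an assumed stand-in for the secret GSM algorithms, and the class names, the 128-bit Ki length, the 32-bit TMSI and the sample IMSI/Ki are assumptions or constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

Triplet = Tuple[bytes, bytes, bytes]  # (RAND, SRES, Kc)


def a3_a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Return (SRES, Kc) for a given Ki and RAND.

    ASSUMPTION: HMAC-SHA256 replaces the secret GSM algorithms, which the
    page does not name. Output sizes follow the page: 32-bit SRES, 64-bit Kc.
    The 128-bit Ki length is standard GSM, not stated on the page.
    """
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND must be 128 bits each")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Hlr:
    """Holds each subscriber's Ki and issues authentication triplets."""

    def __init__(self) -> None:
        self._ki: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str) -> Triplet:
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge
        sres, kc = a3_a8_stand_in(self._ki[imsi], rand)
        return rand, sres, kc


class Sim:
    """Subscriber side: Ki never leaves the card, only SRES does."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc: Optional[bytes] = None

    def authenticate(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8_stand_in(self._ki, rand)
        return sres


class MscVlr:
    """Serving MSC/VLR: challenges the mobile, then hands out a TMSI."""

    def __init__(self, hlr: Hlr) -> None:
        self.hlr = hlr
        self.tmsi_to_imsi: Dict[bytes, str] = {}

    def location_update(self, sim: Sim) -> Dict[str, object]:
        rand, expected_sres, kc = self.hlr.triplet(sim.imsi)
        sres = sim.authenticate(rand)  # RAND goes down, SRES comes back
        # Constant-time comparison so the check leaks no timing information.
        if not hmac.compare_digest(sres, expected_sres):
            return {"authenticated": False, "kc": None, "tmsi": None}
        # Ciphering starts with Kc here (CIPHERING MODE COMMAND); only
        # afterwards is the new TMSI sent, so it never travels in clear.
        tmsi = secrets.token_bytes(4)  # 32-bit temporary identity (assumed size)
        self.tmsi_to_imsi[tmsi] = sim.imsi
        return {"authenticated": True, "kc": kc, "tmsi": tmsi}


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    # Constructed sample subscriber (test IMSI and Ki, not real values).
    imsi = "001010123456789"
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    hlr = Hlr()
    hlr.provision(imsi, ki)
    vlr = MscVlr(hlr)
    genuine = vlr.location_update(Sim(imsi, ki))
    wrong_key = vlr.location_update(Sim(imsi, bytes(16)))  # same IMSI, wrong Ki
    return genuine, wrong_key


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A SIM that presents the right IMSI but holds a different Ki produces a different SRES, so it is rejected before any TMSI is allocated.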
3.3 HANDOVERS IN GSM NETWORK
The procedure where a radio path to a mobile user is switched during an active call, without
significant degradation in the quality of service, is termed handover [19]. Factors that
contribute to a network executing a handover are:
• Mobile Station moving out of radio coverage of a cell
• Signal strength deterioration
• Traffic management
Mobile stations moving out of radio coverage of a cell make measurements of the radio reception
levels for the current and neighboring cells, and report this information to the network [49].
The serving BSC makes the decision to execute a handover based on these measurements.
Signal strength deterioration: when a mobile reports that its signal strength from the current
cell is much weaker, the serving BSC extracts the radio resource (RR) handover command message
from the BSSMAP message and sends it to the mobile [49]. In traffic management, handovers
are initiated to improve the performance of the network. When the signal strength of the present
cell is weak compared with that of the target cell, handover will be initiated.
In a GSM network, the decision to initiate a handover is made by the network. The three-stage
process for handover involves:
(i) Initiation
(ii) New connection generation
(iii) Data flow control
The first stage is initiation where the user, a network agent, or changing network conditions
identify the need for handover. The second stage is new connection generation, where the
network finds new resources for the handover connection and performs any additional routing
operations. Under Network-Controlled Handoff (NCHO), or Mobile-Assisted Handover
(MAHO), the network generates a new connection, finds new resources for the handover and
performs any additional operation. In Mobile Controlled Handover (MCHO), the mobile
terminal finds the new resources and the network approves [48].
The final stage is data flow control, where the delivery of the data from the old connection path
to the new connection path is maintained according to agreed-upon service guarantees.
In handover management, on-going calls are modified under two conditions: signal strength
deterioration and user mobility. Deterioration of the radio channel results in intra-cell handover,
where the calls are transferred to new radio channels of appropriate strength within the same cell,
or the MT's connections are transferred to an adjacent cell [39]. User mobility always results in
inter-cell handover. In each case, the MT's connections may be passed to the new BS without
interrupting communications with the old BS. The handover is soft when there is no interruption;
on the other hand, if the connections are interrupted at the old base station and then established at
the new BS, the process is called hard handover [39].
Appendix B illustrates the handover message sequence for the intra-MSC handover and inter-
MSC handover. Consequently, their respective flow charts of operations are presented in
Appendix C.
3.4 GSM ORIGINATING CALL
The signaling procedure for a mobile originating call is described. A GSM caller wishing to
make a call does not receive a line to the exchange as in the fixed network [3]. The user keys in
the phone number for the landline subscriber and presses the send button. Call related
information needs to be transported from the mobile phone to the Mobile switching centre
(MSC). This requires the establishment of a Radio Resource (RR) connection to MSC. The first
phase of the call setup sets up this RR connection [3].
RR Connection Establishment
This establishment is triggered by sending the Channel Request message. This message requests
an allocation from the Base Station System (BSS); the mobile then waits for an assignment on the
Access Grant Channel (AGCH) [3]. At this point, the mobile is listening to the AGCH for a reply.
Note that the RR connection request is sent on a Random Access Channel (RACH). This is a slotted
Aloha channel that can be used at random, without any coordination between the mobiles. Any
mobile can transmit on this channel whenever it wishes. If two mobiles transmit on the channel at
the same time, their messages will be lost in a collision [3]. The mobiles will detect the
collision through a time slot and retransmit the message after a random back off. The BSS
allocates a traffic channel (TCH) to the mobile. The TCH allocation assigns a specific frequency
and a timeslot on that frequency.
The mobile receives this message and uses the specified resources for communication
with the mobile network [3]. The message also contains the time and frequency corrections. The
time corrections allow the mobile to time its transmissions so that they reach the BSS only in
the specified slot; the mobile adjusts the frequency and the timing based on the advice from the
BSS. This step is required so that the mobile's transmissions reach the base station at the
precise time and with the correct frequency. The mobile detunes from the AGCH and tunes to the
specified radio channel. The mobile initiates a LAPDm connection with the BSC by sending a Set
Asynchronous Balanced Mode (SABM) message [3]. The BSC receives the CM Service Request message
from the mobile and forms a “BSSMAP COMPLETE LAYER 3 INFORMATION” message. The BSC then
piggybacks the message on the SCCP connection request message. The MSC checks if the
subscriber has been authenticated. In the case where the subscriber has already been
authenticated, it skips this procedure.
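The RACH contention described above (uncoordinated Channel Requests, loss on collision, retransmission after a random back off) can be simulated slot by slot. This is an added example, not part of the thesis; the uniform back-off window of 1 to max_backoff slots, the worst-case start with every mobile requesting in slot 0, and the function and parameter names are assumptions.

```python
import random
from typing import Dict, List


def simulate_rach(n_mobiles: int, max_backoff: int = 8, seed: int = 1,
                  max_slots: int = 10_000) -> Dict[str, object]:
    """Slotted-Aloha model of Channel Request contention on the RACH.

    A slot carrying exactly one request succeeds (the BSS can answer on the
    AGCH); a slot carrying two or more is a collision and every request in
    it is lost. Each colliding mobile retries after a random back off.
    """
    rng = random.Random(seed)                       # seeded so runs repeat
    next_tx = {m: 0 for m in range(n_mobiles)}      # slot of next attempt
    attempts = {m: 0 for m in range(n_mobiles)}     # requests sent per mobile
    granted: Dict[int, int] = {}                    # mobile -> successful slot
    collisions = 0
    slot = 0
    while next_tx and slot < max_slots:
        senders: List[int] = [m for m, s in next_tx.items() if s == slot]
        for m in senders:
            attempts[m] += 1
        if len(senders) == 1:
            # Only one mobile used this slot: its request gets through.
            granted[senders[0]] = slot
            del next_tx[senders[0]]
        elif len(senders) > 1:
            # Collision: all requests lost, each mobile backs off at random.
            collisions += 1
            for m in senders:
                next_tx[m] = slot + rng.randint(1, max_backoff)
        slot += 1
    return {"granted": granted, "collisions": collisions,
            "attempts": attempts, "slots_used": slot}


def demo() -> Dict[int, Dict[str, object]]:
    # Constructed load levels: 1, 4 and 12 mobiles requesting at once.
    return {n: simulate_rach(n, max_backoff=16, seed=42) for n in (1, 4, 12)}


if __name__ == "__main__":
    for n, result in demo().items():
        print(n, "mobiles:", result["collisions"], "collisions,",
              result["slots_used"], "slots,",
              sum(result["attempts"].values()), "Channel Requests sent")
```

The count of Channel Requests sent grows faster than the number of mobiles, which is the extra signaling load that contention adds before any RR connection exists.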
ENABLE CIPHERING
If the subscriber has been authenticated, the MSC initiates ciphering of the data being sent on
the channel [3]. The channel is ciphered so as to protect the call from eavesdropping. Ciphering
on the radio link is enabled in three steps. In the first step, the BSS starts expecting
ciphered data from the mobile but continues to send data in clear. Since the mobile has been
informed about the ciphering, all data received from the mobile will be in error. The BSS sends
the CIPHERING MODE COMMAND to the mobile [3]. In the second step, the mobile receives the
message and enables ciphering in the transmit and receive directions. This action will result in
all BSS data being received in error. (The BSS is still transmitting data in clear.) If
ciphering is enabled, the message is transmitted with ciphering. The BSS will receive this
message as it is already expecting ciphered data in the receive direction. In the third step,
the BSS enables ciphering in the transmit direction [3]. The BSS replies back to the MSC,
indicating that ciphering has been successfully enabled. Radio Resource connection establishment
is completed. At this point, the BSS is acting as a transport medium for the signaling messages
between the mobile and the MSC.
CALL SETUP
The mobile sends the setup message to establish a voice call. The message contains the dialed
digits and other information needed for call establishment [3]. The mobile is informed that the
call setup is in progress. The mobile phone displays a message on the screen to indicate that call
setup is being attempted. The MSC allocates a voice circuit on one of the digital trunks between
the MSC and the BSS. The call is switched from signaling to voice. The BSS notifies the mobile
about the changeover to voice mode [3]. The MSC routes the call towards the called subscriber;
the PSTN indicates to the MSC that it has received all the digits and that the called subscriber
is being rung. When the mobile initiates call release, the subscriber hits End to clear the call.
A disconnect message is sent to the MSC by the mobile, which initiates release to the PSTN. The
MSC informs the PSTN that call release has been completed. The RR connection is released by the
MSC; the BSC initiates RR release with the mobile and releases the TCH channel [3]. The mobile
goes back to the default display to indicate that the call has been completely released.
Appendix D illustrates the signaling sequence for GSM originating call flow.
3.5 GSM MOBILE TERMINATING CALL FLOW
In a GSM terminating call, a two-step process is involved. The first step is the interrogation
procedure, where a calling party’s MSC has the ability to interrogate the called party’s HLR [4].
Once the HLR is interrogated, the call is routed to the roaming MSC. At the MSC, the call setup
procedure to the mobile terminal is independent of the call origin. The second step is the actual
call setup after the subscriber has been located [3]. In the interrogation procedure, a PSTN
subscriber calls the mobile phone; the PSTN uses the MSISDN to locate the GMSC for the service
provider. Once the GMSC has been identified, the PSTN sends the ISUP Initial Address
Message to the GMSC. The GMSC requests routing information for the GSM subscriber from
the HLR, which uses the dialed number to locate the HLR entry for the subscriber. The SS7
address for the MSC VLR serving the subscriber is obtained from this record. The MSC VLR
allocates a temporary roaming phone number (MSRN), which is then passed to the HLR [3].
The subscriber in a particular location area needs to be located, since a location area might
have several cells [3]. A paging mechanism is used to locate the subscriber: the BSSMAP PAGING
message is sent to all the BSCs that handle the particular Location Area. All cells in the
location area broadcast the page message on the Paging Channel (PCH); all mobile phones
listen to this channel every few seconds. The SS7 address of the serving MSC VLR was
updated through an inter-VLR location update. The BSC sends an SCCP connection request to
the MSC VLR; the page response message is piggybacked on the request. The BSC sends the
CIPHERING MODE COMMAND to the mobile, and replies back to the MSC indicating that
ciphering has been successfully enabled [3]. The MSC VLR receives the page response and
sends a call setup to the mobile, which acknowledges receipt of the setup by sending the
call confirmed message. The mobile notifies the MSC that the subscriber is being alerted; the
MSC receives the alert indication and sends an ISUP address complete message to the GMSC.
When the mobile initiates call release, the subscriber hits End to clear the call, and it is
indicated that the call has been released. The RR connection is released by the MSC, and the
mobile sends a disconnect message to release the LAPDm connection. Appendix E illustrates the
signaling sequence for a GSM terminated call.
Table 3.1 Number of signaling messages involved in GSM call types
S/N   Call types             Number of signaling messages in a network per call
1     GSM Location Update    38
2     GSM Terminated Call    36
3     GSM Originating Call   35
Table 3.1 shows that GSM Location Update generated the highest number of signaling messages
in a GSM network. The number of signaling messages involved in a GSM network is dependent
on the type of call generated and the system structure. However, when there is mobility in a GSM
network, the number of signaling messages increases. The volume of signaling messages in bytes
helps the network designer to set a target for traffic generation.
CHAPTER FOUR
QUANTIFICATION OF SIGNALING TRAFFIC FOR MOBILITY MANAGEMENT
4.0 Introduction
The signaling traffic generated in a GSM network comprises local traffic and trunk traffic.
SS7 signaling traffic can be grouped into traffic that supports mobility and traffic that does
not support mobility. The two signaling traffic groups are bi-directional at the trunk and local
circuits [44] (see figure 4.1). Traffic that requires mobility may originate and terminate in other
GSM or fixed networks. The mean numbers of such traffic were calculated for each of the call
types. Average call arrivals at an MSC were measured from a typical GSM switching centre in the
country. The mean number of calls in a Nigerian GSM network was calculated from the data the
node (MSC) experienced per second, measured within a period of 24 hours. In observing these
call traffic generations, it was noted that not all calls that arrived in a GSM network attracted
mobility signaling.
In order to manage mobility in GSM networks, handover and location update signaling messages
are basically required. Therefore, in this chapter, both handover and location update signaling
message traffic flow were modeled and based on the model, the volume of mobility related
traffic was calculated.
4.1 Measured Traffic Data
The data contains all call arrivals, grouped according to the behavior pattern of the different
groups of call arrivals. In Appendix G, the table shows that there were call drops in the network
due to system failure or scarcity of radio resources. Some of these calls gain access to the
network but do not reach the subscriber destination. Only a fraction of the calls will be
answered. Figure 4.1 shows user mobility in the network.
[Figure 4.1 diagram labels: GSM Node; T1 = Local & Trunk (Originating); T2 = Local & Trunk
(Terminating); T3 = Trunk; Same; Other]
Figure 4.1 Traffic flow to and from a node
During the early hours of the day, traffic is low because user mobility is low. Traffic
increased between 8 am and 10 am, when user movement is high. After some time the traffic kept
fluctuating, and at about 8 pm the traffic was a little below the maximum. Mobility increases with
user behavior. Table 4.2 shows the summary of call type parameters, and their mean values. The
mean values given were used for the calculation of the signaling traffic volumes.
Figure 4.2 Graph of Local call arrivals per hour from typical GSM Network
Table 4.1 Summary of call type parameters and their mean values
Call types             Call type parameters                                   Maximum Values   Minimum Values   Mean Values
Local Calls            Mobile calling subscriber connected calls              3195             13               1753
                       Number of called mobile subscribers connected calls    2324             4                1206
                       Call drops due to handover                             3                0                0.8
GSM Trunk calls        Connected calls                                        2851             0                328
                       Call failure after connection                          1182             0                121
                       Answered calls                                         744              0                97
GSM to fixed network   Number of connected calls                              6691             0                544
                       Number of Answered calls                               2513             0                202
Table 4.2 was based on the actual data values measured from a typical GSM network in Nigeria.
It was shown that the number and volume of non-mobility signaling traffic (TSS7-1) are 70 and
3,421 [bytes] respectively. The number of signaling messages for mobility (TSS7-2) is 26
minimum and 36 maximum, while the volume is 1539 bytes minimum and 2,143 bytes maximum.
Based on these calculations of the number and volume of signaling messages, the mobility
behavior in the network was shown. It implies that during mobility, the
network will have a high signaling traffic intensity, which affects the performance of the system
and reduces the efficiency of the network.
Table 4.2 SS7 signaling traffic for a node
Call Type                                   Number of signaling   Volume of signaling (byte)
Local and Trunk calls (without mobility)    70                    3421
Local and Trunk calls (with mobility)       26/36                 1539/2143
4.2 MOBILITY SIGNALING TRAFFIC MODEL
In order to manage mobility in GSM networks, location update and handover signaling message
groups are involved as earlier stated.
4.2.1 LOCATION UPDATE
Location updating on LA crossing allows the system to track the mobile stations during their
roaming in the networks [32]. It requires each BS to periodically broadcast the identity of its
LA. The mobile station is required to permanently listen to network broadcast information on
the broadcast channel and to store the current LA identity. A location update (LU) procedure is
automatically triggered by the mobile if the received LA number differs from the stored one
[48].
The mobile generates an LU each time it detects an LA crossing [32]. Nevertheless, if no
communication has occurred between the mobile and the network for a fixed period, the mobile
also generates an LU. This periodic LU typically allows the system to recover user location data
in case of a database failure. Given the number of cells per LA, the structure of an LA is
designed so that the rate of location updates of MSs is minimized. Location update rate is
defined as the average number of location updates received by a BS per unit time [48]. Mobility
models differentiate user movement models; location update rate is expressed as
λLU = Ck*λCBC * ηms (4.1)
Where
λLU --- location update rate
Ck – fraction of the perimeter at the kth cell of the LA
λCBC-- cell boundary crossing rate (Call/MS/ unit time)
ηms – Average number of MS per a cell
4.2.2 HANDOVER
Handover calls follow a Poisson process with arrival rate λh [48]. Handover parameters are used
to describe the number of handovers a mobile device undergoes during a service delivery. This is
the same as the number of times it crosses different cell boundaries, i.e. the cell boundary
crossing rate, which was expressed in [48] as,
λCBC = γ/ηms (4.2)
Where
ηms – Average number of MS per a cell
γ – Average number of MS entering a cell per unit time
Therefore, the total signaling for mobility within an MSC area may be calculated using equation
(4.3).
T mobility Traffic = ρ4 T4+ ρ5 T5 (4.3)
Where,
ρi – signaling traffic quantification factors for the SS7 signaling groups that represent the precise average values for mobility of the,
• call handovers - ρ4
• MS updates - ρ5
The determination of the signaling traffic quantification factors, ρi, which would most precisely
generate the SS7 signaling traffic volume, is the main difficulty underlying the quantification of
signaling traffic. Researchers have been finding it difficult to arrive at generally accepted
analytical expressions that accurately model the coefficients [22, 46]. The problem has been to
produce a model that would generate data that would most closely approximate real life values
– values obtained from real systems.
The Poisson statistical function, equation (4.2), is a popular teletraffic function applied in
such situations [40]. The inverse of the function required for the determination of the
quantification factors was usually evaluated using a sequence of uniformly distributed random
numbers. The evaluation produces the direct call arrival distribution required for the
simulation of the coefficients' call arrival generation. Equation (4.2), no doubt, is a
probabilistic expression and can only approximate the model of a system with a certain level of
accuracy.
(4.4)
where,
n – arrivals at a time
λ – number of arrivals within a unit time interval
t – time in seconds
Specifically, ρ4 and ρ5 were determined using an analytical model that is usually adopted
because of the accuracy of results it generates. The model is very popular and simple; it
employs fluid flow technique and provides satisfactorily approximate quantitative analysis of
aggregate MS mobility. The model, as applied in [44] and expressed in equation (4.3), assumed
uniformly distributed MS paths of movement in a given GSM cell area and also a uniformly
distributed MSs in the cell area. These assumptions greatly influenced the accuracy of the
approximation of the factors. Therefore, it may be very difficult with such a tractable analytical
expression to achieve absolute convergence of simulated data with the real life data.
(4.5)
where,
σ(t) – Mobile station density [MS/km2] at a specified time.
υ – Average mobile station velocity [km/hr]
L – Cell area perimeter [km]
The quantification factors, ρi, were determined from it, bearing in mind that the number of call
arrivals included both successful and unsuccessful calls. Unsuccessful calls were referred to as
call drops and were measured as 9.23% of the connected calls. Call drops generate the same
signaling traffic as successful calls. Table 4.3 presents the quantified SS7 mobility
signaling traffic for an MSC area.
ρi = αiθ = αi (1 + 0.0923) (4.6)
Where,
θ - Coefficient that accounts for call drops
αi – Average numbers of call arrivals within an observation period measured hourly.
Table 4.3 Average of the hourly average of signaling traffic within an MSC area
Signaling   Coefficients   Value of       Number of Signaling   Volume of Signaling   Average Number of     Average Volume of
Group                      (Calls/Hour)   per Call              per Call [byte]       Signaling per hour    Signaling per hour [byte]
T4          ρ4             46             11min/14max           518min/621max         1540min/1960max       72520min/86940max
T5          ρ5             140            15min/22max           1021min/1522max       690min/1012max        46,966min/70,012max
Total                      186            26min/36max           1539min/2143max       3500min/2972max       119486min/156952max
This table shows the total mobility traffic, from which the node is expected to generate a
minimum of 3500 and a maximum of 2972 signaling messages, which translate into a
minimum of 119486 bytes and a maximum of 156952 bytes of traffic volume. These values were
obtained using average values measured from a typical network node. Table 4.5 shows the
average number of mobility calls (handover calls and location updates), and the total traffic
arrivals.
Table 4.4 Summary of call arrivals; mobility and non mobility calls
Signaling Group   Average Calls/Hour   Average Volume of Signaling per hour [byte]
Tss7-1            7502                 4406949
Tss7-2            186                  119486min./156952max.
Total traffic     7688                 9,521,025min/9,558,491max
4.3 LOCATION AREA MANAGEMENT
The factors in the system architecture that affect location management include cell size, number of cells
per LA and signaling capacity. The number of calls received by a BS at each cell per hour was based on
the actual data obtained from a typical GSM network in Nigeria. In the location area structure, each
location area is a group of cells. It is assumed that cells are identical in size, and a base station is
assumed to be located at the center of each cell. Given the number of cells per LA, the structure of an LA
is designed so that the perimeter is minimized [55]. Table 4.5 shows the parameters used in the
signaling traffic rate for Location update, and Handover.
Table 4.5 Modeled parameters
Parameter Value
Number of cells/base stations 30
Traffic Model
MS residence time with different values 1hr-24hr
Mobility Modeling
Number of mobiles 7502
Cell area perimeter(L) 3km and 6km
Speed of mobiles (Sm) 20km/hr
Number of cells in a location area 6
MS movement (π) 42˚
Average no. of MS/cell 250
The analytical model, which employs the fluid flow technique, is applied to determine the call
handover rate.
(4.7)
Where,
σ(t) – Mobile station density [MS/km2] at a specified time.
υ – Average mobile station velocity [km/hr]
L – Cell area perimeter [km]
λ – Average outgoing handover rate
π– MS movement which can be distributed
Using the parameters given above;
λ = (6*20*250) / 42
λ = 714 handover/cell/hr
For Location update rate;
λLU = Ck*λCBC * ηms (4.8)
Ck – fraction of the perimeter at the kth cell of the LA
λCBC cell boundary crossing rate (Call/MS/ unit time)
ηms – Average number of MS per a cell
λCBC = γ/ηms
Where;
γ = ηms/E (t)
γ – Average number of MS entering a cell per unit time
E (t) – mean cell time
ηms = 250
γ = ηms / E(t) = 250 / (0.08683*24)
Average number of MS entering a cell per unit time (γ) = 119 MS/hr
λCBC = γ / ηms = 119 / 250
λCBC = 1 crossing/MS/hr
Location update rate is given as;
λLU = Ck*λCBC * ηms
λLU = 3*1*250
λLU = 750 LU/hr
The BS receives 750 location updates per hour.
The handover rate and the location update rate were evaluated as 714 MS/hr and 750 LU/hr
respectively.
During location update, the number of signaling messages involved is higher than when there is
no mobility. This increases the demand on network resources and reduces the system's
performance. There is a need for signaling messages to be reduced in the network. This will help
the service providers to have suitable equipment for a base station in a location area.
Figure 4.3 Average LU rate against Number of calls per hour
A small location area will experience a high rate of location update and handover. As the
number of cells in an LA increases, the average rates of location update and handover decrease.
Therefore, the cell size should be increased to minimize the rate at which mobile stations are
handed over to their neighboring cells.
Figure 4.4 Average handover rates against Number of calls per hour
CHAPTER FIVE
RECOMMENDATION AND CONCLUSION
5.1 SUMMARY OF ACHIEVEMENTS
In this concluding chapter, the major findings of this work are summarized. Also,
recommendation for further work in the area is given.
5.3 RECOMMENDATION
This project provides the knowledge required by GSM operators to plan their networks
effectively. There is a need for proper signaling traffic evaluation by GSM operators, to enable
them to determine the optimum network resource size. Inadequate network resource size will
result in improper signaling. Therefore, further research work is required on the determination
of the effective and efficient network resource size required to handle the mobility of mobile
stations.
5.3 CONCLUSION
The aim of this research was to determine the number and volume of mobility signaling traffic
as against total traffic in a typical GSM network in Nigeria and to define mobility in GSM
signaling.
Therefore, in this work, data on call traffic were measured from a typical GSM network in
Nigeria. The signaling message flow structure for Signaling System No.7 (SS7) with respect to
call processing, handover and location updating was presented. The signaling messages involved
in each of the GSM call types were defined. A model was developed and used to define the
signaling messages involved in mobile stations’ mobility. Graphs were plotted to show the
behavior of mobility in a GSM network in Nigeria. These values formed the basis of the signaling
traffic quantification done in this work. It was determined that mobility traffic has a minimum
signaling number of 26 and a maximum of 36 (signaling messages), with the corresponding average
volume of 3682 [bytes]. Non-mobility traffic generated a signaling number of 70 with a
corresponding volume of 3421 [bytes].
However, the volumes in bytes of each call processing, handover and location update were used
to determine the signaling volume per GSM local, trunk and GSM to fixed network call. Each
location area has its number of cells to help reduce the number of location updates and
handovers. Higher call traffic in GSM networks means a higher volume of signaling traffic in the
network. Movement of calling subscribers while on calls, which results in mobility in the
network, generates high signaling traffic, especially when the VLR is not attached to the MSC
(VLR out). The number and size of cells in a location area also determine the amount of signaling
traffic generated in the network.
REFERENCES
[1] Sharam Hekmat. “Communication Networks,” 2005.
[2] Martin P. Clarks. “Networks and Telecommunications, Design and Operation”.
[3] www.eventhelix.com/RealtimeMantra/telecom/GSM_network_example.htm
[4] GSM system (signaling in GSM network) www.huawei.com
[5] Suthaharan Sivagnanasundaram. “GSM Mobility Management using an intelligent
network platform”.
[6] Levine.R.C. www.ms.itb.ac.id/buku/umum/telephone/structure.html
[7] William C.Y. “Wireless Telecommunication,’’ third edition, pp. 110-130.
[8] Robert G. Winch. “Telecommunication Transmission Systems.’’ McGraw-Hill, New
York, 1993.
[9] Moe Rahnema. “Overview of the GSM system and protocol architecture.’’ IEEE
Communication Magazine, April 1993.
[10] Jon E. Natvig. Stein Hansen, and Jorge de Brito, “Speech processing in the pan-European
digital mobile radio system (GSM) system overview’’, IEEE Globecom 1989,
November,pp.40-53.
[11] John M. Griffiths. “Worldwide Network and Applications Technology.’’ John Wiley
&Sons, Chichester, 2nd edition, 1992.
[12] Balston. D. M and Macario R.C.V. “The pan-European system GSM.’’ Cellular Radio
Systems. Artech House, Boston, 1993
[13] Harris. I, Balston. D. M and Macario R.C.V. “Data in the GSM cellular network. Cellular
Radio Systems.’’ Artech House, Boston, 1993.
[14] Michel Mouly and Marie-Bernadette Pautet. “The GSM System for Mobile
Communications.’’ 1992.
[15] Seshadri Mohan and Ravi Jain. “Two User Location Strategies for Personal
Communication services.’’ IEEE Personal Communications, 1(1), 1994.
[16] Christopher Rose and Roy Yates. “Impact of Location Uncertainty on Mobile
Networks”.IEEE Communication Magazine, Feb.1997 pp. 94-100.
[17] Sanjay Sharma, “Wireless Communication”,pp. 158-272.
[18] Akiyildiz, J. McNair, J, and Wang.W. “Mobility Management in the Next Generation
Wireless Systems,” proceedings of the IEEE, Vol.87, No.8, August 1999,pp.1347-1387.
[19] Heine. G. “GSM Network and Protocols.” Artech House Publishers, 1999.
[20] Christopher Rose and Roy Yates. “Minimization under delay constraints,” proc. IEEE
infocom. April 1995 pp. 490-495.
[21] www.wikipedia.org/wiki/mobilitymanagament.
[22] Goodman D, Krishman P.and Sugla B.. “Minimizing Queuing Delays and Number of
Messages in Mobile Phone Location,” ACM-NOMAD vol.1, no.1 1996.
[23] Tabbane S.. “An alternative strategy for location tracking,” IEEE JSAC, vol.13, June
1995 pp.880-892.
[24] Rose .C. “Minimizing the Average Cost of Paging and Registration A Timer-Based
Method.” ACM Wireless, vol.2.June 1996,pp. 109-116.
[25] Jain et al R., “A caching strategy to reduce Network Impacts of PCS,” IEEE JSAC, vol.
12, Oct. 1994, pp. 1434-1444.
[26] Yates et al R.. “Analysis of a Mobile-Assisted Adaptive Location Management Strategy,”
ACM Wireless Nov.1995.
[27] Bar-Noy A. and Kessler I., “Tracking Mobile Users in Wireless Networks Systems” Proc.
infocom, Mar. 1993, San Francisco, CA, pp. 1232-39.
[28] Michael Cheung and Jon Mark, “Effect of Mobility on QOS Provisioning in wireless
Communication Networks” IEEE commag.1998.
[29] Joseph H. Zheng and Jon W. Mark. “A Local VLR Cluster Approach to location
Management for PCS Networks”. IEEE/ACM Trans, Aug.1998.
[30] 3GPP, “3rd Generation Partnership Project; Technical Specification Group Services and
Systems Aspects” Architectural Requirements for Release 1999, TS 23.121, V3.6.0
(2002-6), 2002.
[31] Debashis S., Amitava M., Iti S. M., Mohuya C., “Mobility Support in IP: A Survey of
Related Protocols,” IEEE Network, November/December 2004, pp. 34-40.
[32] Perera R., Winter T., Fledderus E. R., Görg C., “Estimation of the Impact of Mobility for
Snapshot Generation in UMTS Network Simulations,” Technical Paper, Siemens AG,
Berlin, 2003.
[33] Pitoura E., Samaras G., “Locating Objects in Mobile Computing,” IEEE Transactions on
Knowledge and Data Engineering, vol. 13, no. 4, pp. 571-592, 2001.
[34] Mohan S. and Jain R., “Two User Location Strategies for PCS,” IEEE Personal
Communication, vol. 1, no. 1, pp. 42-50, 1994.
[35] Jain R., Lin Y. B. and Mohan S., “A Cache Strategy to Reduce Network Impacts of
Personal Communication Systems,” IEEE Selected Areas, Comm., vol. 12, no. 8,
pp. 1434-1445, 1994.
[36] Saran M., “Pervasive Computing Vision and Challenges,” IEEE Personal Communication,
vol. 8, no. 4, pp. 10-17, 2001.
[37] Jain R. and Lin Y. B., “An Auxiliary User Location Strategy Employing Forwarding
Pointers to Reduce Network Impacts of PCS,” IEEE Int’l Conference on Communications,
June 1995, pp. 740-744.
[38] Stuckman P., “The GSM Evolution, and Mobile Packet Data Services,” Wiley, 2003.
[39] Akyildiz I. F. et al., “Mobility Management in Current and Future Communications
Networks,” IEEE Network, vol. 12, July 1998, pp. 39-49.
[40] Zahariadis T. B. et al., “Global Roaming in Next Generation Networks,” IEEE
Comm. Mag., vol. 40, no. 2, Feb. 2002, pp. 145-51.
[41] Simpson W. A., “IP Mobility Support,” Mobile IP Working Group, IETF Internet Draft,
May 1994.
[42] Badrinath B. R. and Imielinski T., “Replication and Mobility,” in Proc. IEEE 2nd
Workshop Management of Replicated Data, Monterey, CA, Nov. 1992, pp. 9–12.
[43] Badrinath B. R., Imielinski T., and Virmani A., “Locating Strategies for Personal
Communication Networks,” in IEEE Globecom’92 Workshop Networking Personal
Communication Appl., Orlando, FL, Dec. 1992.
[44] Goodman D. J., Pollini G. and Meier-Hellstern K. S., “Network Control for Wireless
Communications,” IEEE Communication Magazine, pp. 116–124, Dec. 1992.
[45] Widjaja, “Data Communication Networks,” pp. 227-231.
[46] Meier-Hellstern K. S. and Alonso E., “The Use of SS7 and GSM to Support High Density
Personal Communications,” in Proc. IEEE ICC’92, Chicago, IL, June 1992,
pp. 1689–1702.
[47] Awduche D. O., Ganz A., and Gaylord A., “An Optimal Search Strategy for Mobile
Stations in Wireless Networks,” Proceedings ICUPC 1996, Nov. 1996.
[48] Derek Lam, Donald C. and Jennifer Widom, “Teletraffic Modeling for Personal
Communication Networks,” IEEE Com. Mag., Feb. 1997, pp. 79-110.
[49] Hong D. and Rappaport S., “Traffic Model and Performance Analysis for Cellular Mobile
Radio Telephony System with Prioritized and Non-prioritized Handoff Procedures,” IEEE
Trans. Vehic. Tech., vol. 35, August 1986, pp. 77-92.
[50] Meier-Hellstern K. S., Alonso E., “Signaling System No. 7 Messaging in GSM,” Wireless
Information Network Laboratory, Rutgers – The State University of New Jersey,
Technical Report, 1992.
[51] Meier-Hellstern K. S., Alonso E., O’Neil D. R., “The Use of SS7 and GSM to Support
High Density Personal Communications,” Wireless Information Network Laboratory,
Rutgers – The State University of New Jersey, Technical Report, 1991.
[52] Kruijt N. E., Sparreboom D., Schoute F. C. and Prasad R., “Location Management
Strategies for Cellular Mobile Networks,” Electronic & Communications Engineering
Journal, IEE, vol. 10, no. 2, April 1998, pp. 64–72.
[53] Jabbari B., “Intelligent Network Concepts in Mobile Communications,” IEEE
Communications Magazine, February 1992, pp. 64–69.
[54] Moo-Ho Cho, K-S Kim, K-R. Cho and C. Cho, “Analysis of Soft Handoff Rate in
DS-CDMA Cellular System,” ICUPC 1997, pp. 235-238.
[55] Izhak Rubin and Cheon Won Choi, “Impact of the Location Area Structure on the
Performance of Signaling Channels in Wireless Cellular Networks,” IEEE
Communication Magazine, February 1997, pp. 108-111.
[56] Southcott C. B. et al., “Voice Control of the Pan-European Digital Mobile Radio System,”
IEEE Globecom 1989, November 1989.
[57] Vary P. et al., “Speech Codec for the European Mobile Radio System,” IEEE Globecom,
November 1989.
APPENDIX A
GSM Location Update procedure [3]
[Figure: message sequence chart. Labels from the chart are listed below by type, not in signalling order.]
Participants: GSM Mobiles (Subscribers); Location Area 1 (Cell 1 (primary cell), Cell 2, LA 1 GSM Equipment, LA 1 MSC/VLR); GSM Databases (HLR); Location Area 2 (Cell, LA 2 GSM Equipment: MSC/VLR, BSC).
Annotations: BCCH; Monitor LA 1 signal strength; BCCH monitored; BCCH signal strength great; GSM reaches cell boundary (both cells in same Location Area); GSM mobile reaches LA (old and new cells are in different LAs); Enable ciphering.
RR: CHANNEL REQUEST; IMMEDIATE ASSIGNMENT; SABM + MM LOCATION UPDATING REQUEST; UA; CIPHERING MODE COMMAND; CIPHERING MODE COMPLETE; UNNUMBERED ACK.; CHANNEL RELEASE; DISCONNECT; Connection Release.
MM: LOCATION UPDATE ACCEPT; TMSI REALLOCATION COMPLETE; AUTHENTICATION RESPONSE; AUTHENTICATION RESULT.
BSSMAP: CIPHER MODE COMMAND; CIPHER MODE COMPLETE; CLEAR COMMAND; CLEAR COMPLETE.
MAP/D: UPDATE LOCATION; UPDATE LOCATION RESULT; INSERT SUBSCRIBER DATA; INSERT SUBSCRIBER DATA RESULT; CANCEL LOCATION; CANCEL LOCATION RESULT.
MAP/G: SEND PARAMETERS; SEND PARAMETERS RESULT.
APPENDIX B
Intra-MSC Handover call Procedure [3]
[Figure: message sequence chart. Labels from the chart are listed below by type, not in signalling order.]
Participants: GSM Mobile (on the highway); GSM Coverage (Cell 1, target; Cell 2, source); GSM Equipment (BSC 1, BSC 2, MSC/VLR).
Annotations: Signal quality good; Cell boundary; Signal quality poor.
RR: MEASUREMENT REPORT; HANDOVER COMMAND; HANDOVER ACCEPT; PHYSICAL INFORMATION; SABM; UA; HANDOVER COMPLETE.
BSSMAP: HANDOVER REQUIRED; HANDOVER REQUEST; HANDOVER REQUEST ACKNOWLEDGE; HANDOVER COMMAND; HANDOVER DETECTED; HANDOVER COMPLETE; CLEAR COMPLETE.
APPENDIX C
Inter-MSC Handover Procedures [3]
[Figure: message sequence chart. Labels from the chart are listed below by type, not in signalling order.]
Participants: GSM Mobile; Cell 1 and BSC 1 (Target); MSC/VLR (two); BSC 2 and Cell (Source).
Annotations: Signal Quality = Good; Signal Quality = poor; Voice; Allocate channel; End.
RR: MEASUREMENT REPORT; HANDOVER COMMAND; HANDOVER ACCEPT; PHYSICAL INFORMATION; SABM; UA; HANDOVER COMPLETE.
BSSMAP: HANDOVER REQUIRED; HANDOVER REQUEST; HANDOVER REQUEST ACK.; HANDOVER COMMAND; HANDOVER DETECTED; HANDOVER COMPLETE; CLEAR COMMAND; CLEAR COMPLETE.
MAP: PREPARE HANDOVER; PREPARE HANDOVER RESPONSE; ACCESS SIGNALING REQUEST; SEND SIGNAL; SEND END SIGNAL RESPONSE.
ISUP: IAM; ACM; ANS; REL; RLC.
APPENDIX D
Flow chart for intra-MSC handover
[Figure: flow chart spanning several pages, joined by connectors 1 to 4. Box labels are listed below by type, not in flow order.]
Terminals: Start; Terminate; End.
Decisions (YES/NO): Is signal strength satisfactory?; Is signal strength of the nearby cell better?; Is dedicated channel available?; Is user channel available?; Is handover complete?; Is channel released?
Process boxes: Mobile call is on; Monitor the signal strength; No handover; BSC initiates handover; BSC generates and sends HOR to MSC; Assign dedicated channel; Assign a user channel; BSC replies Handover request acknowledgement to MSC; MSC sends handover command message to the BSC; BSC sends handover command message to the mobile; Mobile tunes to the assigned channel; BSC informs the MSC handover accepted; BSC sends a PHYSICAL INFORMATION message to the mobile; Mobile sends SABM to establish signaling; Timer counts for completion of handover; BSC sends to the MSC Handover completion message; MSC switches the voice path; MSC initiates a RR release to the BSC; MSC initiates a channel release to the mobile; Mobile indicates that channel is released; BSS informs MSC the release of RR connection.
Flow chart for inter-MSC handover
[Figure: flow chart spanning several pages, joined by connectors 1 to 4. Box labels are listed below by type, not in flow order.]
Terminals: Start; Terminate; End.
Decisions (YES/NO): Is signal strength satisfactory?; Is signal strength of the neighboring cell better?; Is user channel available?; Is handover accepted?; Is handover complete?; Is count equal to 102?; Is RR connection released?
Process boxes: Call in conversation; Monitor the signal strength; No handover; BSC initiates handover; BSC generates and sends HOR to MSC; MAP prepares handover; MSC passes on BSSMAP HOR to the target BSC; Allocate a TCH channel; BSC prepares and sends RR HOC message to the mobile; BSC sends the BSSMAP HOR ACK. back to the MSC; BSC sends RR HOC to the mobile; MAP Allocate handover number; MAP Prepares handover response; MSC initiates an inter-MSC call to the target MSC; MSC sends BSSMAP HOC to the source BSC; BSC sends RR HOC message to the mobile; Mobile tunes to the assigned channel; BSC receives HANDOVER ACCEPT from the mobile; Timer counts the completion of handover; MAP access signaling request; BSC sends physical information to the mobile; Mobile sends SABM to BSC to establish signaling connection; MSC switches call to new voice path; MAP sends end signal; Handover complete; BSC informs the release of RR connection to the MSC; MSC indicates ISUP release complete.
APPENDIX E
GSM Originating Call Flow
[Figure: message sequence chart. Labels from the chart are listed below by type, not in signalling order.]
Participants: Mobile Station (User, Mobile); Base Stations (Cell, BSS); Mobile Network NSS (MSC/VLR); Fixed Network (PSTN).
Annotations: Send button; Connecting; Alerting Tone; Speech; Connected.
RR: CHANNEL; IMMEDIATE ASSIGNMENT; SABM + MM CM SERVICE REQUEST; UA; CIPHERING MODE COMMAND; CIPHERING MODE COMPLETE; CHANNEL MODE MODIFY; CHANNEL MODE MODIFY ACKNOWLEDGE; CHANNEL RELEASE.
SCCP: CONN. REQUEST + MM CM SERVICE REQUEST.
BSSMAP: CIPHER MODE COMMAND; ASSIGNMENT REQUEST; ASSIGNMENT COMPLETE; CLEAR COMMAND.
CC: SETUP; CALL PROCEEDING; ALERTING; CONNECT; CONNECT ACKNOWLEDGE; DISCONNECT; RELEASE; RELEASE COMPLETE.
ISUP: INITIAL ADD. MESSAGE; ADDRESS COMPLETE MESSAGE; ANSWER; RELEASE; RELEASE COMPLETE.
APPENDIX F
GSM Terminating call flow procedure [50]
[Figure: message sequence chart. Labels from the chart are listed below by type, not in signalling order.]
Participants: GSM Mobiles; Location Area 1 (Cell 1, Cell 2); LA 1 GSM Equipment (BSC, MSC/VLR); GSM Common Equipment (GMSC, HLR); Fixed Network (PSTN).
Annotations: CONVERSATION PHASE.
MAP/C: SEND ROUTING INFORMATION; SEND ROUTING INFORMATION RESULT.
MAP/D: PROVIDER ROAMING NO.; ROAMING NO. RESULT.
ISUP: INITIAL ADD. MESSAGE (shown twice); ADD. COMPLETE MESSAGE; ANSWER; RELEASED; RELEASE COMPLETE.
BSSMAP: PAGING; CIPHER MODE COMMAND; CIPHERING MODE COMPLETE; CLEAR COMMAND; CLEAR COMPLETE.
SCCP: CONNECTION REQUEST + RR PAGING RESPONSE.
RR: PAGING REQUEST; CHANNEL REQUEST; IMMEDIATE ASSIGNMENT; SABM + RR PAGING RESPONSE; UA; CIPHERING MODE COMMAND; CIPHERING MODE COMPLETE; CHANNEL RELEASE.
CC: SETUP; CALL CONFIRMED; ALERTING; CONNECT; DISCONNECT; RELEASE COMPLETE.
APPENDIX G
Columns:
(1) Time (hours)
(2) No. of mobile calling subscriber connected calls
(3) No. of mobile calling subscriber call drops
(4) No. of successful mobile calling subscriber connected calls
(5) No. of called mobile subscriber connected calls
(6) No. of called mobile subscriber call drops
(7) No. of successful called mobile subscriber connected calls
(8) Call drops due to handover
(9) No. of blocked calls

(1)            (2)    (3)    (4)    (5)    (6)    (7)    (8)    (9)
00:00-01:00    127      9    118     61     10     51      0     67
01:00-02:00     29      1     28     22      2     20      0      8
02:00-03:00     35      0     35      7      1      6      0     29
03:00-04:00     17      0     17      6      0      6      0     11
04:00-05:00     13      0     13      4      0      4      0      9
05:00-06:00    117      0     17     36      1     35      0     82
06:00-07:00    908     22    886    468     22    446      0    440
07:00-08:00   1690     43   1647   1083     43   1040      1    606
08:00-09:00   2117     58   2059   1390     35   1355      1    703
09:00-10:00   3195     83   3112   1963     56   1907      1   1204
10:00-11:00   2530     58   2472   1762     55   1707      2    763
11:00-12:00   2345     43   2302   1691     59   1632      1    669
12:00-13:00   2462     59   2403   1662     57   1605      0    798
13:00-14:00   2198     56   2142   1443     50   1393      2    747
14:00-15:00   2420     55   2365   1556     58   1498      1    866
15:00-16:00   2782     63   2719   1990     50   1940      1    778
16:00-17:00   2754     72   2682   2092     61   2031      1    650
17:00-18:00   2429     72   2357   1781     45   1736      2    619
18:00-19:00   2761     86   2675   1936     59   1877      0    798
19:00-20:00   2839     59   2780   2167     50   2117      2    661
20:00-21:00   2983     93   2890   2324     68   2256      3    631
21:00-22:00   2762     72   2690   1984     59   1925      1    764
22:00-23:00   1686    107   1579   1064     27   1037      1    541
23:00-24:00    876     56    820    458     15    443      0    377