7 Gsm

8/2/2019 7 Gsm

1/55

GSM

Global System for Mobile communication

GPRS

General Packet Radio Service

8/2/2019 7 Gsm

2/55

Examples of digital wireless systems(all originally specified by ETSI)

GSM (Global System for Mobile communication) is acellular mobile system

cellular concept high mobility (international roaming)

TETRA (TErrestrial Trunked RAdio) is an example of aProfessional/Privat Mobile Radio (PMR) system

limited access (mainly for professional usage) limited mobility (but other advanced features)

DECT (Digital Enhanced Cordless Telecommunications)is a cordless system

low mobility (only within isolated islands)

next

lecture

8/2/2019 7 Gsm

3/55

Digital PLMN systems (status 2002)

IMT-2000GSM

CDMA2000

IS-136

GPRS

EDGE

IS-95

UMTS:

USA

2nd Generation (2G) 3rd Generation (3G) 4G

UTRA FDD

UTRA TDD

(PLMN = Public Land Mobile Network)

Packetservices

More radiocapacity

FDD

8/2/2019 7 Gsm

4/55

Duplexing(separation of uplink/downlink transmission directions)

FDD (Frequency Division Duplexing)(GSM/GPRS, TETRA, UTRA FDD)

TDD (Time Division Duplexing)(DECT, UTRA TDD)

frequency

time

Uplink Downlink

UL DL UL DL... ...

duplex separation

8/2/2019 7 Gsm

5/55

FDD vs. TDD

FDD TDD

Duplex filter is large andexpensive

Large MS-BS separation=> inefficient

Different fading inUL/DL

Same fading in UL/DL

Same UL/DLbandwidth

Flexible UL/DL bandwidthallocation

=> effect on power control

asymmetric services

=> indoor

8/2/2019 7 Gsm

6/55

GSM => cellular concept

The GSM network contains a large number ofcells witha base station (BS) at the center of each cell to whichmobile stations (MS) are connected during a call.

BS

BS

BS

BS

MS

If a connected MS

(MS in call phase)moves between twocells, the call is notdropped.

Instead, the network

performs a handover(US: hand-off).

8/2/2019 7 Gsm

7/55

GSM => mobility concept

The GSM network is divided into location areas (LA),each containing a certain number of cells.

As long as an idle MS(idle = switched on)

moves within a locationarea, it can be reachedthrough paging.

If an idle MS moves between

two location areas, it cannot bereached before it performs alocation update.

Location Area 1

Location Area 3

LocationArea 2

8/2/2019 7 Gsm

8/55

Original GSM system architecture

NSSBSS

MS database

BTS

MS

MS

ME

SIM HLR

AuC

EIR

BSCMSC

VLR

GMSC

= BS

BTS

8/2/2019 7 Gsm

9/55

GSM: circuit switched connections

NSSBSS

BTS

ME

SIMHLR

AuC

EIR

GMSCBSC

MSC

VLR

Circuit switchedconnection

Signaling

MS

Database

TRAU

8/2/2019 7 Gsm

10/55

GPRS: packet switched connections

NSSBSSGMSCBSC

MSC

VLR

Packet switchedconnection

Signaling

MS

Database

BTS

HLR

AuC

EIR

GGSN

IP

backbone

PCU

SGSN

TE ME

SIM

8/2/2019 7 Gsm

11/55

Upgrading from GSM to GSM/GPRS

NSSBSSGMSCBSC

MSC

VLR

MS BTS

HLR

AuC

EIR

GGSN

IP

backbone

PCU

SGSN

New MS/terminals

Packet Control Unit (PCU)

SGSN and GGSN routers

software updates (BTS, HLR)

TE ME

SIM

8/2/2019 7 Gsm

12/55

Task division between MSC and TRAU(TRAU = Transcoding and Rate Adaptation Unit)

NSSBSS

BSC for

signalling only

13 kbit/s encoded speech ispacked into 16 kbit/s frame

Conventional64 kbit/s

PCM signal

TRAU

BSC

BTSMS

MS

MSC

VLR

8/2/2019 7 Gsm

13/55

Radio interface - multiple access techniques

Frequency divisionCode

division

Time divisiontime

code nr.

frequency

8/2/2019 7 Gsm

14/55

Radio interface - physical channels

Frame of length 8 time slots

T S S T T T T T T S S T

T T T T T TT T T T T T T

T T T T T T T T T T T T

T T T T T T T T T T T T

Carrier 0

Carrier 1

Carrier 2

Carrier 3

TS2 TS2

TS0 TS1Typically used for signaling

Time Slot

Physical channel = time slot

8/2/2019 7 Gsm

15/55

Radio interface - logical channels (GSM)

Traffic channels Control channels (for signaling)

TCH/F

TCH/H

Broadcast Common control Dedicated

SCH

FCCH

BCCH

PCH

AGCH

SDCCH

SACCH

FACCHRACH

bidirectionaldownlink

uplink

8/2/2019 7 Gsm

16/55

GSM burst structure

3 57 encrypted bits 1 26 training bits 1 57 encrypted bits 3 8.25

TS7 TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1

1 2 3 4 5 6 7 8 9 10

23 24 25 26

11 12 13 14 15

traffic or signaling info in burst?

SACCH

Idle

GSM normal burst: 156.25 bits (0.577 ms)

TDMA frame (4.615 ms):

TDMA multiframe:

= 26 TDMA frames (in case of TCH)

8/2/2019 7 Gsm

17/55

GSM speech encoding

260 bits

57 bits

260 bits

456 bits

57 bits 57 bits

bits 4, 12, 20, 28,

36, 44, etc. from

the 456 bit frame

Voice coding: 260 bits in 20 ms blocks (13 kbit/s) MS - TRAU

Channel coding: 456 coded bits (22.8 kbit/s) MS - BTS

Interleaving: 8 x 57 bits (22.8 kbit/s)

8/2/2019 7 Gsm

18/55

GSM signaling message encoding

184 bits

57 bits

456 bits

57 bits 57 bits

bits 4, 12, 20, 28,

36, 44, etc. from

the 456 bit frame

Signaling message is segmented into blocks of 184 bits:

Each block is coded into 456 bits (22.8 kbit/s)

Interleaving: 8 x 57 bits (22.8 kbit/s)

8/2/2019 7 Gsm

19/55

Task Management in GSM/GPRS

Session Management (SM) in GPRS

Call Control (CC) in GSM

Mobility Management (MM)

Radio Resource Management (RM)

MOC, MTC

PDP Context

Random access and channel reservationHandover managementCiphering (encryption) over radio interface

IMSI/GPRS Attach (switch on) and Detach (switch off)Location updating (MS moves to other Location/Routing Area)Authentication

1

3

2

4

5

6

Numberrefers to theremaining

slides

8/2/2019 7 Gsm

20/55

Who is involved in what?

MS BTS BSC MSC/VLR

RR

MM

CM / SM

SGSN

8/2/2019 7 Gsm

21/55

Random access in GSM/GPRS (1)

Communication between MS and network is not possiblebefore going through a procedure called random access.

Random access must consequently be used in

network originated activity

paging, e.g. for a mobile terminated call in GSM

MS originated activity IMSI attach, IMSI detatch GPRS attach, GPRS detach location updating in GSM or GPRS

mobile originated call in GSM SMS (short message service) message transfer

1

8/2/2019 7 Gsm

22/55

Random access in GSM/GPRS (2)

1. MS sends a short access burst over the RandomAccess CHannel (RACH) in uplink using Slotted Aloha(collision possibility retransmission)

2. After detecting the access burst, the network (BSC)returns an immediate assignment message which

includes the following information:

- allocated physical channel (frequency, time slot) inwhich the assigned signalling channel is located

- timing advance (for correct time slot alignment)

3. The MS now sends a message on the dedicatedsignalling channel assigned by the network, indicatingthe reason for performing random access.

1

8/2/2019 7 Gsm

23/55

Four security measures in GSM

1) PIN code (authentication of SIM = local securitymeasure, network is not involved)

2) User authentication (performed by network)

3) Ciphering of information sent over air interface

4) Usage of TMSI (instead of IMSI) over air interface

IMSI = International Mobile Subscriber Identity(globally unique identity)

TMSI = Temporary Mobile Subscriber Identity(local and temporary identity)

8/2/2019 7 Gsm

24/55

Basic principle of user authentication

algorithm algorithm

The same? If yes,authentication is successful

SIM(in terminal)

AirInterface

Network

Random numberChallenge

Response

Authentication key Authentication key

RAND

SRES

2

Ki Ki

8/2/2019 7 Gsm

25/55

Ciphering in GSM

algorithm algorithm

Ciphering keyTime info Ciphering keyTime info

MS BTS

Data DataCiphered data

Cipher command(time info...)

For each call, a new ciphering key (Kc) is generatedduring authentication both in MS and MSC (in same wayas authentication response).

3

Kc Kc

algorithm algorithm

8/2/2019 7 Gsm

26/55

Three security algorithms in GSM(in UMTS many more )

A3Ki

Ciphered data

Time info (from network)

RAND (from network)

Data

SRES (to network)

A8

A5

Kc

Mobile Station (MS) Network

23

8/2/2019 7 Gsm

27/55

Three security algorithms in GSMat the network side ...

A3

Ki RAND

Data

A8

A5

Kc

Serving MSCMS AuC

RAND

Ciphered data

SRES

KcTimeinfo Ki

SRES SRES

Authenticationvector

?

23

8/2/2019 7 Gsm

28/55

Algorithm considerations

Using output and one or more inputs, it is in practice notpossible to calculate backwards other input(s)brute force approach, extensive search

Key length in bits (N) is important (in case of brute forceapproach 2N calculation attempts may be needed)

Strength of algorithm is that it is secret => bad idea!security through obscurity

Better: open algorithm can be tested by engineeringcommunity (security through strong algorithm)

23

8/2/2019 7 Gsm

29/55

Usage of TMSI in GSM

MS NetworkRandom access

Authentication

Start ciphering

IMSI detach New TMSIallocated by

networkNew TMSI stored in SIM

CM or MM transaction

TMSI

23

IMSI is never

sent over airinterface if

not absolutelynecessary!

8/2/2019 7 Gsm

30/55

Connectivity states in GSM/GPRS

DisconnectedIdleConnected

IdleStandby

Ready

MS is switched off (circuit mode)location updates on LA basishandovers, not location updates

MS is switched off (packet mode)location updates on RA basis

location updates on cell basis

GSM

GPRS

4

8/2/2019 7 Gsm

31/55

GPRS connectivity state model

Idle

Ready

Standby

GPRS attach GPRS detach

Timer expired Transmission of packet

Standbytimer

expired

No location management,MS not reachable

Location update when MSchanges cell

Location update when MSchanges routing area

4

8/2/2019 7 Gsm

32/55

MM areas in GSM/GPRS

Cell

Location Area (LA)

Routing Area (RA)

Locationupdatingin GSM

Location updating in GPRS(standby state)

Location updating in GPRS(ready state)

4

8/2/2019 7 Gsm

33/55

Trade-off when choosing LA/RA size

Affects signalling load

If LA/RA size is very large (e.g. whole mobile network)

location updates not needed very oftenpaging load is very heavy

If LA/RA size is very small (e.g. single cell)

small paging loadlocation updates must be done very often

Affects capacity

+

+

4

8/2/2019 7 Gsm

34/55

Example: GSM location update (1)

ME

SIM

HLR

MSC

VLR 1

Most recently allocated TMSI and last visited LAI (Location

Area ID) are stored in SIM even after switch-off.After switch-on, MS monitors LAI. If stored and monitoredLAI values are the same, no location updating is needed.

(most generic scenario)

MSC

VLR 2

LAI 1

IMSITMSI

LAI 1IMSITMSI

IMSILAI 1

4

(in broadcast messages)

8/2/2019 7 Gsm

35/55

GSM location update (2)

ME

SIM

MSC

VLR 1

Different LAI values => location update required !

MSC

VLR 2

LAI 2

HLR

IMSILAI 1

IMSITMSI

LAI 1

IMSITMSI

4

(in broadcastmessages)

8/2/2019 7 Gsm

36/55


ME

SIM

MSC

VLR 1

SIM sends old LAI and TMSI to VLR 2.

VLR 2 does not recognize TMSI since there is no TMSI-IMSI context. Who is this user?

MSC

VLR 2

LAI 1, TMSI

HLR

IMSILAI 1

IMSITMSI

LAI 1

IMSITMSI

No TMSI- IMSIcontext

4

8/2/2019 7 Gsm

37/55


ME

SIM

MSC

VLR 1

However, VLR 2 can contact VLR 1 (address: LAI 1) and

request IMSI.

IMSI is sent to VLR 2.

MSC

VLR 2

HLR

IMSILAI 1

IMSITMSI

LAI 1

IMSITMSI IMSI

TMSI

IMSI

4

address:

LAI 1

8/2/2019 7 Gsm

38/55


ME

SIM

MSC

VLR 1

Important: HLR must be updated (new LAI). If this is not

done, incoming calls can not be routed to new MSC/VLR.

HLR also requests VLR 1 to remove old user data.

MSC

VLR 2

HLR

IMSILAI 1LAI 2

IMSITMSI

LAI 1

IMSITMSI

IMSITMSI

LAI 2

4

8/2/2019 7 Gsm

39/55


ME

SIM

MSC

VLR 1

VLR 2 generates new TMSI and sends this to user. User

stores new LAI and TMSI safely in SIM.

Location update successful !

MSC

VLR 2

HLR

IMSILAI 2

LAI 1

IMSITMSILAI 2TMSI

IMSITMSITMSI

LAI 2TMSI

4

8/2/2019 7 Gsm

40/55

GSM identifiers (1)

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)MSIN = Mobile Subscriber Identity Number (10 digits)

Globallyunique

LACLAI

MCC = Mobile Country Code (3 digits)MNC = Mobile Network Code (2 digits)

LAC = Location Area Code (10 digits)

=

Globally

unique

CI LAI + CI= CGI

Cell GlobalIdentity

MSINIMSI = GSM internalinformation

8/2/2019 7 Gsm

41/55

GSM identifiers (2)

SNCCMSISDN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)

SN = Subscriber Number

=

Globallyunique

E.164 numberingformat

TNCCMRSN

CC = Country Code (1-3 digits)NDC = National Destination Code (1-3 digits)TN = Temporary Number

=

Temporaryallocation

E.164 numbering

format

for routing to GMSC

for routing to MSC/VLR

subscriber database in HLR

temporary subscriber ID

8/2/2019 7 Gsm

42/55

GSM mobile terminated call (1)

BTS

ME

SIMHLR

AuCEIR

GMSCBSC

MSC

VLR

Circuit switched connection

Signaling (ISUP, MAP)

MS

Database

Mobile terminated call = MTC

(64 kb/s PCM, 16 kb/s between TRAU and BTS,13 kb/s encoded speech over air interface)

5

8/2/2019 7 Gsm

43/55


BTS

ME

SIMHLR

AuCEIR

BSC

MSC

VLRMS

Call is routed to GMSC using MSISDN number of called

user (e.g. 040 1234567).MSISDN number in fact points to database in HLR.

HLR is contacted. Under which MSC/VLR is user?

GMSC

5

8/2/2019 7 Gsm

44/55


BTS

ME

SIMHLR

AuCEIR

BSC

MSC

VLRMS

HLR knows location of Serving MSC/VLR (when user

moves to another VLR, this is always recorded in HLR).HLR requests MSRN (roaming number) from VLR.

MSRN is forwarded to GMSC.

GMSC

5

8/2/2019 7 Gsm

45/55


BTS

ME

SIMHLR

AuCEIR

BSC

MSC

VLRMS

Call can now be routed to Serving MSC/VLR using ISUP

(may involve several intermediate switching centers).MSC/VLR starts paging within Location Area (LA) inwhich user is located, using TMSI for identification.

GMSC

5

8/2/2019 7 Gsm

46/55


BTS

ME

SIMHLR

AuCEIR

BSC

MSC

VLRMS

Only the mobile user with the corresponding TMSI

responds to the paging.Using random access procedure, user requests achannel, e.g. SDCCH, for call control signaling.

GMSC

5

8/2/2019 7 Gsm

47/55


BTS

ME

SIMHLR

AuCEIR

BSC

MSC

VLRMS

Signaling channel is set up. After authentication and

ciphering procedures, call control signaling continues.Finally, the circuit switched connection is established upto mobile user.

GMSC

5

8/2/2019 7 Gsm

48/55

GPRS attach / PDP session

GPRS attach

MS is assigned PDP (IP) addressPacket transmission can take place

Separate or combined GSM/GPRS attachMS registers with an SGSN (authentication...)Location update possible

PDP context is created

GPRS detachPDP context terminatedAllocated IP address released

In case ofdynamicaddress

allocation

6

DHCPRADIUS

8/2/2019 7 Gsm

49/55

PDP context

PDP context describes characteristics of GPRS session(session = always on connection)

PDP context information is stored in MS, SGSN and GGSN

MS

GGSNSGSN

::::::

::::::

::::::

PDP type (e.g. IPv4)

PDP address = IP address of MS(e.g. 123.12.223.9)

Requested QoS (priority, delay )

Access Point Name (GGSN addressas seen from MS)

One user may have several PDP

sessions active

6

123.12.223.9

123.12.223.0

8/2/2019 7 Gsm

50/55

PDP context activation

MS GGSNSGSN

::::::

Activate PDP context request

Create PDP context request

Create PDP context response

Activate PDP context accept ::::::

::::::

IP address allocated to MS

Security functions

6

8/2/2019 7 Gsm

51/55

Packet transmission (1)

MS(client)

GGSN

SGSN Server(IP, WAP..)

IPbackbone

Dynamic IP address allocation has one problem:it is difficult to handle a mobile terminated transaction(external source does not know IP address of MS)

Fortunately, packet services are of client-server type=> MS initiates packet transmission

?

6

8/2/2019 7 Gsm

52/55


MS(client)

GGSN


Packet is sent to SGSN. SGSN sends packet to GGSNthrough GTP (GPRS Tunneling Protocol) tunnel.

Packet is tunneledthrough IP backbone

IP address ... IP address IP payload

Tunneling = encapsulation of IP packet in GTP packet

... = APN of GGSN, used for routing through tunnel

6

8/2/2019 7 Gsm

53/55


MS(client)

GGSN


GGSN sends packet through external IP network (i.e.Internet) to IP/WAP server.

Source IP addr. Dest. IP addr. IP payload

GGSN

Source IP

address:GGSN

Server

6

8/2/2019 7 Gsm

54/55


MS(client)

GGSN


Server sends return packet via GGSN, GTP tunnel andSGSN to MS.

Packets from server to MS are always routed via GGSN(since this node has PDP context information).

Dest. IP

address:GGSNDest. tunneladdress: SGSN

Dest. IP address: MS

6

8/2/2019 7 Gsm

55/55

Further information on GSM/GPRS

Books:

Many good books available (GSM)

Andersson: GPRS and 3G wireless applications, Wiley, 2001,Chapter 3 (GPRS)

Web material:

www.comsoc.org/livepubs/surveys/public/4q99issue/reprint4q.html (GSM system and protocol architecture)

www.comsoc.org/livepubs/surveys/public/3q99issue/

bettstetter.html (GPRS basics)Part of this source is required course material

7 Gsm

Documents

Transcript of 7 Gsm