GSM Concepts Handover
-
Upload
squaresimple -
Category
Documents
-
view
2.491 -
download
10
Transcript of GSM Concepts Handover
© Dr. D H Pesch, CIT, 2000 1
GSM ConceptsGSM Concepts
TelecommunicationsMSc in Software Development
© Dr. D H Pesch, CIT, 2000 2
GSM HandoverGSM Handover
• Handover is the process of switching a radio connection from one BS to another in order to maintain seamless radio connection during mobile station movement
• Handover in GSM is implemented as Mobile Assisted Handover (MAHO) and backward handover signalling
• GSM handover is hard handover as the old radio link is released before the new radio link has been fully established
→ due to non-synchronised BTSs
The overall handover process is implemented in the MS, BSS and MSC. Measurement of radio subsystem downlink performance and signal levels received from surrounding cells, is made in the MS. These measurements are signalled to the BSS for assessment. The BSS measures the uplink performance for the MS being served and also assesses the signal level of interference on its idle traffic channels. Initial assessment of the measurements in conjunction with defined thresholds and handover strategy may be performed in the BSS. Assessment requiring measurement results from other BTS or other information resident in the MSC, may be performed in the MSC.
© Dr. D H Pesch, CIT, 2000 3
Handover ProcessHandover Process
• The handover process in GSM consists of the following four steps
1. Measurements
2. Handover request
3. Handover decision
4. Handover execution
In any cellular mobile radio system handover is an essential part of radio link maintenance. In order to maintain a radio link in the light of mobility it is essential for the cellular system to be able to switch the radio link from one base station to another when the radio link quality with the exisitng base station drops below an acceptable level and/or the radio link quality with a target base station is better. The main input data into the handover process are radio link quality measurements taken by mobile station and/or base station. The handover decision can be made in the mobile station, in the base station or somewhere else in the network.
The GSM handover process is divided into four parts as indicated in the slide above. In a normal handover process, the handover request is generated by the BSC, and the handover decision and the actual handover are the responsibility of the MSC. Depending on the type of handover, functions 3 and 4 (see slide) can be implemented in the BSC.
© Dr. D H Pesch, CIT, 2000 4
Handover CriteriaHandover Criteria
• Permanent data such as transmitter power of– MS, BTS in supplying cell, BTSs in neighbour cells
• Results of real-time measurements by MS– downlink signal quality (gross bit-error-rate) - RXQUAL– downlink receive signal levelof current channel - RXLEV– downlink receive signal levelfrom neighbour cells
(BCCHs)
• Results of real-time measurements by BTS– uplink signal quality (gross bit-error-rate) - RXQUAL– uplink receive signal levelof current channel - RXLEV– uplink receive signal level from neighbour cells
• Traffic-oriented aspects (cell capacity, no. of free channels, no. of new connections waiting for TCH)
Handover is initiated by the network based on radio subsystem criteria (RF level, quality, distance) as well as network directed criteria (e.g. current traffic loading per cell, maintenance requests, etc.). In order to determine if a handover is required, due to RF criteria, the MS shall take radio measurements from neighbouring cells. These measurements are reported to the serving cell on a regular basis. When a network determines a need for a handover the procedures given in GSM 08.08 are followed. Additionally, the handover decision by the network may take into account both the measurement results from the MS and network directed criteria. The same decision process is used to determine when to perform both the Intra-MSC and Inter-MSC handover in all the procedures described in the following.
© Dr. D H Pesch, CIT, 2000 5
Measurement ProtocolMeasurement Protocol
• Measurements on current radio channel– measurement of signal strength and link quality of slot in
every frame (4.615ms measurement interval) → 100 samples per reporting period of 480ms
– reporting of average values once or twice per second (one or two 480ms SACCH blocks
• Measurement of channels in neighbour cells– up to six neighbour cells are considered– between UL and DL MS has about 2.3ms interval for
measurement of signal level from neighbour cells and 6.9ms interval to scan for neighbour cell’s BCCH frequency
– MS can measure up to 100 signal level samples per 480ms divided between the 6 strongest neighbour cells
© Dr. D H Pesch, CIT, 2000 6
Measuring Neighbour Cell SignalsMeasuring Neighbour Cell Signals
© Dr. D H Pesch, CIT, 2000 7
Measurement ParametersMeasurement Parameters
dBm
… -110-110 … -109-109 … -108-108 … -107
.
.
.-51 … -50-50 … -49-49 … -48-48 …
Bit error [%]
… 0.20.2 … 0.40.4 … 0.80.8 … 1.61.6 … 3.23.2 … 6.46.4 … 12.812.8 …
RXLEV
0123...
60616263
Average
0.140.280.571.132.264.539.0518.10
RXQUAL
01234567
Distance: m5542
s103.69sm103
2
-68
⋅=⋅⋅⋅⋅=⋅⋅= TATAtcTA
dTA bit
Signal Field Strength Signal Quality
© Dr. D H Pesch, CIT, 2000 8
Measurement ReportsMeasurement Reports• Measurement reports transmitted periodically every 480ms
interleaved over 4 SACCHs
• Measurements– Signal field strength
• from -110dBm to -48dBm (RXLEV) with relative accuracy of 1dB and absolute accuracy of 4dB (up to -70dBm) and 6dB
• Average calculated over SACCH multiframe (480ms)• Measurement of RXLEV on the allocated TCH in every frame and
at least one neighbour per TDMA frame– Signal quality
• measured in BER before channel decoding (based on training sequence) and mapped onto RXQUAL levels with accuracy of 75% for RXQUAL=1 - 4 and 95% accuracy for RXQUAL=5 -7
– Distance• absolute distance based on TA value with ±0.5 bit accuracy
→ provides about 1km spatial resolution (not too useful)
© Dr. D H Pesch, CIT, 2000 9
Measurement ResultMeasurement Result MessageMessage
© Dr. D H Pesch, CIT, 2000 10
Handover DecisionHandover Decision
• Handover decision and selection of target cell made by either BSC or MSC depending on measurements
• BSC may decide to initiate handover itself by sending HND_CMD message to BTS or to report to MSC by sending HDN_RQD that a handover is required
• In case of BSC deciding to handover, MSC is informed with HND_PERF message
© Dr. D H Pesch, CIT, 2000 11
Handover ScenariosHandover Scenarios
• Intra-BTS Handover
• Intra-BSC Handover
• Intra-MSC Handover
• Inter-MSC Handover
• Subsequent Handover
© Dr. D H Pesch, CIT, 2000 12
Transmitter Power ControlTransmitter Power Control
• The purpose of power control is reduction of interference and increase in MS battery working time
• Power control is mandatory for every MS, it is optional for a BTS
• Depending on radio link quality, BSC requests adjustment of transmitter power for MS and BTS
• Power adjustments are made over the SACCH every 480ms
• Maximum power is Pn, BTS adjustments are made relative to Pn in 2dB steps over dynamic range of 30dB
• BCCH is always transmitted at Pn
• MS power settings are set in absolute values measured in dBm (relative to 1mW)
© Dr. D H Pesch, CIT, 2000 13
GSM MS Transmitter Power LevelsGSM MS Transmitter Power Levels
C o d e G S M 9 0 0 G S M 1 8 0 0P C S 1 9 0 0
0 3 9 3 01 3 9 2 82 3 9 2 63 3 7 2 44 3 5 2 25 3 3 2 06 3 1 1 87 2 9 1 68 2 7 1 49 2 5 1 2
0 A 2 3 1 00 B 2 1 80 C 1 9 60 D 1 7 40 E 1 5 20 F 1 3 0
C o d e G S M 9 0 0 G S M 1 8 0 0P C S 1 9 0 0
1 0 1 1 01 1 9 01 2 7 01 3 5 01 4 5 01 5 5 01 6 5 01 7 5 01 8 5 01 9 5 01 A 5 01 B 5 01 C 5 01 D 5 3 61 E 5 3 41 F 5 3 2
© Dr. D H Pesch, CIT, 2000 14
MS and BTS Power ClassesMS and BTS Power ClassesGSM900 GSM1800 PCS1900
Class MS(W/dBm)
BTS(W/dBm)
MS(W/dBm)
BTS(W/dBm)
MS(W/dBm)
BTS(W/dBm)
1 -/- 320/55 1/30 20/43 1/30 20/43
2 8/39 160/52 0.25/24 10/40 0.25/24 10/40
3 5/37 80/49 4/36 5/37 2/33 5/37
4 2/33 40/46 -/- 2.5/34 -/- 2.5/34
5 0.8/29 20/43 -/- -/- -/- -/-
6 -/- 10/40 -/- -/- -/- -/-
7 -/- 5/37 -/- -/- -/- -/-
8 -/- 2.5/34 -/- -/- -/- -/-
Micro(M1)
-/- 0.25/24 -/- 1.6/32 -/- 0.5/27
Micro(M2)
-/- 0.08/19 -/- 0.5/27 -/- 0.16/22
Micro(M3)
-/- 0.03/14 -/- 0.16/22 -/- 0.05/17
© Dr. D H Pesch, CIT, 2000 15
Sample Algorithm (GSM 05.08) for Sample Algorithm (GSM 05.08) for Handover and Power ControlHandover and Power Control
• Averaging of measured values on UL and DL to reduce short-term fading effect. Parameters
– HREQAVE: no. of reports averaged
– HREQT: no. of averaged values in HND_RQD message
• Calculation of power budgetPBGT(n)=[min(MS_TXPWR_MAX, P) - RXLEV_DL - PWR_C_D]
- [min(MS_TXPWR_MAX(n), P) - RXLEV_NCELL(n)]
© Dr. D H Pesch, CIT, 2000 16
Power Control LevelsPower Control Levels
© Dr. D H Pesch, CIT, 2000 17
Handover Decision LevelsHandover Decision Levels
© Dr. D H Pesch, CIT, 2000 18
GSM Handover Threshold ValuesGSM Handover Threshold Values
© Dr. D H Pesch, CIT, 2000 19
BSS Decision AlgorithmBSS Decision Algorithm
• When threshold value comparison yields handover required → send HND_RQD to MSC indicating conditions:– RXLEV_NCELL(n) > RXLEV_MIN(n) + max(0,
MS_TXPWR_MAX(n) - P)– PBGT(n) > 0
• Conditions must be met by neighbour cell to become target cell
• Target cells are sorted by PBGT value and cell with highest PBGT is selected for handover
• If handover is considered imperative, the list can also contain neighbour cells with PBGT(n) < 0.
• If RXQUAL is low but RXLEV is fine, co-channel interference is high and intra-BTS handover is performed
© Dr. D H Pesch, CIT, 2000 20
GSM Power Budget HandoverGSM Power Budget Handover
© Dr. D H Pesch, CIT, 2000 21
MSC Decision AlgorithmMSC Decision Algorithm
• MSC evaluates handover request based on criteria:– Quality
– Signal level
– Distance
– Power budget
• There is also provision for giving individual cells priority in order to distribute traffic load– during congestion situations
– in hierarchical cellular systems for handover between cell layers
© Dr. D H Pesch, CIT, 2000 22
Problems of GSM HandoverProblems of GSM Handover
• Ping-pong Effect– HO_MARGIN = 5-10dB– Large HO_MARGIN or averaging window to
avoid ping-pong handover → loss of power budget handover or delayed handover
• Number of Handovers– Due to complexity of handover protocol GSM
tries to avoid unneccessary handovers– Due to shadow fading variations randomly
distributed handover points around best point and can cause large number of handovers
© Dr. D H Pesch, CIT, 2000 23
Proposed ImprovementsProposed Improvements
• Handover considering evolution of signal strength
• Handover utilising level crossing rate of received signals → provides estimation of MS speed
• MS speed and signal strength evolution can provide more reliable handover decision to avoid ping-pong effect → prediction based handover
© Dr. D H Pesch, CIT, 2000 24
Mobile IdentifiersMobile Identifiers
• GSM numbering follows the rules of ITU-T Rec. E.164 for ISDN numbering
• MS numbers/identifiers– MSISDN - Mobile Station ISDN Number
– IMSI - International Mobile Subscriber Identity
– MSRN - Mobile Station Roaming Number
– IMEI - International Mobile Equipment Identity
– TMSI - Temporary Mobile Subscriber Identity
© Dr. D H Pesch, CIT, 2000 25
Mobile IdentifiersMobile Identifiers
CC NDC SN
MCC MNC MSIN
CountryCode
NationalDestinationCode Subscriber Number
MobileCountryCode
MobileNetworkCode
Mobile SubscriberIdentification Number
14 - 15 digits (7 - 7.5 octets)
10 digits of less (≤ 5 octets)3 digits 2 digits
MSISDN
IMSI
© Dr. D H Pesch, CIT, 2000 26
Mobile IdentifiersMobile Identifiers
VCC VNDC SN (VMSC + VSN)
VisitorCountryCode
VisitorNationalDestinationCode VMSC = Visitor MSC
TMSITMSI
10 digits of less (≤ 5 octets)3 digits 2 digits
4 octets
MSRN
TAC FAC SNR SP
TypeApprovalCode
FinalAssemblyCode
SerialNumber Spare
IMEI
6 digits 2 digits 6 digits 1 digit
© Dr. D H Pesch, CIT, 2000 27
Network IdentifiersNetwork Identifiers
• Mobile Network Code (MNC)
• Location Area Identity (LAI)– MCC - Mobile Country Code, e.g. Ireland = 272
– MNC - Mobile Network Code, e.g. Eircell = 01
– LAC - Location Area Code (2 octets fixed code)
• Routing Area Identity (RAI) - similar to LAI
• Cell Identity (CI), 2 octets fixed length
• Global Cell Identity = LAI + CI
© Dr. D H Pesch, CIT, 2000 28
Network IdentitiesNetwork Identities
• Base Station Identity Code (BSIC)– 6 bit number consisting of
• Network Colour Code - NCC, 3 bits
• Base Station Colour Code - BCC, 3 bits
– allows MS to distinguish between neighbour base stations
• Regional Subscription Zone Identifier (RSZI)– consists of CC, MNC, ZC (2 octets fixed size)
© Dr. D H Pesch, CIT, 2000 29
SIM CardSIM Card• Microcontroller based smart card
• MS = SIM + ME (mobile equipment)
• SIM card personalises the mobile equipment
• Two types of SIM– credit card size - ISO SIM
– plug-in SIM (usually comes as an ISO from which its popped out)
• SIM architecture
– µController + RAM of 256 - 512 Byte, will to grow to 2KB (2000), several OS are in use
– ROM - 16 - 24kB (1997), will to grow to 64kB (2000)
– EEPROM - 16kB (1997), will grow to 64KB (2000)
– I/O ports
– SIM power and clock supplied by ME
© Dr. D H Pesch, CIT, 2000 30
SIM Card TypesSIM Card Types
© Dr. D H Pesch, CIT, 2000 31
SIM Card Data OrganisationSIM Card Data Organisation
• SIM card data structured in Master File (MF) and Dedicated Files (DF)
• Dedicated files, which are actually directories– DFGSM - GSM related data
– DFTELECOM telecommunication services related data
• Elementary Files (EF) hold the actual data– One record EF to hold IMSI for example
– Multiple record EF to hold phone book for example
• SIM contains security features to protect data in EF
© Dr. D H Pesch, CIT, 2000 32
SIM Card FunctionsSIM Card Functions• SIM card holds user and network related data
• SIM card is involved in GSM security– holds the PIN
– computes SRES and Kc based on algorithms A3 and A8, which are stored in SIM’s ROM
• SIM card holds data about subscriptions of services in EFSST
(service table)– SMS, Last Number Dialled, AoC, CB Message Identifier, Service
provider name, etc
• SIM card holds access level information EFACC, which determines access restriction to the network
• Stores current location information
• Holds account and charge information (for prepaid SIM card)
© Dr. D H Pesch, CIT, 2000 33
Example SIM Card Elementary FilesExample SIM Card Elementary Files
© Dr. D H Pesch, CIT, 2000 34
Location ManagementLocation Management
• GSM is a cellular system and as such divided into location areas to facilitate efficient paging
• Location areas are identified by the LAI
• LAI is broadcast within SYSTEM-INFO message on BCCH
• Size of a location area depends on expected subscriber penetration and PCH capacity
• Every time MS detects a change of LAI, that is the LAI temporarily stored in the SIM is different to LAI in SYSTEM_INFO message, location update is performed
• Upon power up of the MS, a location registration procedure is performed of which the user is oblivious
© Dr. D H Pesch, CIT, 2000 35
GSM Security ManagementGSM Security Management
• Four basic security services provided by GSM– Anonymity: TMSI assignment upon location
registration/update
– Authentication
– Signalling data and user information protection through encryption
– SIM module identifying user and IMEI identifying ME independently
• GSM algorithms for authentication and encryption are strictly confidential and not publicly available
© Dr. D H Pesch, CIT, 2000 36
AuthenticationAuthentication
• Authentication is required in every mobile radio system– to establish the authenticity of a user/equipment
– establish whether the user is allowed to access the service
• Authentication consists of a challenge and a response– network provides a challenge in form of a random number
RAND
– response SRES is derived based on algorithm A3 from challenge (RAND), authen-tication key Ki and IMSI
– MS replies to challenge by sending SRES back to network, which then compares MS’s SRES with it’s own SRES
© Dr. D H Pesch, CIT, 2000 37
Generation of Authentication ChallengeGeneration of Authentication Challenge
© Dr. D H Pesch, CIT, 2000 38
Authentication ProcessAuthentication Process
© Dr. D H Pesch, CIT, 2000 39
EncryptionEncryption
• Protecting analogue information against eavesdropping is not easy but digital transmission allows for excellent level of protection
• Encryption is the process where a series of bits are transformed by mathematical or logical functions into another series of bits
• GSM cipher algorithm A5/n uses a cipher key Kc that is generated during authentication process and stored in SIM
• Kc is generated from RAND by algorithm A8 driven by Ki
• Kc is 64 bits in length
• Ciphering is periodic based on TDMA frame number (periodic with length of hyper frame)
© Dr. D H Pesch, CIT, 2000 40
Encryption ProcessEncryption Process