GSM (Global System for Mobile Communication) Prepared by: Reynald Susainathan [Unit-3]
Need for development Europe had numerous coexisting analog mobile phone systems (1G), often based on similar standards but running on slightly different carrier frequencies, resulting in: Each system was incompatible with the others’ equipment and operation. Hence there was a limited market for equipment of this type.
Solution “Group Special Mobile” (GSM) was formed to study and develop a pan-European public land mobile system.
Features of the Proposed System Good subjective speech quality Low terminal and service cost Support for international roaming Ability to support handheld terminals Support for range of new services and facilities Spectral efficiency ISDN compatibility
Strategies for GSM development GSM developers chose “Digital System”, as opposed to then-standard analog cellular systems like AMPS in US and TACS in UK. They had faith in: Advancement in Compression Algorithms Digital Signal Processors Since they would allow fulfillment of the original criteria and continual improvement in QoS GSM recommendations allow: Flexibility & Competitive innovation GSM Specification provides enough standardization to: Guarantee proper internetworking between components of the system This is done by providing the following for each Functional Entity defined in the system: Functional Description & Interface Description.
GSM Versions GSM 400 (To replace analog systems in sparsely populated areas) Uplink : 450.4-457.6 / 478.8-486 MHz Downlink : 460.4-467.6 / 488.8-496 MHz GSM-Rail (For rail-road systems [GSM-R]) Offers many additional services not available in public GSM. Offers 19 exclusive channels for railroad operators for voice and data traffic. Special features: Emergency calls with acknowledgements Voice Group Call Service (VGCS) Voice Broadband Service (VBS) Advanced Speech Call Items (ASCI)
GSM-R Calls are prioritized: Calls have very short set-up times: Emergency calls less than 2s Group calls less than 5s Calls can be directed To all users at a certain location To all users with a certain function To all users within number space Trains going not faster than 160 km/h can control all gates, switches and signals themselves. GSM-R can still be used to maintain control in trains faster than 160 km/h
3 Categories of GSM Service GSM permits the integration of different voice and data services and the inter-working with existing network, offering 3 types of services: Bearer Service Tele Service & Supplementary Service
Bearer and Tele Service Model Mobile Termination (Performs all network specific tasks like TDMA, FDMA, Coding etc). It offers interface for data transmission. Mobile Station Air Interface GSM – Public Land Mobile Network Bearer Service comprises all services that enable transparent transmission of data between the interfaces to the network (i.e., ‘S’ in case of MS). Interfaces like U, S, R in ISDN have not been defined for all networks, so it depends on the specific network which interface is used as reference for transparent transmission of data. In classical GSM model, bearer services are connection-oriented and circuit- or packet-switched. These services need only the lower 3 layers of the ISO/OSI reference model. Tele Services are application specific and need all 7 layers of the ISO/OSI model.
Bearer Services Original GSM data rates: up to 9600 bit/s for non-voice services. Bearer service permits data transmission, that may be Transparent and Non-Transparent & Synchronous and Non-Synchronous Transparent Bearer Service (TBS): Uses only the function of the physical layer to transmit data. Data transmission has constant delay and throughput if no transmission error occurs. Transmission quality can be improved by use of Forward Error Correction (FEC), which codes redundancy into data stream and helps reconstruct original data if transmission errors occur. Depending on FEC, data rates of 2.4, 4.8 or 9.6 kbit/s are possible. TBS does not try to recover lost data in case of shadowing or interruption due to handover. Non-Transparent Bearer Service (NBS): Uses protocol layers 2 & 3 for error correction and flow control. These services use the TBS, adding a RLP (Radio Link Protocol). RLP comprises mechanisms like HDLC (High-Level Data Link Control) & Special selective-reject mechanism to trigger retransmission of erroneous data Achieved bit error rate is less than 10^-7, but now throughput and delay may vary depending on transmission quality.
Advantages of Bearer Services Using TBS and NBS, GSM specifies several bearer services for internetworking with PSTN, ISDN and Packet Switched Public Data Network like X.25, which is available world-wide. Data transmission can be Full-Duplex, Synchronous with data rates of 1.2, 2.4, 4.8 & 9.6 kbit/s Full-Duplex, Asynchronous from 300 to 9600 bit/s Relatively low data rates reflect the assumption that data services will only constitute a small percentage of overall traffic. But this is changing, new developments introduce new data services.
Tele-Services GSM focuses on Voice-Oriented Tele Services These comprise: Encrypted Voice Transmission Message Services & Basic Data Communication with terminals as known from PSTN or ISDN Main service is “Telephony” Hence the primary goal of GSM is “Provision of High-Quality Digital Voice Transmission” offering at least typical bandwidth of 3.1 kHz of analog phone systems. Special codecs (coder/decoder) are used for voice transmission, while other codecs are used for transmission of analog data for communication with traditional computer modems. “Emergency Number” Same number throughout Europe Mandatory service for all providers and it is free of cost Highest priority, pre-empting other connections & Will automatically be set-up with the closest emergency center.
Tele-Services Short Message Service (SMS) Offers transmission of message up to 160 characters. SMS does not use standard data channel of GSM Uses unused capacity in signaling channels. Sending / Receiving SMS possible during data / voice transmission. Applications usage – Network Operators – Content Providers – Push Service Enhanced Message Service (EMS) Successor of SMS. Large message size (760 characters), concatenating several SMSs Formatted Text Transmission of animated pictures, small images & ring tones in standardized way Multimedia Message Service (MMS) Allows transmission of large pictures (GIF, JPG, WBMP), short video clips & Comes with mobile phones that integrate small camera.
Tele-Services Group 3 Fax Non-Voice Tele Service Fax data transmitted as Digital Data over Analog Telephone Network according to ITU-standards T.4 and T.30 using modems. Transparent Fax Service is used. Fax Data & Fax Signaling is transmitted using TBS Low transmission quality causes an automatic adaptation of bearer service to lower data rates and higher redundancy for better FEC.
Supplementary-Services Similar to ISDN networks, it offers enhancement to standard telephony services Typical services offered are: User Identification Call Redirection or Forwarding of ongoing calls Standard ISDN features are also available: Closed Group Users & Multi-party Communication
Radio Subsystem Comprises radio specific entities like: MS (Mobile Station) BSS (Base Station Subsystem) RSS and NSS are connected via “A Interface” and connected to OSS via “O Interface”. “A Interface” is based on circuit-switched PCM-30 systems (2.048 Mbit/s), carrying up to 30 connections of 64 kbit/s each. “O Interface” uses Signaling system No. 7 (SS7) based on X.25 carrying management data to/from the RSS.
Components of RSS Base Station Subsystem (BSS) Base Transceiver Station (BTS) Base Station Controller (BSC) Mobile Station (MS)
Base Station Subsystem A GSM Network comprises many BSSs. BSS is controlled by BSC BSS contains several BTSs. Functions of BSS are: Maintaining radio connections to a MS. Coding / Decoding of voice & Rate adaptation to / from the wireless network part.
Base Transceiver Station BTS comprises all radio equipment like: Antennas Signal Processing Amplifiers A BTS can form a radio cell, or several cells using sectorized antennas. BTS is connected to MS via Um Interface. BTS is connected to BSC via Abis Interface. Um contains all mechanisms necessary for wireless transmission (TDMA, FDMA etc) Abis consists of 16 or 64 kbit/s connections. A GSM cell can measure between some 100 m and 35 km depending on the environment.
Base Station Controller Manages BTSs Its functionality includes: Reserves radio frequencies Handles the handover from one BTS to another within BSS Performs paging of the MS Multiplexes radio channel onto the fixed network connections at the A interface.
Mobile Station MS comprises the following for communication with GSM Network: User equipment User independent Hardware & Software Subscriber Identity Module (SIM) Stores user specific data relevant to GSM Without SIM only emergency calls are possible User can personalize MS using SIM Contains many identifiers and tables such as: Card-type Serial number A list of subscribed services Personal Identity Number (PIN) PIN Unblocking Key (PUK) An Authentication Key Ki & International Mobile Subscriber Identity (IMSI) An MS can be identified via the International Mobile Equipment Identity (IMEI), which helps in theft protection.
Mobile Station MS stores dynamic information while logging onto the GSM System, such as: Cipher Key Kc & Location Information containing: Temporary Mobile Subscriber Identity (TMSI) & Location Area Identification (LAI). Transmit power of MS: GSM 900 : 2W GSM 1800 : 1W Other types of interfaces in MS: Display Loudspeaker & Microphone Programmable soft keys Computer Modems IrDA or Bluetooth
Functionalities of NSS NSS connects the Wireless Network with standard public networks. Performs handover between different BSSs. Comprises function for worldwide localization of users Supports charging, accounting and roaming of users between different providers in different countries
NSS Switches and Databases Mobile Service Switching Center (MSC) Home Location Register (HLR) Visitor Location Register (VLR)
Mobile Service Switching Center High performance digital ISDN Switches. Forms the fixed backbone of a GSM system: Sets up connection to other MSC and to BSC via “A” interface. MSC manages several BSCs in a geographical region. Gateway MSC (GMSC) has additional connections to other fixed networks like PSTN & ISDN. Using Internetworking Functions (IWF), a MSC can connect to a Public Data Network (PDN) like X.25
Mobile Service Switching Center MSC handles all signaling needed for: Connection setup Connection release & Handover of connections to other MSCs The Standard Signaling System No. 7 (SS7) is used. Aspects of SS7: Reliable routing and delivery of control messages Establishing and monitoring of calls Features of SS7: Number portability, Free phone/toll/collect/credit calls, Call forwarding, Three-way calling MSC functions for supplementary services: Call Forwarding, Multi-party calls, Reverse charging etc.
Home Location Register (HLR) An important database in GSM system. Stores user-relevant information like: Mobile Subscriber ISDN number (MSISDN) Subscribed Services (Eg: call forwarding, roaming restrictions, GPRS) & International Mobile Subscriber Identity (IMSI) Dynamic Information is also needed: Current Location Area (LA) of MS Mobile Subscriber Roaming Number (MSRN) Current Visitor Location Register (VLR) & Current MSC
Home Location Register (HLR) Functional Aspects: As soon as MS leaves its LA HLR is updated This is needed to localize a user within a worldwide GSM Network. Supports charging and accounting HLR can manage data for several millions of customers Maintains highly specialized databases that fulfill real-time requirements to answer requests within time-bound.
Visitor Location Register (VLR) VLR is associated with each MSC VLR is a dynamic database Functional aspects of VLR: Stores all important information needed for MS users currently in LA that is associated to the MSC IMSI MSISDN HLR Address If a new MS comes into an LA, VLR copies relevant information for this user from HLR. This hierarchy of VLR and HLR avoids frequent HLR updates and long-distance signaling from the user. Typically used for localization like HLR.
OSS Entities Operation and Maintenance Centre (OMC) Authentication Center (AuC) Equipment Identity Register (EIR)
Operation & Maintenance Centre (OMC) OMC monitors & controls all other Network Entities via “O interface” (SS7 with X.25) OMC uses concepts of TMN (Telecommunication Management Network) OMC’s management functions: Traffic monitoring Status reports of network entities Subscriber Management Accounting and Billing & Security Management
Authentication Centre (AuC) Defined to protect User Identity & Data Transmission AuC contains algorithms for: Authentication Key for encryption & Values needed for user authentication in HLR. AuC is situated in a special protected part of the HLR
Equipment Identity Register (EIR) EIR is a Database for all IMEIs Stores all device identifications registered for this network. Entries in EIR White-list List of valid IMEIs Grey-list List of malfunctioning devices
Um Interface Um is a Radio Interface It comprises mechanisms needed for: Multiplexing GSM implements SDMA using cells with BTS and assigns an MS to a BTS. FDD is used to separate downlink and uplink. Media access. Combines TDMA and FDMA.
GSM - FDMA GSM 900: 124 channels, each 200 kHz wide Channel 1 & Channel 124 are not used for technical reasons. 32 channels are reserved for organizational data Remaining 90 are used for customers GSM 1800: 374 channels Each BTS manages a single channel for organizational data and up to 10 channels for user data.
GSM - TDMA Each of 248 channels is additionally separated in time via a GSM TDMA Frame. Each 200 kHz carrier is subdivided into frames that are repeated continuously. Duration of a frame is 4.615 ms. A frame is again subdivided into 8 GSM Time Slots. Each slot represents a physical TDM channel and lasts for 577 μs. Each TDM channel occupies the 200 kHz carrier for 577 μs every 4.615 ms.
Data Transmission Data is transmitted in small portions called bursts. Normal burst is shown in the previous picture. A Burst is only: 546.5 μs long and Contains 148 bits The remaining 30.5 μs is used as Guard Space. Avoids overlapping with other bursts, due to: Different path delays & Gives transmitter time to turn on and off. Filling the whole slot with data allows for transmission of 156.25 bit within 577 μs. Each physical TDM channel has a raw data rate of about 33.8 kbit/s. Each radio carrier transmits approximately 270 kbit/s over Um interface.
Normal Burst tail is set to zero; can be used to enhance receiver performance. Training sequence is used to: Adapt the parameters of the receiver to the current path propagation characteristics & Select the strongest signal in case of Multi-path propagation. S flag indicates whether the data field contains user or network control data.
Other types of Bursts Frequency correction burst Allows MS to correct the local oscillator to avoid interference with neighboring channels. Synchronization burst With an extended training sequence synchronizes MS with BTS in time. Access burst Used for the initial connection setup between MS and BTS Dummy burst Used if no data is available for a slot.
Simple Transmitter Hardware Two factors allow its use: The slot for uplink and downlink of a physical TDM channel are separated in frequency GSM 900 – 45 MHz GSM 1800 – 95 MHz uses FDD. TDMA frames are shifted in time for 3 slots: If BTS sends data at time t0 in slot one on the downlink, MS accesses slot one on uplink at time t0 + 3 · 577 μs. An MS does not need a full-duplex transmitter, a simpler half-duplex transmitter switching between receiving and sending is enough.
Slow Frequency Hopping GSM specifies an optimal slow frequency hopping: To avoid frequency selective fading MS and BTS may change the carrier frequency after each frame based on a common hopping sequence. An MS changes its frequency between up and downlink slots respectively.
[Background Reading] Co-dec: Stands for "compressor / decompressor" and "code/decode". It helps speed up data transfer. Mathematical codecs are built to encode (“shrink”) a signal for transmission and then decode it for viewing or editing. Voice Co-dec: an application of data compression of digital audio signals containing speech. Coding uses voice-specific parameter estimation using audio signal processing techniques to model the speech signal, combined with generic data compression algorithm to represent the resulting modeled parameters in a compact bitstream
Two groups of logical channels Traffic channels & Control channels
Traffic Channel (TCH) GSM uses TCH to transmit user data (Voice, fax, etc… ) Two basic categories of TCH: Full-Rate TCH (TCH/F) Data Rate : 22.8 kbit/s Half-Rate TCH(TCH/H) Data Rate : 11.4 kbit/s With voice codecs available at beginning of GSM standardization, 13 kbit/s was required, remaining capacity of TCH/F is used for error-correction (TCH/FS) Improved codecs allow for better voice coding and can use TCH/H. Using TCH/HS doubles the capacity of the GSM system for voice transmission. However, speech quality reduces with use of TCH/HS Many providers are trying to avoid them.
Traffic Channel (TCH) Standard codecs for voice are called: Full Rate (FR) : 13 kbit/s Half Rate (HR) : 5.6 kbit/s Enhanced Full Rate (EFR) : 12.2 kbit/s Provides better quality than FR as long as transmission error rate is low. Adaptive Multi-Rate (AMR) New codes Automatically chooses best mode of operation depending on the error rate, will be used together with 3G systems. Tandem-Free Operation (TFO): An additional increase in voice quality is provided This mode can be used if two MSs are exchanging voice data: In this case, coding to and from PCM encoded voice can be skipped & GSM encoded voice data is directly exchanged.
Traffic Channel (TCH) Data transmission in GSM is possible at different rates: TCH/F4.8 for 4.8 kbit/s TCH/F9.6 for 9.6 kbit/s TCH/F14.4 for 14.4 kbit/s These logical channels differ in terms of their: Coding schemes and Error correction capabilities.
Control Channel (CCH) Many different CCHs are used in a GSM system to control: Medium Access Allocation of traffic channels or Mobility Management
3 Groups of CCH Broadcast Control Channel (BCCH) Common Control Channel (CCCH) Dedicated Control Channel (DCCH)
Broadcast Control Channel (BCCH) BTS uses this channel to signal information to all MSs within a cell. Information transmitted in the channel is: The Cell identifier Options available within this cell and in neighboring cells & Frequencies available within this cell and in neighboring cells Sub-channels of BCCH: Frequency Correction Channel (FCCH): BTS sends information for frequency correction via this channel. Synchronization Channel (SCH): BTS sends information about time synchronization via this channel.
Common Control Channel (CCCH) All information regarding the connection setup between MS and BS is exchanged via CCCH. Sub-channels: Paging Channel (PCH): BTS uses this channel for calls towards an MS. Random Access Channel (RACH): If an MS wants to set up a call, it uses RACH to send data to BTS. RACH implements multiple access using slotted ALOHA. All MSs within a cell may access this channel. Access Grant Channel (AGCH): BTS uses it to signal an MS that it can use a TCH or SDCCH for further connection setup.
Dedicated Control Channel (DCCH) Previous channels are unidirectional; DCCH is bidirectional. Sub-channels of DCCH: Stand-alone Dedicated Control Channel (SDCCH): As long as an MS has not established a TCH with BTS, it uses SDCCH with a low data rate of 782 bit/s for signaling. This can comprise authentication, registration or other data needed for setting up a TCH. Slow Associated Dedicated Control Channel (SADCCH): Each TCH and SDCCH has a SADCCH associated with it for exchanging system information, such as Channel Quality & Signal Power Level Fast Associated Dedicated Control Channel (FADCCH): If more signaling information needs to be transmitted and a TCH already exists, GSM uses FADCCH. FADCCH uses Time Slots which are otherwise used by the TCH: This is necessary in case of handovers where BTS and MS have to exchange large amount of data in less time.
Accessing Time Slots Channels cannot use time slots arbitrarily: GSM specifies multiplexing schemes that integrate several hierarchies of frames. If a simple TCH/F is used for Data Transmission: Each TCH/F will have an associated SACCH. If fast signaling is required, the FACCH uses the time slots for the TCH/F. Typical usage pattern of a physical channel for data transmission looks like this: With T indicating the User Traffic in the TCH/F and S indicating the signaling traffic in SACCH TTTTTTTTTTTTSTTTTTTTTTTTTx TTTTTTTTTTTTSTTTTTTTTTTTTx 12 slots of user data followed by a signalling slot, again 12 slots with user data follow, then an unused slot. This pattern of 26 slots is repeated over and over again. Only 24 out of 26 physical slots are used for TCH/F. As each normal burst for data transmission carries 114 bit user data and is repeated every 4.615ms. This results in data rate of 24.7 kbit/s. As TCH/F uses only 24/26 slots, final data rate is 22.8 kbit/s as specified. SACCH thus has capacity of 950 bit/s.
Traffic Multi-frame The periodic pattern of 26 slots occurs in all TDMA frames with a TCH. The combination of these frames is called Traffic Multi-Frame.
GSM structuring of time using a frame hierarchy
Protocol Architecture for Signalling BSS Application Call Management Mobility Management BTS Management Radio Resource Management Link Access Procedure for D-Channel (Light-weight) Signalling System No. 7 Pulse Code Modulation
Layer-1 Physical Layer Handles all radio-specific functions: Creation of bursts according to the five different formats, Multiplexing of bursts into a TDMA Frame, Synchronization with BTS, Detection of Idle channels & Measurement of Channel Quality on the downlink. Physical layer at Um interface: Uses GMSK for digital modulation & Performs encryption / decryption of data Encryption is not performed end-to-end but only between MS and BSS over the Air Interface (Um)
Layer-1 Physical Layer Synchronization includes: Correction of individual path delay between an MS and BTS. All MSs within a cell use the same BTS and thus need to be synchronized to this BTS. BTS generates the time structure of frames, slots, etc. Here, the problematic aspect is the different round-trip times (RTT). Adjusting Access Time for Synchronization for long-distance MS. Maximum distance between MS and BSS is 35 km: An MS 35 km away has an RTT of around 0.23 ms. If this MS used the slot structure without correction, large guard spaces would be required, as 0.23 ms is already 40% of the 0.577 ms available for each slot. Hence, BTS sends the current RTT to MS, which then adjusts its access time so that all bursts reach BTS within time limits. This mechanism reduces guard space to 30.5 μs / 5%. Adjusting the access is controlled via: The variable Timing Advance, where a burst can be shifted up to 63 bit times earlier, with each bit having a duration of 3.69 μs. As the variable timing advance cannot be extended, a burst cannot be shifted earlier than 63 bit times. This results in 35 km maximum distance between an MS and a BTS. It might be possible to receive the signal over a longer distance; to avoid collisions at the BTS, the access cannot be allowed.
Layer-1 Physical Layer Important tasks of Physical Layer: Channel Coding Makes use of FEC Different logical channels of GSM use different coding schemes with different correction capabilities. Speech channel needs additional coding of voice data after analog to digital conversion, to achieve data rate of 22.8 kbit/s Error Detection / Correction. GSM Physical layer does it. It does not deliver erroneous data to the higher layers. Since voice service is the main service of GSM, the physical layer contains special functions like: Voice Activity Detection (VAD) Transmits voice data only when there is a voice signal. This helps to decrease interference as a channel might be silent approximately 60% of the time During periods of silence the physical layer generates a Comfort Noise to fake a connection, but no actual transmission takes place. The noise is even adapted to the current background noise at the communication partner’s location.
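The timing-advance mechanism on this slide, worked through as an added example (not part of the original slides). It uses the slide's figures (3.69 μs per bit, 30.5 μs guard space, maximum advance of 63 bits); the function names are hypothetical, and the simplification that a burst fits whenever its residual offset stays within the guard space is an assumption.

```python
# Added example: how Timing Advance keeps bursts inside their slot.
C_M_PER_S = 299_792_458.0   # speed of light
BIT_US = 3.69               # bit duration, from the slide
GUARD_US = 30.5             # guard space per slot, from the slide
TA_MAX = 63                 # largest timing advance in bit times, from the slide


def rtt_us(distance_m):
    """Round-trip time BTS -> MS -> BTS in microseconds."""
    return 2.0 * distance_m / C_M_PER_S * 1e6


def timing_advance(distance_m):
    """Advance (in bit times) the BTS would order, or None if out of range."""
    ta = round(rtt_us(distance_m) / BIT_US)
    return ta if ta <= TA_MAX else None


def arrival_offset_us(distance_m, ta):
    """How late the burst reaches the BTS after the MS sends `ta` bits early."""
    return rtt_us(distance_m) - ta * BIT_US


def burst_fits(distance_m, use_ta=True):
    """True if the burst lands inside its slot (residual offset <= guard space)."""
    ta = timing_advance(distance_m) if use_ta else 0
    if ta is None:
        return False          # beyond TA_MAX: access is not allowed
    return abs(arrival_offset_us(distance_m, ta)) <= GUARD_US


def max_range_m():
    """Largest distance that 63 bit times of advance can compensate."""
    return TA_MAX * BIT_US * 1e-6 * C_M_PER_S / 2.0


def report(distances_m):
    """(distance, RTT in us, TA, fits without TA, fits with TA) per MS."""
    return [(d, round(rtt_us(d), 1), timing_advance(d),
             burst_fits(d, use_ta=False), burst_fits(d, use_ta=True))
            for d in distances_m]


if __name__ == "__main__":
    # Constructed sample distances in metres.
    for row in report([1_000, 5_000, 20_000, 35_000, 36_000]):
        print(row)
    print("maximum range (m):", round(max_range_m()))
```

Without correction a burst from an MS only 5 km away already arrives later than the guard space allows; with the advance applied the residual error stays below one bit time up to the range limit.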
Layer-1 Physical Layer Delay Handling: Interleaving of data for a channel to minimize interference due to burst errors and the recurrence pattern of a logical channel generates a delay for transmission. Delay is about: TCH/FS – 60ms TCH/F9 – 100ms These times have to be added to transmission delay if communicating with an MS instead of a standard fixed station. This influences the performance of the higher layer protocols.
Layer 2: LAPDm Signalling between entities in GSM Network requires higher layers. For this purpose LAPDm protocol has been defined at the Um interface for Layer-2. LAPDm is derived from LAPD in ISDN systems, which is a version of HDLC. LAPDm is lightweight LAPD because it does not need synchronization flags or check-summing for error detection (Since GSM Physical layer does). LAPDm offers: Reliable data transfer over connections, Re-sequencing of data frames & Flow control. There is no buffering between layer 1 & 2, LAPDm obeys the frame structures, recurrence patterns etc… defined for Um interface. Further services provided by LAPDm: Segmentation & Re-assembly of data. Acknowledged / Unacknowledged data transfer.
Layer 3: Network Layer Comprises several sub-layers: Radio Resource Management (RR) Mobility Management (MM) Radio Resource Management (RR): Lowest sub-layer Only a part of this layer RR’, is implemented in BTS, remainder is situated in BSC. The functions of RR’ are supported by BSC via the BTS Management (BTSM) Main tasks of RR include: Setup, Maintenance & Release of radio channels. RR also directly accesses the physical layer for radio information and offers a reliable connection to the next higher layers.
Layer 3: Network Layer Mobility Management (MM): Contains functions for: Registration, Authentication, Identification, Location updating & Provision of a TMSI (Temporary Mobile Subscriber Identity) Replaces IMSI (International Mobile Subscriber Identity) & Hides the real identity of an MS user over an air interface. While IMSI identifies a user, the TMSI is valid only in the current location area of a VLR. MM offers reliable connection to the next higher layer
Layer 4: Call Management Layer Contains three entities: Call Control (CC) Provides point-to-point connection between two terminals and is used by higher layers for: Call establishment Call Clearing & Change of call parameters. Short Message Service (SMS) Allows message transfer using: SDCCH & SADCCH (if no signalling data is sent) Supplementary Service (SS) DTMF (Dual Tone Multiple Frequency) Provides functions to send in-band tones over GSM Network. These tones are used for: Remote control of answering machines or The entry of PINs in electronic banking & Also used for dialing traditional analog telephone systems. These tones cannot be directly sent over the voice codec of a GSM MS, as the codec would distort tones. They are transferred as signals and then converted into tones in the fixed network part of the GSM system.
Additional Protocols used Additional protocols are used at Abis and A interfaces. Data transmission at physical layer uses PCM (Pulse Code Modulation) system. PCM systems offer transparent 64 kbit/s channels, GSM also allows for sub-multiplexing of four 16kbit/s channel into a single 64 kbit/s channel. Signalling System (SS7): Used for signalling between an MSC and BSC. Transfers management information between: MSCs, HLR, VLRs, AuC, EIR & OMC MSC can also control BSS via a BSS Application (BSSAP).
Roaming As soon as the MS moves into the range of a new VLR, the HLR sends all the user data needed to the new VLR. Changing VLRs with uninterrupted availability of all services is called Roaming.
Locating & Addressing a MS We need several numbers like: MSISDN Mobile Station International ISDN Number IMSI International Mobile Subscriber Identity TMSI Temporary Mobile Subscriber Identity MSRN Mobile Station Roaming Number
MSISDN The only important number for a GSM user is the phone number. This is associated with SIM, personalized for a user. MSISDN follows the ITU-T standard E.164 for addresses as it is also used in fixed ISDN Networks. This number consists of: Country Code (CC) National Destination Code (NDC) & Subscriber Number (SN)
IMSI GSM uses IMSI for internal unique identification of a subscriber. IMSI consists of: Mobile Country Code (MCC) Mobile Network Code (MNC) Mobile Subscriber Identification Number (MSIN)
TMSI To hide the IMSI, which would give away the exact identity of the user signalling over the air interface, GSM uses a 4-byte TMSI for local subscriber identity. TMSI is selected by the current VLR and is only valid temporarily and within the location area of a VLR. Additionally VLR may change TMSI periodically.
Mobile Station Roaming Number Temporary Address that hides the identity and location of the subscriber. VLR generates this address on request from MSC, and the address is also stored in HLR. MSRN maintains: Current VCC (Visitor Country Code), VNDC (Visitor National Destination Code) The identification of the current MSC together with the subscriber number. MSRN helps the HLR to find a subscriber for an incoming call.
GSM Handover Aims at a maximum handover duration of 60ms.
Reasons for Handover Mobile station moves out of range of a BTS: Received signal level decreases continuously and falls below the minimum requirement for communication: Error rate may grow due to interference Diminishing quality of the radio link Load Balancing Wired infrastructure (MSC, BSC) decides that the traffic in one cell is too high and shifts some MS to other cell with lower load.
4 Possible Handover Scenarios in GSM Intra-cell Handover: Within a cell, Narrow-Band interference could make transmission at certain frequency impossible. BSC decides to change the carrier frequency. Inter-cell, intra-BSC Handover: MS moves from one cell to another But stays in the control of same BSC BSC performs a handover, assigns a new radio channel Inter-BSC, intra-MSC Handover: A BSC controls limited number of cells GSM performs handover between cells controlled by different BSC. This is controlled by MSC Inter-MSC Handover: Handover between two cells belonging to different MSCs. Both MSCs perform the handover together.
Handover Decision Periodic measurement of the downlink and uplink quality respectively: Done by MS and BTS, to provide necessary information for a handover due to a weak link. Link Quality comprises: Signal Level & Bit Error Rate Measurement reports are sent by MS about every half-second; containing: The quality of the current link for transmission; The quality of certain channels in the neighboring cells.
Handover Decision depending on Receive Level Here, handover decision does not depend on the actual value of the received signal level, but on the average value. BSC collects all values from BTS and MS and calculates the average. This value is compared to the threshold (HO_MARGIN), which includes some hysteresis to control the ping-pong effect; it may still occur sometimes.
Confidential Information Storage Confidential Information is stored in: AuC & Individual SIM, which stores: Personal secret data – this is protected with PIN against unauthorized use.
GSM Security Service Access Control and Authentication Step 1: Authentication for valid user of a SIM User needs secret PIN to use SIM Step 2: Subscriber Authentication Based on Challenge-response scheme Confidentiality All user related data is encrypted. After authentication, BTS and MS apply encryption to voice, data and signalling. This confidentiality exists between BTS and MS, not end-to-end Anonymity All data is encrypted before transmission & User Identifiers are not used over air Instead GSM transmits a temporary identifier (TMSI), which is newly assigned by the VLR after each location update. Additionally VLR can change TMSI periodically.
GSM Security Algorithms Authentication – Algorithm A3 Encryption – Algorithm A5 Generation of Cipher Keys – Algorithm A8 Only A5 is publicly available; A3 and A8 are secret but standardized with
Authentication Authentication is based on SIM, which stores: Authentication Key Ki, User Identification IMSI & A3 Algorithm Uses Challenge-Response Method: AC sends RAND to SIM; and SIM replies with SRES. For each IMSI, AuC does: Generation of RAND Signed Response SRES & Cipher Key Kc. AuC sends the above to HLR Current VLR requests the appropriate value for RAND, SRES & Kc from HLR. For Auth, VLR sends RAND to SIM. Both Network and Subscriber module perform the same operation with Key Ki using A3. VLR compares both values; accepts if both are equal.
Encryption User-related information is encrypted over the air interface. After auth, MS and BSS start encryption using cipher key Kc. Kc is generated using individual key Ki and a random value by applying A8. Note, SIM and Network both calculate the same Kc based on RAND. Kc is not transmitted over Air Interface. MS and BTS can encrypt and decrypt using A5 and Kc.
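The challenge-response and cipher-key derivation from the Authentication and Encryption slides, as an added example that is not part of the original slides. The slides give no A3/A8 algorithm, so HMAC-SHA-256 is substituted as a stand-in; the class and function names, the sample IMSI and the field sizes (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) are assumptions not taken from the slides.

```python
# Added example: GSM subscriber authentication and Kc agreement (simulation).
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Standard GSM field sizes in bytes (general GSM facts, not stated on the slides).
KI_LEN, RAND_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8


def _prf(ki: bytes, rand: bytes, label: bytes) -> bytes:
    """Stand-in keyed function. This is NOT the real A3 or A8."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication: (Ki, RAND) -> SRES."""
    return _prf(ki, rand, b"A3")[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Cipher key generation: (Ki, RAND) -> Kc."""
    return _prf(ki, rand, b"A8")[:KC_LEN]


class AuC:
    """Holds Ki per IMSI and produces (RAND, SRES, Kc) for the HLR/VLR."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(KI_LEN)
        return self._ki[imsi]          # written to the SIM at personalisation

    def triplet(self, imsi: str):
        ki = self._ki.get(imsi)
        if ki is None:
            return None                # unknown subscriber
        rand = secrets.token_bytes(RAND_LEN)
        return rand, a3(ki, rand), a8(ki, rand)


class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        """Ki stays on the card: SRES goes to the network, Kc to the MS."""
        return a3(self._ki, rand), a8(self._ki, rand)


@dataclass
class AuthResult:
    accepted: bool
    air_interface: list = field(default_factory=list)  # messages crossing Um
    kc_network: Optional[bytes] = None
    kc_ms: Optional[bytes] = None


def vlr_authenticate(auc: AuC, sim: SIM) -> AuthResult:
    """VLR side: fetch a triplet, send RAND, compare the returned SRES."""
    triplet = auc.triplet(sim.imsi)                    # AuC -> HLR -> VLR
    if triplet is None:
        return AuthResult(False)
    rand, sres_expected, kc = triplet
    air = [("VLR->MS", "RAND", rand)]
    sres, kc_ms = sim.respond(rand)
    air.append(("MS->VLR", "SRES", sres))
    if not hmac.compare_digest(sres, sres_expected):
        return AuthResult(False, air)
    return AuthResult(True, air, kc, kc_ms)            # both ends now hold Kc


def demo():
    imsi = "001010123456789"                           # constructed test IMSI
    auc = AuC()
    genuine = SIM(imsi, auc.provision(imsi))
    wrong_key = SIM(imsi, secrets.token_bytes(KI_LEN))  # right IMSI, wrong Ki
    return vlr_authenticate(auc, genuine), vlr_authenticate(auc, wrong_key), genuine


if __name__ == "__main__":
    good, bad, _ = demo()
    print("genuine SIM accepted:", good.accepted)
    print("wrong-Ki SIM accepted:", bad.accepted)
    for direction, name, value in good.air_interface:
        print(direction, name, value.hex())
```

Only RAND and SRES appear in the air-interface log; Ki and Kc are computed independently on each side and are never transmitted.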
Approaches HSCSD: High Speed Circuit Switched Data As GSM is based on connection-oriented traffic channel, with 9.6 kbit/s, several such channels could be combined to increase bandwidth. This is called HSCSD. GPRS: Introduction of Packet-Oriented traffic in GSM. Shifts the thinking from Connections / Telephone to Packets / Internet