4. 4
GSM Architecture
VLR
GMSC
B B
C
D
D
E
F F
G
E
SMS-SC
C
IWF IWF
MS MS
PSTN
ISDN
MSC EIR
B
T
S
B
T
S
BSC
BTS
A
A-Bis
B
T
S
B
T
S
A
BSC
BTS
BTS
BTS
A-Bis
other
PLMN
other
PLMN
ISDN
Um
VLR
HLR/AUC
PLMN
Um
data
data
PSTN
GSM Access
Network
Mobile
Station
GSM Core
Network
5. 5
Components of A Typical Mobile Network
Mobile
Station
Access
Network
Core
Network
6. 6
GSM Areas
MSC Region
MSC Region
MSC Region
Location Area
BSC
Cell Cell
BSC
Location
Area
Location
Area
BSC
PLMN
7. 7
Mobile Station
MS (Mobile Station)
The mobile station (MS) consists of the:
1) Mobile equipment (the terminal) having various functionalities:
DTMF Capability, SMS capability, Ciphering Algos A5/1 and
A5/2, Display capabilities, Support of Emergency calls without
SIM, Burned In IMEI.
2) A smart card called the Subscriber Identity Module (SIM) :
Security Data: Algorithm A3 and A8 , Ki
Subscriber Data: IMSI, TMSI.
PLMN Data: LAI,NCC, MCC and MNC of home PLMN. Radio
Frequency channel numbers of PLMN.
TIP: Stolen Mobiles
can be blocked with
help of IMEI number.
8. 8
BSS (Base Station Sub-system)
Base Station Controller (BSC)
The BSC manages the channel allocation/release and handovers. One BSC can
control up to tens of BTSs depending on their traffic capacity
Connected to MSC using A interface
Base Transceiver Station (BTS)
Acts as contact point for Subscribers, over the radio interface
BTS consists of Radio Interface & signal processing devices along with antenna
Each BTS channel is usually shared by 8 users in TDMA mode
Connected to BSC over Abis interface
TIP: BTS always
broadcast the LAI
information to MS via
BCCH channel.
9. 9
NSS (Network and Switching Subsystem)
Mobile Switching Centre (MSC)
Controls all connections via a separated network to/from a mobile terminal within
the domain of the MSC - several BSC can belong to a MSC.
Talks to various nodes on several interfaces.
Nodes interaction Interface Protocol Used
MSC MS A DTAP
MSC BSC A BSSMAP
MSC VLR B MAP
MSC HLR C MAP
MSC EIR F MAP
MSC SMS-SC E MAP
MSC MSC E ISUP/MAP
Performs the Switching and have overall control on the call.
Interact with other nodes during Origination and Termination half of call.
10. 10
NSS (Network and Switching Subsystem)
Home location register (HLR)
Central master database containing user data, permanent and semi-permanent data
of all subscribers assigned to the HLR (one provider can have several HLRs)
Permanent Data : IMSI,MSISDN, Subscriber SS related Information, MSC#, VLR#.
Semi-Permanent Data: Authentication triplets [RAND,SRES and Kc], MSRN, TMSI
Nodes interaction Interface Protocol Used
HLR MSC C MAP
HLR VLR D MAP
HLR SMS-SC C MAP
HLR AUC D MAP
Visitor location register (VLR)
Local database for a subset of user data, including data about all user currently in the
domain of the VLR
Local Data: IMSI,TMSI, MSRN, Authentication triplets, LAI, MSC#, HLR#
Nodes interaction Interface Protocol Used
VLR HLR D MAP
VLR VLR G MAP
VLR MSC B MAP
TIP: MSC always
contacts one VLR while
a VLR can serve to
several MSCs
11. 11
NSS (Network and Switching Subsystem)
Authentication center (AUC)
• Generates user specific authentication parameters on request of a VLR
• Authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
• Usually Integrated with HLR node.
Authentication Data: IMSI,RAND, Ki, Kc, Algorithms A3 and A8
Equipment identity register (EIR)
Registers GSM mobile stations and user rights
Stolen or malfunctioning mobile stations can be locked and sometimes even
localized
EIR Data: IMEI, Status of IMEI(While,Black or Grey).
Nodes interaction Interface Protocol Used
HLR MSC F MAP
Operation and maintenance center (OMC)
Different control capabilities for the radio subsystem and the network subsystems.
13. 13
Location Update ?
What is Location Update?
The process of Mobile Station Subscriber identifying to the Network the location in the
coverage area so that the Network can provide services to the Subscriber (using the MS)
based on the services subscribed.
Types of Location Updates –
IMSI attach/detach location update
Normal Location Update
Periodic Location Update
Key Words:
IMEI: International Mobile Equipment Identity.
IMSI : International Mobile Subscriber Identity
TMSI: Temporary Mobile Subscriber Identity
Kc: Ciphering Key.
Ki : Personal Secret Key
SRES : Signed RESponse (to authenticate subscriber)
14. 14
Types OF Location Update
IMSI Attach Location Update:
The opposite of IMSI Detach .
IMSI Attach is used by the MS to indicate that it has reentered the active state
Normal Location Update:
The MS moves across the boundaries of a location area while in the IDLE
state.
Not in case of Inter Cell movement of one location area.
Periodic Location Update:
Enables the location of the silent and stationary mobiles to be updated at a
reasonable rate .
It is invoked when the timer at the mobile expires and similar to Normal
Location Update
Map Signaling
B
C
D
F
DTAP
BSSMAP
}
16. 16
Normal Location Update
HLR MSC/VLR BSS MS
Location Update Request(LOURQ)
Connect Confirm
ID Request
ID Response
Send Authentication Information (SAI)
SAI_ACK
Authentication Request(AUTRQ)
Authentication Response(AUTRES)
Update Location(UPLOC)
Insert Subscriber Data(ISD)
ISD_ACK
Update Location Ack (UPLOCA)
Cipher Command
Cipher Complete
Location Update Accepted (LOUAC)
TMSI Relocation Complete (TMRCMP)
Clear Command (CLRCOM)
Clear Complete (CLRCMP)
Released (RLSD)
Release Complete (RLC)
TIP: This set of dialogs
not be performed as
VLR has already this
data in IMSI Attach
LOCU.
18. 18
Inter VLR Location Update
VLR1(OLD) HLR VLR2 (NEW) BSS MS
Location Update Request [TMSI]
Send Identification [UDT/BEGIN] [TMSI]
Send Identification ACK[IMSI,RAND, Kc, SRES]
Update Location [UDT/BEGIN] (UPLOC)
Insert Subscriber Data(ISD1)[UDT/CONTINUE]
------------------------------------- Insert Subscriber Data(ISD2) [UDT/CONTINUE]
-------------------------------------- Insert Subscriber Data(ISD3) [UDT/CONTINUE]
ISD_ACK [UDT/END]
Update Location Ack (UPLOCA)
Cancel Location [UDT/BEGIN]
Cancel Location ACK [UDT/END]
TIP: New VLR contacts
old VLR for
Authentication data.
Finds the Old VLR by
looking the old LAC &
Cell ID in LOCU_REQ.
19. 19
Detailed Messages (Channel Request)
Before performing any of the operation like Location Update or Originating Call,
MS has to reserve the channels for signaling or traffic. For this MS performs
the following sets of transactions with BTS and BSC.
Channel Request – MS request as channel from BTS. Uses RACCH to send this RR
msg.Also have the reason as “Location Update” of establish a connection.
Channel Required : BTS decodes the above message and send this to BSC with the
calculated distance of MS with Timing Advance.
Channel Activate: BSC informs the BTS which channel type to activate and which
channel number to reserve.
Channel Activate ACK: BTS confirms the acknowledgement.
Immediate Assignment: BSC asks to BTS to assign the reserved channel to MS.BTS
transmits the same message on AGCH.
TIP:Logical Channels
flows in
UPLINK,DOWNLINK
and Both directions.
20. 20
Detailed Messages
1. Location Update Request: MS initiated message to the network
requesting connection establishment. This “message” is actually multi-layered
with the following information:
SCCP CR message: Containing the MTP Routing Label*, Source Local
Reference Number(SLR), SCCP Calling/Called Party Addresses
BSSMAP CMPL3: Passes location information to MSC (lac +cell id)
A DTAP LOURQ message: Mobile identity (IMSI/TMSI), ClassMarkIE (20-
GSM Ph1, 00-GSM ph2,40-UMTS), Type Of Location Update(70-Normal,71-
Periodic,72-IMSI Attach).
2. Connect Confirmed – SCCP message from the Network to the BSC
indicating that a signaling connection can be made between the two entities. It
contains the following information:
Destination Local Reference Number (same as the source local reference sent
in the CMSRQ msg)*
Source Local Reference Number*
21. 21
Detailed Messages Contd…..
3. Identity Request– DTAP message from the Network to the MS requesting
its IMSI/TMSI/IMEI.
4. Identity Response –DTAP message from the MS to the Network
providing the requested identity (i.e. IMSI/TMSI).
5. Send Authentication Information (SAI): MAP message from VLR
to HLR requesting a list of services that the subscriber has subscribed.
Information includes IMSI of the Mobile Subscriber
6. SAI_ACK: MAP message from HLR to VLR acknowledging the receipt of
Send Parameters.
Information includes authentication triplets [RAND, SRES and Kc].
7. Authentication Request – DTAP message from the Network to the MS
to initiate authentication of the MS identity.
Ciphering Key Sequence Number (CkSN)
Authentication parameter RAND (used by the MS to calculate the SRES
response required for successful authentication)
22. 22
Detailed Messages Contd…..
8. Authentication Response: DTAP message from the MS to the Network to
respond to the authentication procedure. This message contains the calculated SRES.
9. Update Location- MAP message from VLR to HLR with location information of
the MS to be stored in the HLR.
10. Insert Subscriber Data - MAP message from HLR to VLR with subscriber
information
Information includes IMSI,MSISDN, Bearer Services, Tele Services, Supplementary
Services
11. Insert Subscriber Data Ack - MAP message from VLR to HLR
acknowledging the receipt of ISD
12. Update Location Ack - MAP message from HLR to VLR upon successful
completion of an Update Location request.
13. Cipher Mode Command – BSSMAP message sent from the Network to the
BSS to update the encryption parameters for the concerned MS. The encryption key is sent
in this message to the BSS.Sends Kc and Algorithm A5/1 or A5/2 be used.
14. Cipher Mode Complete – BSSMAP message sent from the BSS to the Network
to indicate that successful stream ciphering has been achieved over the Um I/F.
23. 23
Detailed Messages Contd…..
15. Location Update Accepted - DTAP message from Network to MS
indicating that the location update procedure has been successful
Information includes TMSI that the MS stores and uses in later transactions
16. TMSI Re-allocation Completed - DTAP Message from MS to Network
acknowledging the TMSI that has been received in Location Update Accepted.
17. Clear Command - BSSMAP message from Network to BSS to clear the
dedicated resource established during the Location Update Request message.
18. Clear Complete - BSSMAP Message from BSS to Network that the
associated dedicated resource has been successfully cleared
19. SCCP Released
20. SCCP Release Complete
27. 27
Mobile-to-Mobile Call contd….
MO MSC/VLR HLR EIR BSC BTS MT
Alerting
Alerting
Connect
Connect
Connect_ACK
Connect_ACK
************** CALL IS IN TALKING STATE NOW **************************
28. 28
MS-MS Call Flow (Release procedure)
MS(O) MS(T)
MSC HLR EIR
Disconnect
Release
Release Complete
Clear Complete
Disconnect
Release
Release Complete
Clear Command
Clear Complete
Released
Released Complete
Clear Command
Released Complete
Released
DTAP
SCCP
F Interface
BSSMAP
C Interface
D Interface
PSTN I/F
29. 29
Detailed Messages
1. CM Service Request – MS initiated message to the network requesting connection
establishment. In “normal” call establishment, this “message” is actually multi-layered
with the following information:
SCCP CR message: containing the MTP Routing Label*, Source Local Reference
Number*, Calling/Called Party Addresses
BSSMAP CMPL3: basically passes location information to the switch (lac and cell id)
DTAP CMSRQ message: classmark2 indication (20-GSM Ph1, 00-GSM ph2,40-
UMTS), mobile identity (IMSI/TMSI), CM Service Type (mobile originated call,
emergency call setup, short message xfer, SS Activation).
2. Connect Confirmed – SCCP message from the Network to the MS indicating
that a signaling connection can be made between the two entities. It contains the following
information:
Destination Local Reference Number (same as the source local reference sent in the
CMSRQ msg)*
Source Local Reference Number.
30. 30
Detailed Messages Contd….
3. Identity Request : DTAP message from MSC to MS for providing the
requested identity (i.e. the IMEI)
4. Identity Response – DTAP message from the MS to the Network
providing the requested identity (i.e. the IMEI).
5. Check IMEI – MAP message from the MSC to the EIR requesting IMEI validation.
This message contains MANY parameters:
SCCP Calling & Called Party address (i.e. MSC # and EIR # and their respective
SSNs)
IMEI value
Transaction ID: contained in each map message and are used to identify messages as
part of a certain dialogue between two nodes. (This has been covered in detail in the
MAP Overview)
Invoke ID: sent by the originating node to uniquely identify a request for an
operation (such as Check IMEI)
Operation Code: a unique code which identifies what is to be performed (such as
Check IMEI)
31. 31
Detailed Messages Contd….
6. Check IMEI Ack – MAP message from the EIR to the MSC telling replying the IMEI
validation request. It contains parameters similar to above including:
Equipment Status: this can be white, grey or black.
7. Setup- DTAP message sent from either the MS OR the MSC to initiate call
establishment.BASIC call setup information includes:
Speech or DATA bearer capability
Called & Calling Party Numbers
8. Send Info For Outgoing Call (SIOC) : MSC send SIOC to VLR to know the
Call Barring status of the originated call. Ex: BAOC, BAOIC etc
9. Call Complete (CC): Returned back in the response of SIOC.
Contains results of BAOC or any flavor of barring.
10. Progress – DTAP message from the MSC to the MS indicating the progress of the call in
the event of interworking
32. 32
Detailed Messages Contd….
11. Send Routing Information - MAP message sent from the GMSC to the
HLR requesting information on how to route a call towards a mobile subscriber.
This message includes previously mentioned MAP parameters including:
MSISDN: used by the HLR to determine where the called subscriber is currently
located in order to query its current VLR for a Roaming Number.
Number of Forwarding: indicates how many times the call has been forwarded (max
of 5 times)
12. Provide Roaming Number: HLR to the serving VLR requesting a roaming number
for the called subscriber. It includes:
IMSI: used by the VLR identify the called subscriber so an MSRN can be provisioned to
the MS.
13. Provide Roaming Number Ack:
Roaming Number(MSRN) : used by the originating MSC to translate to the proper MSC
where the called subscriber is located.
Forwarding Information: this includes the forwarded to number. During SRI, the HLR
may be able to make the determination of Call Forwarding before PRN is invoked (i.e.
CFU).
33. 33
Detailed Messages Contd….
14. Send Routing Info ACK: MAP message sent from the HLR to the GMSC returning
either the Roaming Number of the requested subscriber, forwarding information or an
Error.
Roaming Number: used by the originating MSC to translate to the proper MSC where the
called subscriber is located
Forwarding Information: this includes the forwarded to number. During SRI, the HLR
may be able to make the determination of Call Forwarding before PRN is invoked (i.e.
CFU
15. Paging – BSSMAP message sent from the MSC to the BSS which allows the BSS to
transmit the PAGING message to the proper cells. It Includes:
mobile identity (either TMSI or IMSI) and the cell identification.
After getting Paging Command message from BSC, BTS broadcasts the paging in Air I/F on
PCH.
16. Paging Response - Similar to the CM SERVICE REQUEST message except the
enveloped DTAP message is PGRSP instead of CMSRQ.
17. DTAP Setup.
18. SIIC/CC : Incoming calls barring check performed by MSC to VLR in same way as SIIC.
19. Call Confirmed- DTAP message sent by the called MS to the MSC to confirm
the attempted incoming call setup.
TIP: MS always listen
to PCH.
34. 34
Detailed Messages Contd….
20. Alerting – DTAP message sent by MSC to the MS to indicate that called user alerting
has begun.
21. Connect – DTAP message sent by MSC to the MS to indicate that the call has been
accepted.
22. Connect Ack – DTAP message sent by the MS to the MSC to indicate that the call is
being accepted.
23. Disconnect - DTAP message sent by the MS to the MSC indicating that the call needs to
be torn down.
36. 36
MS-to-ISUP Call
MO BSS MSC/VLR HLR ISUP
CM Serv Request
Connect Confirm
Authentication Request(AUTRQ)
Authentication Response(AUTRES)
Cipher Command
Cipher Complete
ID Request
ID Response
Setup
SIOC
CC
Call Proceeding
Assignment_Request
Assignment_Complete
Initial Address Message (IAM)
Address Complete Message (ACM)
37. 37
MS-to-ISUP Call
MO BSS MSC/VLR HLR ISUP
Alerting
Answer Message (ANM)
Connect
Connect_Ack
***************** CALL IS IN TALKING STATE HERE ************************
Disconnect
ISUP Release (REL)
Release
Release Complete (RLC)
Release Complete
Clear Command (CLRCOM)
Clear Complete (CLRCMP)
Released (RLSD)
Release Complete (RLC)
38. 38
Intra MSC- Inter BSC Handover
MO BTS1 BSC1 MSC/VLR HLR EIR BSC2
Channel request procedure
CM Serv Request
Connect Confirm
Authentication Request(AUTRQ)
Authentication Response(AUTRES)
SRES Comparison
Cipher Command
Cipher Complete
ID Request
ID Response
Check IMEI
Check IMEI ACK
Setup
HO Required
HO Request
HO request ACK
HO Command
HO Command
HO ACCESS
HO DETECT
HO Complete
HO Complete
39. 39
Intra MSC- Inter BSC Handover
BSC1 MSC/VLR HLR EIR BSC2 MO
CLR CMD
CLR CMP
Released (RLSD)
Release Complete (RLC)
Call Proceeding
SRI
PRN
PRN_ACK
SRI_ACK
Assignment_Request
Assignment_Complete
********* MO has been moved to BSC2 and rest flow of the call will remain same*************