Chap 5
2G: GSM System
Outlines
Introduction
GSM Architecture
Air Interface
Location Tracking and Call Setup
HandOff
Security
Summary
Introduction
Global System for Mobile Communications
(GSM) is a digital wireless network standard.
It was developed by Group Special Mobile of
Conference Europeenne des Postes et
Telecommunications (CEPT) and European
Telecommunications Standards Institute
(ETSI).
GSM Phases 1 and 2 define a digital cellular
telecommunications system.
GSM Phase 2+ targets the speech codec
and data services.
Basic Requirements set out by GSM
Original text as written by the committee in 1985
Services
Quality of Services and Security
Radio Frequency Utilization
Network
Cost
The Basic Requirements of
GSM
GSM Architecture
GSM System Structure
[Figure: SS, BSS and MS; components shown: OMC, BSC, RBS, AUC, HLR, EIR, ILR, GMSC, DTI, MSC/VLR, PSTN]
GSM Architecture
[Figure: GSM architecture. MS (ME and SIM) to BTS over the Um interface; BTS to BSC over the Abis interface, together forming the Base Station Subsystems (BSS); BSC to MSC over the A interface; the Network and Switching Subsystem (NSS) contains MSC, HLR, VLR, AUC, EIR and the GMSC, which connects to the PSTN.]
Also called Mobile Terminal (MT)
The MS consists of two parts:
Subscriber Identity Module (SIM)
Mobile Equipment (ME)
Mobile Station (MS)
A SIM contains subscriber-related information
A list of abbreviated and customized short dialing
numbers
Short message
Names of preferred Networks to provide service
Personal Identity Number (PIN).
SIM
SIM
SIM contains important information including
IMSI
Ki
TMSI
Access Control Code
Kc
LAI
SIM information can be modified:
By the subscriber either by keypad or a PC using an
RS232 connection
By sending codes through short messages (network
operators)
Mobile Equipment (ME)
ME: non-customer-related hardware and
software specific to the radio interface
The ME cannot be used if no SIM is on the MS,
except for emergency calls.
The SIM-ME design supports portability:
The MS is the property of the subscriber.
The SIM is the property of the service provider.
Base Station System (BSS)
The Base Station System (BSS) connects the
MS and NSS.
BSS contains
Base transceiver station (BTS)
Base station controller (BSC)
BTS
Base Transceiver Station (BTS) contains
Transmitter
Receiver
Signaling equipment specific to the radio
interface in order to contact the MSs.
Transcoder/Rate Adapter Unit (TRAU)
GSM-specific speech encoding/decoding and rate
adaptation in data transmission
[Figure: omni-directional antenna and directional antennas on a mast; labels: GSM 900, GSM 1800, lightning conductor]
Base Station Controller (BSC)
Radio channel assignment
Handoff management
Connect to an MSC
Connect to several BTSs
Maintain cell configuration data of these BTSs.
The BSC communicates with the BTSs via the A-bis.
BSC (1/2)
BSC (2/2)
The processor load of a BSC:
Call activities (around 20-25%)
Paging and short message service (around 10-15%)
Mobility management (handoff and location
update, around 20-25%)
Hardware checking/network-triggered events
(around 15-20%)
When a BSC is overloaded, it first rejects
location update, next MS originating calls,
then handoff.
Network and Switching Subsystem (NSS)
Telephone switching functions
Subscriber profiles
Mobility management
Components in NSS:
MSC: provide basic switching function
Gateway MSC (GMSC): route an incoming call to
an MSC by interrogating the HLR directory.
NSS (1/2)
NSS (2/2)
Components in NSS (continued):
HLR and VLR maintain the current location of the
MS.
Authentication Center (AuC) is used in the
security management.
Equipment Identity Register (EIR) is used for
the registration of MS equipment.
GSM Interfaces
[Figure: GSM interfaces. Um between MS (ME and SIM) and BTS; Abis between BTS and BSC in the BSS; A between BSC and MSC; MAP interface in the NSS (MSC, HLR, VLR, AUC, EIR, GMSC to PSTN).]
Air Interface
Radio Interface-Um (1/3)
The GSM radio link uses TDMA/FDD
technology.
890-915 MHz (uplink)
935-960 MHz (downlink)
124 pairs × 200 KHz
8 time slots (bursts) per carrier
A frame consists of 8 time slots (0.577 msec per
time slot).
The length of GSM frame in a frequency carrier is
4.615 msec.
Radio Interface-Um (2/3)
[Figure: FDMA and TDMA on the Um interface. Carriers C0 and C1 (labelled 892.2 MHz and 892.4 MHz) each carry TDMA frames of time slots TS0 to TS7, used as control and traffic channels towards the MS (downlink shown).]
GSM Normal Burst
Begins with 3 head bits and ends with 3 tail bits.
Two groups of data bits are separated by an equalizer
training sequence of 26 bits.
The flags indicate whether the information
carried is for speech/data or signaling.
Tailing (3 bits) | Data (57 bits) | Flag (1 bit) | Training (26 bits) | Flag (1 bit) | Data (57 bits) | Tailing (3 bits) | Guard (8.25 bits)
Burst (148 bits/0.564 msec)
Time Slot (156.25 bits or 0.577 msec)
Logical Channels
Traffic Channel (TCH)
TCHs are intended to carry user information
(speech or data).
Full-rate TCH (TCH/F)
Transmission speed: 13 Kbps for speech
Transmission speed: 9.6, 4.8 or 2.4 Kbps for data
Enhanced full-rate (EFR) speech coders for improving
the speech quality
Half-rate TCH (TCH/H)
Transmission speed: 6.5 Kbps speech
Transmission speed: 4.8 or 2.4 Kbps of data.
Control Channels (CCH)
CCHs: to carry signaling information
Three types of CCHs :
Broadcast channel (BCH)
Common control channel (CCCH)
Dedicated control channel (DCCH)
Broadcast Channels (BCHs)
BTS broadcasts system information to the
MSs through BCHs.
Two types in BCH:
Frequency Correction Channel (FCCH) and
Synchronization Channel (SCH)
The information allows the MS to acquire and stay
synchronized with the BSS.
Broadcast Control Channel (BCCH) (downlink)
Access information for the selected cell
Information related to the surrounding cells to support
cell selection
Location registration procedures in an MS
Three types in CCCH:
Random Access Channel (RACH) (uplink)
Used by the MSs for initial access to the network
Collisions may occur.
Slotted Aloha protocol is used to resolve access
collision.
Access Grant Channel (AGCH) (downlink)
Used by the network to indicate radio link allocation
upon prime access of an MS
Paging Channel (PCH) (downlink)
Used by the network to page the destination MS in
call termination
Common Control Channel (CCCH)
DCCH is for dedicated use by a specific MS.
Four types in DCCH:
Standalone Dedicated Control Channel (SDCCH)
(down/uplink)
used only for signaling and for short message
Slow Associated Control Channel (SACCH)
(down/uplink)
Associated with either a TCH or an SDCCH
For non-urgent procedures
Power and time alignment control information
(downlink)
Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (1/2)
Four types in DCCH (continued):
Fast Associated Control Channel (FACCH)
(down/uplink)
Used for time-critical signaling, such as call-
establishing progress, authentication of subscriber, or
handoff.
FACCH uses the TCH during a call.
May cause user data loss.
Cell Broadcast Channel (CBCH) (downlink)
Carries only the short message service cell broadcast
messages, which use the same time slot as the
SDCCH.
Dedicated Control Channel
(DCCH) (2/2)
GSM Burst Structure
Normal Burst: Tailing (3 bits) | Data (57 bits) | Flag (1 bit) | Training (26 bits) | Flag (1 bit) | Data (57 bits) | Tailing (3 bits) | Guard (8.25 bits)
Frequency Correction Burst: Tailing (3 bits) | Fixed Bits (142 bits) | Tailing (3 bits) | Guard (8.25 bits)
Synchronization Burst: Tailing (3 bits) | Data (39 bits) | Training (64 bits) | Data (39 bits) | Tailing (3 bits) | Guard (8.25 bits)
Access Burst: Tailing (3 bits) | Synch. Seq. (41 bits) | Data (36 bits) | Tailing (3 bits) | Guard (68.25 bits)
Example of Channel Usage
(GSM Call Origination)
Example of Channel Usage
(GSM Call Termination)
Mobility Databases
The hierarchical databases used in GSM.
The home location register (HLR) is a database
used for MS information management.
The visitor location register (VLR) is the database
of the service area visited by an MS.
[Figure: HLR above VLR 1 and VLR 2, with MSC 1 and MSC 2]
Key Terms
GSM uses some identifiers
Mobile system ISDN (MSISDN)
Mobile Station Roaming Number (MSRN)
International Mobile Subscriber Identity (IMSI)
Temporary Mobile Subscriber Identity (TMSI)
International Mobile station Equipment Identity
(IMEI)
Location Area Identity (LAI)
Cell Global Identity (CGI)
MSISDN
Mobile System ISDN
MSISDN uses the same format as the ISDN
address (based on ITU-T Recommendation
E.164).
HLR uses MSISDN to provide routing instructions
to other components in order to reach the
subscriber.
Country code (CC) | National destination code (NDC) | Subscriber number (SN)
Total up to 15 digits
MSRN
Mobile Station Roaming Number
The routing address to route the call to the
MS through the visited MSC.
MSRN=CC+NDC+SN
IMSI
International Mobile Subscriber Identity
Each mobile unit is identified uniquely with an
IMSI.
IMSI includes the country, mobile network, mobile
subscriber.
Mobile country code (MCC): 3 digits | Mobile network code (MNC): 1-2 digits | Mobile subscriber identification code (MSIC): up to 10 digits
Total up to 15 digits
TMSI
Temporary Mobile Subscriber Identity
TMSI is an alias used in place of the IMSI.
This value is sent over the air interface in place of
the IMSI for purposes of security.
IMEI
International Mobile Station Equipment
Identity
IMEI is assigned to the GSM at the factory.
When a GSM component passes conformance
and interoperability tests, it is given a TAC.
Type approval code (TAC): 3 digits | Final assembly code (FAC): 2 digits | Serial number (MSIC): up to 10 digits | Spare: 1 digit
Up to 15 digits
LAI
Location Area Identity
LAI identifies a location area (LA).
When an MS roams into another cell, if it is in the
same LAI, no information is exchanged.
Mobile country code (MCC): 3 digits | Mobile network code (MNC): 1-2 digits | Location area code (LAC): up to 10 digits
Total up to 15 digits
CGI
Cell Global Identity
CGI = LAI + CI
= MCC + MNC + LAC + CI
CI : Cell Identity
Home Location Register (HLR)
An HLR record consists of 3 types of
information:
Mobile station information
IMSI (used by the MS to access the network)
MSISDN (the ISDN number-“Phone Number” of the
MS)
Location information
ISDN number of the VLR (where the MS resides)
ISDN number of the MSC (where the MS resides)
Service information
service subscription
service restrictions
supplementary services
Visitor Location Register (VLR)
The VLR information consists of three parts:
Mobile Station Information
IMSI
MSISDN
TMSI
Location Information
MSC Number
Location Area ID (LAI)
Service Information
A subset of the service Information stored in HLR
Identifiers and Components
[Table: identifiers (MSC number, CGI, LAI, TMSI, IMSI, MSRN, MSISDN) mapped to components (MS, BTS, BSC, VLR/MSC, HLR)]
Location Tracking
(Mobility Management)
Location Update
[Figure: location update among BS 1, BS 2 and BS 3]
Two-level Hierarchical
Strategy
The current location of an MS is maintained
by a two-level hierarchical strategy with the
HLR and the VLRs.
[Figure: HLR above VLR 1 and VLR 2, with MSC 1 and MSC 2]
Location Area
Location area (LA) is the basic unit for
location tracking.
[Figure: three MSCs serving location areas LA 1, LA 2 and LA 3]
GSM Location Area Hierarchy
[Figure: hierarchy with the HLR at the top, then VLR1 and VLR2, MSC1 and MSC2, LA1 and LA2, and the MS]
HLR : HOME Location Register
VLR : VISITOR Location Register
MSC : Mobile Switching Center
LA : Location Area
MS : Mobile Station
Location Update Concept
Registration: the location update procedure
initiated by the MS:
Step 1. BS periodically broadcasts the LA
address.
Step 2. When an MS finds the LA of the BS different
from the one stored in its memory, it sends a
registration message to the network.
Step 3. The location information is updated.
Periodic Registration
The MS periodically sends registration
messages to the network.
The period is 6 minutes to 24 hours.
Periodic registration is useful for fault-tolerance
purposes.
GSM Basic Location Update
Procedure
In GSM, registration or location update
occurs when an MS moves from one LA to
another.
Three cases of location update:
Case 1. Inter-LA Movement
Case 2. Inter-MSC Movement
Case 3. Inter-VLR Movement
Inter-LA Registration
Two LAs belong to the same MSC.
Four major steps:
Step 1. MS sends a location update request
message (MS→BTS→MSC) .
Parameters included: TMSI, Previous LA, target LA,
previous MSC and previous VLR.
IMSI (International Mobile Subscriber Identity) is used
to identify MS.
However, the MS identifies itself by the Temporary
Mobile Subscriber Identity (TMSI).
TMSI is used to avoid sending the IMSI on the radio
path.
TMSI is a temporary identity allocated to an MS by
the VLR at inter-VLR registration.
Inter-LA Movement (1/2)
The Process continues:
Step 2. The MSC forwards the location update
request to the VLR by a TCAP message,
MAP_UPDATE_LOCATION_AREA.
Parameter includes: Address of the MSC, TMSI,
previous Location Area Identification (LAI), target LAI,
Other related information
Steps 3 and 4.
Part I. The VLR finds that both LA1 and LA2 belong to
the same MSC.
Part II. The VLR updates the LAI field of the MS.
Part III. The VLR replies with an ACK to the MS through
the MSC.
Inter-LA Movement (2/2)
Inter-MSC Registration
The two LAs belong to different MSCs of the
same VLR.
The process is:
Steps 1 and 2. MS sends a location update
request message (MS→BTS→MSC) .
Step 3.
Part I. VLR1 finds that the LA1 and LA2 belong to
MSC1 and MSC2, respectively. Two MSCs are
connected to VLR1.
Part II. VLR1 updates the LAI and MSC fields of MS.
Part III. The VLR1 derives the HLR address of the MS
from the MS’s IMSI.
Inter-MSC Movement (1/2)
The process continues:
Step 3.
Part IV. The VLR1 sends the
MAP_UPDATE_LOCATION to the HLR.
Parameter includes: IMSI, previous MSC Address,
target MSC Address, VLR Address, other related
information
Step 4. HLR updates the MSC number field of
the MS. An acknowledgement is sent to VLR1.
Steps 5 and 6. The acknowledgement is
forwarded to the MS.
Inter-MSC Movement (2/2)
Inter-VLR Registration
Message Flow
[Figure: MS moving from LA1 (MSC1, VLR1) to LA2 (MSC2, VLR2), with the HLR; numbered messages:]
1. MAP_UPDATE_LOCATION_AREA
2. MAP_SEND_IDENTIFICATION
3. MAP_SEND_IDENTIFICATION_ack
4. MAP_UPDATE_LOCATION
5. MAP_UPDATE_LOCATION_ack
6. MAP_UPDATE_LOCATION_AREA_ack
7. MAP_CANCEL_LOCATION
8. MAP_CANCEL_LOCATION_ack
MS Registration Process (2/2)
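[Figure: registration among the HLR, old VLR and new VLR, steps 1 to 5. Labels: TMSI; MS's IMSI and other authentication data; new TMSI; after successful authentication, location update is performed with the HLR; deregistration: the data in the VLR is deleted]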
Two LAs belong to MSCs connected to
different VLRs.
The process is:
Step 1. MS sends a location update request.
MSC2 sends MAP_UPDATE_LOCATION_AREA
to VLR 2 with MS’s TMSI.
Steps 2 and 3.
VLR2 does not have the record of MS.
VLR2 identifies the address of VLR1 and sends
MAP_SEND_IDENTIFICATION (with TMSI) to VLR1.
VLR1 sends IMSI to VLR2.
Inter-VLR Movement (1/2)
The process continues:
Steps 4 and 5.
VLR2 creates a VLR record for the MS.
VLR2 sends a registration message to HLR.
HLR updates the record of the MS.
HLR sends an acknowledgement back to VLR2.
Step 6.
VLR2 generates a new TMSI and sends it to the MS.
Steps 7 and 8.
The obsolete record of the MS in VLR1 is deleted.
Inter-VLR Movement (2/2)
Call Origination and
Termination
Call Origination Operation
[Figure: call origination among the MS, MSC, VLR, PSTN and terminating switch. Messages shown: 2. MAP_SEND_INFO_FOR_OUTGOING_CALL; 3. MAP_SEND_INFO_FOR_OUTGOING_CALL_ack; 4. IAM]
GSM Basic Call Origination
The process is
Step 1. MS sends the call origination request to
MSC.
Step 2. MSC forwards the request to VLR with
message
MAP_SEND_INFO_FOR_OUTGOING_CALL.
Step 3. VLR checks MS’s profile and sends
MAP_SEND_INFO_FOR_OUTGOING_CALL_ack
to MSC to grant the call request.
Step 4. MSC sets up the trunk according to the
standard PSTN call setup procedure.
Call Termination Message Flow
Call Termination (1/2)
Routing information for call termination can
be obtained from the serving VLR.
The basic call termination process:
Step 1. A MS’s ISDN (MSISDN) number is
dialed by a PSTN user. The call is routed to a
gateway MSC by an SS7 ISUP IAM message.
Step 2. GMSC sends
MAP_SEND_ROUTING_INFORMATION with
the MSISDN to HLR.
Call Termination (2/2)
The process continues:
Step 3. HLR sends a
MAP_PROVIDE_ROAMING_NUMBER to VLR.
Parameter included: IMSI of the MS, the MSC number.
Steps 4 and 5. VLR creates Mobile Subscriber
Roaming Number (MSRN) by using the MSC
number stored in the VLR record.
MSRN is sent back to the gateway MSC through HLR.
MSRN provides the address of the target MSC where
the MS resides.
Step 6. An SS7 ISUP IAM message is directed
from the gateway MSC to the target MSC to setup
the voice trunk.
[Figure: call termination message flow, steps 1 to 3, among other switches, GMSC, HLR, VLR and MSC]
The Mobile Call Termination
(Delivery) Procedure
[Figure: MSISDN, IMSI and MSRN passed between the network elements; the call is then set up following the normal PSTN procedure]
Handoff (Handover)
Handoff
Two Aspects of Mobility in a
PCS Network
Handoff
Link transfer, or Handover
A mobile user moves from one coverage area of
an old BS to the coverage area of a new BS
during the conversation.
The radio link to the old BS is disconnected and
a radio link to the new BS should be established
to continue the conversation.
Roaming
When a mobile user moves from one system to
another, the PCS system should be told the
user's location.
BS Coverage Area
BS coverage area: irregular.
In the cell boundary:
Signal from a neighboring BS
Signal from the serving BS
Otherwise: Forced termination
Handoff Cost
Handoffs are expensive,
especially for systems with small cell sizes.
Small cell sizes are used
To increase the capacity of the systems
To reduce power requirements of MSs.
Issues for Handoff
Management
Handoff detection
Who and how
Channel assignment
Radio link transfer
Handoff Detection
Strategies for Handoff
Detection
Who makes a decision for handoff?
Three handoff detection schemes:
Mobile-Controlled Handoff (MCHO)
Network-Controlled Handoff (NCHO)
Mobile-Assisted Handoff (MAHO)
Others
MCHO is used in DECT and PACS.
Part I. The MS continuously monitors the
signals of the surrounding BSs.
Part II. The MS initiates the handoff process
when some handoff criteria are met.
Mobile-Controlled Handoff
(MCHO)
Network-Controlled Handoff
(NCHO)
Used in CT-2+ and AMPS
Part I. The surrounding BSs measure the
signal from the MS.
Part II. The network initiates the handoff
process when some handoff criteria are met.
MSC controls the handoff.
Mobile-Assisted Handoff
(MAHO)
Used in GSM, IS-136 and IS-95
Part I. The network asks the MS to measure
the signal from the surrounding BSs.
Part II. The network makes the handoff
decision based on the reports from the MS.
Channel Assignment for
Handoff Calls
Channel Assignment
Purpose: to achieve a high degree of
spectrum utilization for a given grade of
service
Ex: To reduce forced terminations
Forced Terminations
Blocked call: Initial access requests fail
For new call
No available channels on the visited BS
Forced terminations: Handoff requests fail
For handoff call
No available channel on the selected BSs
Which one is more serious, new call blocking or
forced termination?
Some trade-offs
Service quality
Spectrum utilization
Implementation complexity of the channel
assignment algorithm
Number of database lookups
Flowchart for Non-prioritized
Scheme
[Flowchart: new or handoff call arrival → channel available? yes → channel assigned → ongoing call → channel released; no → channel blocked]
Flowchart for Reserved
Channel Scheme
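[Flowchart: new call arrival → normal channel available? yes → channel assigned; no → channel blocked. Handoff call arrival → normal channel available? yes → channel assigned; no → reserved channel available? yes → channel assigned; no → channel blocked. Channel assigned → ongoing call → channel released]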
Link Transfer
Two operations:
The radio link is
transferred from the
old BS to the new BS.
The network bridges
the trunk to the new
BS and drops the trunk
to the old BS.
[Figure: MSC connected to the old BS and the new BS]
Five Distinct Link Transfer
Cases (1/3)
1. Intra-BTS handoff or intra-cell handoff
2. Inter-BTS handoff or inter-cell handoff
3. Inter-BSC handoff
4. Inter-MSC handoff or intersystem handoff
5. Intersystem handoff between two PCS
networks
Inter-BSC Handoff
[Figure: MSC 1 with BSC 1 (old BS) and BSC 2 (new BS); (a) before handoff, (b) after handoff]
Intra-MSC
Participants: MS, Target BSS, MSC, Serving BSS
1 STRN_MEAS
2 HAND_REQ
3 HAND_REQ
4 HAND_REQ_ACK
5 HAND_COMM
6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP
12 REL_RCH
13 REL_RCH_COMP
Inter-MSC Link Transfer
[Figure: MSC A (BS 1) and MSC B (BS 2) connected to the PSTN, showing the trunk (a) before handoff and (b) after handoff]
Inter-MSC (1/2)
Participants: MS, Serving MSC, Serving BSS, Target MSC, Target BSS, Target VLR
1 STRN_MEAS
2 HAND_REQ
3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK
8 HAND_PER_ACK
9 NET_SETUP
10 SETUP_COMP
11 HAND_COMM
12 HAND_COMM
Inter-MSC (2/2)
Participants: MS, Serving MSC, Serving BSS, Target MSC, Target BSS, Target VLR
13 HAND_ACC
14 CHH_INFO
15 HAND_DET
16 HAND_COMP
17 HAND_COMP
18 SEND_ENDING
19 ANSWER
20 REL_RCH
21 REL_RCH_COMP
22 END_SIGNAL
23 NET_REL
24 ERL_HAND_NUM
Anchor MSC
[Figure: MSC A, MSC B and MSC C with BS 1 to BS 5; handoffs numbered 1 to 4]
MSC A is the anchor MSC.
1: inter-BS handoff 2: handoff forward
3: handoff back 4: handoff to the third
Path Minimization
[Figure: path minimization among MSC A, MSC B and MSC C. (a) Handoff forward; (b) Handoff backward; (c) Handoff to the third; (d) Path minimization]
Radio Link Transfer
Hard Handoff
MS connects with only one
BS at a time.
Interruption in the
conversation occurs
Used in TDMA and FDMA
systems
We will study the signaling of
handoff:
MCHO Link Transfer
MAHO/NCHO Link Transfer
Subrating MCHO Link Transfer
[Figure: MSC connected to the old BS and the new BS]
Hard Handoff Link Transfer for
MCHO
A handoff request message is initiated by the
MS.
The network can also initiate the handoff,
but the MS always chooses the BS.
MS selects a new radio channel.
If a handoff failure occurs, the MS link-quality
maintenance process must decide what to do
next.
Soft Handoff
MS connects to multiple BSs
simultaneously.
BSs use the same frequency.
BSs must be synchronized.
The network must combine
the signals from the multiple
BSs simultaneously.
Soft handoff is more
complicated than hard
handoff.
[Figure: MSC connected to BS 1 and BS 2]
Mobility Management
Mobility management procedures begin
when a system detects the presence of a
visiting terminal.
(1) serving base station → serving MSC
(inform MSC the terminal’s action)
(2) MSC records that the terminal is in its
operating area
(3) MSC sends this information to its VLR.
(4) VLR notifies the terminal’s HLR.
(5) HLR notifies the old VLR to erase record.
Figure 4.4 Registration of a terminal in a visited service area.
[Figure: message flow after power on among the home MSC, visited MSC, base stations, serving VLR, HLR, prior VLR and prior MSC. Messages shown: registration notification invoke (contains MIN, ECN, SID); registration notification invoke (contains MIN, ECN, SID, address of VLR); registration cancellation invoke; profile request invoke; profile request result.]
Handoff Categories
IS-41 specifies three handoff protocols:
handoff forward, handoff back, and handoff to
third.
Intersystem handoff requires dedicated
communication links between a pair of
MSCs:
voice trunks: for carrying user information in
calls handed from one MSC to another
data links: for carrying control messages
between the two switches.
Handoff forward:
The terminal moves into
the service area of system
B causing MSC-A and
MSC-B to perform a
handoff.
MSC-A is the anchor MSC
MSC-A is responsible for
routing the call to the
remote party.
MSC-B is the serving
MSC because it currently
has control of the call.
After handoff, MSC-B is
the target MSC.
Figure 4.8 The situation after a handoff
forward from system A (anchor system) to
system B (serving system).
Handoff Back:
The terminal can return to
the service area of system
A.
MSC-B recognizes that
the call arrived from
system A and it initiates a
handoff back protocol,
which releases the voice
circuit between MSC-A
and MSC-B.
Without this protocol, the
systems would tie up two
voice trunks
one taking the call
from system A to
system B
the other taking it from
system B to system A.
Handoff forward:
It is possible that the
terminal will move from
system B to a third system C.
This produces two
possibilities in Figures 4.9
and 4.10.
In Figure 4.9, MSC-B and
MSC-C perform a handoff
forward procedure like the one
that moved the call from
system A to system B.
System B provides a path
from MSC-A to MSC-C.
The situation can continue,
adding more and more
MSCs to the chain, up to a
limit established by the
anchor system.
Figure 4.9 Call path after handoff forward to
system C
Handoff to third:
An alternative occurs when
there is a direct connection
between systems A and C.
IS-41 includes a protocol
referred to as handoff to
third, which establishes a
direct link between MSC-A
and MSC-C and releases the
link between A and B.
Figure 4.10 If there are circuits connecting MSC-A
and MSC-C, the system performs handoff to third.
Handoff Protocols
There are two phases to every handoff
procedure.
Location phase
the serving MSC collects measurement reports
from cells in the neighborhood of the cell
presently occupied by a terminal.
When measurements are required from one or
more cells in a system adjacent to the serving
system, the adjacent system becomes a
candidate system.
The serving MSC and a candidate MSC
exchange handoff measurement request
messages.
A HANDOFF MEASUREMENT REQUEST
INVOKE message, transmitted by the serving
MSC includes:
information about the terminal (station class mark,
SCM, indicates the capabilities of the terminal)
information about the serving base station (SAT and
a base station identifier), and
information about the radio channel carrying the call
(channel number).
Based on the identity of the serving base station,
the candidate MSC selects one or more
candidate cells and transmits a HANDOFF
MEASUREMENT REQUEST RESULT message
to the serving MSC.
The HANDOFF MEASUREMENT REQUEST
RESULT message contains identities of candidate
cells and associated signal strength measurements.
The serving MSC selects a target cell for the handoff.
If the target cell is served by a candidate MSC, this
MSC becomes the target MSC for the handoff.
The handoff procedure then moves from the location
phase to the handoff phase.
Handoff phase:
the serving MSC determines the type of handoff to
initiate (forward, back, or handoff to third).
Handoff Forward Protocol:
The serving MSC sends a FACILITIES DIRECTIVE
INVOKE message to the target MSC.
This message contains:
information about the terminal (SCM, MIN, ESN)
information about the call:
billing ID (established by the anchor MSC at the beginning
of the call);
inter-MSC circuit (voice trunk that will carry the call from
the serving MSC to the target MSC);
inter-switch count (the total number of MSCs through which
the call will pass after the handoff);
information about the call status (serving cell, serving channel);
and
target cell identifier (based on measurement reports from the
target MSC).
If the target MSC accepts the handoff, it selects a channel
to handle the call in the new cell and then sends a
FACILITIES DIRECTIVE RESULT message to the serving
MSC.
This message contains information about the new channel:
channel number, SAT, and transmit power level (VMAC).
On receiving this message, the serving MSC sends an
AMPS HANDOFF message to the terminal through the
serving cell.
When the target base station detects the SAT, it sends a
message to the target MSC which completes the handoff
forward operation by sending a MOBILE ON CHANNEL
INVOKE message to the prior serving MSC.
Figure 4.11 Message sequence and system operations for handoff forward.
Handoff Back Protocol:
If the location phase results in a determination by the
serving MSC(MSC-B) that the call would best be handled
in the system(system A) previously occupied by the
terminal, the serving MSC initiates a handoff back
procedure.
It (MSC-B) sends a HANDOFF BACK INVOKE message
to the previous MSC (MSC-A), which is now the target
MSC of the handoff protocol.
The message plays the same role as the FACILITIES
DIRECTIVE INVOKE message.
The target MSC (MSC-A) sends HANDOFF BACK
RESULT message to the serving MSC (MSC-B).
This message contains the same information as the
FACILITIES DIRECTIVE RESULT message.
When the target MSC(MSC-A) learns that the terminal has
arrived on the assigned channel at the target base station,
it sends a FACILITIES RELEASE INVOKE message to the
serving MSC (MSC-B).
This message identifies the voice trunk that carries the call
between the two MSCs.
On receiving this message, the serving MSC (MSC-B)
releases the voice trunk and sends a FACILITIES
RELEASE RESULT message to the target MSC.
Any two MSCs in a chain can perform the handoff back
protocol.
Handoff to third Protocol:
Handoff to third protocol is an example of path
minimization procedure, in which the system reduces the
number of voice trunks carrying a call through three or
more systems.
Security
GSM security is addressed in two aspects:
authentication and encryption.
Authentication avoids fraudulent access by a
cloned MS.
Encryption avoids unauthorized listening.
Parameters
Parameters:
Ki is used to achieve authentication.
Ki is stored in the AuC and SIM.
Ki is not known to the subscriber.
RAND
A 128-bit random number generated by the home
system.
SRES is generated by algorithm A3.
Kc is generated by algorithm A8 for the encryption.
Frame Number
A TDMA frame number encoded in the data bits.
Algorithms
Authentication Algorithms:
A3.
Authentication function.
In AuC and SIM
Encryption Algorithms:
A8.
To generate the encryption Key
In AuC and SIM
A5.
An algorithm stored in the MS (handset hardware) and
the visited system.
Used for the data ciphering and deciphering
Authentication and Encryption
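[Figure: authentication and encryption across the Mobile Station, Visited System and Home System. On both the Mobile Station and Home System sides, Ki and RAND feed A3 (producing SRES) and A8 (producing Kc). Authentication: the two SRES values are compared (equal? yes: accept; no: reject). Encryption: A5 takes Kc and the frame number to turn data into ciphered data and back.]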
Authentication by Triplet
Triplet: RAND, SRES, Kc
AuC→HLR→VLR in advance
Example: Authentication in registration
New VLR uses LAI to find old VLR.
Old VLR sends triplets to new VLR.
New VLR challenges MS by using RAND and
SRES.
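The triplet procedure above, as an added example that is not part of the original slides: the AuC precomputes (RAND, SRES, Kc) triplets, the old VLR passes them to the new VLR, and the new VLR challenges the MS without ever holding Ki. HMAC-SHA256 stands in for the operator-chosen A3/A8 (an assumption, as are the class names and the constructed test IMSI); the 32-bit SRES and 64-bit Kc sizes follow the GSM specifications.

```python
import hashlib
import hmac
import secrets

# Stand-ins for A3 and A8 (assumption). The real algorithms are chosen by the
# operator and are not given on the slides; HMAC-SHA256 only makes the flow run.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Authentication function: (Ki, RAND) -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Key generation function: (Ki, RAND) -> 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Home system: the only network element that stores Ki."""
    def __init__(self):
        self._ki = {}                                  # IMSI -> Ki

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def make_triplets(self, imsi: str, count: int):
        """Generate (RAND, SRES, Kc) triplets to hand to a VLR in advance."""
        ki = self._ki[imsi]
        triplets = []
        for _ in range(count):
            rand = secrets.token_bytes(16)             # 128-bit RAND
            triplets.append((rand, a3(ki, rand), a8(ki, rand)))
        return triplets


class SIM:
    """Subscriber side: holds Ki and runs A3/A8; Ki never leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)                   # session key for A5
        return a3(self._ki, rand)                      # SRES sent to the network


class VLR:
    """Visited system: authenticates with stored triplets, never sees Ki."""
    def __init__(self):
        self._triplets = {}                            # IMSI -> unused triplets

    def store(self, imsi: str, triplets) -> None:
        self._triplets.setdefault(imsi, []).extend(triplets)

    def hand_over(self, imsi: str):
        """Old VLR gives its unused triplets to the new VLR at registration."""
        return self._triplets.pop(imsi, [])

    def remaining(self, imsi: str) -> int:
        return len(self._triplets.get(imsi, []))

    def authenticate(self, sim: SIM):
        """Challenge the MS with RAND; return Kc if SRES matches, else None."""
        queue = self._triplets.get(sim.imsi)
        if not queue:
            raise LookupError("no unused triplet; request more from the HLR/AuC")
        rand, expected_sres, kc = queue.pop(0)         # each triplet is used once
        sres = sim.respond(rand)
        return kc if hmac.compare_digest(sres, expected_sres) else None


def demo():
    imsi = "001010123456789"                           # constructed test IMSI
    ki = secrets.token_bytes(16)
    auc = AuC()
    auc.provision(imsi, ki)

    old_vlr, new_vlr = VLR(), VLR()
    old_vlr.store(imsi, auc.make_triplets(imsi, 3))    # AuC -> HLR -> VLR in advance
    new_vlr.store(imsi, old_vlr.hand_over(imsi))       # old VLR -> new VLR

    genuine = SIM(imsi, ki)
    clone = SIM(imsi, secrets.token_bytes(16))         # same IMSI, wrong Ki
    kc_network = new_vlr.authenticate(genuine)
    clone_result = new_vlr.authenticate(clone)
    return {
        "genuine_accepted": kc_network is not None,
        "kc_matches": kc_network == genuine.kc,
        "clone_accepted": clone_result is not None,
        "triplets_left": new_vlr.remaining(imsi),
        "old_vlr_left": old_vlr.remaining(imsi),
    }


if __name__ == "__main__":
    print(demo())
```

A rejected attempt still consumes a triplet, so the visited system has to fetch fresh ones from the home system once its stock runs out.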
Encryption
[Figure: encryption path. A5 takes Kc (from A8 with Ki and RAND) and the frame number to cipher data at the Mobile Station and decipher it at the Visited System.]
Summary
GSM Architecture
MS, BSS, NSS
Radio Interface
GSM Radio and Channels
Location Tracking
Hand Off
Security

2 g

  • 1. Chap 5 2G: GSM System
  • 2. Outlines Introduction GSM Architecture Air Interface Location Tracking and Call Setup HandOff Security Summary
  • 4. Introduction Global System for Mobile Communications (GSM) is a digital wireless network standard. It was developed by Group Special Mobile of Conference Europeenne des Postes et Telecommunications (CEPT) and European Telecommunications Standards Institute (ETSI). GSM Phases 1 and 2 define digital cellular telecommunications system. GSM Phase 2+ targets on Speech Codec and Data Service.
  • 5. Basic Requirements set out by GSM Original text as written by the committee in 1985 Services Quality of Services and Security Radio Frequency Utilization Network Cost The Basic Requirements of GSM
  • 8. GSM Architecture Network and Switching Subsystem MS BTS BTS BTS BTS BTS BTS BSC BSC Abis interface Um interface Base Station Subsystems (BSS) ME SIM Cloud MSC HLR VLR AUC A interface Network and Switching Subsystem (NSS) Cloud Cloud Cloud PSTNGMSC EIR
  • 9. Also called Mobile Terminal (MT) The MS consists of two parts: Subscriber Identity Module (SIM) Mobile Equipment (ME) Mobile Station (MS)
  • 10. A SIM contains subscriber-related information A list of abbreviated and customized short dialing numbers Short message Names of preferred Networks to provide service Personal Identity Number (PIN) . SIM
  • 11. SIM SIM contains important information including IMSI Ki TMSI Access Control Code Kc LAI SIM information can be modified: By the subscriber either by keypad or a PC using an RS232 connection By sending codes through short messages (network operators)
  • 12. Mobile Equipment (ME) ME: non-customer-related hardware and software specific to the radio interface ME can not be used if no SIM is on the MS. Except for emergency calls The SIM-ME design supports portability: The MS is the property of the subscriber. The SIM is the property of the service provider.
  • 13. Base Station System (BSS) The Base Station System (BSS) connects the MS and NSS. BSS contains Base transceiver station (BTS) Base station controller (BSC)
  • 14. BTS Base Transceiver Station (BTS) contains Transmitter Receiver Signaling equipment specific to the radio interface in order to contact the MSs. Transcoder/Rate Adapter Unit (TRAU) GSM-specific speech encoding/decoding and rate adaptation in data transmission
  • 18. Base Station Controller (BSC) Radio channel assignment Handoff management Connect to an MSC Connect to several BTSs Maintain cell configuration data of these BTSs. The BSC communicates with the BTSs via the A-bis. BSC (1/2)
  • 19. BSC (2/2) The processor load of a BSC: Call activities (around 20-25%) Paging and short message service (around 10-15%) Mobility management (handoff and location update, around 20-25%) Hardware checking/network-triggered events (around 15-20%) When a BSC is overloaded, it first rejects location update, next MS originating calls, then handoff.
  • 20. Network and Switching Subsystem (NSS) Telephone switching functions Subscriber profiles Mobility management Components in NSS: MSC: provide basic switching function Gateway MSC (GMSC): route an incoming call to an MSC by interrogating the HLR directory. NSS (1/2)
  • 21. NSS (2/2) Components in NSS (continuous): HLR and VLR maintain the current location of the MS. Authentication Center (AuC) is used in the security management. Equipment Identity Register (EIR) is used for the registration of MS equipment.
  • 22. GSM Interfaces Network and Switching Subsystem MS BTS BTS BTS BTS BTS BTS BSC BSC Abis interface Um interface Base Station Subsystems (BSS) ME SIM Cloud MSC HLR VLR AUC A interface Network and Switching Subsystem (NSS) Cloud Cloud Cloud PSTNGMSC EIR MAP interface
  • 24. Radio Interface-Um (1/3) The GSM radio link uses TDMA/FDD technology. 890-915 MHz (uplink) 935-960 MHz (downlink) 124 pairs × 200 KHz 8 time slots (bursts) per carrier A frame consists 8 timeslots (each 0.577 msec for a time slot). The length of GSM frame in a frequency carrier is 4.615 msec.
  • 25. Radio Interface-Um (2/3) TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4 892.2 MHz Frame Frame (TDMA) 892.4 MHz Downlink TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4 Control channel Traffic channel C0 C1 FDMA MS
  • 26. GSM Normal Burst Begin with 3 head bits, and end with 3 bits. Two groups are separated by an equalizer training sequence of 26 bits. The flags indicates whether the information carried is for speech/data, or signaling. 3 57 bits 1 26 bits 1 57 bits 3 8.25 bits Tailing Data Flag Training Flag Data Tailing Guard Burst (148 bits/0.564 msec) Time Slot (156.25 bits or 0.577 msec)
  • 28. Traffic Channel (TCH) TCHs are intended to carry user information (speech or data). Full-rate TCH (TCH/F) Transmission speed: 13 Kbps for speech Transmission speed: 9.6, 4.8 or 2.4 Kbps for data Enhanced full-rate (EFR) speech coders for improving the speech quality Half-rate TCH (TCH/H) Transmission speed: 6.5 Kbps speech Transmission speed: 4.8 or 2.4 Kbps of data.
  • 29. Control Channels (CCH) CCHs: to carry signaling information Three types of CCHs : Broadcast channel (BCH) Common control channel (CCCH) Dedicated control channel (DCCH)
  • 30. Broadcast Channels (BCHs) BTS broadcasts system information to the MSs through BCHs. Two types in BCH: Frequency Correction Channel (FCCH) and Synchronization Channel (SCH) The information allows the MS to acquire and stay synchronized with the BSS. Broadcast Control Channel (BCCH) (downlink) Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
  • 31. Three types in CCCH: Random Access Channel (RACH) (uplink) Used by the MSs for initial access to the network Collisions may occur. Slotted Aloha protocol is used to resolve access collision. Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS Paging Channel (PCH) (downlink) Used by the network to page the destination MS in call termination Common Control Channel (CCCH)
  • 32. DCCH is for dedicated use by a specific MS. Four types in DCCH: Standalone Dedicated Control Channel (SDCCH) (down/uplink) used only for signaling and for short message Slow Associated Control Channel (SACCH) (down/uplink) Associated with either a TCH or an SDCCH For non-urgent procedures Power and time alignment control information (downlink) Measurement reports from the MS (uplink) Dedicated Control Channel (DCCH) (1/2)
  • 33. Four types in DCCH (continued): Fast Associated Control Channel (FACCH) (down/uplink) Used for time-critical signaling, such as call-establishing progress, authentication of subscriber, or handoff. FACCH uses the TCH during a call. May cause user data loss. Cell Broadcast Channel (CBCH) (downlink) Carries only the short message service cell broadcast messages, which use the same time slot as the SDCCH. Dedicated Control Channel (DCCH) (2/2)
  • 34. GSM Burst Structure 3 57 bits 1 Normal Burst 26 bits 1 57 bits 3 8.25 bits Tailing Data Flag Training Flag Data Tailing Guard 3 142 bits Frequency Correction Burst 3 8.25 bits Tailing Fixed Bits Tailing Guard 3 39 bits Synchronization Burst 64 bits 39 bits 3 8.25 bits Tailing Data Training Data Tailing Guard 3 41 bits Access Burst 36 bits 3 68.25 bits Tailing Synch. Seq. Data Tailing Guard
  • 35. Example of Channel Usage (GSM Call Origination)
  • 36. Example of Channel Usage (GSM Call Termination)
  • 38. Mobility Databases The hierarchical databases used in GSM. The home location register (HLR) is a database used for MS information management. The visitor location register (VLR) is the database of the service area visited by an MS. MSC 1 HLR VLR 1 VLR 2 MSC 2
  • 39. Key Terms GSM uses some identifiers Mobile system ISDN (MSISDN) Mobile Station Roaming Number (MSRN) International Mobile Subscriber Identity (IMSI) Temporary Mobile Subscriber Identity (TMSI) International Mobile station Equipment Identity (IMEI) Location Area Identity (LAI) Cell Global Identity (CGI)
  • 40. MSISDN Mobile System ISDN MSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E.164). HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber. Country code (CC) National destination code (NDC) Subscriber number (SN) Total up to 15 digits
  • 41. MSRN Mobile Station Roaming Number The routing address to route the call to the MS through the visited MSC. MSRN=CC+NDC+SN
  • 42. IMSI International Mobile Subscriber Identity Each mobile unit is identified uniquely with an IMSI. IMSI includes the country, mobile network, mobile subscriber. Total up to 15 digits Mobile country code (MCC) Mobile network code (MNC) Mobile subscriber identification code (MSIC) 3 digits 1- 2 digits Up to 10 digits
  • 43. TMSI Temporary Mobile Subscriber Identity TMSI is an alias used in place of the IMSI. This value is sent over the air interface in place of the IMSI for purposes of security.
  • 44. IMEI International Mobile Station Equipment Identity IMEI is assigned to the GSM at the factory. When a GSM component passes conformance and interoperability tests, it is given a TAC. Up to 15 digits Type approval code (TAC) Final assembly code (FAC) Serial number (MSIC) 3 digits 2 digits Up to 10 digits Spare 1 digit
  • 45. LAI Location Area Identity LAI identifies a location area (LA). When an MS roams into another cell, if it is in the same LAI, no information is exchanged. Total up to 15 digits Mobile country code (MCC) Mobile network code (MNC) Location area code (LAC) 3 digits 1-2 digits Up to 10 digits
  • 46. CGI Cell Global Identity CGI = LAI + CI = MCC + MNC + LAC + CI CI : Cell Identity
  • 47. Home Location Register (HLR) An HLR record consists of 3 types of information: Mobile station information IMSI (used by the MS to access the network) MSISDN (the ISDN number-“Phone Number” of the MS) Location information ISDN number of the VLR (where the MS resides) ISDN number of the MSC (where the MS resides) Service information service subscription service restrictions supplementary services
  • 48. Visitor Location Register (VLR) The VLR information consists of three parts: Mobile Station Information IMSI MSISDN TMSI Location Information MSC Number Location Area ID (LAI) Service Information A subset of the service Information stored in HLR
  • 52. Two-level Hierarchical Strategy The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs. MSC 1 HLR VLR 1 VLR 2 MSC 2
  • 53. Location Area Location area (LA) is the basic unit for location tracking. MSC MSC MSC LA 1 LA 2 LA 3
  • 54. GSM Location Area Hierarchy HLR VLR2VLR1 MSC1 MSC2 LA1 LA2 MS HLR : HOME Location Register VLR : VISITOR Location Register MSC : Mobile Switching Center LA : Location Area MS : Mobile Station
  • 55. Location Update Concept Registration: the location update procedure initiated by the MS: Step 1. BS periodically broadcasts the LA address. Step 2. When an MS finds the LA of BS different from the one stored in its memory, it sends a registration message to the network. Step 3. The location information is updated.
  • 56. Periodically Registration The MS periodically sends registration messages to the network. The period is 6 minutes to 24 hours. Periodic registration is useful for fault-tolerance purposes.
  • 57. GSM Basic Location Update Procedure In GSM, registration or location update occurs when an MS moves from one LA to another. Three cases of location update: Case 1. Inter-LA Movement Case 2. Inter-MSC Movement Case 3. Inter-VLR Movement
  • 59. Two LAs belong to the same MSC. Four major steps: Step 1. MS sends a location update request message (MS→BTS→MSC). Parameters included: TMSI, Previous LA, target LA, previous MSC and previous VLR. IMSI (International Mobile Subscriber Identity) is used to identify MS. However, the MS identifies itself by the Temporary Mobile Subscriber Identity (TMSI). TMSI is used to avoid sending the IMSI on the radio path. The TMSI is a temporary identity allocated to an MS by the VLR at inter-VLR registration. Inter-LA Movement (1/2)
  • 60. The Process continues: Step 2. The MSC forwards the location update request to the VLR by a TCAP message, MAP_UPDATE_LOCATION_AREA. Parameter includes: Address of the MSC, TMSI, previous Location Area Identification (LAI), target LAI, Other related information Steps 3 and 4. Part I. The VLR finds that both LA1 and LA2 belong to the same MSC. Part II. The VLR updates the LAI field of the MS. Part III. The VLR replies with an ACK to the MS through the MSC. Inter-LA Movement (2/2)
  • 62. The two LAs belong to different MSCs of the same VLR. The process is: Steps 1 and 2. MS sends a location update request message (MS→BTS→MSC) . Step 3. Part I. VLR1 finds that the LA1 and LA2 belong to MSC1 and MSC2, respectively. Two MSCs are connected to VLR1. Part II. VLR1 updates the LAI and MSC fields of MS. Part III. The VLR1 derives the HLR address of the MS from the MS’s IMSI. Inter-MSC Movement (1/2)
  • 63. The process continues: Step 3. Part IV. The VLR1 sends the MAP_UPDATE_LOCATION to the HLR. Parameter includes: IMSI, previous MSC Address, target MSC Address, VLR Address, other related information Step 4. HLR updates the MSC number field of the MS. An acknowledgement is sent to VLR1. Steps 5 and 6. The acknowledgement is forwarded to the MS. Inter-MSC Movement (2/2)
  • 64. Inter-VLR Registration Message Flow HLR VLR2 VLR1 MSC2 LA1 LA2 MS 8 1 7 1 MSC2 VLR2 1. MAP_UPDATE_LOCATION_AREA 6. MAP_UPDATE_LOCATION_AREA_ack 6 6 HLR 2. MAP_SEND_IDENTIFICATION 3. MAP_SEND_IDENTIFICATION_ack 4 5 3 2 4. MAP_UPDATE_LOCATION 5. MAP_UPDATE_LOCATION_ack 7. MAP_CANCEL_LOCATION 8. MAP_CANCEL_LOCATION_ack VLR2 MSC1
  • 65. MS Registration Process (2/2) HLR Old VLR New VLR 1 3 4 2 5 TMSI TMSI MS’s IMSI and other authentication data new TMSI After successful authentication, perform location update with the HLR deregistration Delete the data in the VLR
  • 66. Two LAs belong to MSCs connected to different VLRs. The process is: Step 1. MS sends a location update request. MSC2 sends MAP_UPDATE_LOCATION_AREA to VLR 2 with MS’s TMSI. Steps 2 and 3. VLR2 does not have the record of MS. VLR2 identifies the address of VLR1 and sends MAP_SEND_IDENTIFICATION (with TMSI) to VLR1. VLR1 sends IMSI to VLR2. Inter-VLR Movement (1/2)
  • 67. The process continues: Steps 4 and 5. VLR2 creates a VLR record for the MS. VLR2 sends a registration message to HLR. HLR updates the record of the MS. HLR sends an acknowledge back to VLR2. Step 6. VLR2 generates a new TMSI and sends it to the MS. Steps 7 and 8. The obsolete record of the MS in VLR1 is deleted. Inter-VLR Movement (2/2)
  • 69. Call Origination Operation [Figure labels: VLR, MSC, PSTN, Terminating Switch] 2. MAP_SEND_INFO_FOR_OUTGOING_CALL 3. MAP_SEND_INFO_FOR_OUTGOING_CALL_ack 4. IAM
  • 70. GSM Basic Call Origination The process is Step 1. MS sends the call origination request to MSC. Step 2. MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALL. Step 3. VLR checks MS’s profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ack to MSC to grant the call request. Step 4. MSC sets up the trunk according to the standard PSTN call setup procedure.
  • 72. Call Termination (1/2) Routing information for call termination can be obtained from the serving VLR. The basic call termination process: Step 1. A MS’s ISDN (MSISDN) number is dialed by a PSTN user. The call is routed to a gateway MSC by an SS7 ISUP IAM message. Step 2. GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR.
  • 73. Call Termination (2/2) The process continues: Step 3. HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR. Parameter included: IMSI of the MS, the MSC number. Steps 4 and 5. VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record. MSRN is sent back to the gateway MSC through HLR. MSRN provides the address of the target MSC where the MS resides. Step 6. An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk.
  • 74. The Mobile Call Termination (Delivery) Procedure (figure: Other Switches, GMSC, HLR, VLR, MSC; steps 1 to 3; labels: MSISDN, IMSI, MSRN; the call is set up according to the normal PSTN procedure)
  • 77. Two Aspects of Mobility in a PCS Network Handoff (link transfer, or handover): A mobile user moves from the coverage area of an old BS to the coverage area of a new BS during the conversation. The radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation. Roaming: When a mobile user moves from one system to another, the PCS system should be told the user's location.
  • 78. BS Coverage Area BS coverage area: irregular. In the cell boundary: Signal from a neighboring BS Signal from the serving BS Otherwise: Forced termination
  • 79. Handoff Cost Handoffs are expensive, especially for systems with small cell sizes. Small cell sizes are used: to increase the capacity of the systems; to reduce power requirements of MSs.
  • 80. Issues for Handoff Management: handoff detection (who and how); channel assignment; radio link transfer
  • 82. Strategies for Handoff Detection Who makes a decision for handoff? Three handoff detection schemes: Mobile-Controlled Handoff (MCHO) Network-Controlled Handoff (NCHO) Mobile-Assisted Handoff (MAHO) Others
  • 83. MCHO is used in DECT and PACS. Part I. The MS continuously monitors the signals of the surrounding BSs. Part II. The MS initiates the handoff process when some handoff criteria are met. Mobile-Controlled Handoff (MCHO)
  • 84. Network-Controlled Handoff (NCHO) Used in CT-2+ and AMPS Part I. The surrounding BSs measure the signal from the MS. Part II. The network initiates the handoff process when some handoff criteria are met. MSC controls the handoff.
  • 85. Mobile-Assisted Handoff (MAHO) Used in GSM, IS-136 and IS-95 Part I. The network asks the MS to measure the signal from the surrounding BSs. Part II. The network makes the handoff decision based on the reports from the MS.
  • 87. Channel Assignment Purpose: to achieve a high degree of spectrum utilization for a given grade of service. Ex: to reduce forced terminations
  • 88. Forced Terminations Blocked call: initial access requests fail. For a new call: no available channels on the visited BS. Forced termination: handoff requests fail. For a handoff call: no available channel on the selected BSs. Which one is more serious, new call blocking or forced termination?
  • 89. Some trade-offs Service quality Spectrum utilization Implementation complexity of the channel assignment algorithm Number of database lookups
  • 90. Flowchart for Non-prioritized Scheme New or handoff call arrival → Channel available? yes: channel assigned → ongoing call → channel released; no: channel blocked
  • 91. Flowchart for Reserved Channel Scheme New call arrival → Normal channel available? yes: channel assigned; no: channel blocked. Handoff call arrival → Normal channel available? yes: channel assigned; no → Reserved channel available? yes: channel assigned; no: channel blocked. Channel assigned → ongoing call → channel released
  • 93. Link Transfer Two operations: The radio link is transferred from the old BS to the new BS. The network bridges the trunk to the new BS and drops the trunk to the old BS. (figure: MSC, Old BS, New BS)
  • 94. Five Distinct Link Transfer Cases (1/3) 1. Intra-BTS handoff or intra-cell handoff 2. Inter-BTS handoff or inter-cell handoff 3. Inter-BSC handoff 4. Inter-MSC handoff or intersystem handoff 5. Intersystem handoff between two PCS networks
  • 95. Inter-BSC Handoff (figure: MSC 1, BSC 1, BSC 2, Old BS, New BS; (a) Before handoff, (b) After handoff)
  • 96. Intra-MSC (message flow between MS, Serving BSS, MSC, Target BSS) 1 STRN_MEAS 2 HAND_REQ 3 HAND_REQ 4 HAND_REQ_ACK 5 HAND_COMM 6 HAND_COMM 7 HAND_ACC 8 CHH_INFO 9 HAND_DET 10 HAND_COMP 11 HAND_COMP 12 REL_RCH 13 REL_RCH_COMP
  • 97. Inter-MSC Link Transfer (figure: PSTN, MSC A, MSC B, BS 1, BS 2, trunk; (a) Before handoff, (b) After handoff)
  • 98. Inter-MSC (1/2) (message flow between MS, Serving BSS, Serving MSC, Target MSC, Target BSS, Target VLR) 1 STRN_MEAS 2 HAND_REQ 3 HAND_PER 4 HAND_NUM 5 HAND_NUM_COMP 6 HAND_REQ 7 HAND_REQ_ACK 8 HAND_PER_ACK 9 NET_SETUP 10 SETUP_COMP 11 HAND_COMM 12 HAND_COMM
  • 99. Inter-MSC (2/2) (message flow between MS, Serving BSS, Serving MSC, Target MSC, Target BSS, Target VLR) 13 HAND_ACC 14 CHH_INFO 15 HAND_DET 16 HAND_COMP 17 HAND_COMP 18 SEND_ENDING 19 ANSWER 20 REL_RCH 21 REL_RCH_COMP 22 END_SIGNAL 23 NET_REL 24 ERL_HAND_NUM
  • 100. Anchor MSC (figure: MSC A, MSC B, MSC C; BS 1 to BS 5) MSC A is the anchor MSC. 1: inter-BS handoff; 2: handoff forward; 3: handoff back; 4: handoff to the third
  • 101. Path Minimization (figure: MSC A, MSC B, MSC C) (a) Handoff forward (b) Handoff backward (c) Handoff to the third (d) Path minimization
  • 104. Hard Handoff MS connects with only one BS at a time. Interruption in the conversation occurs. Used in TDMA and FDMA systems. We will study the signaling of handoff: MCHO Link Transfer; MAHO/NCHO Link Transfer; Subrating MCHO Link Transfer. (figure: MSC, Old BS, New BS)
  • 105. Hard Handoff Link Transfer for MCHO A handoff request message is initiated by the MS. The network can initiate the handoff, but the MS always chooses the BS. MS selects a new radio channel. If a handoff failure occurs, the MS link-quality maintenance process must decide what to do next.
  • 107. Soft Handoff MS connects to multiple BSs simultaneously. BSs use the same frequency. BSs must be synchronized. The network must combine the signals from the multiple BSs simultaneously. Soft handoff is more complicated than hard handoff. (figure: MSC, BS 1, BS 2)
  • 108. Mobility Management Mobility management procedures begin when a system detects the presence of a visiting terminal. (1) Serving base station → serving MSC (informs the MSC of the terminal’s action). (2) MSC records that the terminal is in its operating area. (3) MSC sends this information to its VLR. (4) VLR notifies the terminal’s HLR. (5) HLR notifies the old VLR to erase the record.
  • 109. (figure: Home MSC, Visited MSC, BSs, VLR, HLR, CSS. Messages shown: power on; registration notification invoke, contains MIN, ECN, SID; registration notification invoke, contains MIN, ECN, SID, address of VLR; registration cancellation invoke; profile request invoke; profile request result)
  • 110. Figure 4.4 Registration of a terminal in a visited service area.
  • 111. Figure 4.4 Registration of a terminal in a visited service area (nodes: Prior MSC, Prior VLR, HLR, Serving VLR)
  • 112. Handoff Categories IS-41 specifies three handoff protocols: handoff forward, handoff back, and handoff to third. Intersystem handoff requires dedicated communication links between a pair of MSCs: voice trunks, for carrying user information in calls handed from one MSC to another; data links, for carrying control messages between the two switches.
  • 113. Handoff forward: The terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoff. MSC-A is the anchor MSC. MSC-A is responsible for routing the call to the remote party. MSC-B is the serving MSC because it currently has control of the call. After handoff, MSC-B is the target MSC. Figure 4.8 The situation after a handoff forward from system A (anchor system) to system B (serving system).
  • 114. Handoff Back: The terminal can return to the service area of system A. MSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol, which releases the voice circuit between MSC-A and MSC-B. Without this protocol, the systems would tie up two voice trunks: one taking the call from system A to system B, the other taking it from system B to system A.
  • 115. Handoff forward: It is possible that the terminal will move from system B to a third system C. This produces two possibilities in Figures 4.9 and 4.10. In Figure 4.9, MSC-B and MSC-C perform a handoff forward procedure like the one that moved the call from system A to system B. System B provides a path from MSC-A to MSC-C. The situation can continue, adding more and more MSCs to the chain, up to a limit established by the anchor system. Figure 4.9 Call path after handoff forward to system C
  • 116. Handoff to third: An alternative occurs when there is a direct connection between systems A and C. IS-41 includes a protocol referred to as handoff to third, which establishes a direct link between MSC-A and MSC-C and releases the link between A and B. Figure 4.10 If there are circuits connecting MSC-A and MSC-C, the system performs handoff to third.
  • 117. Handoff Protocols There are two phases to every handoff procedure. Location phase: the serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminal. When measurements are required from one or more cells in a system adjacent to the serving system, the adjacent system becomes a candidate system. The serving MSC and a candidate MSC exchange handoff measurement request messages.
  • 118. A HANDOFF MEASUREMENT REQUEST INVOKE message, transmitted by the serving MSC includes: information about the terminal (station class mark, SCM, indicates the capabilities of the terminal) information about the serving base station (SAT and a base station identifier), and information about the radio channel carrying the call (channel number). Based on the identity of the serving base station, the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC.
  • 119. The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurements. The serving MSC selects a target cell for the handoff. If the target cell is served by a candidate MSC, this MSC becomes the target MSC for the handoff. The handoff procedure then moves from the location phase to the handoff phase. Handoff phase: the serving MSC determines the type of handoff to initiate (forward, back, or handoff to third).
  • 120. Handoff Forward Protocol: The serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSC. This message contains: information about the terminal (SCM, MIN, ESN); information about the call: billing ID (established by the anchor MSC at the beginning of the call); inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC); inter-switch count (the total number of MSCs through which the call will pass after the handoff); information about the call status (serving cell, serving channel); and target cell identifier (based on measurement reports from the target MSC).
  • 121. If the target MSC accepts the handoff, it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSC. This message contains information about the new channel: channel number, SAT, and transmit power level (VMAC). On receiving this message, the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cell. When the target base station detects the SAT, it sends a message to the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC.
  • 122. Figure 4.11 Message sequence and system operations for handoff forward.
  • 124. Handoff Back Protocol: If the location phase results in a determination by the serving MSC (MSC-B) that the call would best be handled in the system (system A) previously occupied by the terminal, the serving MSC initiates a handoff back procedure. It (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A), which is now the target MSC of the handoff protocol. The message plays the same role as the FACILITIES DIRECTIVE INVOKE message. The target MSC (MSC-A) sends a HANDOFF BACK RESULT message to the serving MSC (MSC-B). This message contains the same information as the FACILITIES DIRECTIVE RESULT message.
  • 125. When the target MSC (MSC-A) learns that the terminal has arrived on the assigned channel at the target base station, it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B). This message identifies the voice trunk that carries the call between the two MSCs. On receiving this message, the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSC. Any two MSCs in a chain can perform the handoff back protocol.
  • 127. Handoff to third Protocol: The handoff to third protocol is an example of a path minimization procedure, in which the system reduces the number of voice trunks carrying a call through three or more systems.
  • 130. Security GSM security is addressed in two aspects: authentication and encryption. Authentication prevents fraudulent access by a cloned MS. Encryption prevents unauthorized listening.
  • 131. Parameters Ki: used to achieve authentication; stored in the AuC and SIM; not known to the subscriber. RAND: a 128-bit random number generated by the home system. SRES: generated by algorithm A3. Kc: generated by algorithm A8 for the encryption. Frame Number: a TDMA frame number encoded in the data bits.
  • 132. Algorithms Authentication algorithm: A3, the authentication function, in AuC and SIM. Encryption algorithms: A8, to generate the encryption key, in AuC and SIM; A5, an algorithm stored in the MS (handset hardware) and the visited system, used for data ciphering and deciphering.
  • 133. Authentication and Encryption (figure: Mobile Station, Home System, Visited System. Authentication: Ki and RAND → A3 → SRES on each side; Equal? yes: accept; no: reject. Encryption: Ki and RAND → A8 → Kc; Kc and Frame Number → A5; Data ↔ Ciphered Data)
  • 134. Authentication by Triplet Triplet: RAND, SRES, Kc. AuC → HLR → VLR in advance. Example: authentication in registration. New VLR uses LAI to find old VLR. Old VLR sends triplets to new VLR. New VLR challenges MS by using RAND and SRES.
  • 135. Encryption (figure: Mobile Station, Home System, Visited System. Authentication: Ki and RAND → A3 → SRES on each side; Equal? yes: accept; no: reject. Encryption: Ki and RAND → A8 → Kc; Kc and Frame Number → A5; Data ↔ Ciphered Data)
  • 136. Summary GSM Architecture: MS, BSS, NSS. Radio Interface: GSM radio and channels. Location Tracking. Hand Off. Security.
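
The triplet authentication described in slides 131 to 134, as an added Python example that is not part of the original slides: the AuC precomputes (RAND, SRES, Kc) triplets, the old VLR passes them to the new VLR, and the new VLR challenges the SIM without ever holding Ki. Assumptions: HMAC-SHA256 stands in for the operator-chosen A3/A8 algorithms, the class and method names are hypothetical, the IMSI is a constructed test value, and each triplet is consumed once.

```python
import hashlib
import hmac
import os

IMSI = "001010000000001"  # constructed test IMSI, not a real subscriber

def a3_a8(ki, rand):
    # ASSUMPTION: HMAC-SHA256 stands in for the operator-chosen A3/A8.
    # Output is split into a 32-bit SRES and a 64-bit Kc.
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Home system: the only network node that stores Ki."""
    def __init__(self, subscribers):
        self._ki = subscribers  # IMSI -> Ki

    def make_triplets(self, imsi, count=3):
        triplets = []
        for _ in range(count):
            rand = os.urandom(16)  # 128-bit RAND from the home system
            sres, kc = a3_a8(self._ki[imsi], rand)
            triplets.append((rand, sres, kc))
        return triplets

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_a8(self._ki, rand)  # SRES is sent back; Kc stays in the MS

class VLR:
    """Visited system: holds triplets only, never Ki."""
    def __init__(self):
        self.triplets = {}  # IMSI -> unused (RAND, SRES, Kc) triplets

    def hand_over(self, imsi, new_vlr):
        # Old VLR sends its remaining triplets to the new VLR.
        new_vlr.triplets[imsi] = self.triplets.pop(imsi)

    def authenticate(self, sim):
        rand, expected_sres, kc = self.triplets[sim.imsi].pop(0)  # single use
        sres, _ = sim.respond(rand)
        if hmac.compare_digest(sres, expected_sres):
            return kc  # accept: Kc keys A5 ciphering
        return None  # reject: a clone without Ki cannot produce SRES
```

A SIM built with the right IMSI but the wrong Ki gets `None` from `authenticate`, which is the cloned-MS case slide 130 says authentication is meant to stop.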