The document provides a comprehensive overview of GSM (Global System for Mobile Communications) technology, including its history, architecture, and operational principles. It highlights key concepts such as frequency division multiple access (FDMA), time division multiple access (TDMA), and the layers involved in GSM communication. Additionally, the document discusses the integration of GSM with Voice over IP (VoIP) technologies and emphasizes the importance of security and authentication methods within the network.

1. OpenBTS® Mini-
Workshop
OpenBTS is a registered trademark of Range Networks, Inc.
1
Saturday, August 6, 2011 1

2. GSM Basics
2
Saturday, August 6, 2011 2

3. GSM History
• 1982 - CEPT establishes GSM group
• 1987 - Basic parameters selected
• 1989 - GSM standardization process moved to ETSI
• 1990 - Phase 1 spec frozen
• 1992 - First commercial service
• 1995 - Phase 2 spec frozen
• 2001 - 500M GSM users world-wide
• 2009 - Accounts for about 80% of all cellular service
• 2011 - 3G UMTS displacing 2G GSM in some places, but all 3G
UMTS phones still support 2G GSM
3
Saturday, August 6, 2011 3

4. GSM Layers
• Layers similar to OSI model.
• L1 - physical layer - bits and waveforms
• L2 - data link layer - makes the link reliable
• L3 - connection management layer - where
most of the cellular telephone application
happens
4
Saturday, August 6, 2011 4

5. Physical Layer (L1)
5
Saturday, August 6, 2011 5

6. Cellular Concepts:
FDMA
• Frequency division multiple access: users on
different radio frequencies.
• The only MA type in older analog systems.
F
r
e
q
Time
6
Saturday, August 6, 2011 6

7. Cellular Concepts:
TDMA
• Time division multiple access: users share a channel,
using it at different times.
• Can be sync or async (802.11).
F
r
e
q
Time
7
Saturday, August 6, 2011 7

8. Cellular Concepts:
FDMA and TDMA
• GSM is both FDMA and TDMA.
• 200 kHz radio channel spacing
• 8 timeslots per channel
F
r
e
q
Time
8
Saturday, August 6, 2011 8

9. Timeslots
from “GSM for Dummies”, with permission
9
Saturday, August 6, 2011 9

10. The “ARFCN”
• Absolute Radio Frequency Channel
Number
• 200 kHz radio channel spacing
• 270.833 kHz radio channel bandwidth
• Cannot use adjacent ARFCNs in the same
cell because they overlap.
• Assigned in fixed uplink/downlink pairs.
10
Saturday, August 6, 2011 10

11. Frequency Duplexing
from “GSM for Dummies”, with permission
11
Saturday, August 6, 2011 11

12. Common GSM Bands
Name Up Down ARFCNs Regions
P-GSM 900 890-915 935-960 1-124 1, 3
E-GSM 900 880-915 925-960 0-125, 1, 3
975-1023
GSM 850 824-849 869-894 128-251 2
DCS 1800 1710-1785 1805-1880 512-885 1, 3
PCS 1900 1850-1910 1930-1990 512-810 2
12
Saturday, August 6, 2011 12

13. Duplexing
• Handset and BTS cannot transmit on the same
frequency at the same time.
• TDD - Time Division Duplexing - Handset and BTS
time transmissions to avoid conflict. This is cheapest.
• FDD - Frequency Division Duplexing - Handset and
BTS operate on different frequencies. This requires
special RF filters.
• GSM is FDD in the BTS, and both FDD and TDD
for the handset.
13
Saturday, August 6, 2011 13

14. Frequency Duplexing
from “GSM for Dummies”, with permission
14
Saturday, August 6, 2011 14

15. Frequency Duplexing
“Cavity Duplexer”
15
Saturday, August 6, 2011 15

16. Timing and Power
Control
• BTS controls output power level of the
handset to maximize battery life and
optimize receiver performance.
• BTS controls timing advance of the handset
to prevent collisions of arriving radio
bursts.
• This happens on the SACCH.
16
Saturday, August 6, 2011 16

17. Link Layer (L2)
17
Saturday, August 6, 2011 17

18. The Link Layer
• L3 has variable-length messages and
assumes reliable delivery.
• L1 has fixed-length frames and loses them
sometimes.
• L2 connects these so that L3 can use L1.
18
Saturday, August 6, 2011 18

19. Connection
Management Layer
(L3)
19
Saturday, August 6, 2011 19

20. GSM Layer 3
• This is where things start to look like a
telephone system.
• Sublayers:
• Radio Resource (RR)
• Mobility Management (MM)
• Call Control (CC)
• Short Message Service (SMS)
20
Saturday, August 6, 2011 20

21. GSM L3 RR
• Radio Resource management.
• Assign and release radio channels.
• Page handsets for service.
• Generate the beacon.
• Data elements are descriptions of physical
layer parameters.
21
Saturday, August 6, 2011 21

22. GSM L3 MM
• Mobility Management.
• Keep track of what part of the network is
serving a given handset.
• Authenticate users.
• Data elements are subscriber identities and
authentication tokens.
22
Saturday, August 6, 2011 22

23. GSM L3 CC
• Call Control.
• Connect the handset to the telephone
switch.
• Nearly identical to ISDN’s Q.931.
• Data elements are phone numbers, call
status codes and bearer capability
descriptions.
23
Saturday, August 6, 2011 23

24. GSM L3 SMS
• SMS L3 is just a connection layer for SMS
L4.
• Just a pass-through. Nothing really happens
in SMS until you hit L5.
24
Saturday, August 6, 2011 24

25. Addressing in GSM
• IMSI: International Subscriber Mobile
Identity. A 14- 15-digit number in the SIM
that uniquely identifies the subscriber.
Encodes identity of issuing carrier, too.
• TMSI: Temporary Subscriber Mobile
Identity. A 32-bit number assigned by the
network that uniquely identifies the
subscriber within that network.
25
Saturday, August 6, 2011 25

26. Addressing in GSM
(cont.)
• IMEI: International Mobile Equipment
Identity. A 15-digit number that uniquely
identifies the handset. Encodes
manufacturer and model. Not used much in
GSM except for fraud detection.
• MSISDN: The subscriber’s telephone
number.
26
Saturday, August 6, 2011 26

27. Addressing in GSM
(cont.)
• The MSISDN-IMSI association exists only in
the network, not in the handset.
• There is no MSISDN-IMEI association.
• If a phone is “locked” that usually means
that it will accept SIMs only from a specific
carrier.
27
Saturday, August 6, 2011 27

28. Introduction to VoIP
28
Saturday, August 6, 2011 28

29. The Old Analog PSTN
• Phone numbers form an address space, like any
other address space.
• A phone line’s address is determined by where it is
physically connected to the network.
• Dialed numbers (“signaling”) are encoded as tones
in the audio stream (“in-band signaling”).
• The switch decodes signaling to connect completed
physical circuits between phones.
• “Circuit Switched Telephony”
29
Saturday, August 6, 2011 29

30. 70’s-era Analog Switch
30
Saturday, August 6, 2011 30

31. SS7
• Signaling System 7 (SS7) replaced analog lines with
synchronous digital ones, but it’s still circuit-switched.
• Signaling and media travel on different logical channels
(“out-of-band signaling”).
• Telephony is just an application in the SS7 network.
• ...so is the GSM core network.
• The switch is just a computer, shuffling frames between
media channels as instructed by the signaling.
• Phone numbers are no longer physical addresses, but
entries in a routing database.
31
Saturday, August 6, 2011 31

32. Q.931 Call Signaling
Subscriber Network
Subscriber dials number. SETUP
CALL PROCEEDING
Remote phone ringing.
ALERTING
Remote party answers.
CONNECT
CONNECT ACK
Call connected.
Subscriber hangs up.
DISCONNECT
RELEASE
RELEASE COMPLETE Dial tone.
32
Saturday, August 6, 2011 32

33. VoIP
• Replace circuit-switched SS7 with packet-switched
IP.
• Signaling and media can follow entirely different
paths and use entirely different protocols.
• Telephony is an application running on the internet.
• The switch is just a computer shuffling packets as
directed by the signaling.
• IP network gives additional layer of addressing.
33
Saturday, August 6, 2011 33

34. VoIP Specifics: SIP & RTP
• Session Initiation Protocol (SIP), RFC-3261,
for signaling.
• SIP header design similar to HTTP.
• Real-Time Protocol (RTP), RFC-3550, for
media.
• Both protocols already used internally by
many telecom carriers, all renamed “IMS”.
34
Saturday, August 6, 2011 34

35. SIP Call Flow
Subscriber Network
Subscriber dials number.
INVITE
Trying 100
Remote phone ringing.
Ringing 180
Remote party answers.
OK 200
ACK
Call connected.
Subscriber hangs up.
BYE
ACK
Dial tone.
35
Saturday, August 6, 2011 35

36. Putting it Together:
OpenBTS = GSM + VoIP
36
Saturday, August 6, 2011 36

37. OpenBTS Design
Principles
• Put as little functionality as possible into
the GSM-specific software.
• Translate protocols to open standards
whenever possible.
• Exploit external applications whenever
possible.
37
Saturday, August 6, 2011 37

38. OpenBTS Design
Principles
• Terminate L3 RR inside OpenBTS to
eliminate the need for a BSC.
• Translate MM, CC and SMS to SIP and let
the VoIP software deal with them.
• Most new features will be external modules
on socket interfaces.
38
Saturday, August 6, 2011 38

39. OpenBTS VoIP Principles
• OpenBTS itself is invisible. The VoIP
network sees only the phones.
• Each handset appears as a SIP endpoint at
the IP address of its serving BTS.
• Each handset is a SIP user called
“IMSIxxxxxxxxxxxxxxxx”, where
“xxxxxxxxxxxxxxx” is the IMSI of the SIM
in the handset.
39
Saturday, August 6, 2011 39

40. Mobile-Originated Call
SIP Switch OpenBTS Handset
CHAN. REQ.
IMMED. ASSIGN.
CM SVC. REQ.
CM SVC. ACCEPT
SETUP
INVITE CALL PROCEEDING
Status: 100 Trying
Status: 182 Ringing
Status: 200 OK ALERTING
CONNECT
CONNECT ACK.
RTP traffic GSM traffic
40
Saturday, August 6, 2011 40

41. Mobile-Originated Call
SIP Switch OpenBTS Handset
CHAN. REQ.
IMMED. ASSIGN.
RR
This is where we skip CM SVC. REQ.
the encryption step. CM SVC. ACCEPT MM
SETUP
INVITE CALL PROCEEDING
Status: 100 Trying
Status: 182 Ringing CC
Status: 200 OK ALERTING
CONNECT
CONNECT ACK.
RTP traffic GSM traffic
41
Saturday, August 6, 2011 41

42. Mobile-Originated Call
SIP Switch OpenBTS Handset
CHAN. REQ.
IMMED. ASSIGN.
CM SVC. REQ.
CM SVC. ACCEPT
SETUP
INVITE CALL PROCEEDING
Status: 100 Trying
Status: 182 Ringing
Status: 200 OK ALERTING
CONNECT
CONNECT ACK.
RTP traffic GSM traffic
42
Saturday, August 6, 2011 42

43. Backhaul Loading
• GSM FR codec is about 13 kbit/sec/call.
• Asterisk can transcode to other codecs
ranging from 2.4-64 kbit/sec/call, with
varying quality.
• Regardless of codec type, RTP overhead is
about 17 kbit/sec/call.
• IAX overhead is closer to 20 kbit/sec/call,
but can be shared across multiple calls.
43
Saturday, August 6, 2011 43

44. Backhaul Requirements
able 6.1: Backhaul bandwidth for various codec/trunking configurations. All rates in kbit/sec and a
ming 20 ms framing.
Codec per call per call 7 calls 7 calls speech
raw rate over RTP over RTP IAX trunking quality
G.711 64 81 567 468 toll-quality
GSM-FR 13 30 210 124 toll-quality
G.729 8 25 175 97 near-toll-quality
Speex 8 25 175 97 near-toll-quality
Speex 4 21 147 60 not toll-quality
LPC-10 2.4 20 136 37 not toll-quality
44
Saturday, August 6, 2011 44

45. Using IAX on VSAT Links
IAX IAX
OpenBTS
APs
PSTN
SIP/RTP IAX IAX
Local T1
Remote
SIP/RTP Switch Switch
VoIP
SIP/RTP
VoIP
Satellite-Based Site
Figure 6.5: Paired OpenSwitch servers for IAX trunking in satellite-based applications.
45
Saturday, August 6, 2011 45

46. Subscriber Registry
46
Saturday, August 6, 2011 46

47. The Authentication
Problem
• The IMSI is exposed in many places.
• Making a SIM with a controlled IMSI is
trivial.
47
Saturday, August 6, 2011 47

48. GSM Authentication
• Challenge-Response based on shared secret key Ki.
• Network generates 128-bit random string (RAND)
to send to phone.
• Phone encrypts RAND with Ki and a hash function
(A3) to produce SRES.
• Network performs identical SRES calculation with
same RAND, Ki and A3.
• Phone returns SRES and network compares results.
48
Saturday, August 6, 2011 48

49. Cache-Based
Authentication
• Can be used in OpenBTS when you don’t know Ki
or A3 for a SIM.
• Perform RAND-SRES exchange and save the result.
• Assume the first exchange is valid and allow access.
• Use the same RAND for subsequent exchanges
and see if you get the same SRES.
• Not full authentication, but better than nothing.
49
Saturday, August 6, 2011 49

50. SIM Parameters
• To perform RAND-SRES authentication, you must
know Ki and the A3 algorithm used by the SIM.
• SIMs do not disclose Ki; it is normally known only
by the party that issues the SIM.
• A3 is usually a variant of COMP-128; the current
industry standard is v3.
• To perform full authentication you must by able to
issue SIMs and have the software to implement
the A3 in those SIMs.
50
Saturday, August 6, 2011 50

51. Subscriber Registry
• “Realtime” Asterisk using external
databases.
• Core is an sqlite3 database file, /var/lib/
asterisk/sqlite3dir/sqlite3.db.
• HTTP interface for remote access.
• SIP interface for registration.
• Caching Behavior.
51
Saturday, August 6, 2011 51

52. Subscriber Registry
sip_buddies Table
• Based on pre-existing Asterisk “sip-buddies”
schema with extra per-subscriber fields:
• Ki, the SIM secret key for this subscriber
• RAND, SRES, the most recent challenge-
response pair used with this subscriber
• a3a8, the A3/A8 algorithm to be used with
this subscriber
52
Saturday, August 6, 2011 52

53. Subscriber Registry
dialdata_table
• Used by Asterisk dialplan for realtime
number resolution.
• A simple IMSI-number mapping.
• Calls to unresolvable numbers get passed
up to a higher-level switch.
53
Saturday, August 6, 2011 53

54. SR RAND-SRES
Authentication via SIP
• SIP Interface; follows form of RFC-2543
Section 14, using
• RAND as the nonce
• A3 instead of MD5
• SRES as the response
54
Saturday, August 6, 2011 54

55. SIP-Style Authentication
MS OpenBTS Registry
CHAN. REQ.
IMMED. ASSIGN.
LOC. UPDATE REQ.
REGISTER
401 Unauthorized
AUTH. REQ.
AUTH. RESP.
REGISTER
200 OK
LOC. UPDATE ACCEPT
CHAN. REL.
55
Saturday, August 6, 2011 55

56. SR Authentication via
HTTP
• HTTP Interface
• Ad hoc but easy to implement
• Send IMSI in URL, get RAND result.
• Send IMSI, RAND and SRES in URL, get
success/failure result.
56
Saturday, August 6, 2011 56

57. HTTP-Based Authentication
MS OpenBTS Registry
CHAN. REQ.
IMMED. ASSIGN.
LOC. UPDATE REQ.
HTTP GET
200 OK
AUTH. REQ.
AUTH. RESP.
HTTP GET
200 OK
LOC. UPDATE ACCEPT
CHAN. REL.
57
Saturday, August 6, 2011 57

58. Generating SIMs
• For full authentication, you must know Ki.
• The only way to know Ki is to put it there
yourself.
• Programmable SIMs with write-only Ki
records!
• SIM-programming SW writes new entries
directly in to SR database.
58
Saturday, August 6, 2011 58

59. SIM Security
• COMP128 and cracking
• SIM protection
• COMP128v3
• Fraud detection
59
Saturday, August 6, 2011 59

60. Network Security
• SR caching makes isolated nodes robust.
• SR caching also moves a lot of sensitive
information around the network.
• Securing the backhaul is critical.
60
Saturday, August 6, 2011 60

61. Subscriber Security
• C2.8 generates TMSIs on a per-BTS basis.
• Good: TMSIs not globally significant
• Bad: Lots of TMSI reassignments
• C2.8 does not support A5/x. Future
versions will.
• A5/1 export restrictions
• A5/2 depreciation
61
Saturday, August 6, 2011 61

62. SMS Text Messaging
62
Saturday, August 6, 2011 62

63. GSM SMS
• Session-less transfer over Dm channel.
• Address is ISDN/E.164 or e-mail.
• Maximum payload is 140 bytes, 160 characters
in GSM 7-bit alphabet.
• SMSC acts as a store-and-forward server, since
handsets are only intermittently connected.
• SMS defined in 5 layers on Um, but 2 of them
are just relays.
63
Saturday, August 6, 2011 63

64. SIP RFC-3428
• Session-less transfer over an IP channel.
• Allows for intermediary store-and-forward
servers.
• Addressing is same as any other SIP.
• OpenBTS uses MIME-encoded RPDU
(application/vnd.3gpp.sms).
64
Saturday, August 6, 2011 64

65. SMS in OpenBTS
• Terminate SMS L3 and L4 locally.
• Translate SMS L5 to SIP RFC-3428 with vnd.
3gpp.sms content.
• Outgoing RFC-3428 addressed numerically.
• Inbound RFC-3428 addressed to IMSI-derived
SIP users.
• Cannot send directly from one handset to
another.
65
Saturday, August 6, 2011 65

66. Smqueue
• RFC-3428 store-and-forward server.
• Uses vnd.3gpp.sms content, making it payload-
agnostic.
• Translates SUMBIT TPDUs into DELIVER TPDUs.
• Accepts numeric addresses, resolves to SIP users
with the Subscriber Registry.
• In C2.8, must be running on the same computer
as the subscriber registry.
66
Saturday, August 6, 2011 66

67. MO-SMS
smqueue OpenBTS Handset
CHAN. REQ.
ASSIGNMENT
CM SVC. REQ.
CM SVC. ACCEPT
CP-DATA/RP-DATA
CP-ACK
MESSAGE
OK
CP-DATA/RP-ACK
CP-ACK
CHANNEL RELEASE
67
Saturday, August 6, 2011 67

68. MO-SMS
smqueue OpenBTS Handset
CHAN. REQ.
ASSIGNMENT
CM SVC. REQ.
CM SVC. ACCEPT
CP-DATA/RP-DATA
CP-ACK
MESSAGE
OK
CP-DATA/RP-ACK
CP-ACK
CHANNEL RELEASE
68
Saturday, August 6, 2011 68

69. MT-SMS
OpenMessage OpenBTS MS
MESSAGE
PAGING REQ.
CHAN. REQ.
IMMED. ASSIGN.
PAGING RESP.
CP-DATA/RP-DATA
CP-ACK
CP-DATA/RP-ACK
OK
CP-ACK
CHANNEL RELEASE
69
Saturday, August 6, 2011 69

70. MT-SMS
OpenMessage OpenBTS MS
MESSAGE
PAGING REQ.
CHAN. REQ.
IMMED. ASSIGN.
PAGING RESP.
CP-DATA/RP-DATA
CP-ACK
CP-DATA/RP-ACK
OK
CP-ACK
CHANNEL RELEASE
70
Saturday, August 6, 2011 70

71. Short Codes
• Short codes are special SMS addresses that
go to programs instead of to other users.
• Short codes can be used to build
interactive applications based on SMS.
• Smqueue supports sort codes, but the
functions must be hard-coded into the
system.
71
Saturday, August 6, 2011 71

72. Short Code Example:
Auto-Provisioning
• Short code function adds a new SIP user
and a new dialplan entry in the Subscriber
Registry.
• Can be used for automatic provisioning in
some applications.
• Only effective if used with open
registration.
72
Saturday, August 6, 2011 72

73. Connecting SMS to the
Outside World
• Email gateways
• the return address problem
• SIP RFC-3428 gateways
• the registration problem
• SMPP
• The dual-address problem.
• New trends in combined VoIP services (Voxbone
and Voxeo).
73
Saturday, August 6, 2011 73

74. Connecting to the
PSTN
74
Saturday, August 6, 2011 74

75. VoIP Carrier Services
• Route outbound calls to the PSTN
(“origination”)
• Lease DID (“direct inbound dialed”) E.164
addresses (“telephone numbers”)
• Route inbound calls from PSTN to DIDs
(“termination”)
• Generate billing records (CDRs)
75
Saturday, August 6, 2011 75

76. VoIP Carrier Prices
• DID leases typically run $0.25/mo - $5/mo
depending on
• quantity
• where numbers are located
• Calling rates typically run $0.003/min - $0.050/
min. depending on
• quantity
• call destination
76
Saturday, August 6, 2011 76

77. VoIP Carrier Technical
Connection
• Nearly all support SIP/RTP; many support
IAX, too.
• Nearly all support G.711 (a-law/mu-law)
and G.729 (ADPCM); some support GSM
full-rate directly.
• The interface to the carrier appears as a
SIP or IAX user in the gateway switch
configuration.
77
Saturday, August 6, 2011 77

78. Putting It All Together
78
Saturday, August 6, 2011 78

79. Full-Band
Digital Radio
Transceiver
IP Network
USB2
smqueue
"Transcevier"
RFC-3428 SIP/RTP
Radiomodem
SMS Processor IAX
HTTP/S
SIP SMTP
UDP SIP SQL
SMTP
"OpenBTS"
SIP subscriber registry SIP IP Network
GSM/SIP
SQL Database/Server HTTP/S Interface
Protocol Processor
SIP/RTP
SIP/RTP SQL
IAX
SIP/IAX
Softswitch
Inside Each BTS Node
79
Saturday, August 6, 2011 79

80. smqueue public IP
SMTP network
SIP/RTP
IAX SIP
HTTP/S SIP/RTP SIP/RTP
SMTP IAX IAX
SIP/RTP
OpenBTS private IP SIP switch &
cell sites network
IAX
subscriber registry VoIP Carriers
HTTP/S
ISDN/SS7
ISDN/SS7
HTTP/S
other PSTN
services
A Full Network
80
Saturday, August 6, 2011 80

81. Mobility
81
Saturday, August 6, 2011 81

82. Some Confusion
• Handover - The ability to transfer a live
call from one cell to another. And in GSM
it’s call “handover”, not “handoff”.
• Roaming - The ability to integrate call
routing and billing with other carriers.
• Mobility - The ability to transfer service
as a handset moves from one cell to
another.
82
Saturday, August 6, 2011 82

83. Dependencies
• You need mobility to support handover.
• You do not need handover to support
mobility.
• You need mobility to support roaming.
• You do not need handover to support
roaming.
• You do not need roaming to support
mobility.
83
Saturday, August 6, 2011 83

84. public IP
A Central network
OpenBTS Server
APs
B private IP
network
SIP switch PSTN
C subscriber registry
smqueue
Simple Mobility
84
Saturday, August 6, 2011 84

85. Good
• Leverages existing dynamic-host support
for SIP users.
• SIP core network needs no information
about the BTS units.
• RTP traffic can still be shortest-path
routing.
85
Saturday, August 6, 2011 85

86. Not So Good
• Handsets must register every time they
change cells.
• Central server is a central point of failure.
• Loss of backhaul shuts down a cell.
86
Saturday, August 6, 2011 86

87. 1A
public IP
1B S1 network
1C
SIP switch
private IP
OpenBTS subscriber registry network
CS
APs smqueue
2A SIP switch PSTN
subscriber registry
2B smqueue
S2
2C
SIP switch
subscriber registry
smqueue
Better Mobility
87
Saturday, August 6, 2011 87