The document provides an overview of various mobile communication network standards and technologies: [1] It defines key mobile network acronyms and standards including GSM, UMTS, AMPS, DECT, TETRA, ERMES, 802.11, Bluetooth, Inmarsat, and Teledesic. [2] It describes the technological development of mobile networks from analog to digital cellular networks to GSM and UMTS. Key milestones and frequency ranges are outlined. [3] Examples of mobile network providers in Germany including subscriber numbers for T-Mobile, Vodafone, and E-Plus are given for 2001-2003.

1. GSM (Global System for Mobile Communications): worldwide standard for
digital, cellular Mobile Radio Networks
UMTS (Universal Mobile Telecommunications System): European Standard
for future digital Mobile Radio Networks
AMPS (Advanced Mobile Phone System): analog Mobile Radio Networks in
USA
DECT (Digital Enhanced Cordless Telecommunications): European standard
for cordless phones
TETRA (Terrestrial Trunked Radio): European standard for circuit switched
radio networks
ERMES (European Radio Message System): European standard for radio
paging systems (Pager)
802.11: International standard for Wireless Local Networks
Bluetooth: wireless networking in close/local area
Inmarsat: geostationary satellite systems
Teledesic: planned satellite system on a non-geostationary orbit
Mobile Communication Networks: Examples
1

2. Used Acronyms
CT2: Cordless Telephone 2. Generation
HSCSD: High Speed Circuit Switched Data
GPRS: General Packet Radio Service
EDGE: Enhanced Data Rates for GSM Evolution
IMT2000: International Mobile Telecommunications by the year 2000
MBS: Mobile Broadband System
2

3. Mobile Radio Networks:
Overview

4. General technological development
in mobile telephony
before 1970 1970 1980 2000 2005
Analog
Networks...150Mhz
1990
Anal. cellular
Networks...450 Mhz
Anal. cellular
Networks...900 Mhz
Digital cellular
Networks...900 Mhz
Digital cellular
Networks...1800 Mhz
GSM Phase II+
UMTS
Satellite Systems (LEO)
Prognoses
Development of Mobile Radio
4

5. Correspondent data rates
1995 2000 2005 2010
10kbit/s GSM
HSCSD/
GPRS
EDGE
100kbit/s
1Mbit/s
10Mbit/s
UMTS
(pico cell)
UMTS
(macro cell)
DAB
Satelliten
DECT
(GEO)
Satellites (GEO)
5

6. Frequency Assignment
TETRA
380-400
410-430
NMT
453-457
463-467
CT2
864-868
CT1+
885-887 890-915
GSM900 CT1+
930-932
GSM900
935-960
TFTS (Pager, aircraft phones) GSM1800
1670-1675 1710-1785 1800-1805
TFTS
1805-1880
GSM1800 DECT
1880-1900 (1885-2025
2110-2200)
TETRA
450-470
(nationally different)
UMTS
IEEE 802.11b
2400-2483
HIPERLAN1
5176-5270
MHz
Bluetooth
2402-2480
HIPERLAN2
(ca.5200,5600)
WLAN
2412-2472
HomeRF...(approx.2400)
Circuit Switched Radio Mobile Phones Cordless Phones Wireless LANs
Notes: - 2,4 GHz license free, nationally different
- () written : Prognoses!
- today speech over license free frequencies up to
61Ghz -> interesting for high data rates
(ca.17000)
HIPER-Link
1GHz
500Mhz
TFTS - Terrestrial Flight Telephone
System
IEEE 802.11a: 5,15-5,25; 5,25-5,35; 5,725-5,825
6

7. GSM: Global System for Mobile
Communications

8. GSM: Properties
• cellular radio network (2nd Generation)
• digital transmission, data communication up to 9600 Bit/s
• Roaming (mobility between different net operators, international)
• good transmission quality (error detection and -correction)
• scalable (large number of participants possible)
• Security mechanisms (authentication, authorization, encryption)
• good resource use (frequency and time division multiplexing)
• integration within ISDN and fixed network
• standard (ETSI, European Telecommunications Standards Institute)
8

9. Providers in Germany (1)
• D1 T-Mobile
– subscribers: 24,6 Mio (Stand 2003)
• Vodafone D2
– old name: Mannesmann Mobilfunk D2
– subscribers: 22,7 Mio (Stand 2003)
• E-plus
• O2
– old name: VIAG Interkom
9

10. Providers in Germany (2)
Providers Subscribers, millions
2001 2002 2003 World-wide
by 2003
D1 T-Mobile 22,6 23,1 24,6 82
Vodafone D2 21,9 - 22,7 112,5
E-Plus - 7,5 - -
O2 VIAG
Interkom
- 3,66 - -

11. AuC Authentication Centre
BSS Base Station Subsystem
BSC Base Station Controller
BTS Base Transceiver Station
EIR Equipment Identity Register
HLR Home Location Register
MS Mobile Station
(G)MSC (Gateway) Mobile Switching Centre
OMC Operation and Maintenance Centre
PSTN Public Switched Telephone Network
VLR Visitor Location Register
ISDN Integrated Services Digital Network
Fixed network Switching Subsystems
VLR
Radio Subsystems
HLR AuC EIR
(G)MSC
OMC
BTS
BTS
BSC
BSS
MS
MS
Network Management
Call Management
Data
networks
PSTN/
ISDN
MS
GSM: structure

12. GSM: Structure
Operation and Maintenance Centre (OMC)
• logical, central structure with HLR, AuC und EIR
Authentication Centre (AuC)
• authentication, storage of symmetrical keys, generation of encryption
keys
Equipment Identity Register (EIR)
• storage of device attributes of allowed, faulty and jammed devices
(white, grey, black list)
Mobile Switching Centre (MSC)
• arrangement centre, partial as gateways to other nets, assigned to
one VLR each
Base Station Subsystem (BSS): technical radio centre
• Base Station Controller (BSC): control centre
• Base Transceiver Station (BTS): radio tower / antenna

13. 1 TDMA-Frame, 144 Bit in 4,615 ms
8 TDMA-channels, together 271 kBit/s inclusive
error protection information
124 radio frequency channels (carrier), each 200 kHz
2 frequency wavebands, for each 25 MHz, divided into radio cells
890
935
915 MHz
960 MHz
downlink
uplink
Radio technical structure
• One or several carrier frequencies per BSC
• Physical channels defined by number and position of time slots

14. GSM: protocols, incoming call
VLR
BSS
BSS MSC GMSC
HLR
BSS
BSS
(4)
(2)
(4)
(5)
(3)
(10)
(6)
(11)
(7)
(8)
(8)
(9)
(12)
(8)
(1)
(12)
(9)
(8)
PSTN/
ISDN
(1) Call from fixed network was switched via GMSC
(2) GMSC finds out HLR from phone number and transmits need of conversation
(3) HLR checks whether participant for a corresponding service is authorized and
asks for MSRN at the responsible VLR
(4) MSRN will be returned to GMSC, can now contact responsible MSC

15. GSM: protocols, incoming call
VLR
BSS
BSS MSC GMSC
HLR
BSS
BSS
(4)
(2)
(4)
(5)
(3)
(10)
(6)
(11)
(7)
(8)
(8)
(9)
(12)
(8)
(1)
(12)
(9)
(8)
PSTN/
ISDN
(5) GMSC transmits call to current MSC
(6) ask for the state of the mobile station
(7) Information whether end terminal is active
(8) Call to all cells of the Location Area (LA)
(9) Answer from end terminal
(10 - 12) security check and connection construction

16. GSM: protocols, outgoing call
VLR
BSS
BSS MSC GMSC
HLR
BSS
(5)
(3)
(4)
(2)
(1)
(1) Demand on connection
(2) Transfer by BSS
(3-4) Control for authorization
(5) Switching of the call demand to fixed net

17. GSM: channel strucure
Traffic Channel
• speech- / data channel (13 kbit/s brutto; differential encoding)
• units of 26 TDMA - Frames
• Half-rate traffic channel: for more efficient speech encoding with 7
kbit/s
Control Channel
• Signal information
• Monitoring of the BSCs for reconnaissance of Handover
Broadcast Control Channel
• BSC to MS (identity, frequency order etc.)
Random Access Channel
• Steering of channel entry with Aloha-procedure
Paging Channel
• signalize incoming calls

18. Databases
Home Location Register (HLR), stores data of participants, which are
reported in an HLR-area
– Semi-permanent data:
• Call number (Mobile Subscriber International ISDN Number) - MSISDN, e.g.
+49/171/333 4444 (country, net, call number)
• identity (International Mobile Subscriber Identity) - IMSI: MCC = Mobile
Country Code (262 for .de) + MNC = Mobile Network Code (01-D1, 02-
Vodafone-D2, 03-eplus, 07-O2) + MSIN = Mobile Subscriber Identification
Number
• Personal data (name, address, mode of payment)
• Service profile ( call transfer, Roaming-limits etc.)
– Temporary data:
• MSRN (Mobile Subscriber Roaming Number) (country, net, MSC)
• VLR-address, MSC-address
• Authentication Sets of AuC (RAND (128 Bit), SRES (128 Bit), KC (64Bit))
• charge data
18

19. Databases
Visitor Location Register (VLR)
• local database of each MSC with following data:
– IMSI, MSISDN
– service profile
– accounting information
– TMSI (Temporary Mobile Subscriber Identity) - pseudonym for data
security
– MSRN
– LAI (Location Area Identity)
– MSC-address, HLR-address
19

20. MSC-area = VLR-area
radio-
cell
with
BTS
Location Area (LA)
LA = smallest
addressable unit
Handover
GSM: mobile telephone areas
20

21. MSC-area
HLR
VLR
Location
area
advantage of the architecture:
Location Update at limited mobility,
as a rule only at VLR, rarely at
(perhaps far remote) HLR
Connection HLR, VLR
21

22. LA 5
LA 3
LA 2
LA 3
VLR 10 VLR 9
IMSI LA 2
HLR 26
32311 VLR 9 IMSI
participant call number
in HLR
country code number
net-entry code
Provider
+49 0177-26 32311
0x62F220 01E5
z.B.
Localization at GSM
22

23. Data transmission
• each GSM-channel configurable as a data channel; similar structure like ISDN-B and
-D-channels
• data rates up to 9600 bit/s now
• delay approximately 200 ms
• speech channels have as a rule higher priority as data channels
• kinds of channels:
– transparent (without error correction; however FEC; fixed data rate; error rate 10-3 up to
10-4)
– non-transparent (repeat of faulty data frames; very low error rate, but also less
throughput)
• Short-Message-Service (SMS)
– connectionless transmission (up to 160 Byte) on signal channel
• Cell Broadcast (CB)
– connectionless transmission (up to 80 Byte) on signal channel to all participants, e.g. one
cell
23

24. MSC
BSC
UDI
BTS
IWF
TA
ISDN
Modem
PSTN
Internet
Modem
IWF - Inter Working Function
UDI - Unspecified Digital
TA - Terminal Adapter
Data transmission - structure
24

25. Chip-card (Smart Cart) to personalize a mobile subscriber
(MS):
• IMSI (International Mobile Subscriber Identity)
• participant special symmetric key Ki, stored also at AuC
• algorithm “A3” for Challenge-Response-Authentication
• algorithm “A8” for key generation of Kc for content data
• PIN (Personal Identification Number) for entry control
Temporary data:
• TMSI (Temporary Mobile Subscriber Identity)
• LAI (Location Area Identification)
• Encryption key Kc
Security aspects: Subscriber Identity
Module (SIM)
25

26. Security in GSM-networks
SIM
• Entry control and cryptographic algorithms
Single-sided authentication (participant against network)
• Challenge-Response-method (cryptographic algorithm: A3)
Pseudonyms of participants at the Radio interface
• Temporary Mobile Subscriber Identity (TMSI)
Connection encoding on the Radio interface
• Key generation: A8
• Encryption: A5
26

27. Security aspects: Authentication
MSC, VLR, AuC
MS
Authentication Request
RAND (128 Bit)
Random number
generator
i
K
A3
SRES
SRES (32 Bit)
A3
i
K
Authentication Response
=
• Location Registration
• Location Update with VLR-change
• Call setup (in both directions)
• SMS (Short Message Service)
max. 128 Bit
27

28. Security aspects: Session Key
Netz
MS
Authentication Request
RAND (128 Bit)
Random number
generator
i
K
A8
A8
i
K
c
K 64 Bit
c
K
• Key generation: Algorithm A8
– Stored on SIM and in AuC
– with Ki parametric one way function
– no (Europe, world wide) standard
– can be determined by net operator
– Interfaces are standardized
– combination A3/A8 known as COMP128
28

29. Security aspects: encryption at the Radio
interface
Net
MS
Ciphering Mode Command
A5
A5
• Data encryption through algorithm A5:
– stored in the Mobile Station
– standardized in Europe and world wide
– weaker algorithm A5* or A5/2 for specific countries
c
K
c
K
TDMA-frame-
number
TDMA-frame-
number
Key block
+
Plain text block
+
Plain text block
Ciphering Mode Complete
Encrypted Text
114 Bit
29

30. GSM-Security: assessment
• cryptographic methods secret, so they are not „well
examined“
• symmetric procedure
– consequence: storage of user special secret keys with net
operators required
• low key length Ki with max. 128 Bit (could be hacked by using
Brute Force Attack in 8-12 hours)
• no mutual authentication intended
– consequence: Attacker can pretend a GSM-Net
• no end-to-end encryption
• no end-to-end authentication
• Key generation and -administration not controlled by the
participants
30

31. GPRS: General Packet Radio
Service
31

32. Properties
• Packet switching service (end- to- end)
• Data rates up to 171,2 kbit/s (theoretical)
• Effective and flexible administration of the radio interface
• adaptive channel encoding
• Internetworking with IP- and X.25 nets standardized
• dynamic sharing of resources with „classical“ GSM speech
services
• Advantage: Billing and Accounting according to data volume
• Disadvantage: cost intensive additional net hardware
necessary
32

33. Properties
– point-to-point-Packet transfer service
• PTP-CONS (PTP Connection oriented Network Service)
– connection oriented, similar to X.25
• PTP- CLNS (PTP Connectionless Network Service)
– connectionless, similar to IP
– point- to- multipoint
- group communication
33

34. MSC
BSC
BTS
Internet
GPRS: Structure
HLR
GSM
GPRS Backbone
Frame Relay / ATM
GGSN
GGSN
SGSN
Border
Gateway
GPRS Nets
other operators
other packet
switching
networks
SGSN - Serving GPRS Support Node
GGSN - Gateway GPRS Support Node
signalization data
user data 34

35. GMSC
Circuit switched traffic
HLR/AuC
GPRS register
MAP
MAP
A
GGSN
GPRS: Changes
Abis
Gb
Gn
Gi
other packet
switching
networks
public
remote fixed nets
Packet arranged
traffic
Gs
Um
n time slots (TCH) per
TDMA frame
(theoretically max. 8)
per packet!
modified network components
new components or extensively modified components
Existing components
PCU - Packet Control Unit
SGSN
MSC
BSC
BTS
PCU
35

36. SGSN:
- mobility management
- session management
- QoS
- security
External Data Domain
Intranet
SGSN
HLR
Internet
MAP
Signalization
(SGSN)
Tasks: SGSN, GGSN
BSS
PCU
BSS
PCU
BSS
PCU
Client
GGSN
Client
Server
MAP
Signalization
(GGSN)
SGSN, GGSN:
- Routing
- Signalization
- Resource management
SGSN
36

37. Tasks of the SGSN
• Packet delivery
• mobility management
– apply/ sign off of terminals
– localization
• LLC (Logical Link Control) management
• authentication
• billing
37

38. Tasks of the GGSN
• mediator between GPRS backbone and
external data networks (Internet, X-25 etc.)
• converts GPRS packets, data Protocol (PDP)
into the corresponding structure
• also converts PDP addresses of incoming
packets into GSM address of the receiver
• saves current data for the SGSN address of the
participant as well as their profile and data for
authentication and invoice
38

39. Radio Link Control (RLC)
• Segmentation of the LLC-Frames in RLC blocks
• Block size dependent on short-term channel conditions
• Backward error correction and data flow control by
Automatic Repeat Request (ARQ) protocol
– repeating not repairable RLC blocks selectively
Medium Access Control ( MAC)
• Channel reservation contains:
- one/several time slots (Packet Data Channels PDCH) of
one
frequency
– one uplink status flag (USF) per Packet Data Channel (PDCH),
channel partition of up to 8 ms
GPRS: air interface
39

40. Medium Access Control ( MAC)
• Reservation in the uplink (MS to BSS):
• MS sends reservation request on a Random Access
Channel (Slotted ALOHA)
– BTS allocates a (split) channel and sends packet assignment
– MS sends data depending on the current priority (USF flag)
• Reservation in the Downlink (BSS to MS):
– BTS displays transmitting request and informs about the reserved channel
– MS supervises the reserved channel and receives
GPRS: air interface
40

41. Physical Link Control
• adaptive forward error correction (FEC) dependent on short-term
channel conditions
• temporal scrambling (Interleaving) of the bursts and Mapping on
reserved PDCH (Packet Data Channel)
• procedure to recognize overbooking situations on the physical
channel
GPRS: air interface
GPRS Channel Encoding
Scheme Code
Rate
Payload BCS Pre-
coded
USF
Tail bits Coded
bits
Punctured
bits
Data
rate
(kbit/s)
CS-1 1/2 181 40 3 4 456 0 9.05
CS-2 ~ 2/3 268 16 6 4 588 132 13.4
CS-3 ~ 3/4 312 16 6 4 676 220 15.6
CS-4 1 428 16 12 0 456 0 21.4
41

42. Quality of Service
• QoS profile agrees service parameters inside the whole network
• Agreed for the duration of one PDP (Packet Data Protocol) context
(session, end terminal is obtainable for the duration of the context,
e.g. obtainable over Internet ) :
– temporary address (IP) for mobile station
– tunneling information, among others GGSN, which is used for access to
corresponding packet arranged network
– type of the connection
– QoS profile
• QoS profile commits:
– precedence class, priority against other services (high, normal, low)
– packet delay class, times are valid for traffic inside the GPRS- network
– reliability class
– peak throughput class
– mean throughput class
42

43. Quality of Service
Size 128 octets 1024 octets
Class Mean Delay 95% Delay Mean Delay 95% Delay
1 (predictive) < 0,5 s < 1,5 s < 2 s < 7 s
2 (predictive) < 5 s < 25 s < 15 s < 75 s
3 (predictive) < 50 s < 250 s < 75 s < 375 s
4 (best effort) Best effort
Probability for
Class Lost packet
Duplicated
packet
Out of
Sequence
packet
Corrupted
packet
1 10
-9
10
-9
10
-9
10
-9
2 10
-4
10
-5
10
-5
10
-6
3 10
-2
10
-5
10
-5
10
-2
Packet delay classes
Security classes
43

44. Quality of Service
GPRS- using data rates
Coding # of timeslots
Scheme 1 2 3 4 5 6 7 8
CS-1 9,05 18,1 27,15 36,2 45,25 54,3 63,35 72,4
CS-2 13,4 26,8 40,2 53,6 67 80,4 93,8 107,2
CS-3 15,6 31,2 46,8 62,4 78 93,6 109,2 124,8
CS-4 21,4 42,8 64,2 85,6 107 128,4 149,8 171,2
• CS 3 and CS 4 are only reasonable in the second phase of GPRS
introduction
• They will be used adaptively at corresponding good quality of radio
connection
• CS 4 does not comprise error correction, code rate = 1!
44

45. Assessment of GPRS
+ An up to 4 times higher data rate in comparison to ordinary GSM- data
services
+ better resource management through packet arranged service
+ „always on” data service (email, etc.)
+ GPRS is a more suitable carrier for services like WAP
- IP-derivate, no true guaranties (QoS)
- development of the network infrastructure is relatively expensive,
particularly regarding introduction to UMTS (return of investment)
- GPRS doesn’t give such data rates like advertising has sometimes
promised
45

46. 9.6 kbit/s
Data
rate
26.4 kbit/s
13.2 kbit/s
HSCSD
Channel
packing,
NT
39.6 kbit/s
CS 1
GPRS
Packet
arranged
9 kbit/s
18.1 kbit/s
27.2 kbit/s
13.4 kbit/s
26.8 kbit/s
40.2 kbit/s
CS 2
Development of the GSM-data services
flow
46

47. Enhanced Services - EMS (enhanced message
service)
• Uses widespread existing infrastructure (SMS)
• new Mobile telephones necessary
• allows sending and receiving of messages with formatted texts, melodies,
graphics (32 x 32 Pixel) and animations (16 x 16 Pixel) – e.g. NOKIA
• new applications like Mobile Ticketing
• tickets will be transferred to mobile phone like a bar code and checked at
the admission
• EMS enables transition to MMS (multimedia messaging service), which
allows transmission of multimedia enriched messages over UMTS-
Network (photos, parts of videos)
• MMS requires new network elements in the Infrastructure of the
operators
47

48. MMS - architecture
. . .
MMS
Relay
MMS User
Agent
MMS User
Databases
MMS Server
(e.g. E-Mail)
MMS Server
(other service)
alien MMS
Relay
SMTP
LDAP GSM-MAP or IS-
41-MAP or TCP/IP
SMTP, HTTP,
POP3, IMAPv4
WAP or MExE
(e.g. Java and TCP/IP)
HLR
MMS Server
(e.g. Fax)
Based on materials from 3GPP, http://www.3gpp.org
48

49. 49
IMT-2000
• IMT-2000 stands for
IMT: International Mobile Communications
2000: the frequency range of 2000 MHz and the year 2000
• In total, 17 proposals for different IMT-2000 standards were submitted by
regional SDOs to ITU in 1998. 11 proposals for terrestrial systems and 6 for
mobile satellite systems (MSSs).
• All 3G standards have been developed by regional standard developing
organizations (SDOs).
• Evaluation of the proposals was completed in 1998, and negotiations to build
a consensus among different views were completed in mid 1999. All 17
proposals have been accepted by ITU as IMT-2000 standards. The specification
for the Radio Transmission Technology (RTT) was released at the end of 1999.

50. 50
IMT-2000
• The (IMT-2000), consists of 3 operating modes based on Code
Division Multiple Access (CDMA) technology.
• 3G CDMA modes are most commonly known as:
– CDMA2000,
– WCDMA (called UMTS) and
– TD-SCDMA
(Time Division-Synchronous Code Division Multiple Access)

51. 51
High-Speed Packet Data Services
• 2 Mbps in fixed or in-building environments (very
short distances, in the order of metres)
• 384 kbps in pedestrian or urban environments
• 144 kbps in wide area mobile environments
• Variable data rates in large geographic area systems
(satellite)

52. 52

53. 53
Network Elements from UMTS
UMTS differs from GSM Phase 2+ (GSM +GPRS) mostly in the new principles for
the air interface transmission
WCDMA instead of TDMA/FDMA
Therefore a new RAN (Radio Access Network) called:
UTRAN (UMTS Terrestrial Radio Access Network) must be
introduced with UMTS
Only minor modifications are needed in the CN (Core Network) to
accommodate the change

54. 54
UTRA: UMTS Terrestrial Radio Access
The most significant change in REL. ´99 was the “UTRAN”, a W-CDMA radio interface
for land-based communications.
UTRAN supports time (TDD) and frequency division duplex (FDD).
The TDD mode is optimized for public micro and pico cells and unlicensed cordless
applications.
The FDD mode is optimized for wide-area coverage, i.e. public macro and micro cells.
Both modes offer flexible and dynamic data rates up to 2 Mbps.

55. 55
UMTS architecture
UTRAN (UTRA NETWORK)
• Radio Network Subsystem (RNS)
UE (User Equipment)
CN (Core Network)
Uu Iu
CN
UTRAN
UE

56. GSM Evolution to 3G
GSM
9.6kbps (one timeslot)
GSM Data
Also called CSD
GSM
General Packet Radio Services
Data rates up to ~ 115 kbps
Max: 8 timeslots used as any one time
Packet switched; resources not tied up all the time
Contention based. Efficient, but variable delays
GSM / GPRS core network re-used by WCDMA
(3G)
GPRS
HSCSD
High Speed Circuit Switched Data
Dedicate up to 4 timeslots for data connection ~ 50
kbps
Good for real-time applications c.w. GPRS
Inefficient -> ties up resources, even when nothing
sent
Not as popular as GPRS (many skipping HSCSD)
EDGE
Enhanced Data Rates for Global Evolution
Uses 8PSK modulation
3x improvement in data rate on short distances
Can fall back to GMSK for greater distances
Combine with GPRS (EGPRS) ~ 384 kbps
Can also be combined with HSCSD
WCDMA

57. UMTS
• Universal Mobile Telecommunications System
(UMTS)
• UMTS is an upgrade from GSM via GPRS or EDGE
• The standardization work for UMTS is carried out
by Third Generation Partnership Project (3GPP)
• Data rates of UMTS are:
– 144 kbps for rural
– 384 kbps for urban outdoor
– 2048 kbps for indoor and low range outdoor
• Virtual Home Environment (VHE)

58. UMTS Frequency Spectrum
• UMTS Band
– 1900-2025 MHz and 2110-2200 MHz for 3G
transmission
– In the US, 1710–1755 MHz and 2110–2155 MHz will
be used instead, as the 1900 MHz band was already
used.

59. UMTS Architecture
SD
Mobile Station
MSC/
VLR
Base Station
Subsystem
GMSC
Network Subsystem
AUC
EIR HLR
Other Networks
Note: Interfaces have been omitted for clarity purposes.
GGSN
SGSN
BTS
BSC
Node
B
RNC
RNS
UTRAN
SIM
ME
USIM
ME
+
PSTN
PLMN
Internet

60. UMTS Network Architecture
• UMTS network architecture consists of three
domains
– Core Network (CN): Provide switching, routing and
transit for user traffic
– UMTS Terrestrial Radio Access Network (UTRAN):
Provides the air interface access method for user
equipment.
– User Equipment (UE): Terminals work as air interface
counterpart for base stations. The various identities
are: IMSI, TMSI, P-TMSI, TLLI, MSISDN, IMEI, IMEISV

61. UTRAN
• Wide band CDMA technology is selected for UTRAN air
interface
– WCDMA
– TD-SCDMA
• Base stations are referred to as Node-B and control
equipment for Node-B is called as Radio Network Controller
(RNC).
– Functions of Node-B are
• Air Interface Tx/Rx
• Modulation/Demodulation
– Functions of RNC are:
• Radio Resource Control
• Channel Allocation
• Power Control Settings
• Handover Control
• Ciphering
• Segmentation and reassembly

62. 62
UTRAN
Two new network elements
are introduced in UTRAN
• RNC
• Node B
UTRAN is subdivided into
individual radio network
systems (RNSs), where
each RNS is controlled by
an RNC.
The RNC is connected to
a set of Node B elements,
each of which can serve
one or several cells.

63. UTRAN architecture
UTRAN comprises several RNSs
Node B can support FDD or TDD or
both
RNC is responsible for handover
decisions requiring signaling to the
UE
Cell offers FDD or TDD
RNC: Radio Network Controller
RNS: Radio Network Subsystem
Node B
Node B
RNC
Iub
Node B
UE1
RNS
CN
Node B
Node B
RNC
Iub
Node B
RNS
Iur
Node B
UE2
UE3
Iu

64. 64
UTRAN functions
• Admission control
• Congestion control
• Radio channel encryption
• Handover
• Radio network configuration
• Channel quality measurements
• Radio resource control
• Data transmission over the radio interface
• Outer loop power control (FDD and TDD)
• Channel coding

65. Core network
BTS
Node B
BSC
Abis
BTS
BSS
MSC
Node B
Node B
RNC
Iub
Node B
RNS
Node B
SGSN GGSN
GMSC
HLR
VLR
IuPS
IuCS
Iu
CN
EIR
Gn
Gi
PSTN
AuC
GR
The Core Network (CN) and the Interface Iu, are separated into two logical domains:
Circuit Switched Domain (CSD)
• Circuit switched service incl. signaling
• Resource reservation at connection setup
• GSM components (MSC, GMSC, VLR)
• IuCS
Packet Switched Domain (PSD)
• GPRS components (SGSN, GGSN)
• IuPS

66. Access method CDMA
•CDMA (Code Division Multiple Access)
– all terminals send on the same frequency probably at
the same time and can use the whole bandwidth of
the transmission channel
– each sender has a unique random number, the sender
XORs the signal with this pseudo random number
– the receiver can “tune” into this signal if it knows the
pseudo random number, tuning is done via a
correlation function

67. GSM/GPRS network architecture
GSM/GPRS core network
Radio access network
BSS
database
IP Backbone
Internet
PSTN,
ISDN
BTS
BTS
BSC
MSC
VLR
SGSN
GMSC
HLR
AuC
EIR
GGSN
MS
PCU

68. 3GPP Rel.’99 network architecture
Core network (GSM/GPRS-based)
Radio access network
UTRAN
UE
Iu CS
Iur
Iub
Uu
Gn
Iu PS
database
IP Backbone
Internet
PSTN
BS
BS
RNC
RNC
MSC
VLR
SGSN
GMSC
HLR
AuC
EIR
GGSN
Iub

69. 3GPP Rel.’99 network architecture
Radio access network
UTRAN
UE Iur
Iub
Uu
BS
BS
RNC
RNC
Iub
2G => 3G MS => UE (User
Equipment), often also called (user)
terminal
New air (radio) interface based on
WCDMA access technology
New RAN architecture
(Iur interface is available for soft
handover,
BSC => RNC)

70. 3GPP Rel.’99 network architecture
Core network (GSM/GPRS-based)
Iu CS
Gn
Iu PS
IP Backbone
Internet
PSTN
MSC
VLR
SGSN
GMSC
HLR
AuC
EIR
GGSN
Changes in the core
network:
MSC is upgraded to 3G MSC
SGSN is upgraded to 3G
SGSN
GMSC and GGSN remain the
same
AuC is upgraded (more
security features in 3G)

71. 3GPP Rel.4 network architecture
Circuit Switched (CS) core
network
UTRAN
(UMTS Terrestrial Radio
Access Network)
PSTN
MSC
Server
New option in Rel.4:
GERAN
(GSM and EDGE Radio
Access Network)
PS core as in Rel.’99
GMSC
Server
SGW
MGW
SGW
MGW

72. 3GPP Rel.4 network architecture
Circuit Switched (CS) core
network
PSTN
MSC
Server
PS core as in Rel.’99
GMSC
Server
SGW
MGW
SGW
MGW
MSC Server takes care of call
control signalling
The user connections are set up
via MGW (Media GateWay)
“Lower layer” protocol
conversion in SGW (Signalling
GateWay)
RANAP / ISUP
SS7 MTP IP Sigtran

73. 3GPP Rel.5 network architecture
CS core
PSTN
SGSN GGSN
MGW
Internet
HSS
IMS (IP
Multimedia
System)
PS core
UTRAN
(UMTS Terrestrial Radio
Access Network)
GERAN
(GSM and EDGE Radio
Access Network)
New core
network part:

74. 3GPP Rel.5 network architecture
CS core
PSTN
SGSN GGSN
Internet
/
other
IMS
HSS
PS core
The IMS can establish
multimedia sessions (using IP
transport) via PS core between
UE and Internet (or another
IMS)
Call/session control using SIP
(Session Initiating Protocol)
Interworking with the PSTN
may be required for some time
...
IMS (IP
Multimedia
System)
MGW

75. UMTS protocol stacks (user plane)
apps. &
protocols
MAC
radio
MAC
radio
RLC SAR
Uu
IuCS
UE UTRAN 3G
MSC
RLC
AAL2
ATM
AAL2
ATM
SAR
apps. &
protocols
MAC
radio
MAC
radio
PDCP GTP
Uu IuPS
UE UTRAN 3G
SGSN
RLC
AAL5
ATM
AAL5
ATM
UDP/IP
PDCP
RLC UDP/IP UDP/IP
Gn
GTP GTP
L2
L1
UDP/IP
L2
L1
GTP
3G
GGSN
IP, PPP,
…
IP, PPP,
…
IP tunnel
Circuit
switched
Packet
switched

76. Evolution : From 2G to 3G
76
• Fully specified and world-widely valid,
Major interfaces should be standardized and open.
• Supports multimedia and all of its components.
• Wideband radio access.
• Services must be independent from radio access technology
and is not limited by the network infrastructure.
Primary Requirements of a 3G Network

77. Standardization of WCDMA / UMTS
Multiple Access Method DS-CDMA
Duplexing Method FDD/TDD
Base Station Synchronization Asychronous Operation
Channel Separation 5MHz
Chip Rate 3.84 Mcps
Frame Length 10 ms
Service Multiplexing Multiple Services with different QoS
Requirements Multiplexed on one
Connection
Multirate Concept Variable Spreading Factor and
Multicode
Detection Coherent, using Pilot Symbols or
Common Pilot
Multiuser Detection, Smart
Antennas
Supported by Standard, Optional in
Implementation
77
WCDMA Air Interface, Main Parameters

78. 78
UMTS System Architecture
USIM
ME
Node B
Node B
RNC
Node B
Node B
RNC
MSC/
VLR
GMSC
SGSN GGSN
HLR
UTRAN CN
UE
External
Networks
Cu
Uu Iu
Iub
Iur

79. 79
UMTS QoS Classes
Traffic class Conversational
class
Streaming
class
Interactive
class
Background
Fundamental
characteristics
Preserve time
relation between
information
entities of the
stream
Conversational
pattern (stringent
and low delay)
Preserve time
relation
between
information
entities of the
stream
Request
response
pattern
Preserve data
integrity
Destination is
not expecting
the data within
a certain time
Preserve data
integrity
Example of the
application
Voice,
videotelephony,
video games
Streaming
multimedia
Web browsing,
network games
Background
download of
emails

80. Codes in WCDMA
• Channelization Codes (=short code)
– Used for
• channel separation from the single source in downlink
• separation of data and control channels from each other in the uplink
– Same channelization codes in every cell / mobiles and therefore the additional
scrambling code is needed
• Scrambling codes (=long code)
– Very long (38400 chips = 10 ms =1 radio frame), many codes available
– Does not spread the signal
– Uplink: to separate different mobiles
– Downlink: to separate different cells
– The correlation between two codes (two mobiles/Node Bs) is low
• Not fully orthogonal

81. 81
UTRAN UE UTRAN CN
Node B
Node B
RNC
Node B
Node B
RNC
Iub
Iur
UTRAN
RNS
RNS
 Two Distinct Elements :
Base Stations (Node B)
Radio Network Controllers (RNC)
 1 RNC and 1+ Node Bs are group together
to form a Radio Network Sub-system (RNS)
 Handles all Radio-Related Functionality
 Soft Handover
 Radio Resources Management Algorithms
 Maximization of the commonalities of the
PS and CS data handling
UMTS Terrestrial Radio Access Network, Overview

82. 82
UTRAN UE UTRAN CN
Node B
Node B
RNC
Logical Roles of the RNC
Controlling RNC (CRNC)
Responsible for the load and
congestion control of its own cells
CRNC
Node B
Node B
SRNC
Serving RNC (SRNC)
Terminates : Iu link of user data,
Radio Resource Control Signalling
Performs : L2 processing of data
to/from the radio interface, RRM
operations (Handover, Outer Loop
Power Control)
Drift RNC (DRNC)
Performs : Macrodiversity
Combining and splitting
Node B
Node B
DRNC
Node B
Node B
SRNC
Node B
Node B
DRNC
UE
UE
Iu
Iu
Iu
Iu
Iur
Iur

83. 83
Core Network UE UTRAN CN
MSC/
VLR
GMSC
SGSN GGSN
HLR
External
Networks
Iu-cs
Core Network, Release ‘99
 CS Domain :
 Mobile Switching Centre (MSC)
 Switching CS transactions
 Visitor Location Register (VLR)
 Holds a copy of the visiting user’s
service profile, and the precise info
of the UE’s location
 Gateway MSC (GMSC)
 The switch that connects to
external networks
 PS Domain :
 Serving GPRS Support Node (SGSN)
 Similar function as MSC/VLR
 Gateway GPRS Support Node (GGSN)
 Similar function as GMSC
 Register :
 Home Location Register (HLR)
 Stores master copies of
users service profiles
 Stores UE location on the
level of MSC/VLR/SGSN
Iu-ps

84. Radio Resources Management
84
• Network Based Functions
– Admission Control (AC)
• Handles all new incoming traffic. Check whether new connection can be admitted to the system and
generates parameters for it.
– Load Control (LC)
• Manages situation when system load exceeds the threshold and some counter measures have to be
taken to get system back to a feasible load.
– Packet Scheduler (PS)
• Handles all non real time traffic, (packet data users). It decides when a packet transmission is initiated
and the bit rate to be used.
• Connection Based Functions
– Handover Control (HC)
• Handles and makes the handover decisions.
• Controls the active set of Base Stations of MS.
– Power Control (PC)
• Maintains radio link quality.
• Minimize and control the power used in radio interface, thus maximizing the call capacity.
Source : Lecture Notes of S-72.238 Wideband CDMA systems, Communications Laboratory, Helsinki University of Technology

85. 85
Connection Based Function
Power Control
 Prevent Excessive Interference and
Near-far Effect
 Open-Loop Power Control
 Rough estimation of path loss from
receiving signal
 Initial power setting, or when no
feedback channel is exist
 Fast Close-Loop Power Control
 Feedback loop with 1.5kHz cycle to
adjust uplink / downlink power to its
minimum
 Even faster than the speed of
Rayleigh fading for moderate mobile
speeds
 Outer Loop Power Control
 Adjust the target SIR setpoint in base
station according to the target BER
 Commanded by RNC
Fast Power Control
If SIR < SIRTARGET, send
“power up” command to
MS
Outer Loop Power Control
If quality < target, increases
SIRTARGET

86. 86
Connection Based Function
Handover
 Softer Handover
 A MS is in the overlapping coverage
of 2 sectors of a base station
 Concurrent communication via 2 air
interface channels
 2 channels are maximally combined
with rake receiver
 Soft Handover
 A MS is in the overlapping coverage
of 2 different base stations
 Concurrent communication via 2 air
interface channels
 Downlink: Maximal combining with
rake receiver
 Uplink: Routed to RNC for selection
combining, according to a frame
reliability indicator by the base station
 A Kind of Macrodiversity

87. UMTS bearer service architecture
TE MT UTRAN CN Iu
edge node
TE
CN
gateway
End-to-end service
UMTS bearer service
Radio access bearer service CN b.s.
Local b.s. Ext. b.s.
Radio b.s. Iu b.s. Backbone
Radio Access Bearer
Radio Bearer
UE Core network

88. What is a bearer?
Bearer: a bearer capability of defined capacity, delay and bit error rate, etc. (as
defined in 3GPP specs.)
Bearer is a flexible concept designating some kind of ”bit pipe”
 at a certain network level (see previous slide)
 between certain network entities
 with certain QoS attributes, capacity, and traffic
flow characteristics
Four UMTS QoS Classes
 conversational, streaming, interactive, background

89. UMTS QoS (service) classes
Conversational Streaming Interactive Background
low delay
low delay variation
video
telephony/
conferencing
speech
video streaming
audio streaming
low round-trip delay
www applications
delay is not critical
store-and- forward
applications
(e-mail, SMS)
file transfer
reasonably low
delay
basic applications
basic QoS requirements

90. Four UMTS QoS (service) classes
Conversational Streaming Interactive Background
• speech (using AMR = Adaptive Multi-Rate speech coding)
• video telephony / conferencing:
ITU-T Rec. H.324 (over circuit switched connections)
ITU-T Rec. H.323 or IETF SIP (over packet switched connections)
• low delay (< 400 ms) and low delay variation
• BER requirements not so stringent
• in the radio network => real-time (RT) connections

91. Adaptive Multi-Rate coding
kbit/s
12.2 (= GSM EFR)
10.2
7.95
7.40 (= US TDMA)
6.70 (= PDC EFR)
5.90
5.15
4.75
Adaptive
<=>
During the call, the
AMR bit rate can be
changed, using the
values at the right
EFR = Enhanced Full
Rate
Codec negotiation between
transcoders
<=>

92. Transcoding
UE MSC GMSC User B
TC
Transcoder (AMR/PCM) should be located as far as possible to the right
(transmission capacity savings)
TC
Transcoding should be avoided altogether (better signal quality)
TFO = Tandem Free Operation (2G)
TrFO = Transcoder Free Operation (3G)
(possible only if same coding is used at both ends of
connection)
(e.g. in PSTN)

93. Four UMTS QoS (service) classes
Conversational Streaming Interactive Background
• video streaming
• audio streaming
• reasonably low delay and delay variation
• BER requirements quite stringent
• traffic management important (variable bit rate)
• in the radio network => real-time (RT) connections
UE Source
video or audio information is buffered in the UE,
large delay => buffer is running out of content!
Buffer

94. Four UMTS QoS (service) classes
Conversational Streaming Interactive Background
• web browsing
• interactive games
• location-based services (LCS)
• low round-trip delay (< seconds)
• delay variation is not important
• BER requirements stringent
• in the radio network => non-real-time (NRT) connections

95. Four UMTS QoS (service) classes
Conversational Streaming Interactive Background
• SMS (Short Message Service) and other more advanced
messaging services (EMS, MMS)
• e-mail notification, e-mail download
• file transfer
• delay / delay variation is not an important issue
• BER requirements stringent
• in the radio network => non-real-time (NRT) connections

96. UMTS protocols
Different protocol stacks for user and control plane
User plane (for transport of user data):
Circuit switched domain: data within ”bit pipes”
Packet switched domain: protocols for implementing various QoS or traffic
engineering mechanisms
Control plane (for signalling):
Circuit switched domain: SS7 based (in core network)
Packet switched domain: IP based (in core network)
Radio access network: UTRAN protocols

97. Data streams
RLC
MAC
Phys.
UE UTRAN 3G MSC GMSC
Uu Iu Gn
User plane protocol stacks (CS domain)
RLC
MAC
Phys.
WCDMA
TDM
Frame Protocol (FP)
AAL2
ATM
Phys.
AAL2
ATM
Phys.
TDM

98. User plane protocol stacks (PS domain)
PDCP
RLC
GTP
UDP
IP
GTP
UDP
IP
IP IP
GTP
UDP
PDCP
RLC
MAC
Phys.
MAC
Phys.
AAL5
ATM
Phys.
AAL5
ATM
Phys.
IP
L2
L1
GTP
UDP
IP
L2
L1
UE UTRAN SGSN GGSN
Uu Iu Gn
WCDMA

99. Uu (air, radio) interface protocols
PHY
MAC
RLC
RRC
Signalling
radio bearers
(User plane)
radio bearers
e.g. MM, CC, SM
transparent to UTRAN
Logical channels
Transport channels
PDCP
L3
L2
L1

100. Main tasks of Uu interface protocols
MAC (Medium Access Control):
 Mapping between logical and transport channels
 Segmentation of data into transport blocks
RLC (Radio Link Control):
 Segmentation and reassembly
 Link control (flow & error control)
 RLC is often a transparent layer
PDCP (Packet Data Convergence Protocol):
 IP packet header compression (user plane only)

101. Main tasks of RRC protocol
Over the air interface, Radio Resource Control (RRC) messages carry all the
relevant information required for setting up a Signalling Radio Bearer (during
the lifetime of the RRC Connection) and setting up, modifying, and releasing
Radio Bearers between UE and UTRAN (all being part of the RRC Connection).
RRC also participates in the co-ordination of other Radio Resource
Management (RRM) operations, such as measurements and handovers.
In addition, RRC messages may carry in their payload higher layer signalling
information (MM, CC or SM) that is not related to the air interface or UTRAN.

102. General protocol model for UTRAN
Radio
Network
Layer
Transport
Network
Layer
Control Plane User Plane
Transport Netw.
Control Plane
Application
Protocol
Data Stream(s)
Signalling
Bearer(s)
Protocol
Data Bearer(s)
Transport Netw.
User Plane
Transport Netw.
User Plane
Signalling
Bearer(s)
Physical Layer

103. Control Plane (Iub, Iur and Iu interfaces)
Radio Network Layer: application protocols (NBAP, RNSAP and RANAP) are
used for the actual signalling between base stations, RNC and core network.
Transport Network Layer: signalling bearer for the transport of application
protocol messages is set up by O&M actions (i.e. on a permanent basis).
Transport Network Control Plane
A signalling bearer (set up by O&M actions) carries a protocol which is used
only for the task of setting up data bearers (e.g. AAL 2 connections).

104. User Plane (Iub, Iur and Iu interfaces)
The User Plane is employed for transport of
 user information (speech, video, IP packets ...)
 RRC signalling messages (Iub, Iur)
 higher-layer protocol information at Iu interface
(if not carried by RANAP).
User plane data is carried by data bearers which use AAL 5 in case of Iu PS
and AAL 2 in all other cases.
User data streams are packed in frame protocols (FP) which are used for
framing, error & flow control, and carrying of parallel data flows that form
the user data signal (e.g. AMR encoded speech).

105. Protocol structure at Iub interface
Radio
Network
Layer
Transport
Network
Layer
Control Plane
Transport Netw.
Control Plane
NBAP
Transport Netw.
User Plane
Transport Netw.
User Plane
Q.2630.1
Convergence
Protocols
AAL 5
Conv. Pr.
AAL 5 AAL 2
ATM
Physical Layer
RRC Data
RLC
MAC
Frame Protocol

106. Control Plane
Transport Netw.
Control Plane
RNSAP
Transport Netw.
User Plane
Transport Netw.
User Plane
Q.2630.1
Convergence
Protocols
AAL 5
Conv. Pr.
AAL 5 AAL 2
ATM
Physical Layer
Protocol structure at Iur interface
Radio
Network
Layer
Transport
Network
Layer
RRC Data
RLC
MAC
Frame Protocol

107. Radio
Network
Layer
Transport
Network
Layer
Control Plane User Plane
Transport Netw.
Control Plane
RANAP
Transport Netw.
User Plane
Transport Netw.
User Plane
Q.2630.1
Convergence
Protocols
AAL 5
Conv. Pr.
AAL 5
CS Channel
Iu UP
AAL 2
ATM
Physical Layer
Protocol structure at Iu CS interface

108. Radio
Network
Layer
Transport
Network
Layer
Control Plane User Plane
Transport Netw.
Control Plane
RANAP
Transport Netw.
User Plane
Convergence
Protocols
AAL 5
IP Application
Protocol structure at Iu PS interface
GTP
UDP
IP
AAL 5
ATM
Physical Layer
Iu UP

109. Application protocols in UTRAN
Iub interface (between RNC and base station)
NBAP (Node B Application Part)
Iur interface (between Serving RNC and Drift RNC)
RNSAP (Radio Network Subsystem Application Part)
- Link management for inter-RNC soft handover
Iu interface (between RNC and core network)
RANAP (Radio Access Network Application Part)
- Radio Access Bearer (RAB) management
- SRNS Relocation
- Transfer of higher-level signalling messages

110. Serving RNC and Drift RNC in UTRAN
Core network
Iu
Iur
Iub
Iub
DRNC
SRNC
UE
BS
BS
RNC
RNC
Concept needed for:
Soft handover between base stations belonging to different RNCs

111. Serving RNS (SRNS) Relocation
RNS = Radio Network Sub-system =
RNC + all base stations controlled by this RNC
SRNS Relocation means that the Serving RNC functionality is
transferred from one RNC (the “old” SRNC) to another (the “new”
SRNC, previously a DRNC) without changing the radio resources and
without interrupting the user data flow.
RANAP provides the signalling facilities over the two Iu interfaces
involved (Iu interfaces to “old” and “new” SNRC) for performing SRNC
Relocation in a co-ordinated manner.

112. SRNS Relocation (cont.)
Core network
Iu
Iur
Iub
Iub
DRNC
SRNC
UE
BS
BS
RNC
RNC Iu
SRNC
SRNC provides: 1) connection to core network
2) macrodiversity combining point

113. Soft handover concept
Iu
Iur
Iub
Iub
DRNC
SRNC
UE
BS
BS
RNC
RNC
Leg 1
Leg 3
Signal
combining
point is in
SRNC
(downlink: in
UE)
BS Leg 2
Legs 1 and 2: Iur interface is not needed
Leg 3 is added: Iur interface is needed!
Core network

114. Micro- / macrodiversity combining
Iu
Iur
Iub
Iub
DRNC
SRNC
UE
BS
BS
RNC
RNC
Macrodiversity combining
point in SRNC
Core network
Rake receiver
Multipath
propagation
Microdiversity combining point in base station
(uplink)

115. Micro- / macrodiversity combining
Microdiversity combining: multipath signal components are processed
in Rake “fingers” and combined (= summed) using MRC
(MRC = Maximum Ratio Combining)
Macrodiversity combining: the same bit sequences (with different bit
error positions) are combined at the SRNC (usually: selection
combining).
Hard handover: slow (a lot of signalling)
Soft handover: fast selection in SRNC
(uplink)

116. Radio Access Bearer (RAB) establishment
RAB assignment request
RAB assignment complete
RAB is configured to be used over
existing Radio Link(s)
(RANAP signaling)
UE BS RNC
(RRC signaling)
Core network

117. Signalling between UE and core network
UE BS RNC MSC or
SGSN
RRC RANAP
NAS signalling messages (NAS = Non Access Stratum = “not related to
UTRAN”) are sent transparently through UTRAN in the payload of
RRC/RANAP protocol messages

118. Security in UMTS
GSM UMTS
SIM authentication
(PIN code)
User authentication
Ciphering (air interface)
Signalling data integrity
IP security (e.g. IPSEC)
User authentication
Network authentication
USIM authentication (PIN code)
Ciphering (air interface)
KASUMI algorithm (known)
UMTS: larger key lengths than
in GSM

119. Security in digital networks: terminology
Authentication:
SIM authentication (PIN code)
user authentication (GSM, UMTS, DECT, TETRA)
network authentication (UMTS, TETRA)
Integrity:
signalling data integrity (UMTS)
Confidentiality ( privacy):
ciphering of signals over radio interface
hiding of user identifiers over radio interface
end-to-end encryption (offered by service provider)

120. Authentication
Authentication: Procedure of verifying the authenticity of an entity (user,
terminal, network, network element). In other words, is the entity the one it
claims to be?
SIM authentication is local (network is not involved)
In GSM, only user is authenticated
In UMTS, both user and network are authenticated
User/network is authenticated at the beginning of each user-network
transaction (e.g. location updating or connection set-up) and always
before ciphering starts.
See Security in GSM for
more details

121. Integrity
Data integrity: The property that data has not been altered in an
unauthorised manner.
“Man-in-the-middle” security attack, e.g. false BS
Data integrity checking is not done in GSM
In UMTS, signalling messages are appended with a 32 bit security field
(MAC-I) at the terminal or RNC before transmission and checked at the
receiving end
In UMTS, also volume of user data (not the user data itself) is integrity
protected

122. Signalling integrity protection in UMTS
Signalling message
Algorithm f 9
MAC-I
Integrity Key (IK) and
other keys/parameters
UE RNC
MAC-I generation MAC-I checking
MAC-I generation
MAC-I checking
Both in
terminal and
RNC

123. Confidentiality
Confidentiality: The property that information is not made available to
unauthorised individuals, entities or processes.
Example 1: Ciphering (encryption) over the air interface
Example 2: Preventing unencrypted transmission of user ID information such
as IMSI number over the air interface
=> Temporary Mobile Subscriber Identity (TMSI) is generated (at the end of
each MM or CM transaction) and is used at the beginning of the next
transaction instead of IMSI.

124. Example 1: ciphering (encryption)
BS
MS
UE
BTS BSC
RNC
SGSN
Core Network
Air interface
GPRS
UMTS
MS BTS BSC Core Network
GSM
Both CS and PS information
Signalling integrity protection

125. Network domain security
Circuit switched network => quite good
IP-based network (Internet) => rather poor at present
(security mechanisms are developed by IETF, 3GPP...)
Some security threats in IP-based network:
Sniffing (electronic eavesdropping)
Spoofing, session hijacking
Denial of service (DoS), ”spamming”
Confidentiality
Integrity

126. Spreading in WCDMA
Channel data
Channelization
code
Scrambling code
Channel bit
rate
Chip rate Chip rate
Usage of code Uplink Downlink
Channelization code
Scrambling code
User separation
User separation Cell separation
(always 3.84 million chips/s)

127. User data rate vs. channel bit rate
Channel bit rate (kb/s)
User data rate (kb/s)
Channel coding
Interleaving
Bit rate matching
Interesting for
user
Important for
system

128. CAMEL (Customised Applications for Mobile network Enhanced Logic) is a
set of “IN” type functions and procedures that make operator-specific IN
services available to subscribers who roam outside their home network.
CAMEL = IN technology + global mobility
CAMEL Service Environment (CSE) is a logical entity in the subscriber’s home
network which processes IN related procedures
CSE  SCP in home network
CAMEL (2G & 3G)

129. Virtual Home Environment (VHE)
Same subscriber profile & charging/numbering information can be utilised in any
UMTS network
Home PLMN Visited PLMN
UE
Certain subscriber profile Same subscriber profile

130. Supporting technologies and services
Positioning
SMS
USSD
MMS
LCS
SAT USAT
MExE
WAP
Location
UE
Transport
&
Content
i-Mode
- many are already possible in 2G
- will (perhaps) be extensively used in 3G

131. Location (based) services (LCS)
- may or may not use UE positioning techniques
- general LCS architecture in UMTS:
UE
PSTN
Internet
BS
LMU
RNC &
SMLC
MSC
GMLC
SGSN GGSN
HLR/AuC/EIR
GMSC
LCS External
Client

132. Location (based) services (cont.)
GMLC = Gateway Mobile Location Center
receives service requests from external LCS clients (or UE) and
manages the location information
SMLC = Serving Mobile Location Center
assists in positioning of the UE (e.g. performs calculations based on
measurement results), is usually integrated with RNC
LCS client = typically any server requesting location
information (to be able to provide the relevant location service to the
user), may also be the UE

133. Positioning methods
BS
BS
BS
UE
LMU
Cell ID based location information
- no expensive positioning solutions required
- inexpensive (and will
therefore be widely used)
E-OTD (2G), OTDOA (3G)
- differential delays measured
from which the position
is calculated (in SMLC)
Assisted GPS
- greatest precision, GPS receiver in UE
- network must “assist” in indoor environment
SMLC

134. Support of mobility:
macro diversity
• Multicasting of data via
several physical channels
– Enables soft handover
– FDD mode only
• Uplink
– simultaneous reception of
UE data at several Node
Bs
• Downlink
– Simultaneous
transmission of data via
different cells
CN
Node B RNC
Node B
UE