GSM Network Areas...
Public Land Mobile Network (PLMN)
MSC / VLR Area
Location Area
Cell

[Figure: Public Land Mobile Network (PLMN)]
[Figure: MSC/VLR Service Area; label: MSC]
[Figure: Location Area, MSC/VLR Service Area; labels: 1. LUP, 2. Paging]
[Figure: Cell, LA; labels: (CGI), (BSIC)]

CGI: Cell Global ID
BSIC: Base Station Identity Code


MSISDN - Mobile subscriber International ISDN Number
• International number for mobile subscriber that includes at most 15 digits
• Mapping to Mobile Station Roaming Number (MSRN) by HLR
• Country Code (CC) + National Destination Code (NDC) + Subscriber Number (SN)
• Example: 98912347658

IMSI - International Mobile Subscriber Identity
• International number that uniquely identifies the user (SIM card) and is stored in the SIM card, HLR and VLR
• Unique 15 digits assigned
• Mobile Country Code (MCC) + Mobile Network Code (MNC) + Mobile Subscriber Identification Number (MSIN)
• Example: 432111234567890
  432 (MCC) ---- 11 (MNC) ---- 1234567890 (MSIN)


TMSI - Temporary Mobile Subscriber Identity
32-bit number assigned by VLR to uniquely identify a mobile station within a VLR's area
• 32 bits
• Local number allocated by VLR
• May be changed periodically
• Hides the IMSI over the air interface (transmitted instead of IMSI)

MSRN - Mobile Station Roaming Number
Is used for routing
• Generated by VLR for all visiting users (HLR asks VLR to assign this number for called party)
• Helps HLR to determine current location area
• Hides the IMSI inside the network
• Visitor Country Code (VCC) + Visitor National Destination Code (VNDC) + Current MSC Code + Temporary Subscriber Number
• Example: 989110100 to 989110107 for one MSC

[Figure: PSTN, GMSC, HLR and MSC/VLR with numbered messages: 1- MSISDN, 2- MSISDN, 3- IMSI, 4- MSRN, 5- MSRN; other labels: IMSI, MSISDN, MSC Address]

International Mobile Station Equipment Identity (IMEI)
Unique 15 digits assigned by equipment manufacturer
1. TAC (Type Approval Code)
2. FAC (Final Assembly Code)
3. SNR (Serial Number)
4. SP
IMEI = TAC + FAC + SNR + SP
357,087,008,609,717 (USSD = *#06#)

Cell Global Identity (CGI)
1. LAI (Location Area Identity)
2. CI (Cell Identity)
CGI = MCC + MNC + LAC + CI

Base Station Identity Code (BSIC)
1. NCC (National Country Code)
2. BCC (Base Station Country Code)
BSIC = NCC + BCC

Personal Identity Number (PIN)

Location Area Identity (LAI)
Based on international ISDN numbering plan that is broadcast regularly by the BTS on broadcast channel
1. MCC (Mobile Country Code)
2. MNC (Mobile Network Code)
3. LAC (Location Area Code)
LAI = MCC + MNC + LAC

Location Updating…
• Location updating is used to reduce the area over which paging must be undertaken in a cellular system.
• The cellular coverage area is divided up into a number of location areas.
• All cells broadcast the identity of their Location Area (LAI).
• Each time a mobile station observes that it has moved into a new location area, it informs the network by performing a location update; this enables the network to perform paging over a smaller area than would otherwise be necessary.
• In the extreme case each cell could be a location area; the system would know very precisely where a mobile was, but at the expense of a very high level of location update signalling. As a compromise, location areas are generally defined as a group of cells.

Location Update (LU)

MS is aware of location
• BTS broadcasts Location Area Identification (LAI) on BCCH
• SIM stores current LAI and TMSI

Events which determine a current location update
• MS is switched on and current LAI equals stored LAI
• a timer set by the network expires and MS reports position (TMSI may be updated and stored in SIM)

Events which determine a new location update
• MS is switched on and current LAI differs from stored LAI
• MS enters a new location area (TMSI and LAI are updated and stored in SIM)

Location Update (LU)
In practice, there are three types of location updates:
1. Location Registration (Power On)
2. Generic
3. Periodic

Location registration:
• Takes place when a mobile station is turned on. This is also known as IMSI Attach because as soon as the mobile station is switched on, it informs the Visitor Location Register (VLR) that it is now back in service and is able to receive calls. As a result of a successful registration, the network sends the mobile station two numbers that are stored in the SIM (Subscriber Identity Module) card of the mobile station.

Generic:
• Every time the mobile receives data through the control channels, it reads the LAI and compares it with the LAI stored in its SIM card. A Generic location update is performed if they are different. The mobile starts a location update process by accessing the MSC/VLR that sent the location data.

Periodic:
• Periodic Location Update is carried out when the network does not receive any location update request from the mobile in a specified time.

Location Updating…
• Location never update (no cost): need to page every cell (high cost).
• Location updates for every cell crossing (high cost): need to page only one cell (low cost).
• Partition the region into different location areas.

Location Updating…
Location update is performed when there is a boundary crossing.
[Figure: location areas LA-1 and LA-2, with labels "No location update" and "Location update"]
How to determine the size of a LA?

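The sizing question above can be explored numerically. The following is an added example, not part of the original slides: it counts location updates and paged cells for one mobile at several LA sizes. The cell strip, movement trace, call times and cost weights are all constructed assumptions.

```python
# Added example: location-area (LA) sizing trade-off on a constructed layout.
N_CELLS = 16  # constructed: one strip of cells numbered 0..15

# Constructed trace: the cell the MS camps on at each time step.
TRACE = [0, 1, 2, 3, 4, 5, 6, 7, 8, 7, 6, 5, 4, 3,
         4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15]
# Constructed: time steps at which an incoming call has to be delivered.
CALL_STEPS = {3, 10, 20}


def location_area(cell, cells_per_la):
    """LA index broadcast by a cell when LAs are runs of `cells_per_la` cells."""
    return cell // cells_per_la


def signalling_cost(trace, call_steps, cells_per_la, n_cells=N_CELLS):
    """Return (location_updates, cells_paged) for one MS following `trace`."""
    stored_la = location_area(trace[0], cells_per_la)  # LAI kept in the SIM
    updates = 0
    paged = 0
    for step, cell in enumerate(trace):
        broadcast_la = location_area(cell, cells_per_la)
        if broadcast_la != stored_la:      # boundary crossing: location update
            updates += 1
            stored_la = broadcast_la
        if step in call_steps:             # network pages every cell of that LA
            first_cell = stored_la * cells_per_la
            paged += min(cells_per_la, n_cells - first_cell)
    return updates, paged


def best_la_size(sizes, update_weight, page_weight):
    """Pick the LA size with the lowest weighted signalling total."""
    def total(size):
        updates, paged = signalling_cost(TRACE, CALL_STEPS, size)
        return update_weight * updates + page_weight * paged
    return min(sizes, key=total)


if __name__ == "__main__":
    for size in (1, 4, 8, 16):
        print(size, signalling_cost(TRACE, CALL_STEPS, size))
    print("best:", best_la_size((1, 4, 8, 16), update_weight=2, page_weight=1))
```

One cell per LA gives the most location updates and the least paging, a single LA gives the reverse, and the weighted minimum falls at an intermediate group of cells.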

Location Update (LUP)


Paging
• Paging is a process of broadcasting a message which alerts a specific mobile to take some action, for example if there is an incoming call to be received.
• If the system does not know the precise cell in which a mobile is located, it must perform paging in a number of cells.
• An extreme approach would be to undertake paging throughout the entire coverage area of a cellular system whenever a mobile is to be alerted; however, in anything but the smallest system this would be wasteful of valuable signalling capacity, particularly over the air interface.
• The problem is addressed by the use of location areas and location updating.

[Figure: Paging]

GSM Call Delivery Procedure…
[Figure: Calling MS, Called MS, Mobile Switching Center (MSC) and VLR on each side, and the HLR, with arrows numbered (1) to (7)]

GSM Call Delivery Procedure…
1. Calling MS sends a call initiation signal to MSC through BS.
2. MSC sends a location request to HLR of the called MS.
3. HLR determines serving VLR of called MS and sends a route request message to it.
4. MSC allocates a temporary ID to MS and sends this ID to HLR.
5. HLR forwards the ID to MSC of the calling MS.
6. Calling MSC requests a call set up to the called MSC.
7. Paging messages are sent to cells within the LA.

GSM Mobile Terminated Call
1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible MSC to GMSC
7: forward call to current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection









Handover…
• Handover is the means of maintaining a call when a user moves outside the coverage area of the serving cell.
• The call must be switched to an alternative cell to provide service, automatically and without loss of service.
• Handover is a complex process requiring synchronisation of events between the mobile station and the network.
• In particular, there is the need to route the call to the new cell before handover can be effected whilst maintaining the old connection until the new connection is known to have succeeded.
• Handover is a time critical process requiring action to be taken before the existing radio link degrades to such an extent that the call is lost.

[Figure: Handover]

Intra-cell Handover
[Figure: BTS]

Inter-cell Intra-BSC Handover
[Figure: BSC, BTS, BTS]

Inter-BSC Intra-MSC Handover
[Figure: MSC with VLR, two BSCs and their BTSs]

Inter-BSC Inter-MSC Handover
[Figure: MSC1 and MSC2, each with a VLR, two BSCs and their BTSs]

Handover
1. HO because Interference (uplink or downlink)
2. HO because Uplink quality
3. HO because Downlink quality
4. HO because Uplink level
5. HO because Downlink level
6. HO because MS-BS distance
7. HO because Turn-around-corner MS
8. HO because Rapid field drop
9. HO because Fast/Slow-moving MS
10. HO because Better cell (PBGT or Umbrella)
11. HO because Good C/I ratio

Handover
[Slide text not recoverable. Surviving labels: Downlink, Uplink, Intra-Cell, Inter-Cell, -85 dBm]

Handover
[Slide text not recoverable. Surviving labels: Downlink, Uplink, (Inter-cell Handover), QDR, QUR, QMRG]
• QDR: Downlink Rx quality threshold
• QUR: Uplink Rx quality threshold
• QMRG: HO margin quality

Handover
[Slide text not recoverable. Surviving labels: Downlink, Uplink, (Inter-cell Handover), LDR, LUR, LMRG]
• LDR: Downlink Rx Level threshold
• LUR: Uplink Rx Level threshold
• LMRG: HO margin Level

Power Budget (PBGT) Handover
[Slide text not recoverable. Surviving labels: Uplink, Downlink, BSC, BTS, MS, SACCH, PMRG, PBGT, 6 dB, 6*120 ms, MIH]

PBGT(BTS1--BTS2) = 7 dB
Defined PMRG for BTS1 is 6 dB
7 dB > 6 dB, then handover command to MS because of power budget
[Figure: BSC, MS, BTS1 (900 MHz), BTS2 (900 MHz). Copyright © 1996 Northern Telecom]

Umbrella Handover
[Slide text not recoverable. Surviving labels: Upper layer, Lower layer, BSC, BTS, MS, Dual band, AUCL]
• AUCL: HO level umbrella

AUCL (900 -> 1800) = -75 dB
AUCL (1800 -> 900) = -68 dB
Level of BTS2 = -70
-70 dBm > -75 dBm, then command for handover from BTS1 (900) to BTS2 (1800)
[Figure: BSC, MS, BTS1 (900 MHz), BTS2 (1800 MHz). Copyright © 1996 Northern Telecom]

Handover
[Slide text not recoverable. Surviving labels: Downlink, Uplink, rapid field drop, Turn-around-corner MS]

Mobile-Assisted Handover (MAHO)

GSM Security (1)
1. Ciphering
   Ciphering is used across the air interface to provide speech and signaling encryption. When the authentication procedure has been completed successfully, the BTS and the mobile station are ready to start the ciphering procedure for signaling and speech/data transmission.
2. Authentication
   Authentication is a procedure used in checking the validity and integrity of subscriber data. With the help of the authentication procedure the operator prevents the use of false SIM modules in the network. The authentication procedure is based on an identity key "Ki" that is issued to each subscriber when his data are established in the HLR. The authentication procedure verifies that the "Ki" is exactly the same on the subscriber side as on the network side. The Authentication Center generates information that can be used for all the security purposes during one transaction. This information is called an Authentication Triplet.

GSM Security (1)
3. access control/authentication
   • user to SIM (Subscriber Identity Module): secret PIN (Personal Identification Number)
   • SIM to network: challenge-response method
4. confidentiality
   • voice and signaling encrypted on the wireless link (after successful authentication)
5. anonymity
   • TMSI - Temporary Mobile Subscriber Identity
   • newly assigned at each new location update
   • encrypted transmission
6. 3 algorithms specified in GSM
   • A3 for authentication ("secret", open interface)
   • A5 for encryption (standardized)
   • A8 for encryption key generation

Security in GSM…



GSM Security
The authentication triplet consists of three numbers:
1. RAND: RAND is a random number.
2. SRES: SRES (Signed Response) is a result that the algorithm A3 produces on the basis of certain source information.
3. Kc: Kc is a ciphering key that A8 generates on the basis of certain source information.

[Figure: GSM - authentication…]

Authentication
[Figure: eight numbered steps (text not recoverable) between HLR, AUC, VLR, MSC, MS and SIM; labels: Ki, RAND, SRES, A3, (Ki, SRES, RAND)]

Authentication Algorithms
• XOR
• COMP128-1
• COMP128-2
• COMP128-3
• COMP128-4
• Operator's special algorithm

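The triplet-based challenge-response described in the security slides, as an added example that is not part of the original deck. A3 and A8 are replaced here by a labelled HMAC-SHA256 stand-in (not COMP128 or any operator algorithm); the class and function names are hypothetical, and the sizes used (128-bit Ki and RAND, 32-bit SRES, 64-bit Kc) are the standard GSM values, which the slides do not state.

```python
import hashlib
import hmac
import secrets


# Stand-ins for A3/A8 (assumption): HMAC-SHA256 with a label, truncated to the
# GSM output sizes. This is NOT COMP128 or any operator algorithm.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Signed response SRES (32 bits) computed from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Ciphering key Kc (64 bits) computed from Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Authentication Center: holds Ki per IMSI and issues triplets."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)   # 128-bit Ki
        return self._ki[imsi]                      # copy personalised into the SIM

    def triplet(self, imsi: str):
        ki = self._ki[imsi]
        rand = secrets.token_bytes(16)             # fresh 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)    # (RAND, SRES, Kc)


class SIM:
    """Subscriber side: Ki stays on the card, only SRES is sent back."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes):
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc: AuC, sim: SIM) -> dict:
    """Network side: send RAND, compare SRES, release Kc only on a match."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_ms = sim.respond(rand)      # RAND goes down, SRES comes back
    ok = hmac.compare_digest(sres, expected_sres)
    return {"ok": ok, "kc_network": kc_network if ok else None, "kc_ms": kc_ms}


def demo():
    auc = AuC()
    imsi = "432111234567890"             # example IMSI from the slides
    genuine = SIM(imsi, auc.provision(imsi))
    false_sim = SIM(imsi, secrets.token_bytes(16))  # constructed: right IMSI, wrong Ki
    return authenticate(auc, genuine), authenticate(auc, false_sim)


if __name__ == "__main__":
    for result in demo():
        print(result["ok"], result["kc_network"] == result["kc_ms"])
```

Ki itself never crosses the interface in either direction; the network and the MS each end up with the same Kc only when the SIM holds the Ki that the AuC has on record.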

GSM - key generation and encryption
[Figure: six numbered steps (text not recoverable); labels: MS, BSS, MSC, VLR, Kc, MS ---- BSS, BSS ---- MSC]

Any Questions & Comments ?

gsm operation
