2G Mobile Communication Systems

(1)

2G Mobile Communication Systems

 2G Review: GSM  Services  Architecture  Protocols  Call setup  Mobility management  Security  HSCSD  GPRS  EDGE

(2)

2 Andreas Mitschele-Thiel, Jens Mückenheim Oct-13

References

Jochen Schiller: Mobile Communications (German and English), Addison-Wesley, 2000

(most of the material covered in this chapter is based on the book) Michel Mouly, Marie-Bernadette Pautet: The GSM System for Mobile

Communications. Telecom Pub, Juni 1992

Jörg Eberspaecher, u. a.: GSM Switching, Services and Protocols. John Wiley and Sons Ltd, 2001

Siegmund Redl, u. a.: GSM and Personal Communications Handbook. Artech House, 1998

Gunnar Heine: GSM Networks: Protocols, Terminology, and Implementation. Artech House Mobile Communications Library. Artech House Publishers, 1998

(3)

Public Land Mobile Network (PLMN)

Definition:

 a network established and operated by an administration to provide

land-based mobile telecommunications services to the public

 a PLMN may be regarded as an extension of a network (e.g. an ISDN)

 a PLMN consists of a collection of areas within a common numbering

plan (e.g. same National Destination Code) and a common routing plan

 PLMNs are independent telecommunications entities

(4)

GSM: Mobile Services

GSM offers

 several types of connections  voice connections

 data connections

 short message service

 multi-service options (combination of basic services)

Three service domains (a “mobile” model of ISDN)

 Bearer Services  Teleservices  Supplementary Services GSM-PLMN transit network (PSTN, ISDN) source/ destination network TE TE bearer services teleservices R, S U_m (U, S, R) MT MS

PLMN: Public Land Mobile Network

PSTN: Public Switched Telephone Network ISDN: Integrated Services Digital Network

MS: Mobile Station

MT: Mobile Termination (radio-specific part) TE: Terminal

(5)

Bearer Services

Telecommunication services to transfer data between access points Specification of services up to the terminal interface (OSI layers 1-3) Different data rates for voice and data (original standard)

 data service (circuit switched)

 synchronous: 2.4, 4.8 or 9.6 kbit/s  asynchronous: 300 - 1200 bit/s

 data service (packet switched) –> superseded by GPRS  synchronous: 2.4, 4.8 or 9.6 kbit/s

(6)

Teleservices

Telecommunication services that enable voice communication via mobile phones

 mobile telephony

primary goal of GSM was to enable mobile telephony offering nearly ISDN quality (bandwidth of 7 kHz);

 Today: Fullrate codec (FR–13kb/s), halfrate (HR-5.6kb/s), Enhanced Fullrate

(EFR-12.2kb/s)

 emergency number

common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other

connections possible)

 multinumbering

several ISDN phone numbers per user possible Non-Voice Teleservices

 group 3 fax

 voice mailbox (implemented in the GSM network)  Short Message Service (SMS)

alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS

(7)

Supplementary services

Services in addition to the basic services

 cannot be offered stand-alone

 similar to ISDN services besides lower bandwidth due to the radio link  may differ between different service providers, countries and protocol

versions

Important services

 call forwarding

 identification: forwarding of caller number

 suppression of number forwarding (CLIP, CLIR)  automatic call-back

 conferencing with up to 7 participants

 locking of the mobile terminal (incoming or outgoing calls)  ...

(8)

Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network)

 several providers setup mobile networks following the GSM standard

within each country

GSM system comprises 3 subsystems

 RSS (radio subsystem): covers all radio aspects  MS (mobile station)

 BSS (base station subsystem) or RAN (radio access network)  BTS (base transeiver station)

 BSC (base station controller)

 NSS (network and switching subsystem): call forwarding, handover,

switching

 MSC (mobile services switching center)  LR (location register): HLR and VLR

 OSS (operation subsystem): management of the network  OMC (operation and maintenance centre)

 AuC (authentication centre)

(9)

GSM: overview

fixed network BSC BSC MSC MSC GMSC OMC, EIR, AUC VLR HLR NSS with OSS RSS VLR BTS _BTS BTS  BSC: n:1 (tree) BSC  MSC: n:1 (tree) MSC – VLR: 1:1 MSC – MSC : meshed network

(10)

GSM: elements and interfaces

NSS MS MS BTS BSC GMSC IWF OMC BTS BSC MSC MSC Abis U_m EIR HLR VLR VLR A BSS PDN ISDN, PSTN RSS radio cell radio cell MS AUC OSS signaling O U_m Interface (MS and BTS): radio, air interface

A_bis Interface (BTS and BSC)

Interfaces B,...,H within NSS (between MSC, VLR and HLR) A Interface (BSC and MSC) o

(11)

Radio subsystem

The Radio Subsystem (RSS) comprises the cellular mobile network up to the switching centers

Components

 Base Station Subsystem (BSS)

 Base Transceiver Station (BTS)

 radio components including sender, receiver, antenna  one BTS can cover several cells

 Base Station Controller (BSC)  switching between BTSs,  controlling BTSs,

 managing of network resources,

 mapping of radio channels (U_m) onto terrestrial channels

(A interface)

BSS = BSC + sum(BTS) + interconnection

(12)

Base Transceiver Station and Base Station Controller

Tasks of a BSS are distributed over BSC and BTS

 BTS comprises radio specific functions of lower layers (PHY, MAC)

 BSC manages and controls the radio channels in the BTS and terrestrial

channels to BTS and MSC

 Design Principle: “central intelligence” = BSC, “dumb radio station” = BTS

Functions BTS BSC

Management of radio channels X Frequency hopping (FH) X X Management of terrestrial channels X Mapping of terrestrial onto radio channels X Channel coding and decoding X

Rate adaptation X

Encryption and decryption X X

Paging X X

Uplink signal measurements X

Traffic measurement X

Authentication X

Location registry, location update X Handover management X

(13)

possible radio coverage of the cell

idealized shape of the cell

cell

segmentation of the area into cells

GSM: cellular network

 use of several carrier frequencies

 not the same frequency in neighboring cells

 cell radius varies from some 100 m up to 35 km depending on

user density, geography, transceiver power etc.

 hexagonal shape of cells is idealized (cells overlap, shapes depend

on geography)

 if a mobile user changes cells

(14)

GSM: Air Interface

FDMA (Frequency Division Multiple Access) / FDD (Frequency Division Duplex)

123 124 . . . 890 MHz _{915 MHz} 123 124 . . . 935 MHz _{960 MHz} 200 kHz Uplink Downlink frequency

TDMA (Time Division Multiple Access)

time Downlink 8 7 6 5 4 3 2 1 4,615 ms = 1250 bit Uplink 8 7 6 5 4 3 2 1

(15)

Framing Modulation (GMSK)

GSM: Voice Coding

Voice coding Channel

coding Framing Modulation (GMSK) 114 bit/slot

114 + 42 bit

Guard (8.25 bits): avoid overlap with other time slots (different time offset of neighboring slot) Training sequence: select the best radio path in the receiver and train equalizer

Tail: needed to enhance receiver performance

1 2 3 4 5 6 7 8

GSM TDMA frame

GSM time-slot (normal burst)

4.615 ms

546.5 µs 577 µs

tail user data S Training guard

space S user data tail

guard space

(16)

GSM hierarchy of frames

0 1 2 ... 2045 2046 2047 hyperframe 0 1 2 ... 48 49 50 superframe 0 1 ... 6 7 frame burst slot 577 µs 4.615 ms 120 ms 6.12 s 3 h 28 min 53.76 s traffic multiframe 0 1 ... 24 25 0 1 2 ... 48 49 50 235.4 ms control multiframe 0 1 ... 24 25

traffic multiframe: 24 frames (22.8 kbps) used for traffic channel (user data), or fast signaling 1 frame (950 bps) used for slow signaling, 1 frame unused

(17)

Mobile station

Terminal for the use of GSM services

A mobile station (MS) comprises several functional groups

 MT (Mobile Termination):

 offers common functions used by all services the MS offers

 corresponds to the network termination (NT) of an ISDN access  end-point of the radio interface (U_m)

 TA (Terminal Adapter):

 terminal adaptation, hides radio specific characteristics

 TE (Terminal Equipment):

 peripheral device of the MS, offers services to a user  does not contain GSM specific functions

 SIM (Subscriber Identity Module):

 personalization of the mobile terminal, stores user parameters, and

security algorithm

R S Um

(18)

Network and switching subsystem (NSS)

NSS is the main component of the public mobile network GSM

 switching, mobility management, interconnection to other networks,

system control Components

 Mobile Services Switching Center (MSC)

controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC

 Databases (important: scalability, high capacity, low delay)  Home Location Register (HLR)

central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)

 Visitor Location Register (VLR)

local database for a subset of user data, including data about all user currently in the domain of the VLR

(19)

Operation subsystem

The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems

Components

 Authentication Center (AUC)

 generates user-specific authentication parameters on request of a VLR  authentication parameters used for authentication of mobile terminals

and encryption of user data on the air interface within the GSM system

 Equipment Identity Register (EIR)

 registers GSM mobile stations and user rights

 stolen or malfunctioning mobile stations can be locked and sometimes

even localized

 Operation and Maintenance Center (OMC)

 different control capabilities for the radio subsystem and the network

(20)

Basic Functions in GSM Systems

 Connection Setup  Handover  Location management  Roaming  Authentication

(21)

Connection Setup & Radio Resource Assignment

(22)

Mobile Terminated Call (MTC)

PSTN calling station GMSC HLR VLR BSS BSS BSS MSC MS 1 2 3 4 5 6 7 8 9 10 11 12 13 16 10 10 11 11 11 14 15 17 1: calling a GSM subscriber 2: forwarding call to GMSC 3: signal call setup to HLR 4, 5: request MSRN from VLR 6: forward responsible

MSC to GMSC 7: forward call to current MSC

8, 9: get current status of MS 10, 11: paging of MS

12, 13: MS answers 14, 15: security checks 16, 17: set up connection

(23)

Mobile Originated Call (MOC)

PSTN _GMSC VLR BSS MSC MS 1 2 6 5 3 4 9 10 7 8 1, 2: connection request 3, 4: security check

5-8: check resources (free circuit) 9-10: set up call

(24)

Handover

The problem:

Change the cell while communicating

Reasons for handover:

 Quality of radio link

deteriorates

 Communication in other cell

requires less radio resources

 Supported radius is

exceeded (e.g. Timing advance in GSM)

 Overload in current cell  Maintenance Li nk qual it y

Link to cell 1 Link to cell 2 time cell 1 cell 2 Handover margin (avoid ping-pong effect) cell 1 cell 2

(25)

4 types of handover

(Anchor) MSC MSC BSC BSC BSC BTS BTS BTS BTS MS MS MS MS 1 2 3 4

• intra-cell handover: reason: quality, interference

• inter-cell handover/intra BSS: within same BSS, handled by BSC (reason mobility, receipt level, power budget, load)

• inter-cell handover/inter BSS: between BSC at the same MSC

• inter-cell handover/inter MSC: between BSC of different MSCs

(Anchor MSC: the initial MSC, which started the connection, keeps control)

(26)

X BS BS Before X BS BS During X BS BS After

GSM: Handover Principle

 “Hard” handover, “make before break”  Mobile assisted handoff/handover (MOHA):

 MS sends regular measurement reports to network (own cell, neighbor cells, every 480 ms)  Network (old BSC) decides upon handover (when, target cell)

 Network (old BSC) sets up new communication path

(27)

Handover procedure (change of BSC)

HO access BTS_old BSC_new measurement result BSC_old Link establishment MSC MS measurement report HO decision HO required BTS_new HO request resource allocation ch. activation ch. activation ack HO request ack HO command HO command HO command HO complete HO complete clear command clear command

clear complete _{clear complete}

„Make-before-break“ strategy

make

(28)

Security in GSM

Security service

 System was designed with a moderate level of security to authenticate the

subscriber using a pre-shared key and challenge-response.

 access control/authentication

 user  SIM (Subscriber Identity Module): secret PIN (personal identification

number)

 SIM  network: challenge response method  no authentication of network!

 confidentiality

 voice and signaling encrypted on the wireless link (after successful authentication)

 anonymity

 temporary identity TMSI

(Temporary Mobile Subscriber Identity)

 newly assigned at each new location update  encrypted transmission

3 algorithms specified in GSM

 A3 for authentication (“secret”, open interface)  A5 for encryption (standardized)

 A8 for key generation (“secret”, open interface)

“secret”: • A3 and A8

available in the Internet

• network providers can use stronger mechanisms

(29)

GSM - authentication

A3 RAND K_i 128 bit 128 bit RAND SRES* =? SRES A3 RAND K_i 128 bit 128 bit SRES 32 bit SRES

Authentication Request (RAND)

Authentication Response (SRES 32 bit) mobile network

AuC

MSC

SIM

K_i: individual subscriber authentication key SRES: signed response SRES* 32 bit

Challenge-Response:

• Authentication center provides RAND to Mobile • AuC generates SRES using Ki of subscriber and

RAND via A3

• Mobile (SIM) generates SRES using Ki and RAND • Mobile transmits SRES to network (MSC)

• network (MSC) compares received SRES with one generated by AuC

(30)

GSM - key generation and encryption

A8 RAND K_i 128 bit 128 bit K_c 64 bit A8 RAND K_i 128 bit 128 bit SRES RAND encrypted data mobile network (BTS) MS with SIM AuC BTS SIM A5 K_c 64 bit A5 MS data _data cipher key Ciphering:

• Data sent on air interface ciphered for security • A8 algorithm used to generate cipher key

• A5 algorithm used to cipher/decipher data • Ciphering Key is never transmitted on air

(31)

2G+: GSM Evolution

Limits of GSM

 limited capacity at the air interface:

data transmission standardized with only 9.6 kbit/s

 advanced coding allows 14,4 kbit/s

 not enough for Internet and multimedia applications

=> EDGE

 inappropriateness for bursty and non-symmetrical data traffic

=> GPRS

Extensions

 HSCSD (High-Speed Circuit Switched Data)  GPRS (General Packet Radio Service)

 EDGE (Enhanced Data Rate for GSM Evolution)  EGPRS (EDGE und GPRS)

(32)

HSCSD (High-Speed Circuit Switched Data)

 continuous use of multiple time slots for a single user

(on a single carrier frequency)

 asynchronous allocation of time slots between DL and UL

 gain: net data rate up to 115,2 kbps (allocation of all 8 traffic channels)

 mainly software update

 additional HW needed if more than 3 slots are used Uplink Downlink 7 1 2 3 4 5 6 8 1 2 7 1 2 3 4 5 6 8 1 2

(33)

GPRS (General Packet Radio Service)

 Introducing packet switching in the network

 Using shared radio channels for packet transmission over the air:

 multiplexing multiple MS on one time slot

 flexible (also multiple) allocation of timeslots to MS

(scheduling by PCU Packet Control Unit in BSC or BTS)

 using free slots only if data packets are ready to send

(e.g., 115 kbit/s using 8 slots temporarily)

 standardization 1998, introduction 2001

 advantage: first step towards UMTS, flexible data services carrier

TS

0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7

(34)

connection-oriented packet switched core

GPRS architecture and interfaces

MS BSS SGSN GGSN MSC U_m EIR HLR/ GR VLR PDN / Internet G_b G_n G_i SGSN G_n o

(35)

EDGE (Enhanced Data Rates for GSM Evolution)

Enhanced spectral efficiency depends on:

 Size of frequency band  Duration of usage

 Level of interference with others (power)

EDGE Technology:

 EDGE can carry data speeds up to 236.8 kbit/s for 4

timeslots (theoretical maximum is 473.6 kbit/s for 8 timeslots)

 Adaptation of modulation depending

on quality of radio path

 GMSK (GSM standard – 1 bit per symbol)  8-PSK (3 bits per symbol)

 Adaptation of coding scheme (redundancy) depending

on quality of radio path (9 coding schemes)

 Gain: data rate (gross) up to 69,2 kbps (compare to

22.8 kbps for GSM)  complex extension of GSM! NodeB UE 1 UE 2 Near-far problem

(36)

2G to 3G Evolution: GSM - GPRS - UMTS

GSM RAN Base station Base station controller Base station Base station MSC ISDN GSM Core (Circuit switched) HLR AuC EIR GMSC Transmission ATM based

GSM

(37)

2G to 3G Evolution: GSM - GPRS - UMTS

GPRS Core (Packet Switched) SGSN GGSN Inter-net GSM RAN Base station Base station controller Base station Base station MSC ISDN GSM Core (Circuit switched) HLR AuC EIR GMSC Transmission ATM based

GSM+GPRS

(38)

2G to 3G Evolution: GSM - GPRS – UMTS R99

GPRS Core (Packet Switched) SGSN GGSN Inter-net GSM RAN Base station Base station controller Base station Base station UTRAN Radio network controller

Base station Base station

Base station MSC ISDN GSM Core (Circuit switched) HLR AuC EIR GMSC Transmission ATM based

GSM+GPRS+UMTS R99

(39)

2G to 3G Evolution: GSM - GPRS - UMTS R5 - IMS

GPRS Core (Packet Switched) SGSN GGSN Inter-net GSM RAN Base station Base station controller Base station Base station UTRAN Radio network controller

Base station Base station

Base station

Transmission IP based 3G Core GERAN