lowell
DESCRIPTION
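Chapter 6 GSM System. Course objectives. GSM stands for Global System for Mobile Communication, originally called Group Special Mobile. In Taiwan it is known as the pan-European digital mobile telephone system, and it is the second-generation cellular mobile communication system with the largest global market share. This chapter explains the architecture and operation of the GSM system, including the GSM radio interface, the procedures for call setup and handover, and basic issues such as authentication and encryption/decryption. Understanding the GSM architecture makes it easier to move on to advanced systems such as GPRS and UMTS. Chapter contents: introduction to the current state of GSM; GSM system architecture; GSM radio interface - PowerPoint PPT Presentation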
Citation preview
Chapter 6 GSM System
Section 6.1 GSM Overview
GSM: Global System for Mobile Communication; Group Special Mobile; European Telecommunications Standard Institute (ETSI); 1999; 3GPP (the 3rd Generation Partnership Project)
[Figure 6-1 (GSM): labels GSM 1, GSM 2, GPRS, EDGE, UMTS, UMTS/HSDPA; data rates 171.2 kbps, 473 kbps, 2 Mbps, 10 Mbps]
GSM (1/2): GSM 1: circuit-switched transmission. GSM 2: Short Message Service (SMS), bearer service. GSM+: High Speed Circuit Switched Data (HSCSD), 115.2 kbps; General Packet Radio Service (GPRS), packet-switched transmission, 171.2 kbps
GSM (2/2): GSM++: EDGE (Enhanced Data rates for GSM Evolution), 384 kbps. 3G: Universal Mobile Telecommunications System (UMTS); WCDMA (Wideband CDMA); Quality of Service (QoS); High Speed Downlink Packet Access (HSDPA); UMTS
Section 6.2 GSM Architecture
GSM: Mobile Station (MS); Base Station Subsystem (BSS); Network and Switch Subsystem (NSS); Operation Subsystem (OSS); interface
[Figure 6-2 (GSM): diagram labels MS (ME, SIM); Um interface; BTS; Abis interface; BSC; Base Station Subsystems (BSS); A interface; Network and Switching Subsystem (NSS) with MSC, GMSC, HLR, VLR, AUC, EIR; PSTN]
Subscriber Identity Module (SIM); Mobile Equipment (ME)
Base Transceiver Station (BTS): BTS, MS; signal strength measurement; BTS, MS, BSC. Base Station Controller (BSC): channel assignment, handover
Transcoder/Rate Adapter Unit (TRAU): BSS; GSM 13 kbps; GSM 64 kbps PCM (Pulse Code Modulation); GSM; TRAU; BTC; TRAU; MSC; BTS; BSC; BTS
(1/2) switching system; GSM core network; roaming management; SS7; GSM MAP (Mobile Application Part); NSS; Mobile Switching Center (MSC)
(1/2) NSS; GMSC (Gateway MSC); MSC; PCS; PSTN; Home Location Register (HLR); Visitor Location Register (VLR); Equipment Identity Register (EIR); Authentication Center (AuC); SIM
blocking rate; redundancy; subscriber management; call charging
Section 6.3 GSM Radio Interface
(1/2) GMSK; GPRS/GSM coding; Gaussian Modular Shift Key modulation; 13 kbps RPE-LTP full-rate; 5.6 kbps VSELP; Frequency Division Duplex (FDD): uplink 890-915 MHz, downlink 935-960 MHz; 200 KHz; 124
(2/2) Time Division Multiple Access (TDMA); 4.615 msec frame; GSM frame number; 0.577 msec; 8 timeslot; channel
[Figure 6-3 (GSM): carriers at 892.2 MHz and 892.4 MHz; timeslots TS0 to TS7 per TDMA frame; labels Downlink, Control channel, Traffic channel, C0, C1, FDMA, MS, C1 TS1]
DCS 1800; GSM; 1710-1785 MHz uplink; 1805-1880 MHz downlink; DCS 1800 (Digital Cellular Standard 1800); GSM1800; 1900 MHz; GSM; DCS1900; GSM1900; GSM; DCS1800; /microcell/macrocell
GSM; GSM burst; burst; guard time; Burst: Normal burst; F burst, MS; S burst, MS; A burst; A burst
[Figure 6-4: Normal Burst]
[Figure 6-5: GSM Bursts]
Time Advance (TA): BTS, MS; BTS, MS; burst; BTS, MS; MS, BTS; round-trip propagation delay; MS; round trip propagation delay; Time Advance (TA)
[Figure 6-6 (Time Advance): 892.2 MHz (downlink) and 937.2 MHz (uplink); 45 MHz; timeslots 0 to 7; MS, BS; TA/2; 3 timeslot - TA]
physical channel; BTS, MS; logical channel; Traffic CHannel (TCH); Control CHannel (CCH); 6-7
[Figure 6-7 (GSM): Logical Channel tree. TCH: TCH/F, TCH/H. CCH: BCH (FCCH, SCH, BCCH); CCCH (PCH, AGCH, RACH); DCCH (SDCCH, SACCH, FACCH, CBCH)]
Traffic CHannel (TCH): Full rate TCH (TCH/F): 13 kbps; 12, 6, 3.6 kbps; Normal Burst; 1/2. Half rate TCH (TCH/H): 7 kbps; 6, 3.6 kbps; Normal burst; Data
Control channel (CCH): Broadcast CHannel (BCH); Common Control CHannel (CCCH), BTS; Dedicated Control CHannel (DCCH), BTS
Broadcast CHannel (BCH): Frequency Correction CHannel (FCCH), F burst; Synchronization CHannel (SCH), S burst, MS, BTS; Broadcast Control CHannel (BCCH)
Common Control CHannel (CCCH): Paging CHannel (PCH), BTS, PCH; Random Access CHannel (RACH), RACH, A burst; Access Grant CHannel (AGCH), AGCH
DCCH (1/2): Stand-alone Dedicated Control CHannel (SDCCH); Slow Associated Control CHannel (SACCH): power control, time alignment, (measurement report)
DCCH (2/2): Fast Associated Control CHannel (FACCH): time-critical signaling, authentication, handover, FACCH; Cell Broadcast CHannel (CBCH): short message service cell broadcast messages
MSGSMMS BCCH MS FCCH BTS SCH BSIC BCCH PLMN MSMSC
[Figure: channel sequence between MS and BSS: RACH (request signaling channel); AGCH (assign signaling channel); SDCCH (request call setup); SDCCH message exchanges for call setup; SDCCH (assign TCH); FACCH (complete assignment)]
[Figure: channel sequence between MS and BSS with paging: PCH (page MS); RACH (request signaling channel); AGCH (assign signaling channel); SDCCH (respond to paging); SDCCH message exchanges for call setup]
Section 6.4 GSM Mobility Management
GSM: Call Origination Procedure; Call Termination Procedure
GSM Location Area (LA): LA; BS; MSC; LA; LA; LAI (Location Area Identity); MS; LAI; MS; cell; CGI (Cell Global Identity)
[Figure 6-8: two MSCs and location areas LA 1, LA 2, LA 3]
GSM: Mobile system ISDN (MSISDN); Mobile Station Roaming Number (MSRN); International Mobile Subscriber Identity (IMSI); Temporary Mobile Subscriber Identity (TMSI); International Mobile station Equipment Identity (IMEI)
Home Location Register (HLR): MSISDN, IMSI, VLR ISDN, MSC ISDN, subscriber status. Visitor Location Register (VLR): MSISDN, IMSI, LAI, TMSI, MSRN, subscriber status. MSC 1; HLR; VLR 1; VLR 2; MSC 2
[Figure 6-9: (a) Inter-LA movement; (b) Inter-MSC movement; (c) Inter-VLR movement. Panels show HLR, VLR 1, VLR 2, MSC 1, MSC 2, MSC 3 and location areas LA 1 to LA 4]
MSBTS BTS BTS LAI BTS BCH BTS BTS LAIMS VLR
[Figure 6-10 (Inter-LA): labels TMSI, old LAI, MSC, VLR; TMSI, old LAI, new LAI, MSC]
LA 1. MSC1 MS TMSI LAMSC VLR 2. MSC1 LA VLR1 MSC TMSILAILAI3. LA1 LA2 MSC1 VLR1 VLR1 LAI VLR14. MSC1
[Figure 6-11 (Inter-MSC): labels TMSI, old LAI, MSC, VLR; TMSI, old LAI, new LAI, MSC; IMSI, new MSC, VLR]
MSC 1.2. MSC2 LA VLR13. VLR1 LA1 LA2 VLR1 MS LAI MSC IMSI MS HLRVLR1HLR4. HLR IMSI MSC5.6. VLR1 LA MSC2MSC2
[Figure 6-12 (Inter-VLR): labels TMSI; MS's IMSI; new TMSI; HLR location update; deregistration; VLR; TMSI, old LAI, MSC, VLR]
VLR 1. MSTMSIVLRMSCLAIVLR22.3. VLR2 TMSI VLR1MSVLR24.5. VLR2 HLR HLRVLR2 6. VLR2TMSI 7.8. 4HLRVLR1VLR1HLR
Periodical RegistrationMS roaming HLR GSM re-registration MS periodically registration period registration 624
Call Origination Procedure
(1/3)MS MSCMSCVLRVLRMSCMSCPSTN MS RACH BSCBSC AGCH MS MS SDCCHMS SDCCH MSC
(2/3)MSC VLR MSC BSS trunk BSS TCH MSBSS SDCCH MS TCHMSMSCFACCH MS FACCH BSC TCH MSC
(3/3)MSC PSTN ISUP MSC trunkring-back tone
Call Termination ProcedureMSISDNMSRNMSRNMSISDNMSISDNPSTNIMSI
(1/4)1. PSTN GSM MSISDN MSISDNMS PLMN SS7 ISUP IAM PLMN GMSC 2. GMSC MSISDN MS HLR HLR3. HLR MSISDN IMSIVLR IMSI VLR
(2/4)4.5. VLR MS ? MSRN HLR GMSCMSRN MSC6. GMSC MSRN MSCMSC MSRN VLR MS LAI TMSIMSC LAI LA BSSBSS MSMS
(3/4) 6. MSC LA BTS PCH MS TMSI MS TMSI RACH BSC AGCH MS SDCCH MS SDCCH BSCBSC MSCMSC VLR MS
(41/4) BSC TCH MS MSC MS MSC ACM PSTNMSC PSTN ANM MSC VLR
Mobile-Assisted Handoff (MAHO): MS, BTS; BTS, MS; Serving BSC; Handoff; Target BSC
Intra-BSS handover: BTS, BSC. Intra-MSC handover: BTS, BSC, MSC; inter-BSS handover; 6-15. Inter-MSC handover: BTS, MSC; 6-16
615 Intra-MSC Handover MS target BSSBSS handoffMSMSC target BSSMSC Target BSS: Cell IDMSC-BSS trunk ID Target BSC MS radio channel IDMS radio channel Target BSC Target BSC handoff MSC BSC
MSC (1/3) Inter-MSC handoff Intra-MSC Serving BSC handoff MSC MS target BSSsMSC ( serving MSC) MS MSC( target MSC) Serving MSC target MSC trunk.Target MSC VLR MS
MSC (2/3)VLR TMSI MS target MSCTarget MSC Target BSS: Cell IDMSC-BSS trunk ID BSS MSC radio channel ID MSMS new radio channel target BSS target MSC target BSS Target BSS target MSC handoff
MSC (3/3)Target MSC Serving MSChandoff MS new radio channel Target MSC Serving MSC serving BSS radio channelserving MSC target MSCTarget MSC VLR handoff
[Figure 6-16: Inter-MSC Handover]
Section 6.5 Security Issue
GSM authentication; GSM encryption
A3: AuC, SIM. A8 (encryption key): AuC, SIM. A5: visited system (BSS, VLR); (ciphering), (deciphering)
Ki AuC SIM RAND AuC 128-bit SRES A3 AuC SIM SRES MS Kc A8 Frame Number.TDMA
617 GSM
Triplets Ki AuC AuC MS VLR AuC triplet. Triplet: 3 (RAND, SRES, Kc). HLR RAND SRES Kc triplet VLR RAND MS triplet SRES MS SRES VLR Kc BTS Kc
Section 6.6 GSM Functional Planes
[Figure 6-18 (GSM)]
transmission plane: modulation, coding, multiplexing, format data
[Figure 6-19 (GSM): planes CM, MM, RR and Transmission across MS, BTS, BSC, MSC/VLR, HLR, GMSC]
Radio Resource management (RR): RR MS MSC connection MS RR MS BSC MSC inter-MSC handover RR
Mobility Management (MM): MM; HLR, AuC, SIM; MM MM CM MM MM
(1/2) Connection Management (CM): CM; 3: Call Control (CC), Supplementary Service management (SS), Short Message Service (SMS)
(2/2) CC; HLR, MSC/VLR, GMSC; CC SS GSM SMS GSM
Operations, Administration & Maintenance (OA&M): OSS BSS NSS OA&M
[Figure (GSM): protocol stack labels Radio ch., 64 kbit/s ch., LAPDm, LAPD, MTP 1, MTP 2, MTP 3, SCCP, TCAP, BSSMAP, MAP/D, MAP/E, RSM, RIL3-RR, RIL3-MM, RIL3-CM, RR, MM, CM; nodes MS, BTS, BSC, HLR]
Section 6.7 Short Message Service (SMS)
(1/2) SDCCH, SACCH; 140; store and forward; SMSC (Short Message Service Center); IWMSC; SMS GMSC; GMSC; SMS
(2/2) SMS CM GSM MM RR SDCCH GSM MAP; Low capacity; Cheaper; Best-Effort; Non Real-Time; Radio Resource (RR) Management; Mobility Management (MM); Communication Management (CM); SMS
[Figure 6-20 (SMS): diagram labels Short Message Sender; Original MS; Terminating MS; BTS; BSC; MSC; IWMSC; SM-SC; SMS GMSC; GSM network (two). Legend: BST: Base Station Transceiver; BSC: Base Station Controller; MSC: Mobile Switch Center; GMSC: Gateway MSC; IWMSC: Interworking MSC; SM-SC: SMS center]
Section 6.8 Summary
Summary: GSM GSM GSM SIM GSM anytime anywhere
Homework
GSM MAPSS7NSSGSM MAPSS7 F BurstFrequency Correction BurstF burstFCCHData1420MSBTSS BurstSynchronization BurstSCH64 bitsTraining sequenceMSS burstMSdemodulationburstF burstdemodulationS bursttraining sequenceDataBase Station Identity CodeBSICFrame numberMSBTSframe structureA BurstAccess Burst RACHRACHA burstMSRACHtime slotA burstcollisionMSA burstMSBTSMSBTSA burstBTSA burstBTSA burstMSA burstGuard timeBTSA bursttime slotA burstA burst83 bitstime slot156.25 bitsD BurstDummy BurstBTSburstMixed bitmodulating bit states
BTS MS physical channel. physical channel , logical channels.GSMlogical channels logical Traffic channel control channel .
MS logic channel.MS RACH BSC SDCCH MS, AGCH MSMS SDCCH BSS , ., BSS TCH MS, SDCCH.MS FACCH BSS . call origination, call termination, user service, location update, radio link . mobile initialization, RACH , MS radio resource request BSC. BSC BTS , MS. BTS response MS AGCH. call termination, network initialization, paging . MS logic channel.BSC LA BTS PCH MS TMSI. (PERM_PAGE)PCH paging request message TMSI, page 4 MS.MS TMSI, RACH (CHH_REQ)BSC SDCCH MS, AGCH MS (DSCH_ASS) IAM MS TCH , MS SDCCH BSC.MS SDCCH call setup PAGE_RESP BSS, TMSI LAI.BSC PAGE_RESP MSCMSC VLR MS .(PAGE_RESP)BSC TCHMS, voice. cell TCH , BSC cell TCH .Note: BSCchannel assignment.
GSMLocation AreaLAGSM MS LA registration, location update, LA Registration Area. LA , VLR (i.e., LA address). LAI (Location Area Identity) ( Location Area, LA) . LA a cell a group of cells, MSC LAs.LAI call termination MS LA, LA cells page MS. LA ( cells) LA ( cells) . cell CGI (cell global identity), LAI CI Example: cell CGI = 466-01-91-1 466-01-91-2 MS GSM , MS BS CGI LAI CI. LA, MSC/VLR MS . Registration Location Update.MS , CGI . LA registration. , BTS.
MSISDN (Mobile Station ISDN Number) ()MSISDN=CC+NDC+SN, --.GSMISDNMobile Station ISDN Number MSISDNMSISDN CCITT Recommendation E.164 MSRN MS , i.e., MSC, VLR , .MSRN = CC+NDC+SN MSISND . MSRN MS MSC . MSC MSRN, . GMSC MSRN , MSC .IMSI IMSN (International Subscriber Number), International Mobile Subscriber IdentityIMSI IMSI SIM , HLR, AUC, VLR . International Mobile Subscriber IdentityIMSI IMSI air interface , TMSI identify MS itself.TMSI MS new LA , ( IMSI), registration (location update) . , MSC paging a MS, LA BS PCH broadcast the TMSI of MS.IMEI,,.,*#06#,IMEI. My IMEI=449 20 8300251418.
MS (idle, )(roaming), BS , BCCH ( Broadcast control channel) CGI ( CI LAI). BS , MS BS channel. :New BS old BS LAI: paging area , MS MSC/VLR, new BS BCH (Broadcast channel) .New BS old BS LAI: (location update) registration. cases:Intra-MSC movement: BSs MSC , VLR , HLR. ( HLR LAI)Inter-MSC movement: BSs MSC VLR , VLR HLR , i.e., MS .Inter-VLR movement: BSs VLR , VLR HLR , i.e., MS . inter-VLR movement inter-MSC registration. HLR HLR, VLR identifiers .
Step 1: BCCH(LAC, Location code) SDCCH new VLR MS Temporary Mobile Subscriber Identity (TMSIVLR VLR MSC VLR : MSC, TMSI, old LAI, target LAI .Step 2:IMSI VLR VLR TMSI VLR IMSI VLR authentication TMSI IMSI Step 3: VLR HLR VLR IMSI MS PLMN, i.e., HLR HLR VLR Step 4: VLR TMSI Step 5:3HLR VLR VLR
Call termination call delivery.GSMIS-41 PSTN GSMISDNMobile Station ISDN Number MSISDNPSTN MSISDN MS PLMN, MSISDN PLMN GMSC . GMSC MSISDN MS HLR HLR MSC GSM Step 1:MSISDNMSISDN MSISDN MS PLMN IAM PLMN GMSCMSISDN GMSC HLR HLR HLR MSISDN IMSI VLR VLR routable address MSRN. Step 2:VLR MS active ()? If not, Mobile Station Roaming NumberMSRNMSRN HLR GMSCMSRN MSC Step 3:MSRNGMSC MSRN MSCMSCVLRMS TMSILAIMSC LAI BSSTMSI MSMS , VLRMSCMSCannouncement TCH BSC TCH MS STRN_MEAS serving BSS. . Serving BSC handoff.Serving BSS HAND_REQ MSC, MS target BSSs.MSC BSS candidate , BSS target BSS, intra-MSC handoff. resources, MSC target BSS truck, radio channel. MSC trunk HAND_REQ target BSS. cell area ID ( BTS), MSC-BSS trunk ID, encryption key Kc.BSS resource, HAND_REQ_ACK MSC, radio channel ID.MSC HAND_COMM serving BSS, target BSS new radio channel ID.Serving BSS HAND_COMM MS.MS new radio channel HAND_ACC target BSS .Target BSS CHH_INFO.Target BSS MSC handoff.Target BSS MS synchronization, time-slot . , MS HAND_COMP target BSS. MSC voice trunk target BSS. MS BSS synchronization signal, BSS HAND_COMP MSC, handoff .MSC REL_RCH serving BSS, old radio channel. serving BSS MS resource, REL_RCH_COMP MSC.GSM spec. open interval gap ( MS new radio channel synchronization) 90% 150ms.
* Intra-MSC handoff .MS STRN_MEAS serving BSS. .Serving BSC handoff.Serving BSS HAND_REQ MSC, MS target BSSs.*MSC ( serving MSC) MS , MSC( target MSC) , Serving MSC target MSC directory number target MSC trunk.*Target MSC HAND_NUM VLR, MS.*VLR TMSI HAND_NUM_COMP target MSC. Target MSC HAND_REQ target BSS. cell area ID ( BTS), MSC-BSS trunk ID, encryption key Kc.BSS resource, HAND_REQ_ACK MSC, radio channel ID.*Target MSC HAND_PER_ACK serving MSC, handoff.*Serving MSC NET_SETUP target MSC .*Target MSC serving MSC SETUP_COMP.Serving MSC HAND_COMM serving BSS, target BSS new radio channel ID.Serving BSS HAND_COMM MS.MS new radio channel HAND_ACC target BSS .Target BSS CHH_INFO.Target BSS Target MSC handoff.MS Target BSS time-slot HAND_COMP target BSS. target MSC voice trunk target BSS. MS BSS synchronization signal, BSS HAND_COMP MSC, handoff .*Target MSC SEND_ENDIG Serving MSC handoff .* MS new radio channel , Target MSC ANDWER Serving MSC.Serving MSC REL_RCH serving BSS, old radio channel. serving BSS MS resource, REL_RCH_COMP Serving MSC.*Serving MSC END_SIGNAL target MSC.*Serving MSC network resource, NET_REL target MSC.*Target MSC ERL_HAND_NUM VLR, VLR .
, , .secret keyKi128random numberRAND RAND KiRANDA3 A3 SRES SRES SRES
GSM functional plane GSM sites interface GSM . OSI model , functional planes, . GSM functions model 5 functional planes. entities (physical transmission) external users (lower layer) (upper layer)., lower layer short time scale, upper layer long time scale.Ex: bit modulation in Transmission plane microseconds ., entity ( signaling protocol), , function. GSM functional plane OSI layer protocol , function protocol.Example: CM Q.931 (layer 3), CM Q.931 , layers 1,2. signals , CM physical layer.GSM functional plane GSM sites OS calls program . programmer, designer GSM function planes operations .
GSM entity functional plane ., entity function. entity protocol , protocols functional plane .RIL3: Radio Interface Layer 3 MS BSC RIL3-RR, (TS GSM 04.08) radio resource management.MS NSS entities : RIL3-MM, RIL3-CM rules (protocol).BTSBSCA-bisRSM initial assignment procedure (ex: location updating, answer to paging) , MS BSC RR message:MS RACH RIL3-RR CHANEL REQUEST, BSC AGCH RIL3-RR IMMEDIATE ASIGNMENT.MSC/VLR authentication , MS MSC/VLR MM message:MS RACH RIL3-MM AUTHENTICATION REQUEST MSC/VLR, MSC/VLR RIL3-MM AUTHENTICATION RESPONSE MS. handover, BSC MSC message:old-BSC trigger event, communication path.inter-BSC: old-BSC BSSMAP HANDOVER REQUIRED MSC. MSCSCCP connection BSSMAP HANDOVER REQUEST new-BSC. handoff SCCP connection.inter-MSC: old-BSC BSSMAP HANDOVER REQUIRED old MSC, old MSC MAP/E PERFORM SUBSEQUENT HANDOVER anchor MSC. anchor MAP/E PERFORM HANDOVER new MSC.new-MSC BSSMAP HANDOVER REQ UEST new BSC..
SMS ,
160 char., :SMS concatenation: SMS , SMS compression: SMS signal bandwidth data. page #, low-capacitynot real time, low priority SM-MC, store-and-forward . sender receipt , SM-SCSM-SC scalable, available, reliable.A SM-SC GSM networks. A SM-SC SMS GMSC in a GSM network. SM-SC :Ex: Sema SM-SC is Compaq Alpha Server. Ericsson SM-SC is Sun SPARC. Nokia SM-SC is HP 9000.SM-SC TCP/IP ( Internet ), WAP .WAP: Wireless Application Protocol
SM-SC (Short Message Service Center) store and forward .IWMSC MS short message, SM-SC (Short Message Service Gateway MSCSMS GMSC) SM-SC , MS , MSC, MSC short message.MSC: broadcast the SMS to all its BSSs.BTS: page the MS. MS short message MS steps. (Mobile Originating)Step 1: MS short message IWMSC (Inter-working MSC).Step 2: short message SM-SC (Short Message Service Center) . Step 3: short message , ., , :Predictive Text Input Algorithm: hot key (ex: ), MS , key in .QWERTY keyboard: MS QWERTY keyboards SM-SC short message MS steps. MS , Internet PC page (Mobile Terminating)Step 2: SM-SC (Short Message Service Gateway MSCSMS GMSC) GSM SM-SC MSC.Step 3: GSM roaming protocol , GMSC MS MSC, short message MSC.Step 4: MSC BSS BTS short message broadcast .Step 5: MS software .