Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Services. The system shall provide service portability, i.e., mobile stations (MSs) or mobile phones
can be used in all participating countries. The system shall oer services that exist in the
wireline network as well as services specic to mobile communications. In addition to vehicle-
mounted stations, the system shall provide service to MSs used by pedestrians and/or onboard
ships.
Quality of Services and Security. The quality for voice telephony of GSM shall be at least as
good as the previous analog systems over the practical operating range. The system shall be
capable of oering information encryption without signicantly aecting the costs to users
who do not require such facility.
Radio Frequency Utilization. The system shall permit a high level of spectrum eciency and
state-of-the-art subscriber facilities. The system shall be capable of operating in the entire
allocated frequency band, and co-exist with the earlier systems in the same frequency band.
Network. The identication and numbering plans shall be based on relevant ITU recommenda-
tions. An international standardized signaling system shall be used for switching and mobility
management. The existing xed public networks should not be signicantly modied.
143
144 CHAPTER 9. GSM SYSTEM OVERVIEW
NSS
MSC
A Interface
BSC BSS
A-bis
BSS
BTS BTS
Radio Interface
ME MS
MS MS
SIM
Cost. The system parameters shall be chosen with a view to limiting the cost of the complete
system, in particular the MSs.
This chapter provides an overview of the GSM system. We rst introduce the GSM architecture,
then give details of the radio interface in the architecture. We discuss how the locations of the
MSs are tracked, and how phone calls are delivered to these MSs in a GSM network. Finally we
describe the security and data service aspects of GSM.
a smart card that can be performed, which contains a plug-in SIM that can be broken out of
it.
The SIM is protected by a personal identity number (PIN) of length between four to eight digits.
The PIN is loaded by the network operator at the subscription time. This PIN can be deactivated
or changed by the user. To use the MS, the user is asked to enter the PIN. If the number is not
correctly entered in three consecutive times, the SIM is blocked and therefore the MS can not be
used. To unblock the SIM, the user is asked to enter the 8-digit PIN Unblocking Key (PUK).
A SIM contains the subscriber-related information including the PIN and PUK codes. the subscriber-
related data also include a list of abbreviated and customized dialing numbers, short messages re-
ceived when the subscriber is not present, and names of preferred networks to provide service, and
so on. Parts of the SIM information can be modied by the subscriber either by using the keypad
of an MS or a personal computer using an RS232 connection. Figure 9.2 illustrates an example of
the SIM data retrieved by using the software. Subscriber related data are sent to the ME during
operation, which are deleted after the removal of the SIM or deactivation of the MS.
The SIM card can be updated over the air through SIM Toolkit. With SIM Toolkit, network
operators can remotely upgrade an MS by sending codes through the short messages described in
Chapter 12. These messages are issued form a SimCard server and are received by MSs equipped
with SIM-Toolkit capability. SIM Toolkit provides security-related functions so that SIM cards
are not falsely modied. In some networks, for example D1 T-Mobil in Germany, every new MS
146 CHAPTER 9. GSM SYSTEM OVERVIEW
Figure 9.2: SIM Data Retrieved from a Software Tool (Edited Version)
9.1. GSM ARCHITECTURE 147
connected to the network has been SIM Toolkit compliant, which will be used for high-security
applications such as mobile banking.
The ME contains the non-customer-related hardware and software specic to the radio interface.
When the SIM is removed from an MS, the remaining ME cannot be used for reaching the service
except for emergency calls. SIMs may be attached to MEs with dierent characteristics. At every
new connection between MS (SIM) and the network, the characteristic indication of the ME, called
classmark , is given to the network. This SIM-ME design supports portability as well as enhancing
security. Usually the ME is the property of the subscriber. The SIM, although loaned to the
subscriber, is the property of the service provider.
The BSS connects the MS and the NSS. The BSS consists of two parts: the base transceiver station
(BTS) and the base station controller (BSC). The BTS contains transmitter, receiver, and signal-
ing equipment specic to the radio interface in order to contact the MSs. An important part of
the BTS is the transcoder/rate adapter unit (TRAU) that carries out GSM-specic speech encod-
ing/decoding and rate adaption in data transmission. The BSC is responsible for the switching
functions in the BSS, and is in turn connected to an MSC in the NSS. The BSC supports radio
channel allocation/release and hando management (to be described in Section 9.3). A BSC may
connect to several BTSs and maintain cell conguration data of these BTSs. The BSC communi-
cates with the BTSs using ISDN protocols via the A-bis interface. In GSM BSS design, a BSC may
only connect to one BTS, in which case they are likely to be collocated. In this scenario, the BSC
and the BTS may be integrated without the A-bis interface.
Capacity planning for BSC is very important. In busy hours, the processor load of a BSC is
roughly distributed in call activities (around 20-25%), paging and short message service (around
10-15%), mobility management (hando and location update; around 20-25%), and hardware
checking/network-triggered events (around 15-20%). A BSC is typically engineered at 80% uti-
lization. When a BSC is overloaded, it rst rejects location update, then MS originating calls, and
then handos.
148 CHAPTER 9. GSM SYSTEM OVERVIEW
9.1.3 Network and Switching Subsystem
The NSS supports the switching functions, subscriber proles, and mobility management. The
basic switching function in the NSS is performed by the MSC. This interface follows a signaling
protocol used in the telephone network. The MSC also communicates with other network elements
external to GSM utilizing the same signaling protocol. The current location of an MS is usually
maintained by the HLR and VLR (as described in Section 2.2). When an MS moves from the home
system to a visited system, its location is registered at the VLR of the visited system. The VLR
then informs the MS's HLR of its current location. The authentication center (AuC) is used in the
security data management for the authentication of subscribers. The AuC may be collocated with
the HLR.
An incoming call is routed to an MSC, unless the xed network is able to interrogate the HLR
directly. That MSC is called the gateway MSC (GMSC). An MSC can function as a GMSC by
including appropriate software and HLR interrogation information, and by provisioning interface
and the signaling link to the HLR. The GMSC obtains the location information and routes the
calls to the visited MSC of the subscribers to receive the calls. The details will be elaborated in
Section 11.1.
same time. However, due to propagation delays, especially when the MS is far away from the BTS,
the three-time-slot delay cannot be accurately maintained. The solution is to compute the timing
advance value so that the exact shift between downlink and uplink seen by the MS is three time
slots minus the timing advance value. This timing advance value is calculated by the BSS based
on the bursts received from the MS and is signaled to the MS twice per second to inform the MS
of the appropriate timing value.
The GSM burst structure is illustrated in Figure 9.3. Every burst contains 148 bits (0.546 msec)
followed by 0.031 msec guard time (8.25 bits). The burst begins with 3 head bits and ends with
3 tail bits, all of which are logical zeros. Two groups of data bits are separated by an equalizer
training sequence of 26 bits. Each data group consists of 57 information bits and one
ag that
indicates whether the information bits are for user speech/data or signaling. Depending on the
information carried by a time slot, i.e., the information bits in Figure 9.3, two types of logical
channels are dened: the trac channels (TCHs) and the control channels (CCHs). TCHs are
intended to carry user information (speech or data). Two kinds of TCHs are dened:
Full rate TCH (TCH/F) provides transmission speed of 13 Kb/s for speech or 9.6, 4.8 or 2.4
Kb/s for data. Enhanced Full Rate (EFR) speech coders have been implemented to improve
the speech quality of a TCH/F.
Half rate TCH (TCH/H) allows transmission of 5.6 Kb/s speech or 4.8 or 2.4 Kb/s data.
The CCHs are intended to carry signaling information. Three types of CCHs are dened in GSM:
SDCCH(respond to paging)
Figure 9.4 shows the radio aspect of mobile call origination, which describes how the logical channels
are involved in the call setup procedure. To initiate the call setup, the MS sends a signaling channel
request to the network through RACH. The BSC informs the MS of the allocated signaling channel
(SDCCH) through AGCH. Then the MS sends the call origination request via SDCCH. The MSC
instructs the BSC to allocate a TCH for this call. Finally, both the MS and the BTS tune to the
TCH.
Figure 9.5 shows the radio aspect of mobile call termination. In this case the MSC requests the
BSS to page the MS. The BSCs instruct the BTSs in the desired LA to page the MS by using PCH.
When the destination MS receives the paging message, it requests for a SDCCH. The BTS assigns
the SDCCH, which is used to set up the call as in the call origination case.
HLR
3
5
OLD NEW
VLR 2 VLR
4
1
The HLR must also be informed about this registration. To access the MS, the HLR is queried to
nd the current VLR of the MS. The details will be provided in the next section. When the MS
moves from one VLR to another VLR, the registration process is illustrated in Figure 9.6 and is
described in the following steps.
Step 1. The MS periodically listens to the BCCH broadcast from the BSS. If the MS detects that
it has entered a new location area, it sends a registration message to the new VLR by using
the SDCCH channel.
Step 2. The new VLR communicates with the old VLR to nd the HLR of the MS. Details of this
operation will be elaborated in Section 11.1.
The new VLR then performs the authentication process to be described in Section 9.3.
Step 3. After the MS is authenticated, the new VLR sends a registration message to the HLR. If
the registration request is accepted, the HLR provides the new VLR all relevant subscriber
information for call handling.
Step 4. The new VLR informs the MS of the successful registration.
Step 5. After Step 3, the HLR sends a deregistration (cancellation) message to the old VLR. The
old VLR cancels the record for the MS and replies an acknowledgement to the HLR for the
cancellation.
9.2. LOCATION TRACKING AND CALL SETUP 153
1 1
1 GMSC HLR VLR
1 2 2
other
switches 3
MSC
other 3
switches 3
When the MS is inactive due to switching o or SIM removal, it transmits a detach to deregister
from the network. The MS may also periodically send registration messages to the network. The
period may range from 6 minutes to slightly more than 24 hours. Periodical registration is useful for
fault tolerance purposes as described in Chapter 11. If the VLR or HLR fails, periodic registration
will speed up the recovery of the databases.
The GSM call control is similar to IS-41. The radio aspect of mobile call origination is described
in Section 9.1.4. The network aspect of this procedure is described in Section 11.1.2. For a GSM
mobile call termination or call delivery, the MS ISDN number (MSISDN) of the subscriber is dialed.
MSISDN is part of the ISDN numbering plan dened in ITU-T Recommendation E.164. This
number points to the subscriber's record in the HLR. The HLR record contains the information
to locate the MSC where the subscriber is currently located. Details of the information elds
maintained in the HLR are described in Section 11.2. The basic call termination procedure is
described in the following steps and is shown in Figure 9.7.
Step 1. When the MSISDN is dialed, the call is forwarded to the GMSC, a switch that has the
capability to interrogate the HLR for routing information. The HLR requests the current VLR
of the MS to provide the routable address called a mobile station roaming number (MSRN).
Step 2. The VLR returns the MSRN to the GMSC through the HLR.
Step 3. The GMSC uses the MSRN to route the call to the MS through the visited MSC.
154 CHAPTER 9. GSM SYSTEM OVERVIEW
The MS may be engaged in another communication when a call arrives. If the mobile user has
subscribed to the call waiting service, then the MSC proceeds directly to connect the call to the
MS. Dierent communication sessions may be associated with an MS at the same time. These
sessions are distinguished by their transaction identiers .
9.3 Security
GSM security is addressed in two aspects: authentication and encryption. Authentication avoids
fraudulent access of a cloned MS. Encryption avoids unauthorized listening.
A secret key Ki is used to achieve authentication. Ki is stored in the AuC as well as in the SIM.
The Ki value is unknown to the subscriber. To initiate the authentication process, the home system
of the MS generates a 128-bit random number called RAND . This number is sent to the MS. By
exercising an algorithm A3, both the network (AuC) and the MS (SIM) use Ki and RAND to
produce a signed result (SRES) as shown in Figure 9.8. The SRES generated by the MS is sent
to the home system and is compared with the SRES generated by the AuC. Note that if SRES
and RAND generated by the AuC are sent from the HLR to the visited VLR in advance, then the
SRES comparison can be done at the visited VLR. If they are not identical, then the access request
is rejected. Algorithm A3 is dependent on the GSM service provider. Since the visited system may
not know the A3 algorithm of a roaming MS, authentication result SRES is generated at the home
system of the MS. In IS-41, the authentication process may be done locally in the visited system
as in the S scheme explained in Section 6.2.
If the MS is accepted for access, an encryption key Kc is produced by an algorithm A8 with Ki and
RAND as inputs shown in Figure 9.8. Like A3, A8 is specic to the home system. After the home
system has generated Kc , this encryption key is sent to the visited system. Kc and the TDMA
frame number encoded in the data bits (see Figure 9.3) are used by an algorithm A5 to cipher and
decipher the data stream between the MS and the visited system. The same A5 algorithm may be
used in all systems participating in the GSM service.
MS Home System
RAND
Ki Ki
A8 A3 reject A3 A8
no
SRES equal SRES
?
yes
accept Kc
Authentication
Encryption
Visited System
Kc
frame number Kc
A5 A5
data data
ciphering deciphering
ciphered
data* information
deciphering ciphering data*
High Speed Circuit Switched Data (HSCSD) for high speed le transfers and mobile video
applications and
General Packet Radio Service (GPRS) for bursty data applications such as email and WWW.
The data rates are expected to be raised from 9.6 Kb/s to 28.8 Kb/s or higher. In the near term,
the baseline standard for mobile professionals will probably be 19.2 Kb/s.
HSCSD is a circuit-switched protocol for large le transfer and multimedia applications. The
physical layer of HSCSD is the same as that for the Phase 2 GSM data services. The data
rate of HSCSD has been increased by using multiple TDMA time slots (up to 8) instead
of one time slot in the current data applications. The data rate can also be increased by
data compression techniques. The HSCSD architecture is illustrated in Figure 9.9. The data
computing session is performed at a terminal equipment (TE) such as a computer connected
to the MT. The network interworking function (IWF) supports adaption between GSM and
the external networks. Thus, TAF and IWF are sensitive to the end-to-end services. On the
9.4. DATA SERVICES 157
PSTN
radio PSDN
MS MSC
TE
TE interface ISDN
TAF IWF
BSS
other hand, the GSM entities between TAF and IWF are independent of the services. They
only provide the bearer capabilities required to transport the corresponding data
ow.
The radio interface is the same as that of the current GSM system except that multiple,
independent time slots can be utilized to provide high speed link as previously described.
The radio link protocol (RLP) has been enhanced in HSCSD to support multi-link (time
slot) operation. The protocol may or may not recover the frame errors between TAF and
IWF.
The problem of multiple time slot assignment is that the blocking rate of the system will be
increased, i.e, fewer customers can share the GSM services if more radio resources are assigned
to individual customers. This problem can be reduced by
exible resource assignment where
the service or the customers specify the maximum capacity and the minimum capacity. Based
on the current available capacity of a BS, a customer will be assigned any rate between the
maximum and the minimum capacities.
GPRS is a packet-switched protocol for applications such as WWW where the user spends most
of the time in reading the information, and the bursty data are transferred through the link
when the server is changed. Unlike HSCSD, the GSM circuit switching architecture cannot
satisfy the packet switching nature of GPRS. Thus, GPRS requires its own transport network.
Figure 9.10 illustrates the GPRS architecture.
GPRS introduces two new entities, namely, Serving GPRS support node (SGSN) and gateway
GPRS support node (GGSN), to the GSM architecture. SGSN receives and transmits packets
158 CHAPTER 9. GSM SYSTEM OVERVIEW
MSC
TE VLR HLR
signaling link
PSTN
radio GGSN PSDN
TAF interface ISDN
SGSN IWF
MS
BSS
between the MSs and their counterparts in the public switched data network (PSDN). GGSN
interworks with the PSDN using connectionless network protocols, such as Internet protocol
and the OSI connectionless network protocol, or connection oriented protocols such as X.25.
SGSN and GGSN interact with the GSM location databases, including the HLR and the
VLRs, to track the location of the MSs. The GPRS data units are routed to the destination
MSs based on location information. Both SGSN and GGSN may be equipped with cache
memories containing location information to speed up the routing procedure.
Like HSCSD, GPRS air interface requires a new radio link protocol to guarantee fast call setup
procedure and low bit error rate for data transfer between the MSs and the BSs. Furthermore,
GPRS needs to implement a packet radio media access control (MAC) for packet switching
(see Chapter 18).
Based on the above discussion, HSCSD and GPRS have very dierent cost and revenue proles.
GPRS typically supports up to 100 users with 1-8 channels, while HSCSD typically supports fewer
users where a user may utilize 2-8 channels. GPRS supports broadcast and multi-sessions, while
HSCSD supports point-to-point sessions. GPRS requires to invest on new infrastructure. On the
9.5. UNSTRUCTURED SUPPLEMENTARY SERVICE DATA 159
sent by the MS will instruct the network to forward all incoming calls to that Ms to the phone
number 528 8128. The above USSD string is sent out in the same manner as placing a call.
Furthermore, most MSs can store several USSD strings and allows sending these strings through
speed dialing keys.
The USSD architecture is illustrated in Figure 9.11. The USSD provides interaction between a
160 CHAPTER 9. GSM SYSTEM OVERVIEW
GSM Network
1 2 3
MSC
VLR HLR
USSD 5
Gateway App.
Server
GSM node (MSC, VLR, or HLR) and the MS. If the USSD service node is an MSC, then the USSD
messages are exchanged through path (1) in Figure 9.11. If the service node is a VLR (or HLR), then
the messages are exchanged through path (1)$ (2) (or (1) $ (2) $ (3)) in Figure 9.11. Suppose
that a new USSD service enabling subscribers to obtain real-time stock quotes is implemented at the
home network. To utilize this service USSD messages would be exchanged between the MS and the
HLR. Since the MS communicates directly with the HLR, the subscriber can monitor stock values
even when roaming to another country. However, it is probably not practical to support this stock
query service in HLR. The HLR is expensive to modify, maintain and test, and may not have extra
processing power required to handle services. Thus, a reasonable solution is to introduce a USSD
gateway that connects to the application (i.e., stock query) server. The USSD gateway connects to
HLR using GSM MAP and to application servers by TCP/IP. When the subscriber issues a stock
query request encoded in a USSD string, the MS sends it to the HLR via SS7. The HLR routes
the USSD message directly to the USSD gateway ((4) in Figure 9.11) without any interpretation.
The USSD gateway translates the USSD format and sends the query to the application server ((5)
in Figure 9.11). The server then returns the results to the MS for display.
In terms of turnaround time for interactive applications, USSD is better than SMS. According to
Nokia, USSD can be up to seven times faster than SMS for performing a two-way transaction.
9.6. SUMMARY 161
9.6 Summary
This chapter introduced the GSM system. Details of the GSM network signaling will be discussed
in the subsequent chapters. Other GSM references can be found in [Lin95b, Lyc91, Hau94, Mou92].
Descriptions of GSM 1800, the GSM system operated at 1.8GHz, can be found in [Ram94]. The
radio interface of PCS 1900, the GSM version at 1.9 GHz, was standardized in the Joint Tech-
nical Committee (JTC) [Coo94]. The network portion of PCS 1900 was introduced into TR46
for adaption to meet ANSI standards. MSISDN numbering is dened in ITU-T Recommendation
E.164 [CCI91]. Solutions for
exible resource assignment in HSCSD can be found in [Jen97, Jen98a].
Details of GPRS are described in Chapter 18. Details of USSD can be found in [ETS97i], [ETS96b],
and [ETS97j]. GSM SIM Toolkit is specied in [ETS97h].
The whole set of ocial GSM specications generated by ETSI is structured in 12 series [Mou92]:
(1) General, (2) Service Aspects, (3) Network Aspects, (4) MS-BSS Interface and Protocols, (5)
Physical Layer on the Radio Path, (6) Speech Coding Specication, (7) Terminal Adaptors for
Mobile Stations, (8) BSS to MSC Interfaces, (9) Network Interworking, (10) empty (originally
planned for service interworking specications), (11) Equipment and Type Approval Specication,
(12) Operation and Maintenance. GSM documents can be down loaded without charge from ETSI
web site at http://www.etsi.org.