GSM
Faculty Name
Topics covered
GSM Overview
Services
Architecture
Cell management
TDMA, FDMA
Orientation
Handover
Authentications
HSCSD, GPRS
GSM: Overview
GSM
formerly: Groupe Spéciale Mobile (founded 1982)
now: Global System for Mobile Communication
Pan-European standard (ETSI, European Telecommunications Standardisation
Institute)
simultaneous introduction of essential digital cellular services in three phases
(1991, 1994, 1996) by the European telecommunication administrations,
seamless roaming within Europe possible
today many providers all over the world use GSM (more than 130 countries in
Asia, Africa, Europe, Australia, America)
more than 100 million subscribers
Communication
mobile, wireless digital communication; support for voice and data
services
Total mobility
international access, chip-card enables use of access points of
different providers
Worldwide connectivity
one number, the network handles localization
High capacity
better frequency efficiency, smaller cells, more customers per cell
High transmission quality
high audio quality
uninterrupted phone calls at higher speeds (e.g., from cars, trains)
better handoffs and
Security functions
access control, authentication via chip-card and PIN
Reference book name
Disadvantages of GSM
There is no perfect system!!
no end-to-end encryption of user data
no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel
GSM offers
bearer services
tele services
[Figure: bearer services and tele services. Labels: MS (TE, MT; R, S), Um, GSM-PLMN, transit network (PSTN, ISDN), source/destination network, TE (U, S, R)]
Bearer Services
Telecommunication services to transfer data between access points
R and S interfaces: interfaces that provide network independent data
transmission from end device to mobile termination point.
U interface: provides the interface to the network (TDMA, FDMA, etc.)
Specification of services up to the terminal interface (OSI layers 1-3)
Transparent: no error control or flow control, only FEC
Non-transparent: error control, flow control
Different data rates for voice and data (original standard)
voice service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 Kbps.
data service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 1200 bit/s
data service (packet switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 9600 bit/s
Tele Services I
Telecommunication services that enable voice communication via mobile phones
All these basic services have to obey cellular
functions, security measures etc.
Offered voice related services
mobile telephony
primary goal of GSM was to enable mobile telephony offering the
traditional bandwidth of 3.1 kHz
Emergency number
common number throughout Europe (112); mandatory for all service
providers; free of charge; connection with the highest priority (preemption
of other connections possible)
Multinumbering
several ISDN phone numbers per user possible
Tele Services II
Additional services: Non-Voice-Teleservices
group 3 fax
voice mailbox (implemented in the fixed network supporting the mobile
terminals)
electronic mail (MHS, Message Handling System, implemented in the fixed
network)
Short Message Service (SMS)
alphanumeric data transmission to/from the mobile terminal using the
signaling channel, thus allowing simultaneous use of basic services and SMS
(160 characters)
Supplementary Services
Services in addition to the basic services, cannot be offered stand-alone
May differ between different service
providers, countries and protocol versions
Important services
MS (mobile station)
BS (base station)
MSC (mobile switching center)
LR (location register)
subsystems
CONTD
Mobile station (MS):
The MS comprises all user equipment and software needed for communication
with a GSM network.
An MS consists of user independent hard- and software and of the subscriber
identity module (SIM), which stores all user-specific data that is relevant to
GSM.
While an MS can be identified via the international mobile equipment identity
(IMEI), a user can personalize any MS using his or her SIM, i.e., user-specific
mechanisms like charging and authentication are based on the SIM, not on the
device itself.
Device-specific mechanisms, e.g., theft protection, use the device specific
IMEI. Without the SIM, only emergency calls are possible.
The SIM card contains many identifiers and tables, such as card-type, serial
number, a list of subscribed services, a personal identity number (PIN), a PIN
unblocking key (PUK), an authentication key Ki, and the international mobile
subscriber identity (IMSI) (ETSI, 1991c).
The PIN is used to unlock the MS. Using the wrong PIN three times will lock
the SIM. In such cases, the PUK is needed to unlock the SIM.
The MS stores dynamic information while logged onto the GSM system, such
as, e.g., the cipher key Kc and the location information consisting of a
temporary mobile subscriber identity (TMSI) and the location area
identification (LAI).
GSM: overview
[Figure: GSM overview. Labels: OMC, EIR, AUC, HLR, GMSC, VLR, MSC, BSC, fixed network, RSS, NSS with OSS]
[Figure: GSM subsystems and interfaces. Labels: RSS (MS, radio cell, BTS, BSC, BSS), NSS (MSC, VLR, HLR, GMSC, IWF, signaling), OSS (EIR, AUC, OMC), interfaces Um, Abis, A, O, external networks ISDN, PSTN, PDN]
[Figure: system architecture. Labels: radio subsystem (MS, Um, BTS, Abis, BSC, BSS), network and switching subsystem (A, MSC, VLR, HLR, EIR, IWF, SS7), fixed partner networks (ISDN, PSTN, PSPDN, CSPDN)]
System architecture: radio subsystem
Components
MS (Mobile Station)
BSS (Base Station Subsystem):
consisting of
Interfaces
Um: radio interface
Abis: standardized, open interface with
16 kbit/s user channels
A: standardized, open interface with
64 kbit/s user channels
[Figure: radio subsystem. Labels: MS, Um, BTS, Abis, BSC, BSS, MSC]
System architecture: network and switching subsystem
Components
Databases
[Figure: network subsystem and fixed partner networks. Labels: MSC, IWF, SS7, EIR, HLR, VLR, ISDN, PSTN, PSPDN, CSPDN]
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centers
Components
Base Station Subsystem (BSS):
Mobile station
TA (Terminal Adapter):
terminal adaptation, hides radio specific characteristics (TE connects via modem, Bluetooth,
IrDA etc. to MT)
TE (Terminal Equipment):
peripheral device of the MS, offers services to a user
Can be a headset, microphone, etc.
does not contain GSM specific functions
[Figure: mobile station. Labels: TE, TA, MT, with R, S and Um between them and towards the network]
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal within the domain of the MSC; several BSCs can belong to one MSC
Databases (important: scalability, high capacity, low delay)
Functions of a MSC
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
different control capabilities for the radio subsystem and the network subsystem
Radio Interface
GSM implements SDMA using cells with BTS and assigns an MS to a BTS
Media access combines TDMA and FDMA.
In GSM 900, 124 channels, each 200 kHz wide, are used for FDMA,
whereas GSM 1800 uses 374 channels.
Due to technical reasons, channels 1 and 124 are not used for transmission
in GSM 900.
Typically, 32 channels are reserved for organizational data; the remaining
90 are used for customers.
Each BTS then manages a single channel for organizational data and, e.g.,
up to 10 channels for user data.
The following example is based on the GSM 900 system, but GSM works
in a similar way at 1800 and 1900 MHz.
Contd
The next slide shows the TDM used.
Each of the 248 channels is additionally separated in time via
a GSM TDMA frame, i.e., each 200 kHz carrier is subdivided
into frames that are repeated continuously. The duration of a
frame is 4.615 ms.
A frame is again subdivided into 8 GSM time slots, where each
slot represents a physical TDM channel and lasts for 577 µs.
Each TDM channel occupies the 200 kHz carrier for 577 µs
every 4.615 ms.
Data is transmitted in small portions, called bursts.
Contd
In the diagram, the burst is only 546.5 µs long and contains 148 bits.
The remaining 30.5 µs are used as guard space to avoid overlapping
with other bursts due to different path delays and to give the
transmitter time to turn on and off.
The first and last three bits of a normal burst (tail) are all set to 0 and
can be used to enhance the receiver performance.
The training sequence in the middle of a slot is used to adapt the
parameters of the receiver to the current path propagation
characteristics and to select the strongest signal in case of multi-path
propagation.
A flag S indicates whether the data field contains user or network
control data.
Contd
Apart from the normal burst, ETSI (1993a) defines four more
bursts for data transmission:
a frequency correction burst allows the MS to correct the local
oscillator to avoid interference with neighboring channels,
a synchronization burst with an extended training sequence
synchronizes the MS with the BTS in time,
an access burst is used for the initial connection setup
between MS and BTS,
and finally a dummy burst is used if no data is available for a
slot.
[Figure: GSM TDMA/FDMA, frequency over time. Downlink: 935-960 MHz, 124 channels (200 kHz). Uplink: 890-915 MHz, 124 channels (200 kHz). TDMA frame: 8 time slots, 4.615 ms. Time slot (normal burst), 577 µs: guard space, tail (3 bits), user data (57 bits), S (1 bit), training (26 bits), S (1 bit), user data (57 bits), tail (3 bits), guard space; burst length 546.5 µs]
A TCH/F has a data rate of 22.8 kbit/s, whereas TCH/H only has 11.4
kbit/s.
With the voice codecs available at the beginning of the GSM
standardization, 13 kbit/s were required, whereas the remaining capacity
of the TCH/F (22.8 kbit/s) was used for error correction (TCH/FS).
Improved codes allow for better voice coding and can use a TCH/H.
Using these TCH/HSs doubles the capacity of the GSM system for voice
transmission.
speech quality decreases in TCH/HSs
Contd
Finally, if more signaling information needs to
be transmitted and a TCH already exists, GSM
uses a fast associated dedicated control
channel (FACCH).
The FACCH uses the time slots which are
otherwise used by the TCH.
[Figure: GSM hierarchy of frames. Superframe: 6.12 s, built from multiframes numbered 0 ... 50 or 0 ... 25. Multiframe: frames 0 ... 25 (120 ms) or frames 0 ... 50 (235.4 ms). Frame: 4.615 ms. Slot carrying one burst: 577 µs]
[Figure: protocol architecture for signaling. Entities: MS, BTS, BSC, MSC. Protocol labels: CM, MM, RR, BTSM, BSSAP, LAPDm, LAPD, SS7, radio, PCM. Interface labels: Abis, 16/64 kbit/s, 64 kbit/s / 2.048 Mbit/s]
Contd
The main interest lies in the Um interface, as the other interfaces
occur between entities in a fixed network.
Layer 1, the physical layer, handles all radio-specific functions.
This includes the creation of bursts according to the five different
formats, multiplexing of bursts into a TDMA frame,
synchronization with the BTS, detection of idle channels, and
measurement of the channel quality on the downlink.
The physical layer at Um uses GMSK (Gaussian Minimum Shift
Keying) for digital modulation and performs
encryption/decryption of data, i.e., encryption is not performed
end-to-end, but only between MS and BSS over the air interface.
Contd
Synchronization also includes the correction of the individual
path delay between an MS and the BTS.
All MSs within a cell use the same BTS and thus must be
synchronized to this BTS.
The BTS generates the time-structure of frames, slots etc.
A problematic aspect in this context are the different round trip
times (RTT).
An MS close to the BTS has a very short RTT, whereas an MS
35 km away already exhibits an RTT of around 0.23 ms.
The BTS sends the current RTT to the MS, which then adjusts its
access time so that all bursts reach the BTS within their limits.
Contd
Signaling between entities in a GSM network requires higher layers.
For this purpose, the LAPDm protocol has been defined at the Um
interface for layer two.
LAPDm, as the name already implies, has been derived from link
access procedure for the D-channel (LAPD) in ISDN systems, which
is a version of HDLC.
LAPDm is a lightweight LAPD because it does not need
synchronization flags or checksumming for error detection.
LAPDm offers reliable data transfer over connections, re-sequencing
of data frames, and flow control.
Further services provided by LAPDm include segmentation and
reassembly of data and acknowledged/unacknowledged data transfer.
Contd
The lowest sublayer is the radio resource management (RR).
Only a part of this layer, RR, is implemented in the BTS,
the remainder is situated in the BSC.
The functions of RR are supported by the BSC via the BTS
management (BTSM). The main tasks of RR are setup,
maintenance, and release of radio channels.
RR also directly accesses the physical layer for radio
information and offers a reliable connection to the next
higher layer.
Contd
Mobility management (MM) contains functions for
registration,
authentication,
identification,
location updating,
and the provision of a temporary mobile subscriber identity (TMSI) that
replaces the international mobile subscriber identity (IMSI) and which hides the
real identity of an MS user over the air interface.
While the IMSI identifies a user, the TMSI is valid only in the current location
area of a VLR.
MM offers a reliable connection to the next higher layer.
Mobility Management
Contd
Finally, the call management (CM) layer contains three entities: call
control (CC), short message service (SMS), and supplementary service
(SS).
SMS allows for message transfer using the control channels SDCCH and
SACCH (if no signaling data is sent).
CC provides a point-to-point connection between two terminals and is
used by higher layers for call establishment, call clearing and change of
call parameters.
This layer also provides functions to send in-band tones, called dual tone
multiple frequency (DTMF), over the GSM network.
Additional protocols are used at the Abis and A interfaces.
Data transmission at the physical layer typically uses pulse code
modulation (PCM) systems.
Contd
Signaling System No. 7 (SS7) is used for
signaling between an MSC and a BSC.
This protocol also transfers all management
information between MSCs, HLR, VLRs,
AuC, EIR, and OMC.
An MSC can also control a BSS via a BSS
application part (BSSAP).
[Figure: call setup, steps 1 to 17. Labels: calling station, PSTN, GMSC, HLR, VLR, MSC, BSS, MS]
Contd
Step 5 & 6: After receiving the MSRN (5), the HLR can determine the MSC
responsible for the MS and forwards this information to the GMSC.
Step 7: The GMSC can now forward the call setup request to the MSC indicated.
After this point the MSC is responsible for further steps.
Step 8: First, it requests the current status of the MS from the VLR.
Step 9 & 10: If the MS is available, the MSC initiates paging in all cells
it is responsible for (the location area, LA), as searching for the right
cell would be too time consuming.
Contd
Step 11: The BTSs of all BSSs transmit this paging signal to the MS.
Step 12 & 13: If the MS answers, the VLR has to perform security checks
(set up encryption etc.).
Step 14 & 15: security checks
Step 16 & 17: The VLR then signals to the MSC to set up a connection to
the MS (steps 15 to 17).
[Figure: call setup, steps 1 to 10. Labels: MS, BSS, MSC, VLR, GMSC, PSTN]
[Figure: message flow between MS and BTS for MTC and MOC]
MTC: paging request, channel request, immediate assignment, paging response, authentication request, authentication response, ciphering command, ciphering complete, setup, call confirmed, assignment command, assignment complete, alerting, connect, connect acknowledge, data/speech exchange
MOC: channel request, immediate assignment, service request, authentication request, authentication response, ciphering command, ciphering complete, setup, call confirmed, assignment command, assignment complete, alerting, connect, connect acknowledge, data/speech exchange
Handover or handoff
Cellular systems require handover procedures, as single
cells do not cover the whole service area.
The smaller the cell size and the faster the movement of a
mobile station through the cells (up to 250 km/h for
GSM), the more handovers of ongoing calls are required.
Handover should not cause a cut-off, also called call drop.
GSM aims at a maximum handover duration of 60 ms.
Two basic reasons for a handover:
the MS moves out of the range
traffic in one cell is too high
Contd
GSM uses mobile assisted hand-off (MAHO). Signal
strength measurements are sent to the BS from the
mobile.
The MSC decides when to do a handoff and it informs
the new BS and the mobile.
When a mobile switches to a new BS, it sends a series
of shortened bursts to adjust its timing (giving the BS
time to calculate it and send it) and allow the new BS
to synchronize its receiver to the arrival time of the
messages.
4 types of handover
[Figure: four types of handover. Labels: MS, BTS, BSC, MSC]
Contd
Four possible handover scenarios in GSM
Intra-cell handover
Within a cell, narrow-band interference could make transmission at
a certain frequency impossible. The BSC could then decide to
change the carrier frequency.
Handover decision
[Figure: receive level of BTSold and receive level of BTSnew as the MS moves from BTSold to BTSnew, with HO_MARGIN marked]
Handover procedure
[Figure: message sequence between MS, BTSold, BSCold, MSC, BSCnew and BTSnew: measurement report, measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, HO command, HO access, link establishment, clear command, clear complete, HO complete]
Security in GSM
Security services
access control/authentication
secret:
A3 and A8 available via the Internet
network providers can use stronger mechanisms
Authentication system
Authentication is based on the SIM, which stores
the individual authentication key Ki, the user
identification IMSI, and the algorithm used for
authentication A3.
Challenge-response method:
the access control AC generates a random number RAND as challenge, and the
SIM within the MS answers with SRES (signed response) as response.
The AuC performs the basic generation of random values RAND, signed
responses SRES, and cipher keys Kc for each IMSI, and then forwards this
information to the HLR.
The current VLR requests the appropriate values for RAND, SRES, and Kc
from the HLR.
Contd
For authentication, the VLR sends the random
value RAND to the SIM.
Both sides, network and subscriber module,
perform the same operation with RAND and the
key Ki , called A3.
The MS sends back the SRES generated by the
SIM; the VLR can now compare both values.
If they are the same, the VLR accepts the
subscriber, otherwise the subscriber is rejected.
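The challenge-response exchange described above, as an added example that is not part of the original slides. HMAC-SHA-256 stands in for A3 and A8 (an assumption; only the 128-bit Ki and RAND, 32-bit SRES and 64-bit Kc sizes come from the slides), and the class names, sample IMSI and sample Ki are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA-256 is a stand-in for the operator-chosen A3 and A8.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3: (Ki, RAND) -> 32-bit signed response SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8: (Ki, RAND) -> 64-bit cipher key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuC:
    """Holds Ki per IMSI and generates (RAND, SRES, Kc) for the HLR/VLR."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def triplet(self, imsi):
        ki = self._ki[imsi]
        rand = secrets.token_bytes(16)      # fresh 128-bit challenge
        return rand, a3(ki, rand), a8(ki, rand)

class Sim:
    """Subscriber side: Ki stays on the card, only SRES is sent back."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
        self.kc = None

    def respond(self, rand):
        self.kc = a8(self._ki, rand)        # cipher key for A5, kept locally
        return a3(self._ki, rand)

class Vlr:
    """Serving network: works with RAND, SRES and Kc, never with Ki."""
    def __init__(self, auc):
        self._auc = auc

    def authenticate(self, sim):
        rand, sres_expected, kc = self._auc.triplet(sim.imsi)
        sres = sim.respond(rand)            # RAND goes out, SRES comes back
        if not hmac.compare_digest(sres, sres_expected):
            return None                     # subscriber rejected
        return kc                           # subscriber accepted, Kc agreed

def demo():
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed Ki
    imsi = "001010123456789"                                 # constructed IMSI
    vlr = Vlr(AuC({imsi: ki}))
    genuine = Sim(imsi, ki)
    wrong_card = Sim(imsi, bytes(16))       # same IMSI, different Ki
    kc = vlr.authenticate(genuine)
    return kc, genuine.kc, vlr.authenticate(wrong_card)

if __name__ == "__main__":
    kc, sim_kc, rejected = demo()
    print("accepted:", kc is not None, "| Kc agrees:", kc == sim_kc,
          "| wrong Ki result:", rejected)
```

Each run of `authenticate` consumes a fresh RAND, so a recorded SRES is of no use against a later challenge; Kc is derived on both sides and never crosses the air interface.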
GSM - authentication
[Figure: authentication. The mobile network (AC) and the SIM each feed RAND (128 bit) and Ki (128 bit) into A3; the results are SRES* and SRES (32 bit each), and the MSC checks SRES* =? SRES. AC: Access Control, RAND: RANDom number]
[Figure: cipher key. The mobile network (AC) and the SIM each feed RAND (128 bit) and Ki (128 bit) into A8 to obtain the cipher key Kc (64 bit); BTS and MS apply A5 with Kc to the data and exchange encrypted data]
Data services in GSM I
Data transmission standardized with only 9.6 kbit/s
advanced coding allows 14.4 kbit/s
not enough for Internet and multimedia applications
Frequency Allocation
Radio transmission can take place using many
different frequency bands.
Each frequency band exhibits certain
advantages and disadvantages.
Contd
The above figure shows frequencies starting at 300 Hz
and going up to over 300 THz.
Directly coupled to the frequency is the wavelength
via the equation:
λ = c/f,
where c ≈ 3 × 10^8 m/s (the speed of light in vacuum) and
f the frequency.
For traditional wired networks,
frequencies of up to several hundred kHz are used for
distances up to some km with twisted pair copper wires,
Contd
while frequencies of several hundred MHz are used with
coaxial cable.
Fiber optics are used for frequency ranges of several hundred
THz.
The medium frequency (MF) and high frequency (HF) ranges are
typical for transmission of hundreds of radio stations either as
amplitude modulation (AM) between 520 kHz and 1605.5 kHz,
as short wave (SW) between 5.9 MHz and 26.1 MHz, or as
frequency modulation (FM) between 87.5 MHz and 108 MHz.
The frequencies limiting these ranges are typically fixed by
national regulation and vary from country to country.
Short waves are typically used for (amateur) radio transmission
around the world, enabled by reflection at the ionosphere.
Transmit power is up to 500 kW which is quite high compared
to the 1 W of a mobile phone.