Reference Book Name

Faculty Name
Subject code Subject name
GSM
Reference book name
Faculty Name
Topics covered
GSM Overview
Services
Architecture
Cell management
TDMA, FDMA
Orientation
Handover
Authentications
HSCSD, GPRS
Reference book name
Faculty Name
GSM: Overview
GSM
formerly: Groupe Spciale Mobile (founded 1982)
now: Global System for Mobile Communication
Pan-European standard (ETSI, European Telecommunications Standardisation
Institute)
simultaneous introduction of essential digital cellular services in three phases
(1991, 1994, 1996) by the European telecommunication administrations,
seamless roaming within Europe possible
today many providers all over the world use GSM (more than 130 countries in
Asia, Africa, Europe, Australia, America)
more than 100 million subscribers
Reference book name
Faculty Name
Performance characteristics of GSM
Communication
mobile, wireless digital communication; support for voice and data
services
Total mobility
international access, chip-card enables use of access points of
different providers
Worldwide connectivity
one number, the network handles localization
High capacity
better frequency efficiency, smaller cells, more customers per cell
High transmission quality
high audio quality
uninterrupted phone calls at higher speeds (e.g., from cars, trains)
better handoffs and
Security functions
access control, authentication via chip-card and PIN
Reference book name
Faculty Name
Disadvantages of GSM
There is no perfect system!!
no end-to-end encryption of user data
no full ISDN bandwidth of 64 kbit/s to the user, no transparent B-channel
abuse of private data possible
roaming profiles accessible

high complexity of the system
several incompatibilities within the GSM standards
Reference book name
Faculty Name
GSM: Mobile Services
GSM offers
several types of connections

voice connections, data connections, short message service
multi-service options (combination of basic services)
Three service domains

Bearer Services interface to the physical medium (transparent for example in the case
of voice or non transparent for data services)
Telematic Services services provided by the system to the end user (e.g., voice, SMS,
fax, etc.)
Supplementary Services associated with the tele services: call forwarding,
redirection, etc.
bearer services
MS
TE
MT
R, S
GSM-PLMN
Um
transit
network
(PSTN, ISDN)
source/
destination
network
TE
(U, S, R)
tele services
Reference book name
Faculty Name
CONTD
A mobile station MS is connected to the GSM

public land mobile network (PLMN) via the Um
interface.
(GSM-PLMN is the infrastructure needed for the
GSM network.) This network is connected to
transit networks, e.g., integrated services digital
network(ISDN) or traditional public switched
telephone network (PSTN).
There might be an additional network, the
source/destination network, before another terminal
TE is connected.
Reference book name
Faculty Name
Bearer Services
Telecommunication services to transfer data between access points
R and S interfaces interfaces that provide network independent data
transmission from end device to mobile termination point.
U interface provides the interface to the network (TDMA, FDMA, etc.)
Specification of services up to the terminal interface (OSI layers 1-3)
Transparent no error control of flow control, only FEC
Non transparent error control, flow control
Different data rates for voice and data (original standard)
voice service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 Kbps.
data service (circuit switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 1200 bit/s
data service (packet switched)
synchronous: 2.4, 4.8 or 9.6 kbit/s
asynchronous: 300 - 9600 bit/s
Reference book name
Faculty Name
Tele Services
I enable
Telecommunication
services that
voice communication via mobile phones
All these basic services have to obey cellular
functions, security measures etc.
Offered voice related services
mobile telephony
primary goal of GSM was to enable mobile telephony offering the
traditional bandwidth of 3.1 kHz
Emergency number
common number throughout Europe (112); mandatory for all service
providers; free of charge; connection with the highest priority (preemption
of other connections possible)
Multinumbering
several ISDN phone numbers per user possible
Reference book name
Faculty Name
Tele
Services
II
Additional services: Non-Voice-Teleservices
group 3 fax
voice mailbox (implemented in the fixed network supporting the mobile
terminals)
electronic mail (MHS, Message Handling System, implemented in the fixed
network)
Short Message Service (SMS)
alphanumeric data transmission to/from the mobile terminal using the
signaling channel, thus allowing simultaneous use of basic services and SMS
(160 characters)
Reference book name
10
Faculty Name
Supplementary
Services
in addition to the services
basic services,
cannot be offered stand-alone
May differ between different service
providers, countries and protocol versions
Important services
identification: forwarding of caller number

suppression of number forwarding
automatic call-back
conferencing with up to 7 participants
locking of the mobile terminal (incoming or outgoing calls)
Reference book name
11
Faculty Name
Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network)
several providers setup mobile networks following the GSM standard within each country
components
MS (mobile station)
BS (base station)
MSC (mobile switching center)
LR (location register)
subsystems
RSS (radio subsystem): covers all radio aspects

NSS (network and switching subsystem): call forwarding,
handover, switching
OSS (operation subsystem): management of the network
Reference book name
12
Faculty Name
CONTD
Mobile station (MS):
The MS comprises all user equipment and software needed for communication
with a GSM network.
An MS consists of user independent hard- and software and of the subscriber
identity module (SIM), which stores all user-specific data that is relevant to
GSM.
While an MS can be identified via the international mobile equipment identity
(IMEI), a user can personalize any MS using his or her SIM, i.e., user-specific
mechanisms like charging and authentication are based on the SIM, not on the
device itself.
Device-specific mechanisms, e.g., theft protection, use the device specific
IMEI. Without the SIM, only emergency calls are possible.
Reference book name
13
Faculty Name
The SIM card contains many identifiers and tables, such as card-type, serial
number, a list of subscribed services, a personal identity number (PIN), a PIN
unblocking key (PUK), an authentication key Ki, and the international mobile
subscriber identity (IMSI) (ETSI, 1991c).
The PIN is used to unlock the MS. Using the wrong PIN three times will lock
the SIM. In such cases, the PUK is needed to unlock the SIM.
The MS stores dynamic information while logged onto the GSM system, such
as, e.g., the cipher key Kc and the location information consisting of a
temporary mobile subscriber identity (TMSI) and the location area
identification (LAI).
Reference book name
14
Faculty Name
OMC, EIR,
AUC
GSM: overview
HLR
NSS
with OSS
VLR
MSC
GMSC
VLR
fixed network
MSC
BSC
BSC
RSS
Reference book name
15
Faculty Name
GSM: elements and interfaces

radio cell
MS
BSS
MS
Um
radio cell
MS
BTS
RSS
BTS
Abis
BSC
BSC
A
MSC
NSS
MSC
VLR
signaling
VLR
HLR
GMSC
IWF
ISDN, PSTN
PDN
O
OSS
Reference book name
EIR
AUC
OMC
16
Faculty Name
GSM: system architecture

radio
subsystem
MS
network and
switching subsystem
MS
ISDN
PSTN
MSC
Um
BTS
fixed
partner networks
Abis
EIR
SS7
BTS
BSC
VLR
BTS
BTS
BSS
HLR
BSC
A
MSC
IWF
ISDN
PSTN
PSPDN
CSPDN
Reference book name
17
Faculty Name
System architecture: radio

subsystem
radio
subsystem
MS
network and switching

subsystem
MS
MS (Mobile Station)
BSS (Base Station Subsystem):
consisting of
Um
BTS
Abis
BTS
BSC
BTS (Base Transceiver Station):

sender and receiver
BSC (Base Station Controller):
controlling several transceivers
MSC
BTS
BTS
Components
BSC
BSS
Reference book name
MSC
Interfaces
Um : radio interface
Abis : standardized, open interface with
16 kbit/s user channels
A: standardized, open interface with
64 kbit/s user channels
18
Faculty Name
network
subsystem
fixed partner
networks
Components
System architecture: network
and switching subsystem
ISDN
PSTN
MSC (Mobile Services Switching Center):

IWF (Interworking Functions)
MSC
SS7
EIR
ISDN (Integrated Services Digital Network)

PSTN (Public Switched Telephone Network)
PSPDN (Packet Switched Public Data Net.)
CSPDN (Circuit Switched Public Data Net.)
HLR
Databases
VLR
MSC
IWF
ISDN
PSTN
HLR (Home Location Register)

VLR (Visitor Location Register)
EIR (Equipment Identity Register)
PSPDN
CSPDN
Reference book name
19
Faculty Name
Radio subsystem
The Radio Subsystem (RSS) comprises the cellular mobile
network up to the switching centers
Components
Base Station Subsystem (BSS):
Base Transceiver Station (BTS): radio components including sender, receiver,

antenna - if directed antennas are used one BTS can cover several cells
Base Station Controller (BSC): switching between BTSs, controlling BTSs,
managing of network resources, mapping of radio channels (U m) onto
terrestrial channels (A interface)
BSS = BSC + sum(BTS) + interconnection
Mobile Stations (MS)
Reference book name
20
Faculty Name
GSM: cellular network
segmentation of the area into cells
possible radio coverage of the cell
cell
idealized shape of the cell
use of several carrier frequencies

not the same frequency in adjoining cells
cell sizes vary from some 100 m up to 35 km depending on user density,
geography, transceiver power etc.
hexagonal shape of cells is idealized (cells overlap, shapes depend on
geography)
if a mobile user changes cells
handover of the connection to the neighbor cell
Reference book name
21
Faculty Name
Base Transceiver Station and Base

Tasks of a BSS are distributed over BSC
Station
Controller
and BTS
BTS
comprises radio specific BTS
functions
Functions
BSC
Management of radio channels
X
Frequency
hopping
(FH)
X radio
X
BSC
is
the
switching
center
for
Management of terrestrial channels
X
Mapping of terrestrial onto radio channels
X
channels
Channel coding and decoding
X
Rate adaptation
Encryption and decryption
Paging
Uplink signal measurements
Traffic measurement
Authentication
Location registry, location update
Handover management
Reference book name
X
X
X
X
X
X
X
X
X
X
22
Faculty Name
Mobile station
Terminal for the use of GSM services

A mobile station (MS) comprises several functional groups
MT (Mobile Terminal):
offers common functions used by all services the MS offers
corresponds to the network termination (NT) of an ISDN access
end-point of the radio interface (Um)
TA (Terminal Adapter):
terminal adaptation, hides radio specific characteristics (TE connects via modem, Bluetooth,
IrDA etc. to MT)
TE (Terminal Equipment):
peripheral device of the MS, offers services to a user
Can be a headset, microphone, etc.
does not contain GSM specific functions
SIM (Subscriber Identity Module):

personalization of the mobile terminal, stores user parameters
TE
TA
R
Reference book name
MT
S
Um
23
Faculty Name
Network and switching subsystem

NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks, system control
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile terminal within the domain of the MSC several BSC can belong to a MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)

central master database containing user data, permanent and semi-permanent
data of all subscribers assigned to the HLR (one provider can have several
HLRs)
Visitor Location Register (VLR)
local database for a subset of user data - data about all users currently visiting
in the domain of the VLR
Reference book name
24
Faculty Name
Mobile Services Switching Center

The MSC (mobile switching center) plays a central
role in GSM
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases
Functions of a MSC
specific functions for paging and call forwarding

termination of SS7 (signaling system no. 7)
mobility specific signaling
location registration and forwarding of location information
provision of new services (fax, data calls)
support of short message service (SMS)
generation and forwarding of accounting and billing information
Reference book name
25
Faculty Name
Operation subsystem
The OSS (Operation Subsystem) enables centralized operation,
management, and maintenance of all GSM subsystems
Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR

authentication parameters used for authentication of mobile terminals and
encryption of user data on the air interface within the GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights

stolen or malfunctioning mobile stations can be locked and sometimes even
localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the network subsystem
Reference book name
26
Faculty Name
Radio Interface
GSM implements SDMA using cells with BTS and assigns an MS to a BTS
Media access combines TDMA and FDMA.
In GSM 900, 124 channels, each 200 kHz wide, are used for FDMA,
whereas GSM 1800 uses, 374 channels.
Due to technical reasons, channels 1 and 124 are not used for transmission
in GSM 900.
Typically, 32 channels are reserved for organizational data; the remaining
90 are used for customers.
Each BTS then manages a single channel for organizational data and, e.g.,
up to 10 channels for user data.
The following example is based on the GSM 900 system, but GSM works
in a similar way at 1800 and 1900 MHz.
Reference book name
27
Faculty Name
Contd
The next slide shows the TDM used.
Each of the 248 channels is additionally separated in time via
a GSM TDMA frame, i.e., each 200 kHz carrier is subdivided
into frames that are repeated continuously. The duration of a
frame is 4.615 ms.
frame is again subdivided into 8 GSM time slots, where each
slot represents a physical TDM channel and lasts for 577 s.
Each TDM channel occupies the 200 kHz carrier for 577 s
every 4.615 ms.
Data is transmitted in small portions, called bursts.
Reference book name
28
Faculty Name
Contd
In the diagram, the burst is only 546.5 s long and contains 148 bits.
The remaining 30.5 s are used as guard space to avoid overlapping
with other bursts due to different path delays and to give the
transmitter time to turn on and off.
The first and last three bits of a normal burst (tail) are all set to 0 and
can be used to enhance the receiver performance.
The training sequence in the middle of a slot is used to adapt the
parameters of the receiver to the current path propagation
characteristics and to select the strongest signal in case of multi-path
propagation.
A flag S indicates whether the data field contains user or network
control data.
Reference book name
29
Faculty Name
Contd
Apart from the normal burst, ETSI (1993a) defines four more
bursts for data transmission:
a frequency correction burst allows the MS to correct the local
oscillator to avoid interference with neighboring channels,
a synchronization burst with an extended training sequence
synchronizes the MS with the BTS in time,
an access burst is used for the initial connection setup
between MS and BTS,
and finally a dummy burst is used if no data is available for a
slot.
Reference book name
30
Faculty Name
GSM Radio Interface TDMA/FDMA
qu
en
c
935-960 MHz
124 channels (200 kHz)
downlink
fre
890-915 MHz
124 channels (200 kHz)
uplink
higher GSM frame structures

time
GSM TDMA frame

1
8
4.615 ms
GSM time-slot (normal burst)

guard
space
tail
3 bits
user data
S Training S
user data
57 bits
1 26 bits 1
57 bits
Reference book name
guard
tail space
546.5 s
577 s
31
Faculty Name
Logical channels and frame

hierarchy
logical channels and a hierarchy of frames based on the

combination of these physical channels.
A physical channel consists of a slot, repeated every 4.615
ms.
Think of a logical channel C1 that only takes up every
fourth slot and another logical channel C2 that uses every
other slot.
Both logical channels could use the same physical channel
with the pattern C1C2xC2C1C2xC2C1 etc. (The x indicates
that the physical channel still has some capacity left.)
Reference book name
32
Faculty Name
GSM - Two basic groups of logical

channels
Traffic channels (TCH)

Control channels (CCH)
Broadcast control channel (BCCH)

Common control channel (CCCH)
Dedicated control channel (DCCH)
Reference book name
33
Faculty Name
Traffic channels (TCH)

GSM uses a TCH to transmit user data (e.g., voice, fax).
2 types
Full-rate TCH(TCH/F)
Half-rate TCH (TCH/H)
A TCH/F has a data rate of 22.8 kbit/s,whereas TCH/H only has 11.4
kbit/s.
With the voice codecs available at the beginning of the GSM
standardization, 13 kbit/s were required, whereas the remaining capacity
of the TCH/F (22.8 kbit/s) was used for error correction (TCH/FS).
Improved codes allow for better voice coding and can use a TCH/H.
Using these TCH/HSs doubles the capacity of the GSM system for voice
transmission.
speech quality decreases in TCH/HSs
Reference book name
34
Faculty Name
The standard codecs for voice are called full rate(FR, 13

kbit/s) and half rate(HR, 5.6 kbit/s).
A newer codec, enhanced full rate(EFR), provides better voice
quality than FR as long as the transmission error rate is lo
An additional increase in voice quality is provided by the socalled tandem free operation (TFO).
This mode can be used if two MSs exchange voice data.
In this case, coding to and from PCM encoded voice (standard
in ISDN) can be skipped and the GSM encoded voice data is
directly exchanged.
Reference book name
35
Faculty Name
Control channels (CCH)

Broadcast control channel (BCCH)
A BTS uses this channel to signal information to all MSs within a cell.
Information transmitted in this channel is, e.g., the cell identifier,
options available within this cell (frequency hopping), and frequencies
available inside the cell and in neighboring cells.
The BTS sends information for frequency correction via the frequency
correction channel (FCCH) and information about time
synchronization via the synchronization channel (SCH), where both
channels are sub channels of the BCCH.
Reference book name
36
Faculty Name
Common control channel (CCCH)

All information regarding connection setup between MS and BS is
exchanged via the CCCH.
For calls toward an MS, the BTS uses the paging channel (PCH)for
paging the appropriate MS.
If an MS wants to set up a call, it uses the random access channel
(RACH)to send data to the BTS.
The RACH implements multiple access (all MSs within a cell may
access this channel) using slotted Aloha.
This is where a collision may occur with other MSs in a GSM
system.
The BTS uses the access grant channel (AGCH)to signal an MS that
it can use a TCH or SDCCH for further connection setup.
Reference book name
37
Faculty Name
Dedicated control channel (DCCH)

While the previous channels have all been unidirectional, the
following channels are bidirectional.
As long as an MS has not established a TCH with the BTS, it
uses the stand-alone dedicated control channel
(SDCCH)with a low data rate (782 bit/s) for signaling.
This can comprise authentication, registration or other data
needed for setting up a TCH.
Each TCH and SDCCH has a slow associated dedicated
control channel (SACCH)associated with it, which is used to
exchange system information, such as the channel quality and
signal power level.
Reference book name
38
Faculty Name
Contd
Finally, if more signaling information needs to
be transmitted and a TCH already exists, GSM
uses a fast associated dedicated control
channel (FACCH).
The FACCH uses the time slots which are
otherwise used by the TCH.
Reference book name
39
Faculty Name
GSM hierarchy of frames

hyperframe
2045 2046 2047 3 h 28 min 53.76 s
...
superframe
0
...
48
...
49
24
50
6.12 s
25
multiframe
0
...
0
24
2
120 ms
25
...
48
49
50
235.4 ms
frame
0
...
4.615 ms
slot
burst
Reference book name
577 s
40
Faculty Name
GSM protocol layers for signaling

Um
Abis
MS
BTS
BSC
MSC
CM
CM
MM
MM
BSSAP
RR
BTSM
RR
BTSM
LAPDm
RR
LAPDm
LAPD
LAPD
radio
radio
PCM
PCM
16/64 kbit/s
Reference book name
BSSAP
SS7
SS7
PCM
PCM
64 kbit/s /
2.048 Mbit/s
41
Faculty Name
Contd
The main interest lies in the Um interface, as the other interfaces
occur between entities in a fixed network.
Layer 1, the physical layer, handles all radio-specific functions.
This includes the creation of bursts according to the five different
formats, multiplexing of bursts into a TDMA frame,
synchronization with the BTS, detection of idle channels, and
measurement of the channel quality on the downlink.
The physical layer at Um uses GMSK(Gaussian Minimum Shift
Keying) for digital modulation and performs
encryption/decryption of data, i.e., encryption is not performed
end-to-end, but only between MS and BSS over the air interface.
Reference book name
42
Faculty Name
Contd
Synchronization also includes the correction of the individual
path delay between an MS and the BTS.
All MSs within a cell use the same BTS and thus must be
synchronized to this BTS.
The BTS generates the time-structure of frames, slots etc.
A problematic aspect in this context are the different round trip
times (RTT).
An MS close to the BTS has a very short RTT, whereas an MS
35 km away already exhibits an RTT of around 0.23 ms.
The BTS sends the current RTT to the MS, which then adjusts its
access time so that all bursts reach the BTS within their limits.
Reference book name
43
Faculty Name
Contd
Signaling between entities in a GSM network requires higher layers.
For this purpose, the LAPDm protocol has been defined at the Um
interface for layer two.
LAPDm, as the name already implies, has been derived from link
access procedure for the D-channel (LAPD) in ISDN systems, which
is a version of HDLC.
LAPDm is a lightweight LAPD because it does not need
synchronization flags or checksumming for error detection.
LAPDm offers reliable data transfer over connections, re-sequencing
of data frames, and flow control.
Further services provided by LAPDm include segmentation and
reassembly of data and acknowledged/unacknowledged data transfer.
Reference book name
44
Faculty Name
Contd
The lowest sublayer is the radio resource management (RR).
Only a part of this layer, RR, is implemented in the BTS,
the remainder is situated in the BSC.
The functions of RR are supported by the BSC via the BTS
management (BTSM). The main tasks of RR are setup,
maintenance, and release of radio channels.
RR also directly accesses the physical layer for radio
information and offers a reliable connection to the next
higher layer.
Reference book name
45
Faculty Name
Contd
Mobility management (MM)contains functions
for
registration,
authentication,
identification,
location updating,
and the provision of a temporary mobile subscriber identity (TMSI)that
replaces the international mobile subscriber identity (IMSI)and which hides the
real identity of an MS user over the air interface.
While the IMSI identifies a user, the TMSI is valid only in the current location
area of a VLR.
MM offers a reliable connection to the next higher layer.
Reference book name
46
Faculty Name
Mobility Management
Reference book name
47
Faculty Name
Contd
Finally, the call management (CM) layer contains three entities: call
control (CC), short message service (SMS), and supplementary service
(SS).
SMS allows for message transfer using the control channels SDCCH and
SACCH (if no signaling data is sent),
CC provides a point-to-point connection between two terminals and is
used by higher layers for call establishment, call clearing and change of
call parameters.
This layer also provides functions to send in-band tones, called dual tone
multiple frequency (DTMF), over the GSM network.
Additional protocols are used at the Abis and A interfaces .
Data transmission at the physical layer typically uses pulse code
modulation (PCM) systems.
Reference book name
48
Faculty Name
Contd
Signaling System No. 7 (SS7) is used for
signaling between an MSC and a BSC.
This protocol also transfers all management
information between MSCs, HLR, VLRs,
AuC, EIR, and OMC.
An MSC can also control a BSS via a BSS
application part (BSSAP).
Reference book name
49
Faculty Name
Localization and calling

One fundamental feature of the GSM system is the
automatic, worldwide localization of users.
The system always knows where a user currently is, and
the same phone number is valid worldwide.
GSM performs periodic location updates even if a user
does not use the mobile.
The HLR always contains information about the current
location (only the location area, not the precise
geographical location), and the VLR currently responsible
for the MS informs the HLR about location changes.
Reference book name
50
Faculty Name
As soon as an MS moves into the range of a new VLR (a

new location area), the HLR sends all user data needed
to the new VLR.
Changing VLRs with uninterrupted availability of all
services is also called roaming.
Roaming can take place within the network of one
provider, between two providers in one country (national
roaming is,often not supported due to competition
between operators), but also between different providers
in different countries (international roaming).
Reference book name
51
Faculty Name
To locate an MS and to address the MS,

several numbers are needed:
Mobile station international ISDN number
(MSISDN)
International mobile subscriber identity (IMSI)
Temporary mobile subscriber identity (TMSI)
Mobile station roaming number (MSRN)
Reference book name
52
Faculty Name
Mobile station international ISDN

number (MSISDN)
The only important number for a user of GSM is the phone

number.
Remember that the phone number is not associated with a
certain device but with the SIM, which is personalized for a
user.
The MSISDN follows the ITU-T standard E.164 for
addresses as it is also used in fixed ISDN networks.
This number consists of the country code (CC) (e.g., +91 984
3677515 with 91 for India), the national destination code
(NDC) (i.e., the address of the network provider, e.g., 984),
and the subscriber number (SN).
Reference book name
53
Faculty Name
International mobile subscriber

identity (IMSI)
GSM uses the IMSI for internal unique

identification of a subscriber.
IMSI consists of a mobile country code
(MCC) (e.g., 404 , 405 for India ), the mobile
network code (MNC) (i.e., the code of the
network provider ex: 40 airtel chennai ),
and finally the mobile subscriber identification
number (MSIN).
Reference book name
54
Faculty Name
Temporary mobile subscriber

identity (TMSI)
To hide the IMSI, which would give away the

exact identity of the user signaling over the air
interface, GSM uses the 4 byte TMSI for local
subscriber identification.
TMSI is selected by the current VLR and is only
valid temporarily and within the location area of
the VLR.
Additionally, a VLR may change the TMSI
periodically.
Reference book name
55
Mobile station roaming number

(MSRN)
Faculty Name
Another temporary address that hides the identity and

location of a subscriber is MSRN.
The VLR generates this address on request from the MSC,
and the address is also stored in the HLR.
MSRN contains the
current visitor country code (VCC),
the visitor national destination code (VNDC),
the identification of the current MSC together with the subscriber number .
The MSRN helps the HLR to find a subscriber for an

incoming call.
Reference book name
56
Faculty Name
Mobile Terminated Call

1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible
MSC to GMSC
7: forward call to
current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
Reference book name
HLR
4
5
3 6
calling
station 1
PSTN
GMSC
10
VLR
8 9
14 15
MSC
10 13
16
10
BSS
BSS
BSS
11
11
11
11 12
17
MS
57
Faculty Name
Mobile Terminated Call (MTC)

Step 1 : a user dials the phone number of a GSM
subscriber.
Step 2 : The fixed network (PSTN) notices (looking at the
destination code) that the number belongs to a
user in the GSM
network and forwards the call
setup to the Gateway MSC.
Step 3 : The GMSC identifies the HLR for the subscriber
(which is coded in the phone number) and signals
the call
setup to the HLR.
Step 4 :The HLR now checks whether the number exists
and
whether the user has subscribed to the
requested services,
and requests an MSRN from
the current VLR.
Reference book name
58
Faculty Name
Contd
Step 5 & 6 : After receiving the MSRN (5), the HLR can
determine the MSC responsible for the MS and
forwards this
information to the GMSC.
Step 7
: The GMSC can now forward the call setup
request
to the MSC indicated.
After this point the MSC is responsible for further steps
Step 8 :
First, it requests the current status of the MS
from the VLR.
Step 9 & 10: If the MS is available, the MSC initiates
paging
in all cells it is responsible for
LA(location area).As
searching for the right cell
would be too time
consuming .
Reference book name
59
Faculty Name
Contd
Step 11 : The BTSs of all BSSs transmit this
paging signal
to the MS.
Step 12 &13 : If the MS answers, the VLR has to
perform
security checks (set up
encryption etc.).
Step 14 & 15 : security checks
Step 16 & 17 : The VLR then signals to the MSC
to set up a
connection to the MS
(steps 15 to 17).
Reference book name
60
Faculty Name
Mobile Terminated Call

1: calling a GSM subscriber
2: forwarding call to GMSC
3: signal call setup to HLR
4, 5: request MSRN from VLR
6: forward responsible
MSC to GMSC
7: forward call to
current MSC
8, 9: get current status of MS
10, 11: paging of MS
12, 13: MS answers
14, 15: security checks
16, 17: set up connection
Reference book name
HLR
4
5
3 6
calling
station 1
PSTN
GMSC
10
VLR
8 9
14 15
MSC
10 13
16
10
BSS
BSS
BSS
11
11
11
11 12
17
MS
61
Faculty Name
Mobile Originated Call

1, 2: connection request
3, 4: security check
5-8: check resources (free circuit)
9-10: set up call
VLR
3 4
PSTN
5
GMSC
MSC
8
2 9
MS
Reference book name
1
10
BSS
62
Faculty Name
MS
MTC
paging request
MTC/MOC
BTS
MS
MOC
BTS
channel request
channel request
immediate assignment
immediate assignment
paging response
service request
authentication request
authentication request
authentication response
authentication response
ciphering command
ciphering command
ciphering complete
ciphering complete
setup
setup
call confirmed
call confirmed
assignment command
assignment command
assignment complete
assignment complete
alerting
alerting
connect
connect
connect acknowledge
connect acknowledge
data/speech exchange
data/speech exchange
Reference book name
63
Faculty Name
Handover or handoff
Cellular systems require handover procedures, as single
cells do not cover the whole service area.
The smaller the cell size and the faster the movement of a
mobile station through the cells (up to 250 km/h for
GSM), the more handovers of ongoing calls are required.
handover should not cause a cut-off, also called call drop.
GSM aims at maximum handover duration of 60 ms.
two basic reasons for a handover:
moves out of the range
traffic in one cell is too high
Reference book name
64
Faculty Name
Contd
GSM uses mobile assisted hand-off (MAHO). Signal
strength measurements are sent to the BS from the
mobile.
The MSC decides when to do a handoff and it informs
the new BS and the mobile.
When a mobile switches to a new BS it sends a series
of shortened bursts to adjust its timing (giving the bS
time to calculate it and send it) and allow the new BS
to synchronize its receiver to the arrival time of the
messages.
Reference book name
65
Faculty Name
4 types of handover
1
MS
BTS
Reference book name
MS
MS
MS
BTS
BTS
BTS
BSC
BSC
BSC
MSC
MSC
66
Faculty Name
Contd
Four possible handover scenarios in GSM
Intra-cell handover
Within a cell, narrow-band interference could make transmission at
a certain frequency impossible. The BSC could then decide to
change the carrier frequency.
Inter-cell, intra-BSC handover

This is a typical handover scenario.
The mobile station moves from one cell to another, but stays within the
control of the same BSC.
The BSC then performs a handover, assigns a new radio channel in the
new cell and releases the old one.
Reference book name
67
Faculty Name
Inter-BSC, intra-MSC handover

As a BSC only controls a limited number of cells;
GSM also has to perform handovers between cells controlled by different
BSCs.
This handover then has to be controlled by the MSC (scenario 3).
Inter MSC handover

A handover could be required between two cells belonging to different
MSCs.
Now both MSCs perform the handover together.(scenario 4)
Reference book name
68
Faculty Name
Handover decision
receive level
BTSold
receive level
BTSnew
HO_MARGIN
MS
MS
BTSold
Reference book name
BTSnew
69
Faculty Name
Handover procedure
MS
BTSold
BSCold
measurement
measurement
report
result
MSC
BSCnew
BTSnew
HO decision
HO required
HO request
resource allocation
ch. activation
HO command
HO command
HO command
HO request ack ch. activation ack
HO access
Link establishment
clear command clear command
clear complete
Reference book name
HO complete
HO complete
clear complete
70
Faculty Name
Security in GSM
Security services
access control/authentication
user SIM (Subscriber Identity Module): secret PIN (personal

identification number)
SIM network: challenge response method
confidentiality
voice and signaling encrypted on the wireless link (after successful

authentication)
anonymity
temporary identity TMSI

(Temporary Mobile Subscriber Identity)
newly assigned at each new location update (LUP)
encrypted transmission
3 algorithms specified in GSM
secret:
A3 and A8
available via the
Internet
network providers
can use stronger
mechanisms
A3 for authentication (secret, open interface)

A5 for encryption (standardized)
A8 for key generation (secret, open interface)
Reference book name
71
Faculty Name
Authentication system
Authentication is based on the SIM, which stores
the individual authentication key Ki . the user
identification IMSI, and the algorithm used for
authentication A3.
challenge-response method
the access control AC generates a random number RAND as challenge, and the
SIM within the MS answers with SRES(signed response) as response.
The AuC performs the basic generation of random values RAND, signed
responses SRES, and cipher keys Kc for each IMSI, and then forwards this
information to the HLR.
The current VLR requests the appropriate values for RAND, SRES, and Kc
from the HLR.
Reference book name
72
Faculty Name
Contd
For authentication, the VLR sends the random
value RAND to the SIM.
Both sides, network and subscriber module,
perform the same operation with RAND and the
key Ki , called A3.
The MS sends back the SRES generated by the
SIM; the VLR can now compare both values.
If they are the same, the VLR accepts the
subscriber, otherwise the subscriber is rejected.
Reference book name
73
Faculty Name
GSM - authentication
SIM
mobile network
RAND
Ki
128 bit
AC
RAND
128 bit
RAND
AC Access
Control
RAND
RANDom
number
Ki
128 bit
128 bit
A3
A3
SIM
SRES* 32 bit
MSC
SRES* =? SRES
SRES
SRES
32 bit
Ki: individual subscriber authentication key
Reference book name
32 bit
SRES
SRES: signed response
74
Faculty Name
GSM - key generation and

encryption
MS with SIM
mobile network (BTS)

RAND
Ki
AC
128 bit
RAND
128 bit
RAND
128 bit
A8
cipher
key
Ki
128 bit
SIM
A8
Kc
64 bit
Kc
64 bit
data
BTS
A5
Reference book name
encrypted
data
SRES
data
MS
A5
75
Faculty Name
Data Data
transmission
standardized
withIonly
services
in GSM
9.6 kbit/s
advanced coding allows 14.4 kbit/s
not enough for Internet and multimedia applications
HSCSD (High-Speed Circuit Switched

Data)
already standardized
bundling of several time-slots to get higher
AIUR [kbit/s]
TCH/F4.8
TCH/F9.6
TCH/F14.4
AIUR (Air
Interface
User
Rate)
4.8
1
(e.g., 57.6
14.4 each) 1
9.6 kbit/s using 4 slots,
2
14.4
3
1
advantage:
ready
to
use,
constant
quality,
simple
19.2
4
2
28.8
2
disadvantage:
channels blocked for voice 3transmission
38.4
43.2
57.6
Reference book name
3
4
76
Faculty Name
Frequency Allocation
Radio transmission can take place using many
different frequency bands.
Each frequency band exhibits certain
advantages and disadvantages.
Reference book name
77
Faculty Name
Contd
The above figure shows frequencies starting at 300 Hz
and going up to over 300 THz.
Directly coupled to the frequency is the wavelength
via the equation:
= c/f,
where c 3108 m/s (the speed of light in vacuum) and
f the frequency.
For traditional wired networks,
frequencies of up to several hundred kHz are used for
distances up to some km with twisted pair copper wires,
Reference book name
78
Faculty Name
Contd
while frequencies of several hundred MHz are used with
coaxial cable.
Fiber optics are used for frequency ranges of several hundred
THz.
Radio transmission starts at several kHz, the very low

frequency (VLF) range.
These are very long waves. Waves in the low frequency
(LF) range are used by submarines, because they can
penetrate water and can follow the earth s surface.
Some radio stations still use these frequencies, e.g.,
between 148.5 kHz and 283.5 kHz in Germany.
Reference book name
79
Faculty Name
The medium frequency (MF) and high frequency (HF) ranges are
typical for transmission of hundreds of radio stations either as
amplitude modulation (AM) between 520 kHz and 1605.5 kHz,
as short wave (SW) between 5.9 MHz and 26.1 MHz, or as
frequency modulation (FM) between 87.5 MHz and 108 MHz.
The frequencies limiting these ranges are typically fixed by
national regulation and, vary from country to country.
Short waves are typically used for (amateur) radio transmission
around the world, enabled by reflection at the ionosphere.
Transmit power is up to 500 kW which is quite high compared
to the 1 W of a mobile phone
Reference book name
80
Faculty Name
analog TV is transmitted in ranges of 174230 MHz

and 470790 MHz using the very high frequency
(VHF) and ultra high frequency (UHF) .
Super high frequencies (SHF)
Satellite services
C-band (4 and 6 GHz), Ku-band (11 and 14 GHz), or
Kaband (19 and 29 GHz)
extremely high frequency (EHF)

Infra red transmission
Reference book name
81

Reference Book Name

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Reference Book Name

Caricato da

Copyright:

Formati disponibili

Faculty Name

Subject code Subject name