29c3 openbts workshop - mini-workshop
DESCRIPTION
Event: https://events.ccc.de/congress/2012/wiki/OpenBTS_workshop
Video: http://www.youtube.com/playlist?list=PLifX8tOt8ajpmUnIabqsqMD0MxcCHNI08
TRANSCRIPT
OpenBTS® Mini-Workshop
OpenBTS is a registered trademark of Range Networks, Inc.
Saturday, August 6, 2011

GSM Basics

GSM History
• 1982 - CEPT establishes GSM group
• 1987 - Basic parameters selected
• 1989 - GSM standardization process moved to ETSI
• 1990 - Phase 1 spec frozen
• 1992 - First commercial service
• 1995 - Phase 2 spec frozen
• 2001 - 500M GSM users world-wide
• 2009 - Accounts for about 80% of all cellular service
• 2011 - 3G UMTS displacing 2G GSM in some places, but all 3G UMTS phones still support 2G GSM

GSM Layers
• Layers similar to OSI model.
• L1 - physical layer - bits and waveforms
• L2 - data link layer - makes the link reliable
• L3 - connection management layer - where most of the cellular telephone application happens

Physical Layer (L1)

Cellular Concepts: FDMA
• Frequency division multiple access: users on different radio frequencies.
• The only MA type in older analog systems.
[Figure: diagram with axes Time and Freq]

Cellular Concepts: TDMA
• Time division multiple access: users share a channel, using it at different times.
• Can be sync or async (802.11).
[Figure: diagram with axes Time and Freq]

Cellular Concepts: FDMA and TDMA
• GSM is both FDMA and TDMA.
• 200 kHz radio channel spacing
• 8 timeslots per channel
[Figure: diagram with axes Time and Freq]

Timeslots
[Figure from “GSM for Dummies”, with permission]

The “ARFCN”
• Absolute Radio Frequency Channel Number
• 200 kHz radio channel spacing
• 270.833 kHz radio channel bandwidth
• Cannot use adjacent ARFCNs in the same cell because they overlap.
• Assigned in fixed uplink/downlink pairs.

Frequency Duplexing
[Figure from “GSM for Dummies”, with permission]

Common GSM Bands

Name        Up          Down        ARFCNs             Regions
P-GSM 900   890-915     935-960     1-124              1, 3
E-GSM 900   880-915     925-960     0-125, 975-1023    1, 3
GSM 850     824-849     869-894     128-251            2
DCS 1800    1710-1785   1805-1880   512-885            1, 3
PCS 1900    1850-1910   1930-1990   512-810            2
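
How an ARFCN from the table above maps to its fixed uplink/downlink pair, and why adjacent ARFCNs collide in one cell, as an added example that is not from the slides. It assumes the standard 200 kHz channel raster with band start frequencies and duplex offsets consistent with the table, covers the four bands that have a single ARFCN range (E-GSM 900 is left out), and its function names are hypothetical.

```python
# Added example, not from the slides. Frequencies are integer kHz so that
# comparisons are exact. E-GSM 900 (split ARFCN range) is left out.

SPACING_KHZ = 200         # radio channel spacing, from the ARFCN slide
BANDWIDTH_KHZ = 270.833   # radio channel bandwidth, from the ARFCN slide

# band name: (first ARFCN, last ARFCN, uplink kHz of first ARFCN, duplex offset kHz)
BANDS = {
    "P-GSM 900": (1, 124, 890_200, 45_000),
    "GSM 850": (128, 251, 824_200, 45_000),
    "DCS 1800": (512, 885, 1_710_200, 95_000),
    "PCS 1900": (512, 810, 1_850_200, 80_000),
}


def candidate_bands(arfcn):
    """Bands whose ARFCN range contains this number (DCS and PCS overlap)."""
    return sorted(b for b, (lo, hi, _, _) in BANDS.items() if lo <= arfcn <= hi)


def arfcn_to_khz(arfcn, band=None):
    """Return (uplink_khz, downlink_khz) for an ARFCN.

    The band must be given when the number alone is ambiguous, which is the
    case for 512-810 (used by both DCS 1800 and PCS 1900).
    """
    candidates = candidate_bands(arfcn)
    if band is None:
        if len(candidates) != 1:
            raise ValueError(f"ARFCN {arfcn} matches {candidates}; name the band")
        band = candidates[0]
    elif band not in candidates:
        raise ValueError(f"ARFCN {arfcn} is not in {band}")
    first, _, uplink_first, duplex = BANDS[band]
    uplink = uplink_first + SPACING_KHZ * (arfcn - first)
    return uplink, uplink + duplex


def overlapping_pairs(arfcns):
    """ARFCN pairs in one cell whose carriers are closer than one bandwidth."""
    ordered = sorted(set(arfcns))
    return [(a, b) for a, b in zip(ordered, ordered[1:])
            if (b - a) * SPACING_KHZ < BANDWIDTH_KHZ]
```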

Duplexing
• Handset and BTS cannot transmit on the same frequency at the same time.
• TDD - Time Division Duplexing - Handset and BTS time transmissions to avoid conflict. This is cheapest.
• FDD - Frequency Division Duplexing - Handset and BTS operate on different frequencies. This requires special RF filters.
• GSM is FDD in the BTS, and both FDD and TDD for the handset.

Frequency Duplexing
[Figure from “GSM for Dummies”, with permission]

Frequency Duplexing
[Figure: “Cavity Duplexer”]

Timing and Power Control
• BTS controls output power level of the handset to maximize battery life and optimize receiver performance.
• BTS controls timing advance of the handset to prevent collisions of arriving radio bursts.
• This happens on the SACCH.

Link Layer (L2)

The Link Layer
• L3 has variable-length messages and assumes reliable delivery.
• L1 has fixed-length frames and loses them sometimes.
• L2 connects these so that L3 can use L1.

Connection Management Layer (L3)

GSM Layer 3
• This is where things start to look like a telephone system.
• Sublayers:
  • Radio Resource (RR)
  • Mobility Management (MM)
  • Call Control (CC)
  • Short Message Service (SMS)

GSM L3 RR
• Radio Resource management.
• Assign and release radio channels.
• Page handsets for service.
• Generate the beacon.
• Data elements are descriptions of physical layer parameters.

GSM L3 MM
• Mobility Management.
• Keep track of what part of the network is serving a given handset.
• Authenticate users.
• Data elements are subscriber identities and authentication tokens.

GSM L3 CC
• Call Control.
• Connect the handset to the telephone switch.
• Nearly identical to ISDN’s Q.931.
• Data elements are phone numbers, call status codes and bearer capability descriptions.

GSM L3 SMS
• SMS L3 is just a connection layer for SMS L4.
• Just a pass-through. Nothing really happens in SMS until you hit L5.

Addressing in GSM
• IMSI: International Subscriber Mobile Identity. A 14- or 15-digit number in the SIM that uniquely identifies the subscriber. Encodes identity of issuing carrier, too.
• TMSI: Temporary Subscriber Mobile Identity. A 32-bit number assigned by the network that uniquely identifies the subscriber within that network.

Addressing in GSM (cont.)
• IMEI: International Mobile Equipment Identity. A 15-digit number that uniquely identifies the handset. Encodes manufacturer and model. Not used much in GSM except for fraud detection.
• MSISDN: The subscriber’s telephone number.

Addressing in GSM (cont.)
• The MSISDN-IMSI association exists only in the network, not in the handset.
• There is no MSISDN-IMEI association.
• If a phone is “locked” that usually means that it will accept SIMs only from a specific carrier.

Introduction to VoIP

The Old Analog PSTN
• Phone numbers form an address space, like any other address space.
• A phone line’s address is determined by where it is physically connected to the network.
• Dialed numbers (“signaling”) are encoded as tones in the audio stream (“in-band signaling”).
• The switch decodes signaling to connect completed physical circuits between phones.
• “Circuit Switched Telephony”

70’s-era Analog Switch

SS7
• Signaling System 7 (SS7) replaced analog lines with synchronous digital ones, but it’s still circuit-switched.
• Signaling and media travel on different logical channels (“out-of-band signaling”).
• Telephony is just an application in the SS7 network.
• ...so is the GSM core network.
• The switch is just a computer, shuffling frames between media channels as instructed by the signaling.
• Phone numbers are no longer physical addresses, but entries in a routing database.

Q.931 Call Signaling
[Figure: message sequence diagram between Subscriber and Network. Messages: SETUP, CALL PROCEEDING, ALERTING, CONNECT, CONNECT ACK, DISCONNECT, RELEASE, RELEASE COMPLETE. Annotations: Subscriber dials number. Remote phone ringing. Remote party answers. Subscriber hangs up. Dial tone. Call connected.]

VoIP
• Replace circuit-switched SS7 with packet-switched IP.
• Signaling and media can follow entirely different paths and use entirely different protocols.
• Telephony is an application running on the internet.
• The switch is just a computer shuffling packets as directed by the signaling.
• IP network gives additional layer of addressing.

VoIP Specifics: SIP & RTP
• Session Initiation Protocol (SIP), RFC-3261, for signaling.
• SIP header design similar to HTTP.
• Real-Time Protocol (RTP), RFC-3550, for media.
• Both protocols already used internally by many telecom carriers, all renamed “IMS”.

SIP Call Flow
[Figure: message sequence diagram between Subscriber and Network. Messages: INVITE, Trying 100, Ringing 180, OK 200, ACK, BYE, ACK. Annotations: Subscriber dials number. Remote phone ringing. Remote party answers. Subscriber hangs up. Dial tone. Call connected.]

Putting it Together: OpenBTS = GSM + VoIP

OpenBTS Design Principles
• Put as little functionality as possible into the GSM-specific software.
• Translate protocols to open standards whenever possible.
• Exploit external applications whenever possible.

OpenBTS Design Principles
• Terminate L3 RR inside OpenBTS to eliminate the need for a BSC.
• Translate MM, CC and SMS to SIP and let the VoIP software deal with them.
• Most new features will be external modules on socket interfaces.

OpenBTS VoIP Principles
• OpenBTS itself is invisible. The VoIP network sees only the phones.
• Each handset appears as a SIP endpoint at the IP address of its serving BTS.
• Each handset is a SIP user called “IMSIxxxxxxxxxxxxxxxx”, where “xxxxxxxxxxxxxxx” is the IMSI of the SIM in the handset.

Mobile-Originated Call
[Figure: message sequence diagram between Handset, OpenBTS and SIP Switch. Labels: IMMED. ASSIGN., CHAN. REQ., RTP traffic, GSM traffic, CM SVC. REQ., CM SVC. ACCEPT, SETUP, INVITE, CALL PROCEEDING, Status: 182 Ringing, ALERTING, Status: 200 OK, CONNECT, CONNECT ACK., Status: 100 Trying. Phases marked on the diagram: RR, MM, CC.]
This is where we skip the encryption step.

Backhaul Loading
• GSM FR codec is about 13 kbit/sec/call.
• Asterisk can transcode to other codecs ranging from 2.4-64 kbit/sec/call, with varying quality.
• Regardless of codec type, RTP overhead is about 17 kbit/sec/call.
• IAX overhead is closer to 20 kbit/sec/call, but can be shared across multiple calls.

Backhaul Requirements

6.6. Backhaul Capacity Requirements

Table 6.1: Backhaul bandwidth for various codec/trunking configurations. All rates in kbit/sec and assuming 20 ms framing.

Codec    per call   per call   7 calls    7 calls        speech
         raw rate   over RTP   over RTP   IAX trunking   quality
G.711    64         81         567        468            toll-quality
GSM-FR   13         30         210        124            toll-quality
G.729    8          25         175        97             near-toll-quality
Speex    8          25         175        97             near-toll-quality
Speex    4          21         147        60             not toll-quality
LPC-10   2.4        20         136        37             not toll-quality

[Figure 6.5: Paired OpenSwitch servers for IAX trunking in satellite-based applications. Labels: OpenBTS APs, Local Switch, Remote Switch, Satellite-Based Site, PSTN, VoIP, T1, SIP/RTP, IAX.]

Using IAX on VSAT Links
[Figure 6.5: Paired OpenSwitch servers for IAX trunking in satellite-based applications. Labels: OpenBTS APs, Local Switch, Remote Switch, Satellite-Based Site, PSTN, VoIP, T1, SIP/RTP, IAX.]

Subscriber Registry

The Authentication Problem
• The IMSI is exposed in many places.
• Making a SIM with a controlled IMSI is trivial.

GSM Authentication
• Challenge-Response based on shared secret key Ki.
• Network generates 128-bit random string (RAND) to send to phone.
• Phone encrypts RAND with Ki and a hash function (A3) to produce SRES.
• Network performs identical SRES calculation with same RAND, Ki and A3.
• Phone returns SRES and network compares results.

Cache-Based Authentication
• Can be used in OpenBTS when you don’t know Ki or A3 for a SIM.
• Perform RAND-SRES exchange and save the result.
• Assume the first exchange is valid and allow access.
• Use the same RAND for subsequent exchanges and see if you get the same SRES.
• Not full authentication, but better than nothing.
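
The full and the cache-based RAND-SRES checks from the GSM Authentication and Cache-Based Authentication slides, side by side, as an added example that is not OpenBTS code. The `Registry` class, its method names and its result strings are hypothetical, SRES is taken as 32 bits, and A3 is replaced by an HMAC-SHA256 stand-in because no COMP128 implementation is reproduced here.

```python
# Added example, not OpenBTS code. a3_standin() is NOT COMP128: it is an
# HMAC-SHA256 placeholder so the exchange runs without a real SIM algorithm.
import hashlib
import hmac
import secrets


def a3_standin(ki: bytes, rand: bytes) -> bytes:
    """Placeholder for A3: (Ki, 128-bit RAND) -> 32-bit SRES."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


class Sim:
    """Handset side: holds Ki and only ever reveals SRES."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3_standin(self._ki, rand)


class Registry:
    """Hypothetical registry: full auth if Ki is known, else cache-based."""

    def __init__(self):
        self.ki = {}       # IMSI -> Ki, only for SIMs we issued ourselves
        self.cache = {}    # IMSI -> (RAND, SRES) saved from the first exchange
        self.pending = {}  # IMSI -> RAND of the challenge currently outstanding

    def get_rand(self, imsi: str) -> bytes:
        if imsi not in self.ki and imsi in self.cache:
            rand = self.cache[imsi][0]       # cache mode: reuse the saved RAND
        else:
            rand = secrets.token_bytes(16)   # fresh 128-bit challenge
        self.pending[imsi] = rand
        return rand

    def check(self, imsi: str, rand: bytes, sres: bytes) -> str:
        if self.pending.pop(imsi, None) != rand:
            return "reject"                  # not the challenge we issued
        if imsi in self.ki:                  # full authentication
            expected = a3_standin(self.ki[imsi], rand)
            return "full-ok" if hmac.compare_digest(expected, sres) else "reject"
        if imsi not in self.cache:           # first exchange: assumed valid
            self.cache[imsi] = (rand, sres)
            return "first-use"
        same = hmac.compare_digest(self.cache[imsi][1], sres)
        return "cached-ok" if same else "reject"


def attach(registry: Registry, sim: Sim) -> str:
    """One RAND-SRES exchange between the registry and a SIM."""
    rand = registry.get_rand(sim.imsi)
    return registry.check(sim.imsi, rand, sim.respond(rand))
```

Because cache mode reuses one RAND, a "cached-ok" result only shows that the SIM answers as it did the first time, and whichever SIM presents an IMSI first is the one that gets cached.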

SIM Parameters
• To perform RAND-SRES authentication, you must know Ki and the A3 algorithm used by the SIM.
• SIMs do not disclose Ki; it is normally known only by the party that issues the SIM.
• A3 is usually a variant of COMP-128; the current industry standard is v3.
• To perform full authentication you must be able to issue SIMs and have the software to implement the A3 in those SIMs.

Subscriber Registry
• “Realtime” Asterisk using external databases.
• Core is an sqlite3 database file, /var/lib/asterisk/sqlite3dir/sqlite3.db.
• HTTP interface for remote access.
• SIP interface for registration.
• Caching Behavior.

Subscriber Registry sip_buddies Table
• Based on pre-existing Asterisk “sip-buddies” schema with extra per-subscriber fields:
  • Ki, the SIM secret key for this subscriber
  • RAND, SRES, the most recent challenge-response pair used with this subscriber
  • a3a8, the A3/A8 algorithm to be used with this subscriber

Subscriber Registry dialdata_table
• Used by Asterisk dialplan for realtime number resolution.
• A simple IMSI-number mapping.
• Calls to unresolvable numbers get passed up to a higher-level switch.

SR RAND-SRES Authentication via SIP
• SIP Interface; follows form of RFC-2543 Section 14, using
  • RAND as the nonce
  • A3 instead of MD5
  • SRES as the response

SIP-Style Authentication
[Figure: message sequence diagram between MS, OpenBTS and Registry. Labels: CHAN. REQ., IMMED. ASSIGN., LOC. UPDATE REQ., REGISTER, 401 Unauthorized, LOC. UPDATE ACCEPT, CHAN. REL., AUTH. REQ., AUTH. RESP., REGISTER, 200 OK.]

SR Authentication via HTTP
• HTTP Interface
• Ad hoc but easy to implement
• Send IMSI in URL, get RAND result.
• Send IMSI, RAND and SRES in URL, get success/failure result.

HTTP-Based Authentication
[Figure: message sequence diagram between MS, OpenBTS and Registry. Labels: CHAN. REQ., IMMED. ASSIGN., LOC. UPDATE REQ., HTTP GET, 200 OK, LOC. UPDATE ACCEPT, CHAN. REL., AUTH. REQ., AUTH. RESP., HTTP GET, 200 OK.]

Generating SIMs
• For full authentication, you must know Ki.
• The only way to know Ki is to put it there yourself.
• Programmable SIMs with write-only Ki records!
• SIM-programming SW writes new entries directly into SR database.

SIM Security
• COMP128 and cracking
• SIM protection
• COMP128v3
• Fraud detection

Network Security
• SR caching makes isolated nodes robust.
• SR caching also moves a lot of sensitive information around the network.
• Securing the backhaul is critical.

Subscriber Security
• C2.8 generates TMSIs on a per-BTS basis.
  • Good: TMSIs not globally significant
  • Bad: Lots of TMSI reassignments
• C2.8 does not support A5/x. Future versions will.
  • A5/1 export restrictions
  • A5/2 deprecation

SMS Text Messaging

GSM SMS
• Session-less transfer over Dm channel.
• Address is ISDN/E.164 or e-mail.
• Maximum payload is 140 bytes, 160 characters in GSM 7-bit alphabet.
• SMSC acts as a store-and-forward server, since handsets are only intermittently connected.
• SMS defined in 5 layers on Um, but 2 of them are just relays.

SIP RFC-3428
• Session-less transfer over an IP channel.
• Allows for intermediary store-and-forward servers.
• Addressing is same as any other SIP.
• OpenBTS uses MIME-encoded RPDU (application/vnd.3gpp.sms).

SMS in OpenBTS
• Terminate SMS L3 and L4 locally.
• Translate SMS L5 to SIP RFC-3428 with vnd.3gpp.sms content.
• Outgoing RFC-3428 addressed numerically.
• Inbound RFC-3428 addressed to IMSI-derived SIP users.
• Cannot send directly from one handset to another.

Smqueue
• RFC-3428 store-and-forward server.
• Uses vnd.3gpp.sms content, making it payload-agnostic.
• Translates SUBMIT TPDUs into DELIVER TPDUs.
• Accepts numeric addresses, resolves to SIP users with the Subscriber Registry.
• In C2.8, must be running on the same computer as the subscriber registry.

MO-SMS
[Figure: message sequence diagram between Handset, OpenBTS and smqueue. Labels: ASSIGNMENT, CHAN. REQ., CM SVC. REQ., CM SVC. ACCEPT, CP-DATA/RP-DATA, MESSAGE, CP-ACK, CP-DATA/RP-ACK, OK, CP-ACK, CHANNEL RELEASE.]

MT-SMS
[Figure: message sequence diagram between OpenMessage, OpenBTS and MS. Labels: MESSAGE, PAGING REQ., PAGING RESP., IMMED. ASSIGN., CHAN. REQ., CP-DATA/RP-DATA, CP-ACK, CP-DATA/RP-ACK, CP-ACK, CHANNEL RELEASE, OK.]

Short Codes
• Short codes are special SMS addresses that go to programs instead of to other users.
• Short codes can be used to build interactive applications based on SMS.
• Smqueue supports short codes, but the functions must be hard-coded into the system.

Short Code Example: Auto-Provisioning
• Short code function adds a new SIP user and a new dialplan entry in the Subscriber Registry.
• Can be used for automatic provisioning in some applications.
• Only effective if used with open registration.

Connecting SMS to the Outside World
• Email gateways
  • the return address problem
• SIP RFC-3428 gateways
  • the registration problem
• SMPP
  • The dual-address problem.
• New trends in combined VoIP services (Voxbone and Voxeo).

Connecting to the PSTN

VoIP Carrier Services
• Route outbound calls to the PSTN (“origination”)
• Lease DID (“direct inbound dialed”) E.164 addresses (“telephone numbers”)
• Route inbound calls from PSTN to DIDs (“termination”)
• Generate billing records (CDRs)

VoIP Carrier Prices
• DID leases typically run $0.25/mo - $5/mo depending on
  • quantity
  • where numbers are located
• Calling rates typically run $0.003/min - $0.050/min. depending on
  • quantity
  • call destination

VoIP Carrier Technical Connection
• Nearly all support SIP/RTP; many support IAX, too.
• Nearly all support G.711 (a-law/mu-law) and G.729 (ADPCM); some support GSM full-rate directly.
• The interface to the carrier appears as a SIP or IAX user in the gateway switch configuration.

Putting It All Together

Inside Each BTS Node
[Figure: block diagram. Blocks: "Transceiver" Radiomodem; Full-Band Digital Radio Transceiver; "OpenBTS" GSM/SIP Protocol Processor; smqueue RFC-3428 SMS Processor; SIP/IAX Softswitch; subscriber registry Database/Server; IP Network Interface; IP Network. Link labels: USB2, UDP, SIP, SQL, SIP/RTP, IAX, HTTP/S, SMTP.]

A Full Network
[Figure: network diagram. Blocks: OpenBTS cell sites; private IP network; SIP switch & subscriber registry; smqueue; other services; public IP network; VoIP Carriers; PSTN. Link labels: SIP/RTP, IAX, HTTP/S, SMTP, SIP, ISDN/SS7.]

Mobility

Some Confusion
• Handover - The ability to transfer a live call from one cell to another. And in GSM it’s called “handover”, not “handoff”.
• Roaming - The ability to integrate call routing and billing with other carriers.
• Mobility - The ability to transfer service as a handset moves from one cell to another.

Dependencies
• You need mobility to support handover.
• You do not need handover to support mobility.
• You need mobility to support roaming.
• You do not need handover to support roaming.
• You do not need roaming to support mobility.

Simple Mobility
[Figure: network diagram. Labels: OpenBTS APs A, B, C; private IP network; Central Server (SIP switch, subscriber registry, smqueue); public IP network; PSTN.]

Good
• Leverages existing dynamic-host support for SIP users.
• SIP core network needs no information about the BTS units.
• RTP traffic can still be shortest-path routing.

Not So Good
• Handsets must register every time they change cells.
• Central server is a central point of failure.
• Loss of backhaul shuts down a cell.

Better Mobility
[Figure: network diagram. Labels: OpenBTS APs 1A, 1B, 1C, 2A, 2B, 2C; private IP network; CS, S1, S2, each with SIP switch, subscriber registry and smqueue; public IP network; PSTN.]