2g_gprs_3g
TRANSCRIPT
-
8/3/2019 2G_GPRS_3G
1/150
1
Chap 5
2G: GSM System
-
8/3/2019 2G_GPRS_3G
2/150
2
Outlines
IntroductionGSM ArchitectureAir InterfaceLocation Tracking and Call SetupHandOff
SecuritySummary
-
8/3/2019 2G_GPRS_3G
3/150
3
Introduction
-
8/3/2019 2G_GPRS_3G
4/150
4
IntroductionG lobal System for M obile Communications ( GSM ) is a digital
wireless network standard.It was developed by Group Special Mobile of ConferenceEuropeenne des Postes et Telecommunications (CEPT) andEuropean Telecommunications Standards Institute (ETSI) .GSM Phases 1 and 2 define digital cellulartelecommunications system.GSM Phase 2+ targets on Speech Codec and Data Service.
-
8/3/2019 2G_GPRS_3G
5/150
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
Services
Quality of Services and SecurityRadio Frequency Utilization
Network Cost
The Basic Requirements of GSM
-
8/3/2019 2G_GPRS_3G
6/150
6
GSM Architecture
-
8/3/2019 2G_GPRS_3G
7/150
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSC/ VLR
PSTNPSTN
-
8/3/2019 2G_GPRS_3G
8/150
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTSBTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
-
8/3/2019 2G_GPRS_3G
9/150
9
Also called Mobile Terminal (MT)The MS consists of two parts:
Subscriber Identity Module (SIM)
Mobile Equipment (ME)
Mobile Station (MS)
-
8/3/2019 2G_GPRS_3G
10/150
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialingnumbersShort messageNames of preferred Networks to provide service
Personal Identity Number (PIN) .
SIM
-
8/3/2019 2G_GPRS_3G
11/150
11
SIMSIM contains important information including
IMSIK iTMSIAccess Control Code
K cLAI
SIM information can be modified:By the subscriber either by keypad or a PC using an RS232connectionBy sending codes through short messages (network operators)
-
8/3/2019 2G_GPRS_3G
12/150
12
Mobile Equipment (ME)
ME: non-customer-related hardware and softwarespecific to the radio interfaceME can not be used if no SIM is on the MS.
Except for emergency callsThe SIM-ME design supports portability:
The MS is the property of the subscriber.
The SIM is the property of the service provider.
-
8/3/2019 2G_GPRS_3G
13/150
13
Base Station System (BSS)
The Base Station System (BSS) connects the MSand NSS.BSS contains
Base transceiver station (BTS)Base station controller (BSC)
-
8/3/2019 2G_GPRS_3G
14/150
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiver
Signaling equipment specific to the radio interface inorder to contact the MSs.Transcoder/Rate Adapter Unit (TRAU)
GSM-specific speech encoding/decoding and rateadaptation in data transmission
-
8/3/2019 2G_GPRS_3G
15/150
15
GSM 900
GSM 1800
Lightningconductor
Omni-directional Antenna
-
8/3/2019 2G_GPRS_3G
16/150
16
GSM 900
GSM 1800
Lightning
conductor
Directional Antenna
-
8/3/2019 2G_GPRS_3G
17/150
17
Directional Antenna
-
8/3/2019 2G_GPRS_3G
18/150
18
Base Station Controller (BSC)Radio channel assignmentHandoff management
Connect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSs.
The BSC communicates with the BTSs via the A-bis.
BSC (1/2)
-
8/3/2019 2G_GPRS_3G
19/150
19
BSC (2/2)The processor load of a BSC:
Call activities (around 20-25%)Paging and short message service (around 10-15%)Mobility management (handoff and location update,
around 20-25%Hardware checking/network-triggered events (around15-20%)
When a BSC is overloaded, it first rejects locationupdate, next MS originating calls, then handoff.
-
8/3/2019 2G_GPRS_3G
20/150
20
Network and Switching Subsystem (NSS)Telephone switching functionsSubscriber profilesMobility management
Components in NSS:MSC : provide basic switching function
Gateway MSC (GMSC): route an incoming call to anMSC by interrogating the HLR directory.
NSS (1/2)
-
8/3/2019 2G_GPRS_3G
21/150
21
NSS (2/2)
Components in NSS (continuous):HLR and VLR maintain the current location of the MS.Authentication Center (AuC) is used in the securitymanagement.Equipment Identity Register (EIR) is used for theregistration of MS equipment.
-
8/3/2019 2G_GPRS_3G
22/150
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
-
8/3/2019 2G_GPRS_3G
23/150
23
Air Interface
-
8/3/2019 2G_GPRS_3G
24/150
24
Radio Interface Um (1/3)
The GSM radio link uses TDMA/FDDtechnology.
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs 200 KHz8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0.577 msec for atime slot).The length of GSM frame in a frequency carrier is4.615 msec.
-
8/3/2019 2G_GPRS_3G
25/150
25
Radio Interface Um (2/3)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
892.2 MHz
Frame Frame (TDMA)
892.4 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
-
8/3/2019 2G_GPRS_3G
26/150
26
GSM Normal Burst
Begin with 3 head bits, and end with 3 bits.
Two groups are separated by an equalizer trainingsequence of 26 bits.The flags indicates whether the informationcarried is for speech/data, or signaling.
3 57 bits 1 26 bits 1 57 bits 3 8.25 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits/0.564 msec)
Time Slot (156.25 bits or 0.577 msec)
-
8/3/2019 2G_GPRS_3G
27/150
27
Logical Channels
-
8/3/2019 2G_GPRS_3G
28/150
28
Traffic Channel (TCH)
TCHs are intended to carry user information(speech or data).
Full-rate TCH (TCH/F)Transmission speed: 13 Kbps for speechTransmission speed: 9.6, 4.8 or 2.4 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech quality
Half-rate TCH (TCH/H )Transmission speed: 6.5 Kbps speechTransmission speed: 4.8 or 2.4 Kbps of data.
-
8/3/2019 2G_GPRS_3G
29/150
29
Control Channels (CCH)
CCHs: to carry signaling informationThree types of CCHs :
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
-
8/3/2019 2G_GPRS_3G
30/150
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHs.Two types in BCH:
Frequency Correction Channel (FCCH) and
Synchronization Channel (SCH)The information allows the MS to acquire and staysynchronized with the BSS.
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cellInformation related to the surrounding cells to support cellselectionLocation registration procedures in an MS
-
8/3/2019 2G_GPRS_3G
31/150
31
Three types in CCCH:Random Access Channel (RACH) (uplink)
Used by the MSs for initial access to the network Collision may occurs.Slotted Aloha protocol is used to resolve access collision.
Access Grant Channel (AGCH) (downlink)Used by the network to indicate radio link allocation uponprime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
-
8/3/2019 2G_GPRS_3G
32/150
32
DCCH is for dedicated use by a specific MS.Four types in DCCH:
Standalone Dedicated Control Channel (SDCCH)(down/uplink)
used only for signaling and for short message
Slow Associated Control Channel (SACCH)(down/uplink)
Associated with either a TCH or an SDCCH
For non-urgent proceduresPower and time alignment control information (downlink)Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (1/2)
-
8/3/2019 2G_GPRS_3G
33/150
33
Four types in DCCH (continuous):Fast Associated Control Channel (FACCH)(down/uplink)
Used for time-critical signaling, such as call-establishing
progress, authentication of subscriber, or handoff.FACCH use TCH during a call.May cause user data loss.
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcastmessages, which use the same time slot as the SDCCH.
Dedicated Control Channel
(DCCH) (2/2)
-
8/3/2019 2G_GPRS_3G
34/150
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 8.25 bits
Tailing Data Flag Training Flag Data Tailing Guard
3 142 bits
Frequency Correction Burst
3 8.25 bitsTailing Fixed Bits Tailing Guard
3 39 bits
Synchronization Burst
64 bits 39 bits 3 8.25 bitsTailing Data Training Data Tailing Guard
3 41 bits
Access Burst
36 bits 3 68.25 bitsTailing Synch. Seq. Data Tailing Guard
-
8/3/2019 2G_GPRS_3G
35/150
35
Example of Channel Usage
(GSM Call Origination)
-
8/3/2019 2G_GPRS_3G
36/150
36
Example of Channel Usage
(GSM Call Termination)
-
8/3/2019 2G_GPRS_3G
37/150
37
Mobility Databases
-
8/3/2019 2G_GPRS_3G
38/150
38
Mobility DatabasesThe hierarchical databases used in GSM.
The home location register (HLR) is a database usedfor MS information management.The visitor location register (VLR) is the database of
the service area visited by an MS.
MSC 1
HLR
VLR 1 VLR 2
MSC 2
-
8/3/2019 2G_GPRS_3G
39/150
39
Key TermsGSM uses some identifiers
Mobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
-
8/3/2019 2G_GPRS_3G
40/150
40
MSISDNMobile System ISDN
MSISDN uses the same format as the ISDN address(based on ITU-T Recommendation E.164).HLR uses MSISDN to provide routing instructions to
other components in order to reach the subscriber.
Country code(CC)
National destinationcode (NDC)
Subscribernumber (SN)
Total up to 15 digits
-
8/3/2019 2G_GPRS_3G
41/150
41
MSRNMobile Station Roaming Number
The routing address to route the call to the MSthrough the visited MSC.
MSRN=CC+NDC+SN
-
8/3/2019 2G_GPRS_3G
42/150
42
IMSIInternational Mobile Subscriber Identity
Each mobile unit is identified uniquely with an IMSI.IMSI includes the country, mobile network, mobilesubscriber.
Total up to 15 digits
Mobile countrycode (MCC)
Mobile network code (MNC)
Mobile subscriberidentification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
-
8/3/2019 2G_GPRS_3G
43/150
43
TMSITemporary Mobile Subscriber Identify
TMSI is an alias used in place of the IMSI.This value is sent over the air interface in place of theIMSI for purposes of security.
-
8/3/2019 2G_GPRS_3G
44/150
44
IMEIInternational Mobile Station Equipment Identity
IMEI is assigned to the GSM at the factory.When a GSM component passes conformance andinteroperability tests, it is given a TAC.
Up to 15 digits
Type approvalcode (FAC)
Final assemblycode (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
-
8/3/2019 2G_GPRS_3G
45/150
45
LAILocation Area Identity
LAI identifies a location area (LA).When an MS roams into another cell, if it is in thesame LAI, no information is exchanged.
Total up to 15 digits
Mobile countrycode (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
-
8/3/2019 2G_GPRS_3G
46/150
46
CGICell Global Identity
CGI = LAI + CI= MCC + MNC + LAC + CI
CI : Cell Identity
-
8/3/2019 2G_GPRS_3G
47/150
47
Home Location Register (HLR)An HLR record consists of 3 types of information:
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number Phone Number of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service information
service subscriptionservice restrictionssupplementary services
-
8/3/2019 2G_GPRS_3G
48/150
48
Visitor Location Register (VLR)The VLR information consists of three parts:
Mobile Station InformationIMSIMSISDN
TMSILocation Information
MSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
-
8/3/2019 2G_GPRS_3G
49/150
49
Identifiers and Components
MSC
CGI
LAI
TMSIIMSI
MSRN
MSISDN
MSBTSBSCVLR/MSCHLR
-
8/3/2019 2G_GPRS_3G
50/150
50
Location Tracking
(Mobility Management)
-
8/3/2019 2G_GPRS_3G
51/150
51
Location Update
BS 2
BS 1
BS 3
-
8/3/2019 2G_GPRS_3G
52/150
52
Two-level Hierarchical StrategyThe current location of an MS is maintained by a
two-level hierarchical strategy with the HLR andthe VLRs.
MSC 1
HLR
VLR 1 VLR 2
MSC 2
-
8/3/2019 2G_GPRS_3G
53/150
53
Location AreaLocation area (LA) is the basic unit for location
tracking.
MSC MSC
MSC
LA 1
LA 2
LA 3
-
8/3/2019 2G_GPRS_3G
54/150
54
GSM Location Area HierarchyHLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR : HOME Location RegisterVLR : VISITOR Location RegisterMSC : Mobile Switching CenterLA : Location AreaMS : Mobile Station
-
8/3/2019 2G_GPRS_3G
55/150
55
Location Update Concept
Registration: the location update procedureinitiated by the MS:
Step 1. BS periodically broadcasts the LA address.Step 2.
When an MS finds the LA of BS differentfrom the one stored in it memory, it sends aregistration message to the network.Step 3. The location information is update.
-
8/3/2019 2G_GPRS_3G
56/150
56
Periodically RegistrationThe MS periodically send registration messages
to the network.The period is 6 minutes to 24 hours.Periodic registration is useful for fault-tolerancepurposes.
-
8/3/2019 2G_GPRS_3G
57/150
-
8/3/2019 2G_GPRS_3G
58/150
58
GSM Basic Location
Update ProcedureCase 1. Inter-LA Movement
-
8/3/2019 2G_GPRS_3G
59/150
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
-
8/3/2019 2G_GPRS_3G
60/150
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
-
8/3/2019 2G_GPRS_3G
61/150
61
Intra-MSCBTS2 BTS3 LAI
LAI (Registration)
Step 1:TMSI=0105
LAI=LA1
LAI=LA2
Step 2: update SIM LAI=LA2
Step 3: MSC1 check TMSI
LAI MSC
Step 4: MSC1 LAI LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
-
8/3/2019 2G_GPRS_3G
62/150
62
Intra-MSCSteps 5: MSC1 VLR1
=MSC1
TMSI=0105LAI=LA1LAI=LA2
Steps 6: VLR MSC
MSCVLR LAI LA2
Steps 7: VLR ACK MSC
Steps 8: MSC BSC BTS MSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
-
8/3/2019 2G_GPRS_3G
63/150
63
GSM Basic Location
Update ProcedureCase 2. Inter-MSC Movement
-
8/3/2019 2G_GPRS_3G
64/150
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
-
8/3/2019 2G_GPRS_3G
65/150
65
Inter-MSCBTS3 BTS4
Step 1: BTS4 LA3 SIM LAI Registration procedure
Step 2: ( BTS4)TMSI=0105
LAI=LA2LAI=LA3
Step 3: BTS4 BSC3 MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
-
8/3/2019 2G_GPRS_3G
66/150
66
Inter-MSCStep 4: MSC2 TMSI MSC2 VLR1
=MSC2
TMSI=0105LAI=LA2LAI=LA3
Step 5: VLR1 check TMSI MSC
MSC VLRVLR update MSC MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
-
8/3/2019 2G_GPRS_3G
67/150
67
Inter-MSCStep 6:
(1)VLR1 HLR=VLR1
MSC=MSC2IMSI=
(2)VLR2 MSC2IMSI=TMSI=0105LAI=LA3
(3)VLR MSC1IMSI=TMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
-
8/3/2019 2G_GPRS_3G
68/150
68
Inter-MSCStep 7: HKR IMSI check VLR
update MSC MSC2 ACK VLR1
Step 8: MSC2
Step 9: MSC1 TMSI:0105 ACK VLR1
Step 10: VLR1 MSC2 BSC3 BTS4
Step 11: update LAI LA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
-
8/3/2019 2G_GPRS_3G
69/150
69
GSM Basic Location
Update ProcedureCase 3. Inter-VLR Movement
-
8/3/2019 2G_GPRS_3G
70/150
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
-
8/3/2019 2G_GPRS_3G
71/150
71
Inter-VLRStep 1: MS update LAI LA4 RegistrationMS BTS5 BSC4 MSC3
TMSI=0105LAI=LA3LAI=LA4
Step 2: MSC3 check VLR2=MSC3
TMSI=0105LAI=LA3LAI=LA4
Step 3: VLR2 check
TMSI VLR=VLR1VLR2 VLR1 (1)check TMSI (2) IMSIVLR1 check TMSI
IMSI VLR2VLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
-
8/3/2019 2G_GPRS_3G
72/150
72
Inter-VLRStep 4: VLR2 IMSI HLR=HLR1 VLR2 HLR1
=VLR2MSC=MSC3
IMSI=
Step 5: HLR1 IMSI updateVLR VLR2MSC MSC3
HLR VLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
-
8/3/2019 2G_GPRS_3G
73/150
73
Inter-VLRStep 6: VLR2 VLR1 VLR1 MSC2
Step 7: VLR2 TMSI=0208 update TMSI=0208
Step 8: VLR2 MSC3TMSI=0208
LAI=LA4IMSI=
Step 9:
Step 10: MSC3 BSC4 BTS5 MS
Step 11: update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
-
8/3/2019 2G_GPRS_3G
74/150
74
Call Origination and
Termination
-
8/3/2019 2G_GPRS_3G
75/150
75
Call Origination OperationV L R V 2
M S C
u 1
CloudCloudP S T N
V L RTe r m i n a t i n g
S w i t c h M S C
2 . M A P _ S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L
3 . M A P _ SE N D _ I N F O _ F O R _ O U T G O I N G _ C A L L _ a ck
4 . IA M
2
3
-
8/3/2019 2G_GPRS_3G
76/150
76
GSM Basic Call OriginationThe process is
Step 1. MS sends the call origination request to MSC.Step 2 . MSC forwards the request to VLR withmessage
MAP_SEND_INFO_FOR_OUTGOING_CALL .Step 3 . VLR checks MSs profile and sendsMAP_SEND_INFO_FOR_OUTGOING_CALL_ack
to MSC to grant the call request.Step 4. MSC sets up the trunk according to thestandard PSTN call setup procedure.
-
8/3/2019 2G_GPRS_3G
77/150
77
Call Termination Message Flow
-
8/3/2019 2G_GPRS_3G
78/150
78
Call Termination (1/2)Routing information for call termination can beobtained form the serving VLR.The basic call termination process:
Step 1. A MSs ISDN ( MSISDN ) number is dialedby a PSTN user. The call is routed to a gateway MSCby an SS7 ISUP IAM message.Step 2. GMSC sends
MAP_SEND_ROUTING_INFORMATION with theMSISDN to HLR.
Call Termination (2/2)
-
8/3/2019 2G_GPRS_3G
79/150
79
The process continues:Step 3. HLR sends a
MAP_PROVIDE_ROAMING_NUMBER to VLR.Parameter included: IMSI of the MS, the MSC number.
Steps 4 and 5. VLR creates Mobile SubscriberRoaming Number (MSRN) by using the MSCnumber stored in the VLR record.
MSRN is sent back to the gateway MSC through HLR.MSRN provides the address of the target MSC where the
MS resides.Step 6. An SS7 ISUP IAM message is directed fromthe gateway MSC to the target MSC to setup the voicetrunk.
The Mobile Call Termination
-
8/3/2019 2G_GPRS_3G
80/150
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
(Delivery) Procedure
MSISDN
MSRN MSRN
MSISDN
MSISDN
PSTN
IMSI
-
8/3/2019 2G_GPRS_3G
81/150
81
Handoff (Handover)
-
8/3/2019 2G_GPRS_3G
82/150
82
Handoff
Two Aspects of Mobility in a PCSNetwork
-
8/3/2019 2G_GPRS_3G
83/150
83
Handoff Link transfer, or Handover
A mobile user moves from one coverage area of anold BS to the coverage area of a new BS during theconversation .
The radio link to the old BS is disconnected and aradio link to the new BS should be established tocontinue the conversation.
RoamingWhen a mobile user moves from one system toanother, the user location should tell the PCS system.
BS Coverage Area
-
8/3/2019 2G_GPRS_3G
84/150
84
BS coverage area irregular.In the cell boundary
Signal from a neighboring BSSignal from the serving BS
Otherwise: Forced termination
-
8/3/2019 2G_GPRS_3G
85/150
85
Handoff CostHandoffs are expensive.
Special for the system with small cell sizesSmall cell size for
To increase the capacity of the systemsTo reduce power requirements of MSs.
-
8/3/2019 2G_GPRS_3G
86/150
86
Issues for Handoff ManagementHandoff detection
Who and howChannel assignmentRadio link transfer
-
8/3/2019 2G_GPRS_3G
87/150
87
Handoff Detection
-
8/3/2019 2G_GPRS_3G
88/150
88
Strategies for Handoff DetectionWho makes a decision for handoff
Three handoff detection schemes:Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)
Mobile-Assisted Handoff (MAHO)Others
Mobile-Controlled Handoff
-
8/3/2019 2G_GPRS_3G
89/150
89
MCHO is used in DECT and PACS.
Part I. The MS continuously monitors the signalsof the surrounding BSs.Part II. The MS initiates the handoff processwhen some handoff criteria are met.
(MCHO)
Network-Controlled Handoff
-
8/3/2019 2G_GPRS_3G
90/150
90
(NCHO)Used in CT-2+ and AMPS
Part I. The surrounding BSs measure the signalfrom the MS.Part II. The network initiates the handoff processwhen some handoff criteria are met.MSC controls the handoff.
bil i d d ff ( O)
-
8/3/2019 2G_GPRS_3G
91/150
91
Mobile-Assisted Handoff (MAHO)Used in GSM, IS-136 and IS-95
Part I .. The network asks the MS to measure thesignal from the surrounding BSs.Part II . The network makes the handoff decisionbased on the reports from the MS.
-
8/3/2019 2G_GPRS_3G
92/150
92
Channel Assignment forHandoff Calls
Ch l A i
-
8/3/2019 2G_GPRS_3G
93/150
93
Channel AssignmentPurpose to achieve a high degree of spectrumutilization for a given grade of service
Ex To reduce forced terminations
F d T i ti
-
8/3/2019 2G_GPRS_3G
94/150
94
Forced TerminationsBlocked call Initial access requests fail
For new callNo available channels on the visited BS
Forced terminations Handoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious, new call blocking or forceterminating?
S t d ff
-
8/3/2019 2G_GPRS_3G
95/150
95
Some trade-offsService quality
Spectrum utilizationImplementation complexity of the channelassignment algorithmNumber of database lookups
Flowchart for Non-prioritized
S h
-
8/3/2019 2G_GPRS_3G
96/150
96
Scheme
New orhandoff call arrival
Channelavailable?
Channelassigned
yes
no Channelblocked
Ongoingcall
Channelreleased
Flowchart for Reserved Channel
Scheme
-
8/3/2019 2G_GPRS_3G
97/150
97
Scheme
New
callarrival
Normal
channelavailable?
Channelassigned
Handoff callarrival
Normalchannelavailable?
Reservedchannelavailable?
yes yes
yes
no
no no
Channelblocked
Ongoingcall Channelreleased
-
8/3/2019 2G_GPRS_3G
98/150
98
Link Transfer
Link Transfer
-
8/3/2019 2G_GPRS_3G
99/150
99
Link TransferTwo operations:
The radio link istransferred from the oldBS to the new BS.
The network bridges thetrunk to the new BS anddrop the trunk to the oldBS.
MSC
OldBS New
BS
Five Distinct Link Transfer
Cases (1/3)
-
8/3/2019 2G_GPRS_3G
100/150
100
Cases (1/3)1. Intra-BTS handoff or intra-cell handoff
2. Inter-BTS handoff or inter-cell handoff 3. Inter-BSC handoff 4. Inter-MSC handoff or intersystem handoff 5. Intersystem handoff between two PCS networks
Inter BSC Handoff
-
8/3/2019 2G_GPRS_3G
101/150
101
Inter-BSC Handoff
MSC 1
OldBS
NewBS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
OldBS
NewBS
BSC 2BSC 1
Intra-MSC
-
8/3/2019 2G_GPRS_3G
102/150
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
Inter-MSC Link Transfer
-
8/3/2019 2G_GPRS_3G
103/150
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (1/2)
ServingServing Target Target Target
-
8/3/2019 2G_GPRS_3G
104/150
MS ServingMSC
ServingBSS
1 STRN_MEAS
TargetMSC
TargetBSS
TargetVLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ7 HAND_REQ_ACK
8 HAND_PER_ACK
9 NET_SETUP
10 SETUP_COMP
11 HAND_COMM
12 HAND_COMM
Inter-MSC (2/2)
MSServingMSC
ServingBSS
TargetMSC
TargetBSS
TargetVLR
-
8/3/2019 2G_GPRS_3G
105/150
13 HAND_ACC
14 CHH_INFO
16 HAND_COMP
15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
Anchor MSC
-
8/3/2019 2G_GPRS_3G
106/150
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC.1: inter-BS handoff 2: handoff forward3: handoff back 4: handoff to the third
Path Minimization
-
8/3/2019 2G_GPRS_3G
107/150
107
Path MinimizationMSC A MSC B MSC A MSC B
(a) Handoff forwad(a) Handoff Backwad
MSC A
MSC B
(c) Handoff to the Third
MSC cMSC A
MSC B
(d) Path Minimization
MSC c
-
8/3/2019 2G_GPRS_3G
108/150
108
Radio Link Transfer
-
8/3/2019 2G_GPRS_3G
109/150
109
Hard Handoff
Hard Handoff
-
8/3/2019 2G_GPRS_3G
110/150
110
MS connects with only one BSat a time .Interruption in the conversationoccurs
Used in TDMA and FDMAsystemsWe will study the signaling of
handoff:MCHO Link TransferMAHO/NCHO Link TransferSubrating MCHO Link Transfer
MSC
OldBS
NewBS
Hard Handoff Link Transfer forMCHO
-
8/3/2019 2G_GPRS_3G
111/150
111
A handoff request message is initiated by the MS.The network can initiate the handoff.But always MS chooses the BS.
MS selects a new radio channel.
If a handoff failure occurs, the MS link-qualitymaintenance process must decide what to do next.
-
8/3/2019 2G_GPRS_3G
112/150
112
Soft Handoff
Soft Handoff
-
8/3/2019 2G_GPRS_3G
113/150
113
MS connects to multiple BSssimultaneously.BSs use the same frequency.BSs must be synchronized.
The network must combine thesignals form the multiple BSssimultaneously.Soft handoff is morecomplicated than hard handoff.
MSC
BS 1 BS 2
Mobility Management
Mobility management procedures begin whent d t t th f i iti g
-
8/3/2019 2G_GPRS_3G
114/150
114
a system detects the presence of a visitingterminal.
(1) serving base station serving MSC (informMSC the terminals action)(2) MSC records that the terminal is in its operatingarea(3) MSC send this information to its VLR.(4) VLR notifies the terminals HLR.(5) HLR notifies the old VLR to erase record.
VisitedBS
VLR
HLR
------
---
Power
onCSS
-
8/3/2019 2G_GPRS_3G
115/150
HomeMSC
BSBS
VisitedMSC
BS
: profile request result
:
:
VLR
Registration notification invoke,contains MIN, ECN, SID, addressof VLR.
Registration cancellation invoke: profile request invoke
:
Registration notification invoke,contains MIN, ECN, SID
Figure 4.4 Registration of a terminal in a visited service area.
-
8/3/2019 2G_GPRS_3G
116/150
PriorMSC
PriorVLR HLR
ServingVLR
-
8/3/2019 2G_GPRS_3G
117/150
Figure 4.4 Registration of a terminal in a visited service area
Handoff Categories
IS-41 specifies three handoff protocols:handoff forward handoff back and handoff to third
-
8/3/2019 2G_GPRS_3G
118/150
118
handoff forward , handoff back , and handoff to third .
Intersystem handoff requires dedicatedcommunication links between a pair of MSCs:
voice trunks: for carrying user information in callshanded from one MSC to anotherdata links: for carrying control messages betweenthe two switch.
Handoff forward:The terminal moves into the
service area of system Bcausing MSC-A and MSC-B
-
8/3/2019 2G_GPRS_3G
119/150
to perform a handoff.MSC-A is the anchor MSC
MSC-A is responsible forrouting the call to the remoteparty.MSC-B is the serving MSC
because it currently hascontrol of the call.After handoff, MSC-B is thetarget MSC.
Figure 4.8 The situation after a handoff forward from system A(anchor system) tosystem B(serving system).
Handoff Back:The terminal can return to
the service area of system A.MSC-B recognizes that the
-
8/3/2019 2G_GPRS_3G
120/150
call arrived from system Aand it initiates a handoff back
protocol, which releases thevoice circuit between MSC-A and MSC-B.Without this protocol, thesystems would tie up twovoice trunks
one taking the call fromsystem A to system Bthe other taking it fromsystem B to system A.
Handoff forward:It is possible that the terminalwill move from system B to a
third system C.This produces two possibilities
-
8/3/2019 2G_GPRS_3G
121/150
in Figures 4.9 and 4.10.In Figure 4.9, MSC-B and
MSC-C perform a handoff forward procedure the one thatmoved the call from system Ato system B.
System B provides a path fromMSC-A to MSC-C.The situation can continue,adding more and more MSCs
to the chain, up to a limitestablished by the anchorsystem.Figure 4.9 Call path after handoff forward to
system C
Handoff to third:An alternative occurs whenthere is a direct connection
between systems A and C.IS-41 includes a protocol
-
8/3/2019 2G_GPRS_3G
122/150
referred to as handoff to third ,which establishes a direct link
between MSC-A and MSC-Cand release the link between Aand B.
Figure 4.10 If there are circuits connecting MSC-Aand MSC-C, the system performs handoff to third.
Handoff Protocols
There are two phases to every handoff procedure
-
8/3/2019 2G_GPRS_3G
123/150
procedure.Location phase
the serving MSC collects measurement reports fromcells in the neighborhood of the cell presentlyoccupied by a terminal.
When measurements are required from one or morecells in a system adjacent to the serving system, theadjacent system becomes a candidate system .The serving MSC and a candidate MSC exchangehandoff measurement request messages.
A HANDOFF MEASUREMENT REQUESTINVOKE message, transmitted by the serving MSCincludes:
-
8/3/2019 2G_GPRS_3G
124/150
includes:information about the terminal (station class mark, SCM,
indicates the capabilities of the terminal)information about the serving base station (SAT and abase station identifier), andinformation about the radio channel carrying the call
(channel number).Based on the identity of the serving base station, thecandidate MSC selects one or more candidate cellsand transmits a HANDOFF MEASUREMENTREQUEST RESULT message to the serving MSC.
The HANDOFF MEASUREMENT REQUEST RESULTmessage contains identities of candidate cells and
associated signal strength measurements.The serving MSC selects a target cell for the handoff.
-
8/3/2019 2G_GPRS_3G
125/150
If the target cell is served by a candidate MSC, this MSC
becomes the target MSC for the handoff.The handoff procedure then moves from the location phaseto the handoff phase.
Handoff phase:the serving MSC determines the type of handoff to initiate(forward, back, or handoff to third).
Handoff Forward Protocol:The serving MSC sends a FACILITIES DIRECTIVE INVOKE
message to the target MSC.This message contains:
f
-
8/3/2019 2G_GPRS_3G
126/150
information about the terminal (SCM, MIN, ESN)information about the call:
billing ID (established by the anchor MSC at the beginning of thecall);inter-MSC circuit (voice trunk that will carry the call from theserving MSC to the target MSC);inter-switch count (the total number of MSCs through which thecall will pass after the handoff);
information about the call status (serving cell, serving channel); andtarget cell identifier (based on measurement reports from the getMSC).
If the target MSC accepts the handoff, it selects a channel tohandle the call in the new cell and then sends a FACILITIESDIRECTIVE RESULT message to the serving MSC.This message contains information about the new channel:
channel number SAT and transmit power level (VMAC)
-
8/3/2019 2G_GPRS_3G
127/150
channel number, SAT, and transmit power level (VMAC).
On receiving this message, the serving MSC sends an AMPS
HANDOFF message to the terminal through the serving cell.When the target base station detects the SAT, it sends a messageto the target MSC which completes the handoff forwardoperation by sending a MOBILE ON CHANNEL INVOKEmessage to the prior serving MSC.
Figure 4.11 Message sequence and system operations for handoff forward.
-
8/3/2019 2G_GPRS_3G
128/150
-
8/3/2019 2G_GPRS_3G
129/150
Figure 4.11 Message sequence and system operations for handoff forward.
Handoff Back Protocol:If the location phase results in a determination by the serving
MSC(MSC-B) that the call would best be handled in thesystem(system A) previously occupied by the terminal, theserving MSC initiates a handoff back procedure.
-
8/3/2019 2G_GPRS_3G
130/150
g pIt (MSC-B) sends a HANDOFF BACK INVOKE message to
the previous MSC (MSC-A), which is now the target MSC of the handoff protocol.The message plays the same role as the FACILITIESDIRECTIVE INVOKE message.The target MSC (MSC-A) sends HANDOFF BACK RESULTmessage to the serving MSC (MSC-B).This message contains the same information as the FACILITIES
DIRECTIVE RESULT message.
When the target MSC(MSC-A) learns that the terminal hasarrived on the assigned channel at the target base station, itsends a FACILITIES RELEASE INVOKE message to theserving MSC (MSC-B).This message identifies the voice trunk that carries the call
-
8/3/2019 2G_GPRS_3G
131/150
between the two MSCs.
On receiving this message, the serving MSC (MSC-B) releasesthe voice trunk and sends a FACILITIES RELEASE RESULTmessage to the target MSC.Any two MSCs in a chain can perform the handoff back protocol.
-
8/3/2019 2G_GPRS_3G
132/150
Handoff to third Protocol:Handoff to third protocol is an example of path minimization
procedure, in which the system reduces the number of voicetrunks carrying a call through three or more systems.
-
8/3/2019 2G_GPRS_3G
133/150
-
8/3/2019 2G_GPRS_3G
134/150
-
8/3/2019 2G_GPRS_3G
135/150
135
Security
Security
GSM security is addressed in two aspects:
-
8/3/2019 2G_GPRS_3G
136/150
136
y pauthentication and encryption.
Authentication avoids fraudulent access by a clonedMS.Encryption avoids unauthorized listening.
Parameters
Parameters:K
i is used to achieve authentication.K i d i h A C d SIM
-
8/3/2019 2G_GPRS_3G
137/150
137
K i is stored in the AuC and SIM.
K i is not known to the subscriber.RAND
A 128-bit random number generated by the home
system.SRES is generated by algorithm A3.K
c is generated by algorithm A8 for the encryption.
Frame NumberA TDMA frame number encoded in the data bits.
Algorithms
Authentication Algorithms:A3.
A h i i f i
-
8/3/2019 2G_GPRS_3G
138/150
138
Authentication function.
In AuC and SIMEncryption Algorithms:
A8.
To generate the encryption KeyIn AuC and SIM
A5.
An algorithm stored in the MS (handset hardware) and thevisited system.Used for the data ciphering and deciphering
Authentication and Encryption
Ki
RAND
Ki
Mobile Station Home System
-
8/3/2019 2G_GPRS_3G
139/150
139
A3 A8
Equal? SRES
Yes
Noreject
accept
A5
Kc
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
VisitedSystem
authenticationencryption
Authentication by Triplet
Triplet: RAND SRES Kc
-
8/3/2019 2G_GPRS_3G
140/150
140
Triplet: RAND, SRES, Kc
AuC HLR VLR in advanceExample: Authentication in registration
New VLR uses LAI to find old VLR.
Old VLR sends triplets to new VLR.New VLR challenges MS by using RAND andSRES.
Encryption
Ki
RAND
Ki
Mobile Station Home System
-
8/3/2019 2G_GPRS_3G
141/150
141
A3 A8
Equal? SRES
Yes
No
reject
accept
A5
Kc
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
VisitedSystem
authenticationencryption
Summary
GSM Architecture
-
8/3/2019 2G_GPRS_3G
142/150
142
MS, BSS, NSSRadio Interface
GSM Radio and Channels
Location TrackingHand Off Security
Chap 62 5G: GPRS
-
8/3/2019 2G_GPRS_3G
143/150
143
2.5G: GPRS
General Packet Radio Service (GPRS)
2.5G: GPRS
-
8/3/2019 2G_GPRS_3G
144/150
144
A packet-switched protocolGPRS radio link protocol
To guarantee fast call setup procedure and low-bit error
rate for data transfer between the MSs and the BSsA new infrastructure is introduced to GPRS forthe packet services.
GPRS Architecture
TEM SC HLR
Si li li k
-
8/3/2019 2G_GPRS_3G
145/150
145
MS
TAF
PSTNPSDN
ISDN
HLR : Home Location Register
VLR : Visitor Location Register
BSS : Base Station Subsystem
TAF : Term inal Adaption Function
TE : Terminal Equipment
BSS
radiointerface
PSTN : Public Switched Telephone Network
PSDN : Public Switched Data Network
SGSN GGSN
Signaling link
MSC : Mobile Switching Center
SGSN : Serving GPRS Support NodeGGSN : Gateway GPRS Support Node
Chap 73G: WCDMA
-
8/3/2019 2G_GPRS_3G
146/150
146
3G: WCDMA
Spread Spectrum Technique3G: WCDMA
-
8/3/2019 2G_GPRS_3G
147/150
147
Scheme of CDMA(uplink)
s 1(t) s(t) = s 1(t) +s 2 (t) d 1(t)+c 1(t)s 2 (t)
LPF
-
8/3/2019 2G_GPRS_3G
148/150
148
s 2 (t)
c 2 (t)s 1(t)+d 2 (t)
LPF
Principle of CDMA4 spread codes for users A,B,C,D to send one bit data
A: 00011011 A: (-1-1-1+1+1-1+1+1)
-
8/3/2019 2G_GPRS_3G
149/150
149
B: 00101110 B: (-1-1+1-1+1+1+1-1)C: 01011100 C: (-1+1-1+1+1+1-1-1)D: 01000010 D: (-1+1-1-1-1-1+1-1)
Example: A S1=(-1-1-1+1+1-1+1+1) => S1A=(1+1+1+1+1+1+1+1)/8=1
B+C S2=(-2 0 0 0+2+2 0-2) => S2C=(2+0+0+0+2+2+0+2)/8=1 A+B+C+D S3=(-2-2 0-2 0-2+4 0) => S3C=(2-2+0-2+0-2-4+0)/8=-1
Proof:SC =(B+C)C = BC + CC = 0 + 1 = 1
Orthogonal Variable Spreading Factor
C ch,4 ,0 =(1 ,1 ,1 ,1)
-
8/3/2019 2G_GPRS_3G
150/150
150
S F = 1 S F = 2 S F = 4
C ch,1 ,0 = ( 1 )
C ch,2 ,0 = (1 ,1 )
C ch,2 ,1 = (1 , -1)
C ch,4 ,1 = (1 ,1 ,-1 , -1)
C ch,4 ,2 = (1 , -1 ,1 , -1)
C ch,4 ,3 = (1 , -1 , -1 ,1)
Orthogonal Same tree path non-orthogonal