microsoft powerpoint - 2g_gprs_3g
Post on 05-Dec-2014
2.769 Views
Preview:
DESCRIPTION
TRANSCRIPT
1
Chap 52G GSM System
2
Outlines
IntroductionGSM ArchitectureAir InterfaceLocation Tracking and Call SetupHandOffSecuritySummary
3
Introduction
4
IntroductionGlobal System for Mobile Communications (GSM) is a digitalwireless network standardIt was developed by Group Special Mobile of Conference Europeenne des Postes et Telecommunications (CEPT) and European Telecommunications Standards Institute (ETSI)GSM Phases 1 and 2 define digital cellular telecommunications systemGSM Phase 2+ targets on Speech Codec and Data Service
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
ServicesQuality of Services and SecurityRadio Frequency UtilizationNetworkCost
The Basic Requirements of GSM
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
2
Outlines
IntroductionGSM ArchitectureAir InterfaceLocation Tracking and Call SetupHandOffSecuritySummary
3
Introduction
4
IntroductionGlobal System for Mobile Communications (GSM) is a digitalwireless network standardIt was developed by Group Special Mobile of Conference Europeenne des Postes et Telecommunications (CEPT) and European Telecommunications Standards Institute (ETSI)GSM Phases 1 and 2 define digital cellular telecommunications systemGSM Phase 2+ targets on Speech Codec and Data Service
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
ServicesQuality of Services and SecurityRadio Frequency UtilizationNetworkCost
The Basic Requirements of GSM
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
3
Introduction
4
IntroductionGlobal System for Mobile Communications (GSM) is a digitalwireless network standardIt was developed by Group Special Mobile of Conference Europeenne des Postes et Telecommunications (CEPT) and European Telecommunications Standards Institute (ETSI)GSM Phases 1 and 2 define digital cellular telecommunications systemGSM Phase 2+ targets on Speech Codec and Data Service
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
ServicesQuality of Services and SecurityRadio Frequency UtilizationNetworkCost
The Basic Requirements of GSM
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
4
IntroductionGlobal System for Mobile Communications (GSM) is a digitalwireless network standardIt was developed by Group Special Mobile of Conference Europeenne des Postes et Telecommunications (CEPT) and European Telecommunications Standards Institute (ETSI)GSM Phases 1 and 2 define digital cellular telecommunications systemGSM Phase 2+ targets on Speech Codec and Data Service
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
ServicesQuality of Services and SecurityRadio Frequency UtilizationNetworkCost
The Basic Requirements of GSM
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
5
Basic Requirements set out by GSMOriginal text as written by the committee in 1985
ServicesQuality of Services and SecurityRadio Frequency UtilizationNetworkCost
The Basic Requirements of GSM
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
6
GSM Architecture
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
7
SS
BSSMS
GSM System Structure
OMC
BSCRBS
AUC
HLR
EIR
ILR
GMSC
DTIMSCVLR
PSTNPSTN
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
8
GSM Architecture
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
9
Also called Mobile Terminal (MT)The MS consists of two parts
Subscriber Identity Module (SIM)Mobile Equipment (ME)
Mobile Station (MS)
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
10
A SIM contains subscriber-related informationA list of abbreviated and customized short dialing numbersShort message Names of preferred Networks to provide service
Personal Identity Number (PIN)
SIM
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
11
SIMSIM contains important information including
IMSIKiTMSIAccess Control CodeKcLAI
SIM information can be modifiedBy the subscriber either by keypad or a PC using an RS232 connectionBy sending codes through short messages (network operators)
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
12
Mobile Equipment (ME)
ME non-customer-related hardware and software specific to the radio interfaceME can not be used if no SIM is on the MS
Except for emergency callsThe SIM-ME design supports portability
The MS is the property of the subscriberThe SIM is the property of the service provider
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
13
Base Station System (BSS)
The Base Station System (BSS) connects the MS and NSSBSS contains
Base transceiver station (BTS)Base station controller (BSC)
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
14
BTS
Base Transceiver Station (BTS) containsTransmitterReceiverSignaling equipment specific to the radio interface in order to contact the MSs TranscoderRate Adapter Unit (TRAU)
GSM-specific speech encodingdecoding and rate adaptation in data transmission
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
15
GSM 900
GSM 1800
Lightning conductor
Omni-directional Antenna
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
16
GSM 900
GSM 1800
Lightningconductor
Directional Antenna
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
17
Directional Antenna
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
18
Base Station Controller (BSC)Radio channel assignmentHandoff managementConnect to an MSCConnect to several BTSs
Maintain cell configuration data of these BTSsThe BSC communicates with the BTSs via the A-bis
BSC (12)
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
19
BSC (22)The processor load of a BSC
Call activities (around 20-25)Paging and short message service (around 10-15)Mobility management (handoff and location update around 20-25Hardware checkingnetwork-triggered events (around 15-20)
When a BSC is overloaded it first rejects location update next MS originating calls then handoff
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
20
Network and Switching Subsystem (NSS) Telephone switching functionsSubscriber profilesMobility management
Components in NSSMSC provide basic switching functionGateway MSC (GMSC) route an incoming call to an MSC by interrogating the HLR directory
NSS (12)
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
21
NSS (22)
Components in NSS (continuous)HLR and VLR maintain the current location of the MSAuthentication Center (AuC) is used in the security managementEquipment Identity Register (EIR) is used for the registration of MS equipment
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
22
GSM Interfaces
Network and SwitchingSubsystem
MS
BTS
BTS
BTS
BTS
BTS
BTS
BSC
BSC
Abis interface
Um interface
Base StationSubsystems (BSS)
ME
SIM
Cloud
MSC
HLR VLR AUC
A interface
Network and SwitchingSubsystem (NSS)
Cloud
CloudCloud
PSTNGMSC
EIR
MAP interface
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
23
Air Interface
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
24
Radio Interface-Um (13)
The GSM radio link uses TDMAFDDtechnology
890-915 MHz (uplink)935-960 MHz (downlink)124 pairs times 200 KHz 8 time slots (bursts) per carrierA frame consists 8 timeslots (each 0577 msec for a time slot)The length of GSM frame in a frequency carrier is 4615 msec
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
25
Radio Interface-Um (23)
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
8922 MHz
Frame Frame (TDMA)
8924 MHz
Downlink
TS0 TS1 TS2 TS3 TS4 TS5 TS6 TS7 TS0 TS1 TS2 TS3 TS4
Control channel
Traffic channel
C0
C1
FDMA
MS
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
26
GSM Normal Burst
Begin with 3 head bits and end with 3 bitsTwo groups are separated by an equalizer training sequence of 26 bitsThe flags indicates whether the information carried is for speechdata or signaling
3 57 bits 1 26 bits 1 57 bits 3 825 bits
Tailing Data Flag Training Flag Data Tailing Guard
Burst (148 bits0564 msec)
Time Slot (15625 bits or 0577 msec)
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
27
Logical Channels
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
28
Traffic Channel (TCH)
TCHs are intended to carry user information (speech or data)
Full-rate TCH (TCHF)Transmission speed 13 Kbps for speechTransmission speed 96 48 or 24 Kbps for dataEnhanced full-rate (EFR) speech coders for improving the
speech qualityHalf-rate TCH (TCHH)
Transmission speed 65 Kbps speechTransmission speed 48 or 24 Kbps of data
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
29
Control Channels (CCH)
CCHs to carry signaling informationThree types of CCHs
Broadcast channel (BCH)Common control channel (CCCH)Dedicated control channel (DCCH)
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
30
Broadcast Channels (BCHs)BTS broadcasts system information to the MSsthrough BCHsTwo types in BCH
Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
The information allows the MS to acquire and stay synchronized with the BSS
Broadcast Control Channel (BCCH) (downlink)Access information for the selected cell Information related to the surrounding cells to support cell selection Location registration procedures in an MS
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
31
Three types in CCCHRandom Access Channel (RACH) (uplink)
Used by the MSs for initial access to the networkCollision may occurs Slotted Aloha protocol is used to resolve access collision
Access Grant Channel (AGCH) (downlink) Used by the network to indicate radio link allocation upon prime access of an MS
Paging Channel (PCH) (downlink)Used by the network to page the destination MS in call
termination
Common Control Channel (CCCH)
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
32
DCCH is for dedicated use by a specific MSFour types in DCCH
Standalone Dedicated Control Channel (SDCCH) (downuplink)
used only for signaling and for short messageSlow Associated Control Channel (SACCH) (downuplink)
Associated with either a TCH or an SDCCHFor non-urgent proceduresPower and time alignment control information (downlink) Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (12)
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
33
Four types in DCCH (continuous)Fast Associated Control Channel (FACCH)(downuplink)
Used for time-critical signaling such as call-establishing progress authentication of subscriber or handoffFACCH use TCH during a call May cause user data loss
Cell Broadcast Channel (CBCH) (downlink)Carries only the short message service cell broadcast messages which use the same time slot as the SDCCH
Dedicated Control Channel (DCCH) (22)
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
34
GSM Burst Structure
3 57 bits 1Normal Burst
26 bits 1 57 bits 3 825 bitsTailing Data Flag Training Flag Data Tailing Guard
3 142 bitsFrequency Correction Burst
3 825 bitsTailing Fixed Bits Tailing Guard
3 39 bitsSynchronization Burst
64 bits 39 bits 3 825 bitsTailing Data Training Data Tailing Guard
3 41 bitsAccess Burst
36 bits 3 6825 bitsTailing Synch Seq Data Tailing Guard
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
35
Example of Channel Usage(GSM Call Origination)
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
36
Example of Channel Usage (GSM Call Termination)
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
37
Mobility Databases
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
38
Mobility Databases
The hierarchical databases used in GSMThe home location register (HLR) is a database used for MS information managementThe visitor location register (VLR) is the database of the service area visited by an MS
MSC 1
HLR
VLR 1 VLR 2
MSC 2
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
39
Key Terms
GSM uses some identifiersMobile system ISDN (MSISDN)Mobile Station Roaming Number (MSRN)International Mobile Subscriber Identity (IMSI)Temporary Mobile Subscriber Identity (TMSI)International Mobile station Equipment Identity (IMEI)Location Area Identity (LAI)Cell Global Identity (CAI)
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
40
MSISDN
Mobile System ISDNMSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E164)HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber
Country code (CC)
National destination code (NDC)
Subscriber number (SN)
Total up to 15 digits
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
41
MSRN
Mobile Station Roaming NumberThe routing address to route the call to the MS through the visited MSC
MSRN=CC+NDC+SN
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
42
IMSI
International Mobile Subscriber IdentityEach mobile unit is identified uniquely with an IMSIIMSI includes the country mobile network mobile subscriberTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Mobile subscriber identification code (MSIC)
3 digits 1- 2 digits Up to 10 digits
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
43
TMSI
Temporary Mobile Subscriber IdentifyTMSI is an alias used in place of the IMSIThis value is sent over the air interface in place of the IMSI for purposes of security
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
44
IMEI
International Mobile Station Equipment IdentityIMEI is assigned to the GSM at the factoryWhen a GSM component passes conformance and interoperability tests it is given a TACUp to 15 digits
Type approval code (FAC)
Final assembly code (FAC) Serial number (MSIC)
3 digits 2 digits Up to 10 digits
Spare 1 digit
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
45
LAI
Location Area IdentityLAI identifies a location area (LA)When an MS roams into another cell if it is in the same LAI no information is exchangedTotal up to 15 digits
Mobile country code (MCC)
Mobile network code (MNC)
Location area code (LAC)
3 digits 1-2 digits Up to 10 digits
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
46
CGI
Cell Global IdentityCGI = LAI + CI
= MCC + MNC + LAC + CI CI Cell Identity
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
47
Home Location Register (HLR)An HLR record consists of 3 types of information
Mobile station informationIMSI (used by the MS to access the network)MSISDN (the ISDN number-ldquoPhone Numberrdquo of the MS)
Location informationISDN number of the VLR (where the MS resides)ISDN number of the MSC (where the MS resides)
Service informationservice subscriptionservice restrictionssupplementary services
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
48
Visitor Location Register (VLR)
The VLR information consists of three partsMobile Station Information
IMSIMSISDNTMSI
Location InformationMSC NumberLocation Area ID (LAI)
Service InformationA subset of the service Information stored in HLR
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
49
Identifiers and Components
MSC號碼
CGILAI
TMSIIMSI
MSRNMSISDN
MSBTSBSCVLRMSCHLR號碼
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
50
Location Tracking(Mobility Management)
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
51
Location Update
BS 2
BS 1
BS 3
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
52
Two-level Hierarchical Strategy
The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs
MSC 1
HLR
VLR 1 VLR 2
MSC 2
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
53
Location Area
Location area (LA) is the basic unit for location tracking
MSC MSC
MSC
LA 1
LA 2
LA 3
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
54
GSM Location Area Hierarchy
HLR
VLR2VLR1
MSC1 MSC2
LA1 LA2
MS
HLR HOME Location RegisterVLR VISITOR Location RegisterMSC Mobile Switching CenterLA Location AreaMS Mobile Station
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
55
Location Update Concept
Registration the location update procedure initiated by the MS
Step 1 BS periodically broadcasts the LA addressStep 2 When an MS finds the LA of BS different from the one stored in it memory it sends a registration message to the networkStep 3 The location information is update
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
56
Periodically Registration
The MS periodically send registration messages to the networkThe period is 6 minutes to 24 hoursPeriodic registration is useful for fault-tolerance purposes
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
57
GSM Basic Location Update Procedure
In GSM registration or location update occurs when an MS moves from one LA to anotherThree cases of location update
Case 1 Inter-LA MovementCase 2 Inter-MSC MovementCase 3 Inter-VLR Movement
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
58
GSM Basic Location Update Procedure
Case 1 Inter-LA Movement
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
59
Current State of Mobile PhoneHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4TMSI=0105
LAI=LA1
LAI=LA1
MSC=MSC1
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
60
Intra-MSC (Inter-LA)HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
61
Intra-MSC當手機自BTS2rarrBTS3因聽見的LAI與紀錄的LAI不同因此觸發註冊程序(Registration)
Step 1手機送出TMSI=0105舊LAI=LA1新LAI=LA2
Step 2手機update SIM LAI=LA2
Step 3當MSC1收到註冊要求後check TMSI是否在記錄中此例存在表示本次移動僅更換LAI未更換MSC
Step 4MSC1更新記錄中新的LAI為LA2
LA4
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
62
Intra-MSCSteps 5MSC1送一註冊要求至VLR1內含
送者=MSC1TMSI=0105舊LAI=LA1新LAI=LA2
Steps 6VLR發現記錄中MSC與送者相同rarr確定不更正MSCVLR更改記錄中LAIlarrLA2
Steps 7VLR回ACK給MSC
Steps 8MSCrarrBSC rarrBTS rarrMSACK ACK ACK
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3
moving
LA4
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
63
GSM Basic Location Update Procedure
Case 2 Inter-MSC Movement
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
64
Inter-MSCHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
65
Inter-MSC假設手機目前在BTS3並往BTS4移動手機目前處於待機
Step 1手機移至BTS4手機聽見LA3與其SIM卡中的LAI不同觸發Registration procedure
Step 2手機送出(給BTS4)TMSI=0105舊LAI=LA2新LAI=LA3
Step 3 BTS4轉送給BSC3再轉送MSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
66
Inter-MSCStep 4MSC2發現TMSI資料不存在MSC2往上傳給VLR1
送者=MSC2TMSI=0105舊LAI=LA2新LAI=LA3
Step 5 VLR1 check TMSI已存在送者MSC與紀錄不同確定此次移動為跨MSC但未跨VLRVLR update紀錄MSClarrMSC2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
67
Inter-MSCStep 6
(1)VLR1上送HLR送者=VLR1新MSC=MSC2IMSI=hellip
(2)VLR2下送MSC2IMSI=hellipTMSI=0105LAI=LA3
(3)VLR下送註冊取消命令給MSC1IMSI=hellipTMSI=0105
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
68
Inter-MSCStep 7HKR以IMSI check VLR欄rarr相同因此只update MSClarrMSC2並ACK VLR1
Step 8MSC2新增一筆紀錄
Step 9 MSC1將TMSI0105紀錄刪除並ACK VLR1
Step 10 VLR1rarrMSC2rarrBSC3rarrBTS4rarr手機
Step 11手機update LAIlarrLA3
ACK ACK ACK ACK
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
69
GSM Basic Location Update Procedure
Case 3 Inter-VLR Movement
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
70
Inter-VLRHLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
moving
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
71
Inter-VLRStep 1MS update LAIlarrLA4觸發Registration手機送MSrarrBTS5larrBSC4larrMSC3
TMSI=0105舊LAI=LA3新LAI=LA4
Step 2MSC3 check無此資料送給VLR2送者=MSC3TMSI=0105舊LAI=LA3新LAI=LA4
Step 3VLR2 check無此紀錄依TMSI反推舊VLR=VLR1VLR2送一訊息給VLR1目的(1)check TMSI正確否(2)索取IMSIVLR1收到後check TMSI存在取出IMSI回送VLR2VLR2新增一筆紀錄
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
72
Inter-VLRStep 4VLR2以IMSI反推HLR=HLR1VLR2網上送給HLR1
送者=VLR2新MSC=MSC3IMSI=hellip
Step 5HLR1一IMSI進行updateVLRlarrVLR2MSC larrMSC3HLR rarrVLR2
moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
ACK
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
73
Inter-VLRStep 6VLR2 rarr VLR1VLR1刪除此資料並通知MSC2近刪除
Step 7VLR2製造依新的TMSI=0208update自己TMSI=0208
Step 8VLR2下傳MSC3新TMSI=0208LAI=LA4IMSI=hellip
Step 9新增一筆資料
Step 10MSC3rarrBSC4rarrBTS5rarrMS
Step 11手機update TMSI=0208moving
HLR1
VLR1 VLR2
MSC1 MSC2 MSC3
BTS1 BTS2 BTS3 BTS4 BTS5 BTS6
BSC1 BSC2 BSC3 BSC4
LA1 LA2 LA3 LA4
TMSI
刪除
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
74
Call Origination and Termination
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
75
Call Origination OperationV L R V 2
M S C
u 1
C loudC loud
P S T N
V L RT erm in a tin g
S w itch M S C
2 M A P _S E N D _ IN F O _ F O R _O U T G O IN G _ C A L L
3 M A P _S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _a ck
4 IA M
2
3
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
76
GSM Basic Call Origination
The process isStep 1 MS sends the call origination request to MSCStep 2 MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALLStep 3 VLR checks MSrsquos profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ackto MSC to grant the call requestStep 4 MSC sets up the trunk according to the standard PSTN call setup procedure
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
77
Call Termination Message Flow
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
78
Call Termination (12)
Routing information for call termination can be obtained form the serving VLRThe basic call termination process
Step 1 A MSrsquos ISDN (MSISDN) number is dialed by a PSTN user The call is routed to a gateway MSC by an SS7 ISUP IAM messageStep 2 GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
79
Call Termination (22)
The process continuesStep 3 HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR
Parameter included IMSI of the MS the MSC numberSteps 4 and 5 VLR creates Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record
MSRN is sent back to the gateway MSC through HLRMSRN provides the address of the target MSC where the MS resides
Step 6 An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to setup the voice trunk
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
80
CloudCloud
Cloud
OtherSwitches
HLR
1
3
GMSC
MSC
VLR
CloudCloud
Cloud
OtherSwitches
1
1 1
22
3
3
The Mobile Call Termination (Delivery) Procedure
MSISDN
MSRN MSRN
MSISDNMSISDN
依據PSTN正常程序建立電話
IMSI
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
81
Handoff (Handover)
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
82
Handoff
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
83
Two Aspects of Mobility in a PCS Network
Handoff Link transfer or HandoverA mobile user moves from one coverage area of an old BS to the coverage area of a new BS during theconversationThe radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation
RoamingWhen a mobile user moves from one system to another the user location should tell the PCS system
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
84
BS Coverage Area
BS coverage areairregularIn the cell boundary
Signal from a neighboring BS Signal from the serving BS
Otherwise Forced termination
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
85
Handoff Cost
Handoffs are expensiveSpecial for the system with small cell sizesSmall cell size for
To increase the capacity of the systems To reduce power requirements of MSs
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
86
Issues for Handoff Management
Handoff detectionWho and how
Channel assignment Radio link transfer
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
87
Handoff Detection
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
88
Strategies for Handoff Detection
Who makes a decision for handoffThree handoff detection schemes
Mobile-Controlled Handoff (MCHO)Network-Controlled Handoff (NCHO)Mobile-Assisted Handoff (MAHO)Others
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
89
MCHO is used in DECT and PACSPart I The MS continuously monitors the signals of the surrounding BSsPart II The MS initiates the handoff process when some handoff criteria are met
Mobile-Controlled Handoff (MCHO)
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
90
Network-Controlled Handoff (NCHO)
Used in CT-2+ and AMPSPart I The surrounding BSs measure the signal from the MSPart II The network initiates the handoff process when some handoff criteria are metMSC controls the handoff
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
91
Mobile-Assisted Handoff (MAHO)
Used in GSM IS-136 and IS-95Part I The network asks the MS to measure the signal from the surrounding BSsPart II The network makes the handoff decision based on the reports from the MS
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
92
Channel Assignment for Handoff Calls
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
93
Channel Assignment
Purposeto achieve a high degree of spectrum utilization for a given grade of service
ExTo reduce forced terminations
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
94
Forced Terminations
Blocked callInitial access requests failFor new callNo available channels on the visited BS
Forced terminationsHandoff requests failFor handoff callNo available channel on the selected BSs
Which one is serious new call blocking or force terminating
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
95
Some trade-offs
Service qualitySpectrum utilizationImplementation complexity of the channel assignment algorithmNumber of database lookups
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
96
Flowchart for Non-prioritized Scheme
New or handoff call arrival
Channel available
Channel assigned
yes
no Channel blocked
Ongoing call
Channel released
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
97
Flowchart for Reserved Channel Scheme
New call arrival
Normal channel available
Channel assigned
Handoff call arrival
Normal channel available
Reserved channel available
yes yes
yes
no
no no
Channel blocked
Ongoing call
Channel released
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
98
Link Transfer
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
99
Link Transfer
Two operationsThe radio link is transferred from the old BS to the new BSThe network bridges the trunk to the new BS and drop the trunk to the old BS
MSC
Old BS New
BS
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
100
Five Distinct Link Transfer Cases (13)
1 Intra-BTS handoff or intra-cell handoff 2 Inter-BTS handoff or inter-cell handoff 3 Inter-BSC handoff4 Inter-MSC handoff or intersystem handoff5 Intersystem handoff between two PCS networks
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
101
Inter-BSC Handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
(a) Before handoff (b) After handoff
MSC 1
Old BS
New BS
BSC 2BSC 1
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Intra-MSCMS Target BSSMSCServing BSS
4 HAND_REQ_ACK3 HAND_REQ
2 HAND_REQ1 STRN_MEAS
5 HAND_COMM6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP12 REL_RCH
13 REL_RCH_COMP
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
103
Inter-MSC Link Transfer
MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(a) Before handoff
trunk MSC B
BS 1
MSC A
BS 2
PSTNPSTN
(b) After handoff
trunk
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Inter-MSC (12)
MS Serving MSC
Serving BSS
1 STRN_MEAS
Target MSC
Target BSS
Target VLR
2 HAND_REQ3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK8 HAND_PER_ACK
9 NET_SETUP10 SETUP_COMP
11 HAND_COMM12 HAND_COMM
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Inter-MSC (22)MS Serving
MSCServing BSS
13 HAND_ACC
Target MSC
Target BSS
Target VLR
14 CHH_INFO
16 HAND_COMP15 HAND_DET
18 SEND_ENDING
17 HAND_COMP
19 ANSWER
24 ERL_HAND_NUM
20 REL_RCH
21 REL_RCH_COMP
23 NET_REL
22 END_SIGNAL
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
106
Anchor MSC
MSC A MSC B MSC C
BS 1 BS 2
BS 3 BS 4 BS 5
1 2
3
4
MSC A is the anchor MSC1 inter-BS handoff 2 handoff forward3 handoff back 4 handoff to the third
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
107
Path MinimizationMSCA MSCB MSCA MSCB
(a) Handoff forwad (a) Handoff Backwad
MSCA
MSCB
(c) Handoff to the Third
MSCcMSCA
MSCB
(d) Path Minimization
MSCc
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
108
Radio Link Transfer
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
109
Hard Handoff
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
110
Hard Handoff
MS connects with only one BS at a time Interruption in the conversation occursUsed in TDMA and FDMA systemsWe will study the signaling of handoff
MCHO Link Transfer MAHONCHO Link TransferSubrating MCHO Link Transfer
MSC
Old BS
New BS
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
111
Hard Handoff Link Transfer for MCHO
A handoff request message is initiated by the MSThe network can initiate the handoff But always MS chooses the BS
MS selects a new radio channelIf a handoff failure occurs the MS link-quality maintenance process must decide what to do next
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
112
Soft Handoff
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
113
Soft Handoff
MS connects to multiple BSssimultaneouslyBSs use the same frequencyBSs must be synchronizedThe network must combine the signals form the multiple BSssimultaneouslySoft handoff is more complicated than hard handoff
MSC
BS 1 BS 2
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
114
Mobility Management
Mobility management procedures begin when a system detects the presence of a visiting terminal
(1) serving base station rarr serving MSC (inform MSC the terminalrsquos action)(2) MSC records that the terminal is in its operating area(3) MSC send this information to its VLR(4) VLR notifies the terminalrsquos HLR(5) HLR notifies the old VLR to erase record
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
HomeMSC
BSBS
VisitedMSC
BS
BS
VLR
HLR
---------
Poweron
profile request result
VLR
Registration notification invokecontains MIN ECN SID addressof VLR
Registration cancellation invoke profile request invoke
CSS
Registration notification invokecontains MIN ECN SID
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Figure 44 Registration of a terminal in a visited service area
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
PriorMSC
PriorVLR HLR
ServingVLR
Figure 44 Registration of a terminal in a visited service area
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
118
Handoff CategoriesIS-41 specifies three handoff protocols
handoff forward handoff back and handoff to thirdIntersystem handoff requires dedicated communication links between a pair of MSCs
voice trunks for carrying user information in calls handed from one MSC to anotherdata links for carrying control messages between the two switch
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff forwardThe terminal moves into the service area of system B causing MSC-A and MSC-B to perform a handoffMSC-A is the anchor MSCMSC-A is responsible for routing the call to the remote partyMSC-B is the serving MSC because it currently has control of the callAfter handoff MSC-B is the target MSC
Figure 48 The situation after a handoffforward from system A(anchor system) tosystem B(serving system)
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff BackThe terminal can return to the service area of system AMSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol which releases the voice circuit between MSC-A and MSC-BWithout this protocol the systems would tie up two voice trunks
one taking the call from system A to system Bthe other taking it from system B to system A
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff forwardIt is possible that the terminal will move from system B to a third system CThis produces two possibilities in Figures 49 and 410In Figure 49 MSC-B and MSC-C perform a handoff forward procedure the one that moved the call from system A to system BSystem B provides a path from MSC-A to MSC-CThe situation can continue adding more and more MSCsto the chain up to a limit established by the anchor systemFigure 49 Call path after handoff forward to
system C
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff to thirdAn alternative occurs when there is a direct connection between systems A and CIS-41 includes a protocol referred to as handoff to third which establishes a direct link between MSC-A and MSC-C and release the link between A and B
Figure 410 If there are circuits connecting MSC-Aand MSC-C the system performs handoff to third
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff ProtocolsThere are two phases to every handoff procedure
Location phasethe serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminalWhen measurements are required from one or more cells in a system adjacent to the serving system the adjacent system becomes a candidate systemThe serving MSC and a candidate MSC exchange handoff measurement request messages
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
A HANDOFF MEASUREMENT REQUEST INVOKE message transmitted by the serving MSC includes
information about the terminal (station class mark SCM indicates the capabilities of the terminal)information about the serving base station (SAT and a base station identifier) andinformation about the radio channel carrying the call (channel number)
Based on the identity of the serving base station the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurementsThe serving MSC selects a target cell for the handoffIf the target cell is served by a candidate MSC this MSC becomes the target MSC for the handoffThe handoff procedure then moves from the location phase to the handoff phase
Handoff phasethe serving MSC determines the type of handoff to initiate (forward back or handoff to third)
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff Forward ProtocolThe serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSCThis message contains
information about the terminal (SCM MIN ESN)information about the call
billing ID (established by the anchor MSC at the beginning of the call)inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC)inter-switch count (the total number of MSCs through which the call will pass after the handoff)
information about the call status (serving cell serving channel) andtarget cell identifier (based on measurement reports from the get MSC)
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
If the target MSC accepts the handoff it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSCThis message contains information about the new channel
channel number SAT and transmit power level (VMAC)On receiving this message the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cellWhen the target base station detects the SAT it sends a messageto the target MSC which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Figure 411 Message sequence and system operations for handoff forward
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Figure 411 Message sequence and system operations for handoff forward
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff Back ProtocolIf the location phase results in a determination by the serving MSC(MSC-B) that the call would best be handled in the system(system A) previously occupied by the terminal the serving MSC initiates a handoff back procedureIt (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A) which is now the target MSC of the handoff protocolThe message plays the same role as the FACILITIES DIRECTIVE INVOKE messageThe target MSC (MSC-A) sends HANDOFF BACK RESULT message to the serving MSC (MSC-B)This message contains the same information as the FACILITIES DIRECTIVE RESULT message
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
When the target MSC(MSC-A) learns that the terminal has arrived on the assigned channel at the target base station it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B)This message identifies the voice trunk that carries the call between the two MSCsOn receiving this message the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSCAny two MSCs in a chain can perform the handoff back protocol
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
Handoff to third ProtocolHandoff to third protocol is an example of path minimization procedure in which the system reduces the number of voice trunks carrying a call through three or more systems
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
135
Security
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
136
Security
GSM security is addressed in two aspects authentication and encryption
Authentication avoids fraudulent access by a cloned MSEncryption avoids unauthorized listening
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
137
Parameters
ParametersKi is used to achieve authentication
Ki is stored in the AuC and SIMKi is not known to the subscriber
RANDA 128-bit random number generated by the home system
SRES is generated by algorithm A3Kc is generated by algorithm A8 for the encryptionFrame Number
A TDMA frame number encoded in the data bits
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
138
AlgorithmsAuthentication Algorithms
A3Authentication functionIn AuC and SIM
Encryption AlgorithmsA8
To generate the encryption KeyIn AuC and SIM
A5An algorithm stored in the MS (handset hardware) and the visited systemUsed for the data ciphering and deciphering
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
139
Authentication and Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
140
Authentication by Triplet
Triplet RAND SRES KcAuCrarrHLRrarrVLR in advance
Example Authentication in registrationNew VLR uses LAI to find old VLROld VLR sends triplets to new VLRNew VLR challenges MS by using RAND and SRES
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
141
Encryption
Ki
RAND
A3 A8
Equal
SRES
Yes
No
reject
accept
A5
Kc
Ki
FrameNumber
A8 A3
SRES
Kc
A5 DataCiphered DataData
Mobile Station Home System
Visited System
authentication encryption
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
142
Summary
GSM ArchitectureMS BSS NSSRadio Interface
GSM Radio and ChannelsLocation TrackingHand OffSecurity
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
143
Chap 625G GPRS
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
144
General Packet Radio Service (GPRS)A packet-switched protocol GPRS radio link protocol
To guarantee fast call setup procedure and low-bit error rate for data transfer between the MSs and the BSs
A new infrastructure is introduced to GPRS for the packet services
25G GPRS
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
145
GPRS Architecture
MS
TAF
TE MSC
PSTNPSDN
ISDN
HLR Home Location Register
VLR Visitor Location Register
BSS Base Station Subsystem
TAF Terminal Adaption Function
TE Terminal Equipment
BSS
radiointerface
PSTN Public Switched Telephone Network
PSDN Public Switched Data Network
SGSN GGSN
HLRSignaling link
MSC Mobile Switching Center
SGSN Serving GPRS Support NodeGGSN Gateway GPRS Support Node
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
146
Chap 73G WCDMA
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
147
Spread Spectrum Technique3G WCDMA
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
148
Scheme of CDMA(uplink)
s1(t)
s2(t)
s(t) = s1(t) +s2(t) d1(t)+c1(t)s2(t)
c2(t)s1(t)+d2(t)
LPF
LPF
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
149
Principle of CDMA
4 spread codes for users ABCD to send one bit dataA 00011011 A (-1-1-1+1+1-1+1+1)B 00101110 B (-1-1+1-1+1+1+1-1)C 01011100 C (-1+1-1+1+1+1-1-1)D 01000010 D (-1+1-1-1-1-1+1-1)
ExampleA S1=(-1-1-1+1+1-1+1+1) =gt S1bullA=(1+1+1+1+1+1+1+1)8=1B+C S2=(-2 0 0 0+2+2 0-2) =gt S2bullC=(2+0+0+0+2+2+0+2)8=1A+B+C+D S3=(-2-2 0-2 0-2+4 0) =gt S3bullC=(2-2+0-2+0-2-4+0)8=-1
ProofSbullC =(B+C)bullC = BbullC + CbullC = 0 + 1 = 1
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
150
Orthogonal Variable Spreading Factor
S F = 1 S F = 2 S F = 4
C ch1 0 = (1 )
C ch2 0 = (1 1 )
C ch2 1 = (1 -1 )
C ch4 0 = (1 1 1 1 )
C ch4 1 = (1 1 -1 -1 )
C ch4 2 = (1 -1 1 -1 )
C ch4 3 = (1 -1 -1 1 )
Orthogonalbull Same tree path non-orthogonal
top related