Chap 5 2G: GSM System
Outline
- Introduction
- GSM Architecture
- Air Interface
- Location Tracking and Call Setup
- Handoff
- Security
- Summary
Introduction
- Global System for Mobile Communications (GSM) is a digital wireless network standard.
- It was developed by Group Special Mobile of the Conference Europeenne des Postes et Telecommunications (CEPT) and the European Telecommunications Standards Institute (ETSI).
  - GSM Phases 1 and 2 define the digital cellular telecommunications system.
  - GSM Phase 2+ targets speech codec and data service.
The Basic Requirements of GSM
- Basic requirements set out by GSM
  - Original text as written by the committee in 1985
- Services
- Quality of Services and Security
- Radio Frequency Utilization
- Network
- Cost
GSM Architecture
GSM System Structure
[Figure: GSM system structure. Labels: MS, BSS (RBS, BSC), SS (MSC/VLR, GMSC, HLR, AUC, EIR, ILR, DTI), OMC, PSTN]
GSM Architecture
[Figure: GSM architecture. The MS (ME and SIM) reaches the BTSs over the Um interface; the BTSs reach the BSC over the Abis interface (Base Station Subsystem, BSS); the BSC reaches the MSC over the A interface. The Network and Switching Subsystem (NSS) contains the MSC, GMSC, HLR, VLR, EIR and AUC and connects to the PSTN.]
Mobile Station (MS)
- Also called Mobile Terminal (MT)
- The MS consists of two parts:
  - Subscriber Identity Module (SIM)
  - Mobile Equipment (ME)
SIM
- A SIM contains subscriber-related information
  - A list of abbreviated and customized short dialing numbers
  - Short message
  - Names of preferred networks to provide service
  - Personal Identity Number (PIN)
- SIM contains important information including
  - IMSI
  - Ki
  - TMSI
  - Access Control Code
  - Kc
  - LAI
- SIM information can be modified:
  - By the subscriber, either by keypad or a PC using an RS232 connection
  - By sending codes through short messages (network operators)
Mobile Equipment (ME)
- ME: non-customer-related hardware and software specific to the radio interface
- ME cannot be used if no SIM is on the MS.
  - Except for emergency calls
- The SIM-ME design supports portability:
  - The MS is the property of the subscriber.
  - The SIM is the property of the service provider.
Base Station System (BSS)
- The Base Station System (BSS) connects the MS and NSS.
- BSS contains
  - Base transceiver station (BTS)
  - Base station controller (BSC)
BTS
- Base Transceiver Station (BTS) contains
  - Transmitter
  - Receiver
  - Signaling equipment specific to the radio interface in order to contact the MSs.
  - Transcoder/Rate Adapter Unit (TRAU)
    - GSM-specific speech encoding/decoding and rate adaptation in data transmission
[Figure: BTS antennas. Omni-directional and directional antennas for GSM 900 and GSM 1800, with lightning conductors]
BSC (1/2)
- Base Station Controller (BSC)
  - Radio channel assignment
  - Handoff management
  - Connect to an MSC
  - Connect to several BTSs
    - Maintain cell configuration data of these BTSs.
    - The BSC communicates with the BTSs via the A-bis.
BSC (2/2)
- The processor load of a BSC:
  - Call activities (around 20-25%)
  - Paging and short message service (around 10-15%)
  - Mobility management (handoff and location update, around 20-25%)
  - Hardware checking/network-triggered events (around 15-20%)
- When a BSC is overloaded, it first rejects location update, next MS originating calls, then handoff.
NSS (1/2)
- Network and Switching Subsystem (NSS)
  - Telephone switching functions
  - Subscriber profiles
  - Mobility management
- Components in NSS:
  - MSC: provides the basic switching function
  - Gateway MSC (GMSC): routes an incoming call to an MSC by interrogating the HLR directory.
NSS (2/2)
- Components in NSS (continued):
  - HLR and VLR maintain the current location of the MS.
  - Authentication Center (AuC) is used in the security management.
  - Equipment Identity Register (EIR) is used for the registration of MS equipment.
GSM Interfaces
[Figure: GSM interfaces. Um interface between the MS (ME and SIM) and the BTSs; Abis interface between the BTSs and the BSC (Base Station Subsystem, BSS); A interface between the BSC and the MSC; MAP interface inside the Network and Switching Subsystem (NSS: MSC, GMSC, HLR, VLR, EIR, AUC), which connects to the PSTN.]
Air Interface
Radio Interface-Um (1/3)
- The GSM radio link uses TDMA/FDD technology.
  - 890-915 MHz (uplink)
  - 935-960 MHz (downlink)
  - 124 pairs × 200 kHz
  - 8 time slots (bursts) per carrier
  - A frame consists of 8 time slots (0.577 msec each).
  - The length of a GSM frame in a frequency carrier is 4.615 msec.
Radio Interface-Um (2/3)
[Figure: Downlink FDMA carriers C0 and C1 (892.2 MHz, 892.4 MHz), each carrying TDMA frames of time slots TS0 to TS7; the time slots carry the control channel and traffic channel to the MS.]
GSM Normal Burst
Tailing 3 | Data 57 bits | Flag 1 | Training 26 bits | Flag 1 | Data 57 bits | Tailing 3 | Guard 8.25 bits
Burst (148 bits/0.564 msec); Time Slot (156.25 bits or 0.577 msec)
- Begins with 3 head bits and ends with 3 tail bits.
- Two groups of data bits are separated by an equalizer training sequence of 26 bits.
- The flags indicate whether the information carried is for speech/data or signaling.
Logical Channels
Traffic Channel (TCH)
- TCHs are intended to carry user information (speech or data).
  - Full-rate TCH (TCH/F)
    - Transmission speed: 13 Kbps for speech
    - Transmission speed: 9.6, 4.8 or 2.4 Kbps for data
    - Enhanced full-rate (EFR) speech coders for improving the speech quality
  - Half-rate TCH (TCH/H)
    - Transmission speed: 6.5 Kbps for speech
    - Transmission speed: 4.8 or 2.4 Kbps for data
Control Channels (CCH)
- CCHs: to carry signaling information
- Three types of CCHs:
  - Broadcast channel (BCH)
  - Common control channel (CCCH)
  - Dedicated control channel (DCCH)
Broadcast Channels (BCHs)
- BTS broadcasts system information to the MSs through BCHs.
- Two types in BCH:
  - Frequency Correction Channel (FCCH) and Synchronization Channel (SCH)
    - The information allows the MS to acquire and stay synchronized with the BSS.
  - Broadcast Control Channel (BCCH) (downlink)
    - Access information for the selected cell
    - Information related to the surrounding cells to support cell selection
    - Location registration procedures in an MS
Common Control Channel (CCCH)
- Three types in CCCH:
  - Random Access Channel (RACH) (uplink)
    - Used by the MSs for initial access to the network
    - Collisions may occur.
    - Slotted Aloha protocol is used to resolve access collision.
  - Access Grant Channel (AGCH) (downlink)
    - Used by the network to indicate radio link allocation upon prime access of an MS
  - Paging Channel (PCH) (downlink)
    - Used by the network to page the destination MS in call termination
Dedicated Control Channel (DCCH) (1/2)
- DCCH is for dedicated use by a specific MS.
- Four types in DCCH:
  - Standalone Dedicated Control Channel (SDCCH) (down/uplink)
    - Used only for signaling and for short message
  - Slow Associated Control Channel (SACCH) (down/uplink)
    - Associated with either a TCH or an SDCCH
    - For non-urgent procedures
    - Power and time alignment control information (downlink)
    - Measurement reports from the MS (uplink)
Dedicated Control Channel (DCCH) (2/2)
- Four types in DCCH (continued):
  - Fast Associated Control Channel (FACCH) (down/uplink)
    - Used for time-critical signaling, such as call-establishing progress, authentication of subscriber, or handoff.
    - FACCH uses the TCH during a call.
    - May cause user data loss.
  - Cell Broadcast Channel (CBCH) (downlink)
    - Carries only the short message service cell broadcast messages, which use the same time slot as the SDCCH.
GSM Burst Structure
- Normal Burst: Tailing 3 | Data 57 bits | Flag 1 | Training 26 bits | Flag 1 | Data 57 bits | Tailing 3 | Guard 8.25 bits
- Frequency Correction Burst: Tailing 3 | Fixed Bits 142 bits | Tailing 3 | Guard 8.25 bits
- Synchronization Burst: Tailing 3 | Data 39 bits | Training 64 bits | Data 39 bits | Tailing 3 | Guard 8.25 bits
- Access Burst: Tailing 3 | Synch. Seq. 41 bits | Data 36 bits | Tailing 3 | Guard 68.25 bits
Example of Channel Usage (GSM Call Origination)
Example of Channel Usage (GSM Call Termination)
Mobility Databases
Mobility Databases
- The hierarchical databases used in GSM.
  - The home location register (HLR) is a database used for MS information management.
  - The visitor location register (VLR) is the database of the service area visited by an MS.
[Figure: the HLR above VLR 1 / MSC 1 and VLR 2 / MSC 2]
Key Terms
- GSM uses some identifiers
  - Mobile system ISDN (MSISDN)
  - Mobile Station Roaming Number (MSRN)
  - International Mobile Subscriber Identity (IMSI)
  - Temporary Mobile Subscriber Identity (TMSI)
  - International Mobile station Equipment Identity (IMEI)
  - Location Area Identity (LAI)
  - Cell Global Identity (CGI)
MSISDN
- Mobile System ISDN
  - MSISDN uses the same format as the ISDN address (based on ITU-T Recommendation E.164).
  - HLR uses MSISDN to provide routing instructions to other components in order to reach the subscriber.
- Format (total up to 15 digits): Country code (CC) | National destination code (NDC) | Subscriber number (SN)
MSRN
- Mobile Station Roaming Number
- The routing address to route the call to the MS through the visited MSC.
  - MSRN = CC + NDC + SN
IMSI
- International Mobile Subscriber Identity
  - Each mobile unit is identified uniquely with an IMSI.
  - IMSI includes the country, mobile network, and mobile subscriber.
- Format (total up to 15 digits): Mobile country code (MCC), 3 digits | Mobile network code (MNC), 1-2 digits | Mobile subscriber identification code (MSIC), up to 10 digits
TMSI
- Temporary Mobile Subscriber Identity
  - TMSI is an alias used in place of the IMSI.
  - This value is sent over the air interface in place of the IMSI for purposes of security.
IMEI
- International Mobile Station Equipment Identity
  - IMEI is assigned to the GSM at the factory.
  - When a GSM component passes conformance and interoperability tests, it is given a TAC.
- Format (up to 15 digits): Type approval code (TAC), 3 digits | Final assembly code (FAC), 2 digits | Serial number (MSIC), up to 10 digits | Spare, 1 digit
LAI
- Location Area Identity
  - LAI identifies a location area (LA).
  - When an MS roams into another cell, if it is in the same LAI, no information is exchanged.
- Format (total up to 15 digits): Mobile country code (MCC), 3 digits | Mobile network code (MNC), 1-2 digits | Location area code (LAC), up to 10 digits
CGI
- Cell Global Identity
- CGI = LAI + CI = MCC + MNC + LAC + CI
  - CI: Cell Identity
Home Location Register (HLR)
- An HLR record consists of 3 types of information:
  - Mobile station information
    - IMSI (used by the MS to access the network)
    - MSISDN (the ISDN number, or "phone number", of the MS)
  - Location information
    - ISDN number of the VLR (where the MS resides)
    - ISDN number of the MSC (where the MS resides)
  - Service information
    - service subscription
    - service restrictions
    - supplementary services
Visitor Location Register (VLR)
- The VLR information consists of three parts:
  - Mobile Station Information
    - IMSI
    - MSISDN
    - TMSI
  - Location Information
    - MSC Number
    - Location Area ID (LAI)
  - Service Information
    - A subset of the service information stored in HLR
Identifiers and Components
[Table: identifiers (MSISDN, MSRN, TMSI, LAI, IMSI, CGI, MSC number) against the components that hold them (HLR, VLR/MSC, BSC, BTS, MS)]
Location Tracking (Mobility Management)
Location Update
[Figure: an MS moving among BS 1, BS 2 and BS 3]
Two-level Hierarchical Strategy
- The current location of an MS is maintained by a two-level hierarchical strategy with the HLR and the VLRs.
[Figure: the HLR above VLR 1 / MSC 1 and VLR 2 / MSC 2]
Location Area
- Location area (LA) is the basic unit for location tracking.
[Figure: three MSCs serving LA 1, LA 2 and LA 3]
GSM Location Area Hierarchy
[Figure: the HLR above VLR1 and VLR2, which serve MSC1 and MSC2, which in turn cover LA1 and LA2; the MS is in a location area]
- HLR: Home Location Register
- VLR: Visitor Location Register
- MSC: Mobile Switching Center
- LA: Location Area
- MS: Mobile Station
Location Update Concept
- Registration: the location update procedure initiated by the MS:
  - Step 1. BS periodically broadcasts the LA address.
  - Step 2. When an MS finds the LA of the BS different from the one stored in its memory, it sends a registration message to the network.
  - Step 3. The location information is updated.
Periodic Registration
- The MS periodically sends registration messages to the network.
  - The period is 6 minutes to 24 hours.
  - Periodic registration is useful for fault-tolerance purposes.
GSM Basic Location Update Procedure
- In GSM, registration or location update occurs when an MS moves from one LA to another.
- Three cases of location update:
  - Case 1. Inter-LA Movement
  - Case 2. Inter-MSC Movement
  - Case 3. Inter-VLR Movement
Inter-LA Registration
Inter-LA Movement (1/2)
- Two LAs belong to the same MSC.
- Four major steps:
  - Step 1. MS sends a location update request message (MS→BTS→MSC).
    - Parameters included: TMSI, previous LA, target LA, previous MSC and previous VLR.
    - IMSI (International Mobile Subscriber Identity) is used to identify the MS.
    - However, the MS identifies itself by the Temporary Mobile Subscriber Identity (TMSI).
    - TMSI is used to avoid sending the IMSI on the radio path.
    - TMSI is a temporary identity allocated to an MS by the VLR at inter-VLR registration.
Inter-LA Movement (2/2)
- The process continues:
  - Step 2. The MSC forwards the location update request to the VLR by a TCAP message, MAP_UPDATE_LOCATION_AREA.
    - Parameters include: address of the MSC, TMSI, previous Location Area Identification (LAI), target LAI, other related information
  - Steps 3 and 4.
    - Part I. The VLR finds that both LA1 and LA2 belong to the same MSC.
    - Part II. The VLR updates the LAI field of the MS.
    - Part III. The VLR replies with an ACK to the MS through the MSC.
Inter-MSC Registration
Inter-MSC Movement (1/2)
- The two LAs belong to different MSCs of the same VLR.
- The process is:
  - Steps 1 and 2. MS sends a location update request message (MS→BTS→MSC).
  - Step 3.
    - Part I. VLR1 finds that LA1 and LA2 belong to MSC1 and MSC2, respectively. The two MSCs are connected to VLR1.
    - Part II. VLR1 updates the LAI and MSC fields of the MS.
    - Part III. VLR1 derives the HLR address of the MS from the MS's IMSI.
Inter-MSC Movement (2/2)
- The process continues:
  - Step 3.
    - Part IV. VLR1 sends the MAP_UPDATE_LOCATION to the HLR.
    - Parameters include: IMSI, previous MSC address, target MSC address, VLR address, other related information
  - Step 4. HLR updates the MSC number field of the MS. An acknowledgement is sent to VLR1.
  - Steps 5 and 6. The acknowledgement is forwarded to the MS.
Inter-VLR Registration Message Flow
[Figure: message flow between the MS, MSC1/VLR1 (LA1), MSC2/VLR2 (LA2) and the HLR, numbered as below]
1. MAP_UPDATE_LOCATION_AREA
2. MAP_SEND_IDENTIFICATION
3. MAP_SEND_IDENTIFICATION_ack
4. MAP_UPDATE_LOCATION
5. MAP_UPDATE_LOCATION_ack
6. MAP_UPDATE_LOCATION_AREA_ack
7. MAP_CANCEL_LOCATION
8. MAP_CANCEL_LOCATION_ack
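MS Registration Process (2/2)
[Figure: registration steps 1 to 5 between the MS, the new VLR, the old VLR and the HLR. Labels: TMSI; MS's IMSI and other authentication data; location update to the HLR after successful authentication; new TMSI; deregistration (delete the data in the VLR).]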
Inter-VLR Movement (1/2)
- Two LAs belong to MSCs connected to different VLRs.
- The process is:
  - Step 1. MS sends a location update request. MSC2 sends MAP_UPDATE_LOCATION_AREA to VLR2 with the MS's TMSI.
  - Steps 2 and 3.
    - VLR2 does not have the record of the MS.
    - VLR2 identifies the address of VLR1 and sends MAP_SEND_IDENTIFICATION (with TMSI) to VLR1.
    - VLR1 sends the IMSI to VLR2.
Inter-VLR Movement (2/2)
- The process continues:
  - Steps 4 and 5.
    - VLR2 creates a VLR record for the MS.
    - VLR2 sends a registration message to HLR.
    - HLR updates the record of the MS.
    - HLR sends an acknowledgement back to VLR2.
  - Step 6.
    - VLR2 generates a new TMSI and sends it to the MS.
  - Steps 7 and 8.
    - The obsolete record of the MS in VLR1 is deleted.
Call Origination and Termination
Call Origination Operation
[Figure: message flow between the MS, MSC, VLR, PSTN and the terminating switch, numbered as below]
2. MAP_SEND_INFO_FOR_OUTGOING_CALL
3. MAP_SEND_INFO_FOR_OUTGOING_CALL_ack
4. IAM
GSM Basic Call Origination
- The process is
  - Step 1. MS sends the call origination request to MSC.
  - Step 2. MSC forwards the request to VLR with message MAP_SEND_INFO_FOR_OUTGOING_CALL.
  - Step 3. VLR checks the MS's profile and sends MAP_SEND_INFO_FOR_OUTGOING_CALL_ack to MSC to grant the call request.
  - Step 4. MSC sets up the trunk according to the standard PSTN call setup procedure.
Call Termination Message Flow
Call Termination (1/2)
- Routing information for call termination can be obtained from the serving VLR.
- The basic call termination process:
  - Step 1. An MS's ISDN (MSISDN) number is dialed by a PSTN user. The call is routed to a gateway MSC by an SS7 ISUP IAM message.
  - Step 2. GMSC sends MAP_SEND_ROUTING_INFORMATION with the MSISDN to HLR.
Call Termination (2/2)
- The process continues:
  - Step 3. HLR sends a MAP_PROVIDE_ROAMING_NUMBER to VLR.
    - Parameters included: IMSI of the MS, the MSC number.
  - Steps 4 and 5. VLR creates the Mobile Subscriber Roaming Number (MSRN) by using the MSC number stored in the VLR record.
    - MSRN is sent back to the gateway MSC through HLR.
    - MSRN provides the address of the target MSC where the MS resides.
  - Step 6. An SS7 ISUP IAM message is directed from the gateway MSC to the target MSC to set up the voice trunk.
The Mobile Call Termination (Delivery) Procedure
[Figure: call delivery between other switches, the GMSC, HLR, VLR and MSC. Step 1 carries the MSISDN and IMSI; step 2 returns the MSRN; step 3 sets up the call according to the normal PSTN procedure.]
Handoff (Handover)
Handoff
Two Aspects of Mobility in a PCS Network
- Handoff
  - Link transfer, or handover
  - A mobile user moves from the coverage area of an old BS to the coverage area of a new BS during the conversation.
  - The radio link to the old BS is disconnected and a radio link to the new BS should be established to continue the conversation.
- Roaming
  - When a mobile user moves from one system to another, the PCS system should be told the user's location.
BS Coverage Area
- BS coverage area: irregular.
- In the cell boundary:
  - Signal from a neighboring BS
  - Signal from the serving BS
  - Otherwise: Forced termination
Handoff Cost
- Handoffs are expensive.
- Especially for systems with small cell sizes
- Small cell sizes are used
  - To increase the capacity of the systems
  - To reduce power requirements of MSs.
Issues for Handoff Management
- Handoff detection
  - Who and how
- Channel assignment
- Radio link transfer
Handoff Detection
Strategies for Handoff Detection
- Who makes a decision for handoff?
- Three handoff detection schemes:
  - Mobile-Controlled Handoff (MCHO)
  - Network-Controlled Handoff (NCHO)
  - Mobile-Assisted Handoff (MAHO)
  - Others
Mobile-Controlled Handoff (MCHO)
- MCHO is used in DECT and PACS.
- Part I. The MS continuously monitors the signals of the surrounding BSs.
- Part II. The MS initiates the handoff process when some handoff criteria are met.
Network-Controlled Handoff (NCHO)
- Used in CT-2+ and AMPS
- Part I. The surrounding BSs measure the signal from the MS.
- Part II. The network initiates the handoff process when some handoff criteria are met.
- MSC controls the handoff.
Mobile-Assisted Handoff (MAHO)
- Used in GSM, IS-136 and IS-95
- Part I. The network asks the MS to measure the signal from the surrounding BSs.
- Part II. The network makes the handoff decision based on the reports from the MS.
Channel Assignment for Handoff Calls
Channel Assignment
- Purpose: to achieve a high degree of spectrum utilization for a given grade of service
  - Ex: To reduce forced terminations
Forced Terminations
- Blocked call: Initial access requests fail
  - For new call
  - No available channels on the visited BS
- Forced terminations: Handoff requests fail
  - For handoff call
  - No available channel on the selected BSs
- Which one is more serious, new call blocking or forced termination?
Some trade-offs
- Service quality
- Spectrum utilization
- Implementation complexity of the channel assignment algorithm
- Number of database lookups
Flowchart for Non-prioritized Scheme
- New or handoff call arrival → Channel available?
  - no: Channel blocked
  - yes: Channel assigned → Ongoing call → Channel released
Flowchart for Reserved Channel Scheme
- New call arrival → Normal channel available?
  - no: Channel blocked
  - yes: Channel assigned → Ongoing call → Channel released
- Handoff call arrival → Normal channel available?
  - yes: Channel assigned → Ongoing call → Channel released
  - no: Reserved channel available?
    - yes: Channel assigned → Ongoing call → Channel released
    - no: Channel blocked
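The two admission rules in the flowcharts above, as an added Python example (not part of the original slides). The function names and the event trace are constructed for illustration; `steady_state` goes beyond the flowcharts and assumes Poisson arrivals and exponential channel holding times in order to put numbers on the blocking versus forced-termination trade-off.

```python
def admit(kind, busy, channels, reserved):
    """Flowchart decision for one arrival. kind is "new" or "handoff".
    reserved=0 gives the non-prioritized scheme."""
    if busy < channels - reserved:                  # normal channel available?
        return True
    return kind == "handoff" and busy < channels    # reserved channel available?


def replay(trace, channels, reserved):
    """Run a sequence of "new" / "handoff" / "release" events through one cell."""
    busy = blocked = forced = 0
    for event in trace:
        if event == "release":
            busy = max(busy - 1, 0)
        elif admit(event, busy, channels, reserved):
            busy += 1
        elif event == "new":
            blocked += 1        # blocked call: initial access request fails
        else:
            forced += 1         # forced termination: handoff request fails
    return {"blocked": blocked, "forced": forced}


def steady_state(channels, reserved, lam_new, lam_handoff, mu):
    """Long-run (new-call blocking, forced termination) probabilities.
    Assumption: birth-death chain on the number of busy channels, with
    arrival rates lam_new and lam_handoff and per-call release rate mu."""
    weights = [1.0]
    for busy in range(channels):
        # Once only reserved channels are left, new calls stop being admitted.
        lam = lam_handoff if busy >= channels - reserved else lam_new + lam_handoff
        weights.append(weights[-1] * lam / ((busy + 1) * mu))
    total = sum(weights)
    p_block = sum(weights[channels - reserved:]) / total
    p_forced = weights[channels] / total
    return p_block, p_forced


# Constructed trace: a busy period in a 3-channel cell.
TRACE = ["new", "new", "new", "handoff", "release", "new", "handoff", "handoff"]

if __name__ == "__main__":
    for r in (0, 1):
        print("reserved =", r, replay(TRACE, channels=3, reserved=r),
              steady_state(2, r, lam_new=1.0, lam_handoff=1.0, mu=1.0))
```

Reserving one channel trades forced terminations for blocked new calls, which is the service-quality versus spectrum-utilization trade-off listed above.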
Link Transfer
Link Transfer
- Two operations:
  - The radio link is transferred from the old BS to the new BS.
  - The network bridges the trunk to the new BS and drops the trunk to the old BS.
[Figure: the MSC connected to the old BS and the new BS]
Five Distinct Link Transfer Cases (1/3)
1. Intra-BTS handoff or intra-cell handoff
2. Inter-BTS handoff or inter-cell handoff
3. Inter-BSC handoff
4. Inter-MSC handoff or intersystem handoff
5. Intersystem handoff between two PCS networks
Inter-BSC Handoff
[Figure: (a) before handoff and (b) after handoff. MSC 1 connects to BSC 1 and BSC 2, which serve the old BS and the new BS.]
Intra-MSC
[Figure: message sequence between the MS, serving BSS, MSC and target BSS]
1. STRN_MEAS
2. HAND_REQ
3. HAND_REQ
4. HAND_REQ_ACK
5. HAND_COMM
6. HAND_COMM
7. HAND_ACC
8. CHH_INFO
9. HAND_DET
10. HAND_COMP
11. HAND_COMP
12. REL_RCH
13. REL_RCH_COMP
Inter-MSC Link Transfer
[Figure: (a) before handoff and (b) after handoff. MSC A and MSC B are joined by a trunk and connect to the PSTN; the MS moves between BS 1 and BS 2.]
Inter-MSC (1/2)
[Figure: message sequence between the MS, serving BSS, serving MSC, target MSC, target BSS and target VLR]
1. STRN_MEAS
2. HAND_REQ
3. HAND_PER
4. HAND_NUM
5. HAND_NUM_COMP
6. HAND_REQ
7. HAND_REQ_ACK
8. HAND_PER_ACK
9. NET_SETUP
10. SETUP_COMP
11. HAND_COMM
12. HAND_COMM
Inter-MSC (2/2)
[Figure: continuation of the message sequence between the same entities]
13. HAND_ACC
14. CHH_INFO
15. HAND_DET
16. HAND_COMP
17. HAND_COMP
18. SEND_ENDING
19. ANSWER
20. REL_RCH
21. REL_RCH_COMP
22. END_SIGNAL
23. NET_REL
24. ERL_HAND_NUM
Anchor MSC
[Figure: MSC A, MSC B and MSC C serving BS 1 to BS 5, with handoffs numbered 1 to 4]
- MSC A is the anchor MSC.
- 1: inter-BS handoff
- 2: handoff forward
- 3: handoff back
- 4: handoff to the third
Path Minimization
[Figure: four panels over MSC A, MSC B and MSC C: (a) Handoff forward, (b) Handoff backward, (c) Handoff to the third, (d) Path minimization]
Radio Link Transfer
Hard Handoff
Hard Handoff
- MS connects with only one BS at a time.
- Interruption in the conversation occurs.
- Used in TDMA and FDMA systems
- We will study the signaling of handoff:
  - MCHO Link Transfer
  - MAHO/NCHO Link Transfer
  - Subrating MCHO Link Transfer
[Figure: the MSC connected to the old BS and the new BS]
Hard Handoff Link Transfer for MCHO
- A handoff request message is initiated by the MS.
  - The network can initiate the handoff.
  - But the MS always chooses the BS.
- MS selects a new radio channel.
- If a handoff failure occurs, the MS link-quality maintenance process must decide what to do next.
Soft Handoff
Soft Handoff
- MS connects to multiple BSs simultaneously.
  - BSs use the same frequency.
  - BSs must be synchronized.
  - The network must combine the signals from the multiple BSs simultaneously.
- Soft handoff is more complicated than hard handoff.
[Figure: the MSC connected to BS 1 and BS 2]
Mobility Management
- Mobility management procedures begin when a system detects the presence of a visiting terminal.
  - (1) Serving base station → serving MSC (informs the MSC of the terminal's action)
  - (2) MSC records that the terminal is in its operating area.
  - (3) MSC sends this information to its VLR.
  - (4) VLR notifies the terminal's HLR.
  - (5) HLR notifies the old VLR to erase the record.
Figure 4.4 Registration of a terminal in a visited service area.
[Figure: a terminal powers on at a BS (CSS); entities are the visited MSC, serving VLR, HLR, home MSC, prior VLR and prior MSC. Messages: registration notification invoke (contains MIN, ECN, SID); registration notification invoke (contains MIN, ECN, SID, address of VLR); registration cancellation invoke; profile request invoke; profile request result.]
Handoff Categories
- IS-41 specifies three handoff protocols:
  - handoff forward, handoff back, and handoff to third.
- Intersystem handoff requires dedicated communication links between a pair of MSCs:
  - voice trunks: for carrying user information in calls handed from one MSC to another
  - data links: for carrying control messages between the two switches.
- Handoff forward:
  Figure 4.8 The situation after a handoff forward from system A (anchor system) to system B (serving system).
  - The terminal moves into the service area of system B, causing MSC-A and MSC-B to perform a handoff.
  - MSC-A is the anchor MSC.
  - MSC-A is responsible for routing the call to the remote party.
  - MSC-B is the serving MSC because it currently has control of the call.
  - After handoff, MSC-B is the target MSC.
- Handoff back:
  - The terminal can return to the service area of system A.
  - MSC-B recognizes that the call arrived from system A and it initiates a handoff back protocol, which releases the voice circuit between MSC-A and MSC-B.
  - Without this protocol, the systems would tie up two voice trunks: one taking the call from system A to system B, the other taking it from system B to system A.
- Handoff forward:
  Figure 4.9 Call path after handoff forward to system C
  - It is possible that the terminal will move from system B to a third system C. This produces the two possibilities in Figures 4.9 and 4.10.
  - In Figure 4.9, MSC-B and MSC-C perform a handoff forward procedure like the one that moved the call from system A to system B. System B provides a path from MSC-A to MSC-C.
  - The situation can continue, adding more and more MSCs to the chain, up to a limit established by the anchor system.
- Handoff to third:
  Figure 4.10 If there are circuits connecting MSC-A and MSC-C, the system performs handoff to third.
  - An alternative occurs when there is a direct connection between systems A and C.
  - IS-41 includes a protocol referred to as handoff to third, which establishes a direct link between MSC-A and MSC-C and releases the link between A and B.
Handoff Protocols
- There are two phases to every handoff procedure.
- Location phase: the serving MSC collects measurement reports from cells in the neighborhood of the cell presently occupied by a terminal.
  - When measurements are required from one or more cells in a system adjacent to the serving system, the adjacent system becomes a candidate system.
  - The serving MSC and a candidate MSC exchange handoff measurement request messages.
- A HANDOFF MEASUREMENT REQUEST INVOKE message, transmitted by the serving MSC, includes:
  - information about the terminal (station class mark, SCM, indicates the capabilities of the terminal),
  - information about the serving base station (SAT and a base station identifier), and
  - information about the radio channel carrying the call (channel number).
- Based on the identity of the serving base station, the candidate MSC selects one or more candidate cells and transmits a HANDOFF MEASUREMENT REQUEST RESULT message to the serving MSC.
  - The HANDOFF MEASUREMENT REQUEST RESULT message contains identities of candidate cells and associated signal strength measurements.
  - The serving MSC selects a target cell for the handoff.
  - If the target cell is served by a candidate MSC, this MSC becomes the target MSC for the handoff.
  - The handoff procedure then moves from the location phase to the handoff phase.
- Handoff phase:
  - The serving MSC determines the type of handoff to initiate (forward, back, or handoff to third).
- Handoff Forward Protocol:
  - The serving MSC sends a FACILITIES DIRECTIVE INVOKE message to the target MSC.
  - This message contains:
    - information about the terminal (SCM, MIN, ESN)
    - information about the call: billing ID (established by the anchor MSC at the beginning of the call); inter-MSC circuit (voice trunk that will carry the call from the serving MSC to the target MSC); inter-switch count (the total number of MSCs through which the call will pass after the handoff);
    - information about the call status (serving cell, serving channel); and
    - target cell identifier (based on measurement reports from the target MSC).
  - If the target MSC accepts the handoff, it selects a channel to handle the call in the new cell and then sends a FACILITIES DIRECTIVE RESULT message to the serving MSC.
  - This message contains information about the new channel: channel number, SAT, and transmit power level (VMAC).
  - On receiving this message, the serving MSC sends an AMPS HANDOFF message to the terminal through the serving cell.
  - When the target base station detects the SAT, it sends a message to the target MSC, which completes the handoff forward operation by sending a MOBILE ON CHANNEL INVOKE message to the prior serving MSC.
Figure 4.11 Message sequence and system operations for handoff forward.
- Handoff Back Protocol:
  - If the location phase results in a determination by the serving MSC (MSC-B) that the call would best be handled in the system (system A) previously occupied by the terminal, the serving MSC initiates a handoff back procedure.
  - It (MSC-B) sends a HANDOFF BACK INVOKE message to the previous MSC (MSC-A), which is now the target MSC of the handoff protocol.
  - The message plays the same role as the FACILITIES DIRECTIVE INVOKE message.
  - The target MSC (MSC-A) sends a HANDOFF BACK RESULT message to the serving MSC (MSC-B).
  - This message contains the same information as the FACILITIES DIRECTIVE RESULT message.
  - When the target MSC (MSC-A) learns that the terminal has arrived on the assigned channel at the target base station, it sends a FACILITIES RELEASE INVOKE message to the serving MSC (MSC-B).
  - This message identifies the voice trunk that carries the call between the two MSCs.
  - On receiving this message, the serving MSC (MSC-B) releases the voice trunk and sends a FACILITIES RELEASE RESULT message to the target MSC.
  - Any two MSCs in a chain can perform the handoff back protocol.
- Handoff to Third Protocol:
  - The handoff to third protocol is an example of a path minimization procedure, in which the system reduces the number of voice trunks carrying a call through three or more systems.
Security
Security
- GSM security is addressed in two aspects: authentication and encryption.
  - Authentication avoids fraudulent access by a cloned MS.
  - Encryption avoids unauthorized listening.
Parameters
- Parameters:
  - Ki is used to achieve authentication.
    - Ki is stored in the AuC and SIM.
    - Ki is not known to the subscriber.
  - RAND
    - A 128-bit random number generated by the home system.
  - SRES is generated by algorithm A3.
  - Kc is generated by algorithm A8 for the encryption.
  - Frame Number
    - A TDMA frame number encoded in the data bits.
Algorithms
- Authentication Algorithms:
  - A3.
    - Authentication function.
    - In AuC and SIM
- Encryption Algorithms:
  - A8.
    - To generate the encryption key
    - In AuC and SIM
  - A5.
    - An algorithm stored in the MS (handset hardware) and the visited system.
    - Used for the data ciphering and deciphering
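Authentication and Encryption
[Figure: the home system supplies RAND. The mobile station and the home system each run A3 and A8 on Ki and RAND to produce SRES and Kc. The visited system compares the two SRES values: if equal, accept; if not, reject (authentication). Kc and the frame number then feed A5 at both the mobile station and the visited system to turn data into ciphered data and back (encryption).]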
Authentication by Triplet
- Triplet: RAND, SRES, Kc
  - AuC→HLR→VLR in advance
- Example: Authentication in registration
  - New VLR uses LAI to find old VLR.
  - Old VLR sends triplets to new VLR.
  - New VLR challenges MS by using RAND and SRES.
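The triplet procedure above, combined with the inter-VLR registration steps from the location-update slides, as an added Python example (not code from the original slides). A3 and A8 are replaced by an HMAC-SHA256 stand-in; the class names, the `attach` helper and the IMSI value are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

IMSI = "001010123456789"   # constructed test identity, not a real subscriber

def a3_a8(ki, rand):
    """Stand-in for A3 and A8 (assumption: HMAC-SHA256, chosen only so this runs).
    Returns a 32-bit SRES and a 64-bit Kc derived from Ki and the 128-bit RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class AuC:
    """Home system. Ki exists only here and in the SIM."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = os.urandom(16)
        return self._ki[imsi]           # personalised into the SIM

    def triplets(self, imsi, n=3):
        """Precompute (RAND, SRES, Kc) so a VLR can authenticate without Ki."""
        out = []
        for _ in range(n):
            rand = os.urandom(16)
            out.append((rand, *a3_a8(self._ki[imsi], rand)))
        return out

class SIM:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki
        self.tmsi = self.lai = self.kc = None

    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres                     # only SRES goes back over the air

class VLR:
    def __init__(self, lai, directory):
        self.lai, self.directory = lai, directory
        self.records = {}               # TMSI -> {"imsi", "triplets", "kc"}
        directory[lai] = self

    def attach(self, sim, triplets):
        """First registration (hypothetical helper): store triplets, issue a TMSI."""
        sim.tmsi, sim.lai = secrets.token_hex(4), self.lai
        self.records[sim.tmsi] = {"imsi": sim.imsi, "triplets": triplets, "kc": None}

    def send_identification(self, tmsi):
        """Old-VLR side of MAP_SEND_IDENTIFICATION: IMSI plus unused triplets."""
        rec = self.records.get(tmsi)
        return (rec["imsi"], rec["triplets"]) if rec else None

    def location_update(self, ms):
        """New-VLR side of inter-VLR registration; the MS sends TMSI and previous LAI."""
        old = self.directory.get(ms.lai)            # new VLR uses LAI to find old VLR
        ident = old.send_identification(ms.tmsi) if old else None
        if not ident or not ident[1]:
            return False                # unknown TMSI or no triplets left
        imsi, triplets = ident
        rand, sres, kc = triplets.pop(0)            # each triplet is used once
        if not hmac.compare_digest(ms.respond(rand), sres):
            return False                # reject: the responder does not hold Ki
        old.records.pop(ms.tmsi, None)  # stands in for MAP_CANCEL_LOCATION
        ms.tmsi, ms.lai = secrets.token_hex(4), self.lai    # new TMSI for the MS
        self.records[ms.tmsi] = {"imsi": imsi, "triplets": triplets, "kc": kc}
        return True

def run_demo():
    directory = {}
    auc = AuC()
    vlr1, vlr2 = VLR("LA1", directory), VLR("LA2", directory)
    sim = SIM(IMSI, auc.provision(IMSI))
    vlr1.attach(sim, auc.triplets(IMSI))
    first_tmsi = sim.tmsi
    genuine_ok = vlr2.location_update(sim)          # MS moves from LA1 to LA2
    kc_agrees = vlr2.records[sim.tmsi]["kc"] == sim.kc
    clone = SIM(IMSI, os.urandom(16))               # same identity, wrong Ki
    clone.tmsi, clone.lai = sim.tmsi, sim.lai
    clone_ok = vlr1.location_update(clone)
    return {
        "genuine_ok": genuine_ok, "kc_agrees": kc_agrees, "clone_ok": clone_ok,
        "tmsi_changed": sim.tmsi != first_tmsi,
        "old_record_deleted": first_tmsi not in vlr1.records,
        "triplets_left": len(vlr2.records[sim.tmsi]["triplets"]),
    }

if __name__ == "__main__":
    print(run_demo())
```

Neither VLR ever holds Ki: the visited system works only from the precomputed triplets, and a failed challenge still consumes one of them.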
Encryption
[Figure: the same diagram as for authentication and encryption. After SRES is accepted, Kc and the frame number feed A5 in both the mobile station and the visited system to cipher and decipher the data.]
Summary
- GSM Architecture
  - MS, BSS, NSS
  - Radio Interface
- GSM Radio and Channels
- Location Tracking
- Hand Off
- Security