Anda di halaman 1dari 126

Cellular Networks and GSM

Week 11

Data Communication

www.del.ac.id

History of Wireless
Communications (1)

1896: Marconi
First demonstration of wireless telegraphy
Tx of radio waves to a ship at sea 29 km away
Long wave transmission, high power requirement (> 200 kW)
1901: Marconi
Telegraph across the Atlantic ocean
Close to 3000Km hop!
1907: Commercial transatlantic connections
Huge ground stations (30 by 100m antennas)
1915: wireless telephony established
NY San Fransisco
Virginia and Paris
1920: Marconi
Discovery of short waves (lambda < 100m)
Reflection at the ionosphere
(cheaper) smaller sender and receiver, possible due to the invention of the
vacuum tube (1906, Lee DeForest and Rover von Lieben)
10/19/16 11:10

Data Communication

History of Wireless
Communications (2)

1920s: radio broadcasting become popular


1928: many TV broadcast trials
1930s: TV broadcasting deployment
1946: First public mobile telephone service in US
St. Louis, Missouri (single cell system)
1960s: Bell Labs developed cellular concept
Brought mobile telephony to masses
Late 1970s: technology advances enable affordable cellular
telephony
Entering the modern cellular era
1974-1978: First field Trial for Cellular System
AMPS, Chicago
10/19/16 11:10

Data Communication

1st Generation (1G) Mobile System


Early Deployment

First system: NMT-450 (Nordic Mobile Telephone)

Scandinavian standard; adopted in most Europe


450MHz band, first European system (Sweden, October
1981)

Italian history:

1966: first experiments (CSELT) at 160MHz, RTMI (Radio


Telefono Mobile Italiano)
1985: first Italian cellular system, RMTS (Radio Telefono
Mobile di Seconda Generazione) at 450 MHz
1990: Evolution, TACS (Total Access Communication
System) at 900 MHz

10/19/16 11:10

Data Communication

1st Generation (1G) Mobile


System

First generation: 1980s


Analog transmission: frequency modulation
Several competing standards and bands

NMT (Nordic Mobile Telephone); Scandinavian standard,


adopted in most Europe, 450MHz first, 900MHz later; 1980
TACS (Total Access Communication System), UK standard,
a few of Europe, Asia and Japan; 900 MHz; 1985
AMPS (Advanced Mobile Telephone System); US standard
C-Netz; only in Germany
Radiocom 2000; only in France

10/19/16 11:10

Data Communication

2nd Generation (2G) Mobile


System

Four dominant systems:

Global System for Mobile (GSM)


Deployed worldwide, but slowly in US
Digital AMPS (D-AMPS): USA
Code Division Multiple Access (CDMA or IS-95):
Qualcomm, USA
Personal Digital Cellular (PDC)

Basic bands:

900MHz, 1800MHz (Digital Cellular System: DCS-1800),


1900MHz (Personal Communication System: PCS-1900,
US only)

10/19/16 11:10

Data Communication

2.5 Generation (2.5G) Mobile


System (GSM incremental extension)

High Speed Circuit Switched Data (HSCSD)

General Packet Radio Service (GPRS)

Circuit switched data communication


Uses up to 4 slots (1 slot = 9.6 or 14.4 Kbps)
Packet data (use spectrum only when needed)
Up to 115 Kbps (8 slots)

Enhanced Data-rates for Global Evolution (EDGE)

Higher data rate available on radio interface (3x)


Up to 384 Kbps (8 slots)
Uses new modulation scheme (8PSK), may coexist with
old GMSK

10/19/16 11:10

Data Communication

3rd Generation (3G) Mobile


System
UMTS

(Universal Mobile Telecommunication


System)

ITU standard: IMT-2000 (International Mobile


Telecommunication 2000)
UTMS forum created in 1996
Wideband CDMA radio interface
Radio spectrum: 1885-2025 & 2110-2200 MHz
Already deployed in Japan

10/19/16 11:10

Data Communication

Examples of Wireless Networks

Cellular telephony
Satellite
Metropolitan-area data networks
Local-area networks
Ubiquitous computing environments
Infostations (mobile hosts traveling through fixed
network)
Ad hoc networks (mobile nodes dynamically forming
a temporary network without the use of any existing
network infrastructure).
10/19/16 11:10

Data Communication

Wireless Challenges
Path

loss and fading

Buildings, trees etc. block or weaken signals

Reflected

Multiple copies of a signal with small timing


differences
Even fading due to interference

Flash

signals

crowds

The customer's traffic patterns are difficult to


predict

10/19/16 11:10

Data Communication

10

Cellular Network Organization

Use multiple low-power transmitters (100 W or less)


Areas divided into cells
Each served by its own antenna
Served by base station consisting of transmitter,
receiver, and control unit
Band of frequencies allocated
Cells set up such that antennas of all neighbors
are approximately equidistant (hexagonal pattern)

10/19/16 11:10

Data Communication

11

Representation of Cells

Ideal cells
10/19/16 11:10

Fictitious cells
Data Communication

12

Cell Size and Capacity


Cell

size determines number of cells


available to cover geographic area and (with
frequency reuse) the total capacity available
to all users
Capacity within cell limited by available
bandwidth and operational requirements
Each network operator has to size cells to
handle expected traffic demand

10/19/16 11:10

Data Communication

13

Cell Structure

Implements space division multiplex: base station covers a certain


transmission area (cell)
Mobile stations communicate only via the base station
Advantages of cell structures:
higher capacity, higher number of users
less transmission power needed
more robust, decentralized
base station deals with interference, transmission area etc. locally
Problems:
fixed network needed for the base stations
handover (changing from one cell to another) necessary
interference with other cells
Cell sizes from some 100 m in cities to, e.g., 35 km on the country side
(GSM) - even less for higher frequencies
10/19/16 11:10

Data Communication

14

Capacity of a Cellular System


Frequency

Re-Use Distance
The K factor or the cluster size
Cellular coverage or Signal to interference
ratio
Sectoring

10/19/16 11:10

Data Communication

15

The K factor and


Frequency Re-Use Distance
7
6
K = i + ij + j
2

K = 22 + 2*1 + 12

K=4+2+1
K=7

7
6

2
i

4
D =
Frequency re-use distance is based on the cluster size K

3K * R

D = 4.58R

The cluster size is specified in terms of the offset of the center of a cluster
from the center of the adjacent cluster
10/19/16 11:10

Data Communication

16

The Frequency Re-Use for K = 4


K = i2 + ij + j2
K = 22 + 2*0 + 02
K=4+0+0

K=4
D =

3K * R

D = 3.46R

10/19/16 11:10

R
i

Data Communication

17

The Cell Structure for K = 7


7
6

2
1

5
7
6

3
4

1
5

7
6

2
1

7
6

2
1

7
6

3
4

3
4

2
1

3
4

10/19/16 11:10

Data Communication

18

Cell Structure for K = 4


1

2
3

1
4

1
4

3
2

1
4

2
3

2
3

2
3

10/19/16 11:10

Data Communication

19

Cell Structure for K = 12


9
8

9
10

2
7

1
6

4
5

10/19/16 11:10

5
10

2
7

12

12
4

11
3

11

10

7
12

10

11

1
9

1
6

11
3
12
4

5
Data Communication

20

Increasing Cellular System


Capacity (1)

Add new channels


Not all channels used to start with
Frequency borrowing
Taken from adjacent cells by congested cells
Or assign frequencies dynamically
Cell splitting
Cells in high usage can be split in two or more smaller cells Cell
splitting
Decrease transmission power in base and mobile
Results in more and smaller cells
Reuse frequencies in non-contiguous cell groups
Example: cell radius leads 4 fold capacity increase
10/19/16 11:10

Data Communication

21

Increasing Cellular System


Capacity (2)

Cell sectoring
Directional antennas subdivide cell into 3 or 6 sectors
Might also increase cell capacity by factor of 3 or 6
Microcells
Move antennas from tops of hills and large buildings to
tops of small buildings and sides of large buildings
Even lamp posts
Form microcells
Reduced power
Good for city streets, along roads and inside large
buildings
10/19/16 11:10

Data Communication

22

Tri-Sector Antenna for A Cell

10/19/16 11:10

Data Communication

23

Cell Distribution in a Network

Rural
Highway
Suburb
10/19/16 11:10

Town
Data Communication

24

Optimum Use of Frequency


Spectrum

Operator bandwidth of 7.2MHz (36 freq of 200 kHz)


TDMA 8 traffic channels per carrier
K factor = 12
What are the number of traffic channels available
within its area for these three cases

Without cell splitting


With 72 cells
With 246 cells

10/19/16 11:10

Data Communication

25

Frequency Reuse

Cellular systems are interference-limited, not noise


limited.

Adjacent cells assigned different frequencies to avoid


interference
Objective is to reuse frequency in nearby cells
10-50 channels (TDM, FDM or CDMA) assigned per cell
Transmission power controlled to limit power at that
frequency escaping to adjacent cells
The issue is to determine how many cells must intervene
between two cells using the same frequency

10/19/16 11:10

Data Communication

26

Re-use of the Frequency

One Cell
=
288 traffic channels

246 Cell
=
5904 traffic channels

8 X (72/12 X 36) = 1728

8 X 36 = 288

10/19/16 11:10

72 Cell
=
1728 traffic channels

Data Communication

27

Interference

10/19/16 11:10

Data Communication

28

Mobile Radio Propagation Effects

Signal strength

Strength of signal between BS and mobile unit strong


enough to maintain signal quality at the receiver
Not strong enough to create too much cochannel
interference
Noise varies
Automobile ignition noise greater in city than in suburbs
Other signal sources vary
Signal strength varies as function of distance from BS
Signal strength varies dynamically as mobile unit moves

Fading

Even if signal strength in effective range, signal


propagation effects may disrupt the signal

10/19/16 11:10

Data Communication

29

GSM History
Several first generation analog cellular systems
in Europe but incompatible - limited roaming
1987-1989 ETSI standards for pan-European
Global System for Mobile Communications
(GSM, originally Group Special Mobile) at 900
MHz

1992 GSM is launched


1990-1993 Standards for Digital Cellular System
at 1800 MHz (DCS 1800, recently renamed GSM
1800; US version is PCS 1900)

10/19/16 11:10

Data Communication

30

GSM Objectives
Broad

offering of speech and data services


Compatible with wireline networks, eg, ISDN
Automatic roaming and handoff
Highly efficient use of frequency spectrum
Support for different types of mobile terminal
equipment (eg, cars, portable handsets)
Digital signaling and transmission
Low cost infrastructure and terminal equipment
10/19/16 11:10

Data Communication

31

Summary of GSM Features


Channel bandwidth

200 kHz

Multiple access

TDMA

Users/carrier

Speech coding rate

13 kb/s

FEC coded speech rate

22.8 kb/s

10/19/16 11:10

Data Communication

32

Summary of GSM Service Quality


Requirements
Speech intelligibility

90%

Max one-way delay

90 ms

Max handoff gap

150 ms if intercell

Time to alert mobile of


inbound cell

4 sec first attempt,


15 sec final attempt

Release time to called


network

2 sec

Connect time to called


network

4 sec

10/19/16 11:10

Data Communication

33

GSM General Architecture (1)


PSTN
VLR

GSM Public
land mobile
network
(PLMN)

MSC
A

Abis

BSC

BTS

BSS

BTS

Um
MT
TE
10/19/16 11:10

HLR

MS

MS

BSS

OMC
AUC
EIR

NMC

ADC

OSS
OSS: operation subsystem
BSS: base station subsystem
MS: mobile station
Data Communication

34

GSM General Architecture (2)

10/19/16 11:10

Data Communication

35

GSM General Architecture (3)

10/19/16 11:10

Data Communication

36

GSM Network

MSC role: telephone switching central with special mobility management capabilities.
10/19/16 11:10

Data Communication

37

GSM System Hierarchy

Hierarchy:
MSC region n x Location Areas m x BSC k x BTS
10/19/16 11:10

Data Communication

38

GSM Essential Components

10/19/16 11:10

Data Communication

39

GSM
Sub-systems

Two components

Fixed infrastructure divided into three


sub-systems:

10/19/16 11:10

Fixed installed infrastructure


Mobile subscribers: MS

BSS (Base Station Subsystem)


Manages transmission path from
MS to MSS
NSS (Network Switching Subsystem)
Communication and
interconnection with other nets
OSS (Operational Subsystem)
GSM network administration tools

Data Communication

40

Mobile Station (MS)


TEMPORARY DATA
Temporary Subscriber Identity
Current Location
Ciphering Data
PERMANENT DATA
Permanent Subscriber Identity
Key/Algorithm for Authentication.
Provides access to the GSM network
Consists of
Mobile equipment (ME)
Subscriber Identity Module (SIM)
10/19/16 11:10

Data Communication

41

Mobile Station (MS)

GSM separates user mobility from equipment


mobility by defining two distinct components:

Mobile Equipment
The cellular telephone itself (or the vehicular telephone)
Address/identifier: IMEI (International Mobile Equipment
Identity)
Subscriber Identity Module (SIM)
Fixed installed chip (plug-in SIM) or exchangeable card
(SIM card)
Addresses/identifiers:

10/19/16 11:10

IMSI (International Mobile Subscriber Identity)


MSISDN (Mobile Subscriber ISDN Number) = the telephone
number
Data Communication

42

Mobile Equipment Structure (1)

Mobile Termination (MT) functions:

Terminal Equipment (TE) functions:

tRadio interface (tx, rx, signalling)


User interface (microphone, keyboard, speakers, etc)
Functions specific of services (telephony, fax, messaging,
etc), independent of GSM

Terminal Adaptor (TA) functions:

Intefaces MT with different types of terminals (PCs, Fax,


etc)

10/19/16 11:10

Data Communication

43

Mobile Equipment Structure (2)

Mobile Station (MS) communicates to base


stations through radio interface Um
Mobile Termination (MT) supports physical
channel between MS and base station (radio
transmission, channel coding, speech coding)
Terminal Equipment (TE), eg, telephone set.
Contains terminal/user-specific data in form of smart
card (subscriber identify module or SIM card), plugs
into any GSM terminal like credit card and identifies
user to network for personal mobility (in addition to
terminal mobility) and security
10/19/16 11:10

Data Communication

44

Mobile Equipment Max Power


(5 Power Classes)

Normally used,
for 900 MHz

This was for 900 MHz


For 1800 MHz, only two classes: 1 W and 0.25 W
10/19/16 11:10

Data Communication

45

IMEI (International Mobile


Equipment Identity)

15 digits hierarchical address, uniquely identifies the mobile


equipment
Assigned to ME during manufacturing and type approval
testing. Type approval procedure guarantees that the MS
meets a minimum standard, regardless of the manufacturer
IMEI structure

10/19/16 11:10

Data Communication

46

IMEI Management

Protection against stolen and malfunctioning terminals


Equipment Identity Register (EIR) : one database for each operator
which keeps:
WHITE LIST
Valid IMEIs; corresponding MEs may be used in the GSM network
BLACK LIST
IMEIs of all MEs that must be barred from using the GSM network
Exception: emergency calls (to a set of emergency calls)
Periodically exchanged among different operators
GREY LIST
IMEIs that correspond to MEs that can be used, but that, for some
reason (malfunctioning, obsolete SW, evaluation terminals, etc),
need to be tracked by the operator
A call from a grey IMEI is reported to the operator personnel

10/19/16 11:10

Data Communication

47

SIM Card

Uniquely associated to a user


Not to an equipment, as in first generation cellular networks
Stores user addresses
IMSI
MSISDN
Temporary addresses for location, roaming, etc
authentication and encryption features
All security features of GSM are stored in the SIM for maximum protection
subscribers secret authentication key (Ki)
Authentication algorithm (secret algorithm - A3 not unique)
Cipher key generation algorithm (A8)
Personalization
SIM stores user profile (subscribed services)
RAM available for SMS, short numbers, users directory, etc
Protection codes
PIN (Personal Identification Number, 4-8 digits)
PUK (PIN Unblocking Key, 8 digits)

10/19/16 11:10

Data Communication

48

IMSI (International Mobile


Subscriber Identity)

15 digits hierarchical address, uniquely identifies the user (SIM


card)
GSM-specific address
unlike MSISDN - normal phone number
assigned by operator to SIM card upon subscription
IMSI structure:

10/19/16 11:10

Data Communication

49

MSISDN
(Mobile Subscriber ISDN Number)

MSISDN: the usual telephone number


Follows international ISDN numbering plan (ITU-T E.164 recommendations)
Structure:

GSM is the first network to distinguish


The user identity (i.e. IMSI)
CC Indonesia
: 62
From the number to dial (i.e. MSISDN)
NDC
: 081, 085
Separation IMSI-MSISDN protects confidentiality
IMSI is the real user address: never public!
Faking false identity: need signal IMSI to the network; but IMSI hard to obtain!
Separation IMSI-MSISDN allows
Easy modification of numbering and routing plans
single IMSI may be associated to several MSISDN numbers
E.g. different services (fax, voice, data, etc) may be associated with different
MSISDN numbers

10/19/16 11:10

Data Communication

50

Temporary Addresses (1)

TMSI - Temporary Mobile Subscriber Identity

32 bits
assigned by VLR within an administrative area
has significance only in this area
transmitted on the radio interface instead of IMSI
reduces problem of eavesdropping

MSRN - Mobile Station Roaming Number

An MSISDN number
CC, NDC of the visited network
SN assigned by VLR
Used to route calls to a roaming MS
Subscriber Number (SN) assigned to provide routing
information towards actually responsible MSC

10/19/16 11:10

Data Communication

51

Temporary Addresses (2)

Mobile Station Roaming Number (MSRN), same format as MSISDN.


A temporary location dependent ISDN number.
Is assigned in two cases, at registration or at call set up.
Location Area Identity (LAI). Regularly sent on BCCH LAI = CC +
MNC + LAC,
LAC = Location Area Code, max 5 decimals (<FFFFhex).
Temporary Mobile Subscriber Identity (TMSI). Stored only in the VLR
and SIM card. Consists of 4*8 bits excluding value FFFF FFFFhex
TMSI has only local meaning and can be defines according to
operators specifications.
LAI + TMSI uniquely identifies the user, I.e. IMSI is no longer needed
for ongoing communication

10/19/16 11:10

Data Communication

52

Temporary Addresses (3)

Temporary Mobile Subscriber Identity (TMSI). Stored only in


the VLR and SIM card. Consists of 4*8 bits excluding value
FFFF FFFFhex
TMSI has only local meaning and can be defines according to
operators specifications.
LAI + TMSI uniquely identifies the user, I.e. IMSI is no longer
needed for ongoing communication
Local Mobile Subscriber Identity (LMSI). Created in VLR and
stored in HLR.
Like TMSI is operator defined.
Used in communication with VLR to speed the search for
mobile records.
Speed is essential to achieve short call setup times.
10/19/16 11:10

Data Communication

53

Global Cell ID and BSIC


Global

Cell Id = LAI + CI
CI = Cell id, unique id within the LAI.
Maximum 2*8 bits
Base Transceiver Station Identity Code
(BSIC) = NCC + BCC
BSIC is broadcast periodically by the base
station on the synchronization channel.
NCC = Network Color Code, 3 bits
BCC = Base Station Color Code, 3 bits
10/19/16 11:10

Data Communication

54

Fixed Infrastructure:
Components and Interfaces
Components

MS Mobile Station

BTS Base Transceiver Station

BSC Base Station Controller

MSC Mobile Switching Center

OMC Operation and Maintenance Center

EIR Equipment Identity Register

AUC Authentication Center

HLR Home Location Register

VLR Visitor Location Register


Interfaces

Um Radio Interface

Abis BTS-BSC

A BSS-MSC

B MSC-VLR

C MSC-VLR

D HLR-VLR

E MSC-MSC

F MSC-EIR

G VLR-VLR
10/19/16 11:10

Data Communication

55

Fixed Infrastructure:
Base Station Sub-System

Base Transceiver Station (BTS)


Transmitter and receiver
devices, voice coding &
decoding, rate adaptation for
data
Provides signaling channels on
the radio interface
Limited signal and protocol
processing (error protection
coding, link layer LAPDm)
Base Station Controller (BSC)
performs most important radio
interface management functions:
Radio channels allocation and
deallocation; handover
management;
10/19/16 11:10

Data Communication

56

Fixed Infrastructure Components:


BSS, BTS, BSC

Base station Subsystem (BSS) communicates


with mobile switching center through network
interface A
Base Transceiver Station (BTS) handles channel
allocation, signaling, frequency hopping, handover
initiation, etc.
BTS communicates with BSC using Abis interface
Base station controller (BSC) manages radio
channels, paging, handoff for several BTSs
BSC communicates with MSC using A interface
10/19/16 11:10

Data Communication

57

Base Transceiver Station (BTS)

TRX radio interface functions:


GMSK modulation-demodulation
channel coding
encryption/decryption
burst formatting, interleaving
signal strength measurements
interference measurements
10/19/16 11:10

In essence, BTS is
a complex modem!

Data Communication

58

Base Station Controller (BSC)

DB contains

state information for all BSS


BTS software

From/to MSC

1 BSC may control


up to 40 BTS

10/19/16 11:10

FUNCTIONS:
switch calls from MSC to correct
BTS and conversely
Protocol and coding conversion
for traffic (voice) & signaling
(GSM-specific to ISDNspecific)
Manage MS mobility
Enforce power control
Data Communication

59

Transcoding and Rate Adaptation


Adaptation
BTS:
collects speech traffic
Deciphers and removes
error protection
Result: 13 kbps air-interface
GSM speech-coded signal
MSC:
A modified ISDN switch
Needs to receive ISDNcoded speech
64 kbps PCM format (A-law)

Transcoding and Rate


Adaptation Unit (TRAU)
needed!

Rationale:
re-use existing ISDN switches & protocols
10/19/16 11:10

Data Communication

60

TRAU Possible Placements

Why 16 kbps instead of 13? Inband signalling needed for BTS control of TRAU
(TRAU needs to receive synchro & decoding information from BTS)
10/19/16 11:10

Data Communication

61

Fixed Infrastructure Component:


Network Switching Sub-System (NSS)

Elements:
Mobile Switching Center (MSC) / Gateway MSC (GMSC)
Home Location Register (HLR ) / Authentication Center (AuC)
Visitor Location Register (VLR)
Equipment Identity Register (EIR)
Functions:
Call control
User management
Inter-component communication
Via SS7 signalling network
With suitable extensions (e.g. MAP Mobile Application Part)

10/19/16 11:10

Data Communication

62

Fixed Infrastructure Component:


Mobile Switching Center (MSC)

An ISDN switch (64 kbps channels); gateway to PSTN and packet


data networks
Performs all the switching and routing functions of a fixed network
switching node
PLUS specific mobility-related functions:
Allocation and administration of radio resources
Management of mobile users
registration, authentication
handover execution and control
paging
A PLMN (operator network) has, in general, many MSC
Each MSC is responsible of a set of BSS
(note: a BSS refers to just 1 MSC, not many)
10/19/16 11:10

Data Communication

63

Fixed Infrastructure Component:


Home Location Register (HLR) (1)
1

database per operator (PLMN)


In principle; in practice may be

N-plicated for reliability reasons


In large operator networks, there may be 2+ HLR
with distinct information, although MSISDN-HLR
association needs to be introduced (e.g. first two
digits of the Subscriber Number)

HLR

entries: Every user / MSISDN that has


subscribed to the operator
10/19/16 11:10

Data Communication

64

Fixed Infrastructure Component:


Home Location Register (HLR) (2)
HLR Stores:
Permanent information associated to the user
IMSI, MSISDN
Services subscribed
Service restrictions (e.g. roaming restrictions)
Parameters for additional service
info about user equipment (IMEI)
Authentication data
Temporary information associated to the user
Link to current location of the user:
Current VLR address (if avail)
Current MSC address (if avail)
MSRN (if user outside PLMN)
10/19/16 11:10

Data Communication

65

Fixed Infrastructure Component:


Authentication Center (AUC)
Associated

to HLR

Eventually integrated with HLR

Search

key: IMSI
Responsible of storing security-relevant
subscriber data

Subscribers secret key Ki (for authentication)


Encryption key user on the radio channel (Kc)
Algorithms to compute volatile keys used during
authentication process

10/19/16 11:10

Data Communication

66

Gateway
MSC GMSC

10/19/16 11:10

Data Communication

Needed, as fixed network


switches are not mobile
capable!!
GMSC task: query HLR for
current MS location
(if fixed network switches
were able to query HLR,
direct connection with local
MSC would be available)

67

Fixed Infrastructure Component:


Visitor Location Register (VLR) (1)

At most 1 database per MSC

Generally, joint MSC-VLR implementation


No need to carry heavy MSC-VRL signalling load on
network links but 1 VLR may serve many MSCs

VLR entries:

Every user / MSISDN actually staying in the administrative


area of the associated MSC
Entry created when an MS enters the MSC area
(registration)
NOTE: may store data for roaming users (subscribed to
different operators)

10/19/16 11:10

Data Communication

68

Fixed Infrastructure Component:


Visitor Location Register (VLR) (2)
Stores:
Subscriber and subscription data

IMSI, MSISDN
Parameters for additional services
info about user equipment (IMEI)
Authentication data

Tracking and routing information

Mobile Station Roaming Number (MSRN)


Temporary Mobile Station Identity (TMSI)
Location Area Identity (LAI) where MS has registered
Used for paging and call setup

10/19/16 11:10

Data Communication

69

Fixed Infrastructure Component:


Operation & Maintenance Sub-system (OSS)

Network measurement and control functions


Monitored and initiated from the OMC (Operation
and Maintenance Center)
Basic functions

Network Administration
configuration, operation, performance management,
statistics collection and analysis, network maintenance
Commercial operation & charging
Accounting & billing
Security Management
E.g. Equipment Identity Register (EIR) management

10/19/16 11:10

Data Communication

70

The GSM Radio Interface

MOBILE

K
N
I
L
N
W
z
O
H
D
M
60
9
935
K
z
N
I
H
L
M
P
5
U 91
0
89
BASE TRANSCEIVER STATION

10/19/16 11:10

Data Communication

71

GSM Interfaces
Air Interface
Um

Abis

CM

CM

MM

MM

RRM

LAPD
RF
10/19/16 11:10

RRM

RRM
LAPD LAPD
RF

RF

RRM

SCCP

SCCP

LAPD LAPD

LAPD

RF
Data Communication

RF

RF
72

GSM Protocol Layers


RF

: Physical Layer
LAPD: Link Layer, ISDN protocol based
SCCP: Signal Connection Control Layer, part
of link layer
RR: Radio Resource
MM: Mobility Management
CC: Call Control

10/19/16 11:10

Data Communication

73

The GSM Network Architecture


Time

division multiple access-TDMA


124 radio carriers
890 to 915mhz mobile to base - UPLINK
935 to 960mhz base to mobile - DOWNLINK
GSM combines FDM and TDM: bandwidth is
subdivided into channels of 200khz
(intercarrier spacing), shared by up to eight
stations, assigning slots for transmission on
demand (8 channels/carrier)
10/19/16 11:10

Data Communication

74

Frequency Multiplex
Separation of the whole spectrum into smaller frequency bands
A channel gets a certain band of the
spectrum for the whole time
Advantages:

no dynamic coordination
necessary
works also for analog signals

k1

k2

k3

k4

k5

k6

c
f

Disadvantages:

waste of bandwidth
if the traffic is
distributed unevenly
inflexible
guard spaces t

10/19/16 11:10

Data Communication

75

Time Multiplex

A channel gets the whole spectrum for a certain amount of time


Advantages:
only one carrier in the
medium at any time
k1
k2
k3
k4
k5
k6
throughput high even
for many users
c
Disadvantages:
precise
synchronization
necessary

10/19/16 11:10

Data Communication

76

Time and Frequency Multiplex

Combination of both methods


A channel gets a certain frequency band for a certain amount of time
Example: GSM
Advantages:

Better protection against


tapping
Protection against frequency
selective interference
Higher data rates compared to
code multiplex

But: precise coordination


required

k1

k2

k3

k4

k5

k6

c
f

t
10/19/16 11:10

Data Communication

77

GSM - TDMA/FDMA
fre
qu
en
c

935-960 MHz
124 channels (200 kHz)
downlink

890-915 MHz
124 channels (200 kHz)
uplink

higher GSM frame structures


time

GSM TDMA frame


1

8
4.615 ms

GSM time-slot (normal burst)


guard
space

tail

3 bits
10/19/16 11:10

user data

57 bits

user data

tail

1 26 bits 1

57 bits

S Training

Data Communication

guard
space

546.5 s
577 s

78

GSM Uses Paired Radio Channels


INK
L
P
U

INK
L
WN
O
D

890MHz

915MHz 935MHz

124

10/19/16 11:10

Data Communication

960MHz

124

79

GSM Logical and Physical


Channels
Um

interface: various logical channels are


mapped to physical channels
A physical channel is a timeslot with timeslot
number in a sequence of TDMA frames
8 physical channels mapped onto 8 timeslots
within TDMA frame per frequency carrier

10/19/16 11:10

Data Communication

80

GSM Physical Channels


TDMA frame = 4.615 ms
Timeslot 1

Frequency 1

Ch 1 Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

Frequency 2

Ch 1 Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

:
:

:
:

Frequency 124

Ch 1 Ch 2 Ch 3 Ch 4 Ch 5 Ch 6 Ch 7 Ch 8

10/19/16 11:10

Data Communication

81

GSM Logical Channel Structure


LOGICAL CHANNELS
TCH

FULL RATE
Bm 22.8 Kb/S

CBCH

CCCH

DCCH

HALF RATE
Lm 11.4 Kb/S

BCH

FCCH

CCH

SCH

DOWN LINK ONLY


10/19/16 11:10

BCCH

PCH

RACH

AGCH

UPLINK ONLY
Data Communication

SDCCH

SACCH

FACCH

BOTH UP & DOWNLINKS


82

Abbreviations

TCH
CCH
FCCH
SCH
BCCH
PCH
RACH
AGCH
SDCCH
SACCH
FACCH

10/19/16 11:10

TRAFFIC CHANNEL
CONTROL CHANNEL
FREQUENCY CORRECTION CHANNEL
SYNCHRONISATION CHANNEL
BROADCAST CONTROL CHANNEL
PAGING CHANNEL
RANDOM ACCESS CHANNEL
ACCESS GRANTED CHANNEL
STAND ALONE DEDICATED CONTROL CHANNEL
SLOW ASSOCIATED CONTROL CHANNEL
FAST ASSOCIATED CONTROL CHANNEL

Data Communication

83

GSM Logical Channels (1)


3

groups of logical channels, TCH, CCH and


CBCH
TCH is used to carry voice or data traffic
CCH is used for control functions
CBCH is used for broadcast functions

10/19/16 11:10

Data Communication

84

GSM Logical Channels (2)


Logical traffic channels = full rate (TCH/F) at
22.8 kb/s or half rate (TCH/H) at 11.4 kb/s
Physical channel = full rate traffic channel (1
timeslot) or 2 half rate traffic channels (1
timeslot in alternating frames)
Full rate channel may carry 13 kb/s speech or
data at 12, 6, or 3.6 kb/s
Half rate channel may carry 6.5 kb/s speech or
data at 6 or 3.6 kb/s

10/19/16 11:10

Data Communication

85

GSM Logical Channels: BCH

CCH consists of 3 groups of logical control channels,


BCH, CCCH and DCCH
BCH (broadcast channel): point-to-multipoint downlink
only (a base to mobile channel). Contains three subchannels, BCCH, FCCH and SCH

BCCH: provides general information about the network, the cell in


which the mobile is currently located and the adjacent cells, send cell
identities, organization info about common control channels, cell
service available, etc
FCCH: provides information for carrier synchronization, send a
frequency correction data burst containing all zeros to effect a
constant frequency shift of RF carrier
SCH (synchronization channel): carries information for frame
synchronization and identification of the base station transceiver,
send TDMA frame number and base station identity code to
synchronize MSs

10/19/16 11:10

Data Communication

86

GSM Logical Channels: CCCH

CCCH (common control channel): Consists of three subchannels, PCH, AGCH and RACH. This channels is used
for paging and access

PCH (paging channel): a base to mobile channel to page


MSs, to alert a mobile to a call originating from the network
AGCH (access grant channel): a mobile to base channel
used to request for dedicated resources, to assign MSs to
stand-alone dedicated control channels for initial
assignment
RACH (random access channel): a base to mobile which is
used to assign dedicated resources (SDCCH or TCH)

10/19/16 11:10

Data Communication

87

GSM Logical Channels: DCCH

DCCH (dedicated control channel): bi-directional point-to-point -- main


signaling channels. Consist of three sub-channels: SDCCH, SACCH, and
FACCH
SDCCH: a bi-directional channel allocated to a specific mobile for
exchange of location update information and call set up information,
for service request, subscriber authentication, equipment validation,
assignment to a traffic channel
SACCH: a bi-directional channel used for exchanging control
information between base and a mobile during the progress of a call
set up procedure. The SACCH is associated with a particular traffic
channel or stand alone dedicated control channel, for out-of-band
signaling associated with a traffic channel, eg, signal strength
measurements
FACCH: a bi-directional channel which is used for exchange of time
critical information between mobile and base station during the
progress of a call. The FACCH transmits control information by
stealing capacity from the associated TCH, for preemptive signaling
on a traffic channel, eg, for handoff messages
10/19/16 11:10

Data Communication

88

GSM Frame
SACCH is
transmitted in
frame 12

0 to 11 and 13 to 24
Are used for traffic data
0

3
10/19/16 11:10

Full rate
channel is
idle in 25

57

12

26

24

Data Communication

Frame
duration
= 120ms

25

57

Frame
duration =
60/13ms

8.25

Frame
duration
=
15/26ms

89

GSM Frame
114

bits are available for data transmission.


The training sequence of 26 bits in the middle
of the burst is used by the receiver to
synchronize and compensate for time
dispersion produced by multipath
propagation.
1 stealing bit for each information block (used
for FACCH)
10/19/16 11:10

Data Communication

90

Location update from the mobile


Mobile looks for BCCH after switching on
RACH send channel request
AGCH receive SDCCH
SDCCH request for location updating
SDCCH authenticate
SDCCH authenticate response
SDCCH switch to cipher mode
SDCCH cipher mode acknowledge
SDCCH allocate TMSI
SDCCH acknowledge new TMSI

10/19/16 11:10

SDCCH switch idle update mode


Data Communication

91

Call establishment from a mobile


Mobile looks for BCCH after switching on
RACH send channel request
AGCH receive SDCCH
SDCCH send call establishment request
SDCCH do the authentication and TMSI allocation
SDCCH send the setup message and desired number
SDCCH require traffic channel assignment
FACCH switch to traffic channel and send ack (steal bits)
FACCH receive alert signal ringing sound
FACCH receive connect message
FACCH acknowledge connect message and use TCH

10/19/16 11:10

TCH conversation
continues
Data Communication

92

Call establishment to a mobile


Mobile looks for BCCH after switching on
Mobile receives paging message on PCH
Generate Channel Request on RACH
Receive signaling channel SDCCH on AGCH
Answer paging message on SDCCH
Receive authentication request on SDCCH
Authenticate on SDCCH
Receive setup message on SDCCH
Receive traffic channel assignment on SDCCH
FACCH switch to traffic channel and send ack (steal bits)
Receive alert signal and generate ringing on FACCH
Receive connect message on FACCH
10/19/16 11:10

Communication
FACCH acknowledge connectData
message
and switch to TCH

93

GSM Speech Coding


GSM

is a digital system, so speech which is


inherently analog, has to be digitized.
The method employed by current telephone
systems for multiplexing voice lines over high
speed trunks and is pulse coded modulation
(PCM). The output stream from PCM is 64
kbps, too high a rate to be feasible over a
radio link.
10/19/16 11:10

Data Communication

94

GSM Speech Coding


Speech

is divided into 20 millisecond


samples, each of which is encoded as 260
bits, giving a total bit rate of 13 kbps.
Regular pulse excited -- linear predictive
coder (RPE--LPC) with a long term predictor
loop is the speech coding algorithm.

10/19/16 11:10

Data Communication

95

GSM Speech Coding


BS Side
8 bit A-Law
to
13 bit Uniform

8 K sps

RPE/LTP
speech Encoder

To Channel Coder 13Kbps

RPE/LTP
speech Encoder

To Channel Coder 13Kbps

MS Side
LPF

A/D

8 K sps,

Sampling Rate - 8K
Encoding - 13 bit Encoding (104 Kbps)
RPE/LTP - Regular Pulse Excitation/Long Term Prediction
RPE/LTP converts the 104 Kbps stream to 13 Kbps
10/19/16 11:10

Data Communication

96

GSM Network Layer


Network layer consists of 3 sublayers
Radio resource management (RR) sublayer

Establishment, maintenance, and termination of


radio channel connections

Mobility

Registration, authentication, and location tracking

Call

management (MM) sublayer

control (CC) sublayer

Establishment, maintenance, and termination of


circuit-switched calls

10/19/16 11:10

Data Communication

97

Roaming
When

a MS enters another operators


network, it can be allowed to use the services
of this operator

Operator to operator agreements and contracts


Higher billing

The

MS is identified by the information in the


SIM card and the identification request is
forwarded to the home operator

The home HLR is updated to reflect the MS's


location

10/19/16 11:10

Data Communication

98

GSM Roaming From Another


PLMN
VLR

registers users roaming in its area

Recognizes mobile station is from another PLMN


If roaming is allowed, VLR finds the mobiles HLR
in its home PLMN
VLR constructs a global title from IMSI to allow
signaling from VLR to mobiles HLR via public
telephone network
VLR generates a mobile subscriber roaming
number (MSRN) used to route incoming calls to
mobile station
MSRN is sent to mobiles HLR

10/19/16 11:10

Data Communication

99

GSM Roaming, contd


VLR

contains
MSRN
TMSI
Location area where mobile station has
registered
Info for supplementary services (if any)
IMSI
HLR or global title
Local identity for mobile station (if any)

10/19/16 11:10

Data Communication

100

GSM Security (1)


3

security problems
unauthorized access
privacy from eavesdropping
protection of subscriber identity/location

10/19/16 11:10

Data Communication

101

GSM Security (2)


Unauthorized

(fraudulent) access

GSM handsets must be presented with a subscriber


identity module (SIM)
SIM must be validated with personal identification
number (PIN)
SIM also stores subscriber authentication key,
authentication algorithm, cipher key generation
algorithm, encryption algorithm
During registration (when roaming), mobile station
receives challenge and uses authentication key and
authentication algorithm to generate challenge
response to verify users identity

10/19/16 11:10

Data Communication

102

GSM Security (3)


Privacy

from eavesdropping
Temporary encryption key is used for
privacy of data, signaling, and voice
Info is encrypted before transmission

10/19/16 11:10

Data Communication

103

GSM Security (4)


Anonymity

of users

Supported by temporary mobile subscriber ID


(TMSI)
When registered, mobile station sends globallyunique international mobile subscriber ID (IMSI)
to network
Network assigns TMSI for use during call - IMSI
is not sent over radio link
Only network and mobile station know true
identity
New TMSI is assigned when roam into new are

10/19/16 11:10

Data Communication

104

GSM Security (5)


Fetched

triplets are stored in VLR

Every call uses up one triplet (discarded)


Another set must be fetched when exhausted
Visited system

IMSI/TMSI
+ LAI

Registration request

IMSI/TMSI identifies user,


LAI points to old VLR,
requests data to
authenticate user

Subscriber data
Old VLR
10/19/16 11:10

Data Communication

105

GSM Security (6)


Visited system

Calculates
response
by authentication
algorithm

Requests triplets
from home system,
chooses a triplet

Challenge
Challenge response

New TMSI

Compares to stored
response in triplet,
registration successful
if matches
Assigns new TMSI

Acknowledge

10/19/16 11:10

Data Communication

106

GSM Security (7)


Visited system

Location update
HLR

Acknowledge

Registration
cancel

Old VLR

10/19/16 11:10

Data Communication

107

Handoff / Handover
Hard handover / handoff:
When a call is in process the changes in location
require more processing
Within a BSS the BSC, which knows the current
radio link configuration, prepares an available
channel in the new BTS
The MS is told to switch over to the new BTS
Soft handover:
the MS is connected to two BTSes simultaneously
10/19/16 11:10

Data Communication

108

Handoff / Handover: Types


Movement into a different cell requires MTSO to
automatically transfer call to another base
station without interruption
Two types of handoff
hard handoff
break before make, connection is broken
then re-established
soft handoff
temporarily connected to two or more base
stations simultaneously before dropping all
but one

10/19/16 11:10

Data Communication

109

Phases of Handoff

Handoff Decision/Initiation

Resource reservation

frequencies are reserved with new base station

Execution

Base station detects measured signal strength drops


below threshold (first generation) or mobile station
detects signal from another base station is stronger than
current base station (second generation)

actual handoff of connection

Clearing Resources / Completion

unneeded resources are cleared

10/19/16 11:10

Data Communication

110

Handoff: Types
There

are three type of handoffs

MS controlled handoff
Network controlled handoff
Mobile assisted handoff (MAHO)

D-AMPS

and CDMA use MAHO, AMPS uses


network controlled handoff.
Capabilities required for the MS are taken
into account.
10/19/16 11:10

Data Communication

111

Handoff Illustrated (1)

BS

BS
PSTN

Target MSC #1

Serving MSC

BS
Target MSC #2

HANDMREQ
HANDMREQ
HANDMREQR

10/19/16 11:10

Data Communication

112

Handoff Illustrated (2)

BS

BS
PSTN

Serving MSC

Target MSC #1

FACDIR
FACDIRR
MSONCH

10/19/16 11:10

Data Communication

113

Handoff Illustrated (3)


What happens if we go back to the anchor MSC?
What if a third MSC gets involved?
Path minimization process

BS

BS
PSTN

10/19/16 11:10

Anchor MSC

New Serving MSC

Data Communication

114

Path Optimization Process (1)


6
BS

7
BS

BS
Serving MSC
PSTN

Anchor MSC

HANDTHIRD
2

Target MSC

FACDIR
FACDIRR

5 HANDTHIRDR
9

FACREL
FACRELR

10/19/16 11:10

MSONCH

10
Data Communication

115

Path Optimization Process (2)


BS
BS

BS
MSC
PSTN

Anchor MSC

New Serving MSC

Call Path after path minimization process

10/19/16 11:10

Data Communication

116

Handoff Challenge

Measured signal strength drop is caused by


momentary fading
Handoff must be completed before signal strength
drops below a minimum acceptable level
No channels are free at nearby base stations,
causing call connection problems, dropped calls.
If mobile station moves to another cellular system
(controlled by different MTSO), an intersystem
handoff is required - more complicated

10/19/16 11:10

Data Communication

117

GSM Handoffs
3

types of handoffs
Intra-BSS: if old and new BTSs are
attached to same base station
MSC

is not involved

Intra-MSC:

if old and new BTSs are


attached to different base stations but
within same MSC
Inter-MSC: if MSCs are changed
10/19/16 11:10

Data Communication

118

GSM Intra-MSC Handoff (1)

Mobile station monitors signal quality and determines handoff


is required, sends signal measurements to serving BSS
Serving BSS sends handoff request to MSC with ranked list
of qualified target BSSs
MSC determines that best candidate BSS is under its control
(assumed here)
MSC reserves a trunk to target BSS
Target BSS selects and reserves radio channels for new
connection, sends Ack to MSC
MSC notifies serving BSS to begin handoff, including new
radio channel assignment

10/19/16 11:10

Data Communication

119

GSM Intra-MSC Handoff (2)

Serving BSS forwards new radio channel assignment to


mobile station
Mobile station re-tunes to new radio channel, notifies
target BSS on new channel
Target BSS notifies MSC that handoff is detected
Target BSS and mobile station exchange messages to
synchronize transmission in proper timeslot
MSC switches voice connection to target BSS, which
responds when handoff is complete
MSC notifies serving BSS to release old radio traffic
channel
10/19/16 11:10

Data Communication

120

GSM Inter-MSC Handoff (1)

Mobile station monitors signal quality and determines


handoff is required, sends signal measurements to serving
BSS
Serving BSS sends handoff request to MSC with ranked
list of qualified target BSSs
Serving MSC determines that best candidate BSS is under
control of a target MSC (assumed here) and calls target
MSC through PSTN
Target MSC notifies its VLR to assign a TMSI
Target VLR returns TMSI
Target MSC reserves a trunk to target BSS
10/19/16 11:10

Data Communication

121

GSM Inter-MSC Handoff (2)

Target BSS selects and reserves radio channels for new


connection, sends Ack to target MSC
Target MSC notifies serving MSC that it is ready for
handoff
Serving MSC notifies serving BSS to begin handoff,
including new radio channel assignment
Serving BSS forwards new radio channel assignment to
mobile station
Mobile station re-tunes to new radio channel, notifies
target BSS on new channel
10/19/16 11:10

Data Communication

122

GSM Inter-MSC Handoff (3)


Target

BSS notifies target MSC that handoff is


detected
Target BSS and mobile station exchange
messages to synchronize transmission in
proper timeslot
Voice connection is switched to target BSS,
which responds when handoff is complete
Target MSC notifies serving MSC
Old network resources are released
10/19/16 11:10

Data Communication

123

Performance Characteristics of GSM

Communication: mobile, wireless communication; support for


voice and data services
Total mobility: international access, chip-card enables use of
access points of different providers
Worldwide connectivity: one number, the network handles
localization
High capacity: better frequency efficiency, smaller cells, more
customers per cell
High transmission quality: high audio quality and reliability for
wireless, uninterrupted phone calls at higher speeds (e.g., from
cars, trains)
Security functions: access control, authentication via chip-card
and PIN
10/19/16 11:10

Data Communication

124

Disadvantages of GSM

No full ISDN bandwidth of 64 kbit/s to the user


Reduced concentration while driving
Electromagnetic radiation
Abuse of private data possible
High complexity of the system
Several incompatibilities within the GSM standards

10/19/16 11:10

Data Communication

125

Reading Suggestion
Wireless

Communications: Principles and


Practice, Rappaport, sections 2.1
Wireless personal communications systems,
Goodman, Chapter 7

10/19/16 11:10

Data Communication

126