Contents

1 Introduction 3 BSS, MSS, OSS and MS

4 GSM Protocol Stack 6 Call Setup (MO, MT) 5 Radio Interface

7 Location Update 9 Security 8 Handover

Architecture

7/12/12

11

Introduction

7/12/12

22

Introduction / History

Developed by Group Spciale Mobile (founded 1982) which was an initiative of CEPT (Conference of European Post and Telecommunication ) to replace the incompatible analog system Presently the responsibility of GSM standardization resides with special mobile group under ETSI (European telecommunication Standards Institute ) Under ETSI, GSM is named as Global System for Mobile communication it is a 2G cellular standard developed to cater voice services and data delivery using digital modulation. GSM uses a combination of time division multiple access (TDMA) and Frequency Division Multiple Access (FDMA). Tri-band phones use the 900, 1800 and 1900 MHz GSM frequencies. Quad band phones are also available covering the 850, 900, 1800 and 1900 MHz GSM frequency bands.

7/12/12

33

GSM Subscriber Growth

More than 3 billion subscribers in world and 400 million subscriber in India

7/12/12

44

GSM Frequencies

7/12/12

Single Band Dual Band Tri Band Quad .

850MH z 900MH z 1800M Hz 55 1900M

GSM Services
Services offered by GSM

Tele-services

Telecommunication services that enable voice communication via mobile phones Offered services include Mobile telephony and Emergency calling

Bearer or Data Services

Include various data services for information transfer between GSM and other networks like PSTN, ISDN 7/12/12 rates from 300 to 9600 bps . 66 etc at

Architecture

7/12/12

77

GSM Architecture

7/12/12

88

BSS, MSS, OSS and MS

7/12/12

99

GSM Network Entities (1/3)

MS (Mobile Station) - The MS consists of the physical equipment used by a PLMN subscriber; it comprises the Mobile Equipment (ME) and the Subscriber Identity Module (SIM), called USIM for Release 99 and following. Access Network (AN) Entities - Radio-related functions between mobile stations and network are performed by the following entities:

BSC (Base Station Controller) It is a high-capacity switch with radio communication and mobility control capabilities. The functions include radio channel allocation, location update, handover, timing advance, power control and paging. BTS (Base transceiver station) It is a radio transceiver station that communicates with the mobile stations. Its backend is connected to the BSC. 1010 7/12/12 Its transmitting power defines . size of a cell. the

GSM Network Entities (2/3)

PLMN - Public Land Mobile Network These are responsible for call connection, supervision and release operations between calling and called stations. HLR (Home Location Register) HLR is the database that contains a subscription record for each subscriber of the network. A GSM subscriber is normally associated with one particular HLR. The HLR is responsible for the sending of subscription data to the VLR (during registration) or GMSC (during mobile terminating call handling).
-

MSC (mobile switching center)/ VLR (Visitor Location Register) MSC performs the telephony switching function. A mobile station must be attached to a single MSC at a time (either homed or visitor), if it is currently active (not switched off). The VLR is a database attached to an MSC to contain information about its currently associated mobile stations (not. just for visitors). 7/12/12 1111

GSM Network Entities (3/3)

PLMN - Public Land Mobile Network(Contd.) AUC (Authentication Center) - The AUC provides authentication and encryption parameters that verify the user's identity and ensure the confidentiality of each call. The GSM has standard encryption and authentication algorithm which are used to dynamically compute challenge keys and encryptions keys for a call.

EIR (Equipment Identity Register) The EIR in the GSM system is the logical entity which is responsible for storing in the network the International Mobile Equipment Identities (IMEIs), used in the GSM system. The equipment is classified as "white listed", "grey listed", "black listed" or it may be unknown.

GMSC (Gateway MSC) GMSC is the switching entity that controls mobile terminating calls. On call establishment towards a GSM subscriber, a GMSC contacts the HLR of that subscriber, to obtain the address. of the MSC where that subscriber is currently registered. 7/12/12 1212

GSM Protocol Stack

7/12/12

1313

GSM Protocol Layers 1/2

7/12/12

1414

GSM Protocol Layers 2/3

CM (Connection Management) - Call control, short message service and supplementary service

MM (Mobility Management) - Registration, authentication, location and handover management

RR (Radio Resource Management) - Setup, maintenance and release of radio channels - Control of radio transmission quality

LAPDm (Link Access Protocol D-channel modified) - Modified version of ISDN LAPD protocol

BTSM (Base Transceiver Station Management) - Radio resources control messages between BSC and BTS - BSSAP (Base Station System Application Part)

7/12/12

- Control of BSC by MSC

1515

GSM Interfaces (1/3)

2G MS (voice only) BSS Abis E A B MS BTS BSC MSC VLR C D H HLR GMSC PSTN NSS

PSTN

SS 7
AuC

BSS Base Station System BTS Base Transceiver Station BSC Base Station Controller

NSS Network Sub-System MSC Mobile-service Switching Controller VLR Visitor Location Register HLR Home Location Register

AuC Authentication Server GMSC Gateway MSC

GSM Interfaces (2/3)

Um-interface The interface between the MS and the BSS.

Abis-interface The Abis-interface is the interface between the BTS and the BSC The transmission rate is 2.048 Mbps, which is partitioned into 32 channels of 64 Kbps each

A-interface The BSS-MSC interface is used to carry information concerning: BSS management, Call handling and Mobility management

C-interface Interface between HLR and MSC The Gateway MSC must interrogate the HLR of the 7/12/12 . required subscriber to obtain routing information for a call

1717

GSM Interfaces (3/3)

B-interface

Interface between the MSC and its associated VLR. When MSC needs data related to a given mobile station currently located in its area, it interrogates the VLR This interface is internal to the MSC/VLR; signaling on it is not standardized D-interface Interface between HLR and VLR. This interface is used to exchange the data related to the location of the mobile station and to the management of the subscriber

G-interface When a mobile subscriber moves from a VLR area to another Location Registration is done. This procedure may result in retrieval of the IMSI and authentication parameters 7/12/12 . from the old VLR.

1818

Identifiers in the GSM Network (1/3)

IMSI (International Mobile Subscriber Identity)

IMSI is embedded on the SIM card and is used to identify a subscriber. The IMSI is also contained in the subscription data in the HLR.

MCC (Mobile Country Code) It identifies the country for mobile networks. The MCC is not used for call establishment.

MNC (Mobile Network Code ) It identifies the mobile network within a country . MCC and MNC together identify a PLMN for MNC usage. The MNC may be two or three digits in length.

MSIN (mobile subscriber identification number ) It is the subscriber identifier within a PLMN.

7/12/12

1919

Identifiers in the GSM Network (2/3)

MSISDN Number (Mobile Station Integrated Services Digital Network Number)

The MSISDN is not stored on the subscribers SIM card and is normally not available in the MS.

The MSISDN is provisioned in the HLR, as part of the subscribers profile, and is sent to MSC during registration.

CC (Country Code) It identifies the country or group of countries of the subscriber. NDC (National Destination Code) Each PLMN in a country has one or more NDCs allocated to it; the NDC may be used to route a call to the appropriate network. SN (Subscriber Number) It identifies the subscriber within the number plan of a PLMN.

7/12/12

2020

Identifiers in the GSM Network (3/3)

IMEI ( International Mobile Equipment Identifier )

Each mobile equipment has a unique IMEI number

IMEI is hardcoded in ME and cannot be modified

The IMEI is not used for routing or subscriber identification

The IMEI is composed of Type Allocation Code (TAC). Its length is of 8 digits. Serial Number (SNR) is an individual serial number uniquely identifying each equipment within each TAC. Its length is 6 digits. Spare digit: this digit shall be zero.

7/12/12

2121

Radio Interface

7/12/12

2222

GSM Radio / Physical Layer

FDMA/TDMA

(1/6)

7/12/12

2323

GSM Radio / Physical Layer

(2/6)

GSM Frames - 1 time slot = 156.25 bit = 0.577ms

1 frame = 8 time slots = 4.615 ms

- 1 hyperframe = 2048 superframes

For speech 1 superframe = 51 multiframes and 1 multiframe = 26 frames For Signaling 1 superframe = 26 multiframes and 1 multiframe = 51 frames . 2424

7/12/12

GSM Radio / Physical Layer

(3/6)

The data transmitted during a single time slot is known as a burst. Each burst allows 8.25 bits for guard time. Prevents bursts from overlapping.

Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is designed to compensate for the time it takes for the power to rise up to its peak during a transmission. The bits at the end compensate for the powering down at the end of the transmission.

Data Bits/Encrypted bits - There are two data payloads of 57 bits each. Stealing Flags - Indicates whether the burst is being used for voice/data

Training Sequence - The training sequence bits are used to overcome multi-path fading and propagation effects through a method called equalization. 7/12/12 . 2525

GSM Radio / Physical Layer

Physical Vs. Logical Channels
Physical channels

(4/6)

Physical channels Using FDMA and TDMA techniques, each carrier is divided into 8 timeslots

Logical channels

Logical channels There are two main categories of logical channels in GSM: Control Channels Traffic Channels are used to carry two types of information to and from the user - Encoded Speech and Data 7/12/12 .

2626

GSM Radio / Physical Layer

Broadcast Channels Logical Channel Description FCCH SCH

(5/6)

MS scans for this signal after switch on and tunes to it Contains BSIC code used by the MS to check the frequency measured by it is coming from a particular BS

BCCH Detailed BTS and cell information Common Control Channels Logical Channel Description PCH RACH AGCH 7/12/12 Used to broadcast paging message for mobile terminated call Only uplink channel and used to initiate a transaction to the paging channel Answer to RACH and assigns an SDCCH . 2727

GSM Radio / Physical Layer

Dedicated Control Channels Logical Channel Description SDCCH SACCH FACCH

(6/6)

Used for system signalling,callsetup, assignment of traffic channel Transmits measurement reports and used for radio control Used for handover, It is mapped to a traffic channel and steals 20ms of traffic channel

7/12/12

2828

6 Call Setup (MO, MT)

7/12/12

2929

Mobile Originated Call (1/2)

7/12/12

3030

Mobile Originated Call (2/2)

7/12/12

3131

Mobile Terminated Call (1/2)

7/12/12

3232

Mobile Terminated Call (2/2)

7/12/12

3333

Location Update

7/12/12

3434

Location update (1/4)

Location Area Cells are grouped into Location Areas updates sent only when LA is changed; paging message sent to all cells in last known LA

Location registration MS has to register with the PLMN to get communication services Registration is required for a change of PLMN MS has to report to current PLMN with its IMSI and receive new TMSI by executing Location Registration process. The TMSI is stored in SIM, so that even after power on or off, there is only normal Location Update. If the MS recognizes by reading the LAI broadcast on BCCH that it is in new LA, it performs Location Update to update the HLR records. Location update procedure could also be performed periodically, independent of the MS movement. The difference in Location Registration and Location Update is that in location update the MS has already been assigned a TMSI. 7/12/12 . 3535

Location update (2/4)

Case 1: Inter-LAHLR Movement

VLR 1
MS C1 MS C2

VLR 1
HLR: Home Location Register VLR: Visitor Location Register MSC: Mobile Switching Center LA: Location Area MS: Mobile Station

A location update request message_ack MAP_UPDATE_LOCATION_AREA_ack MAP_UPDATE_LOCATION_AREA A location update request message LA1
M S

LA2

7/12/12

3636

Location update (3/4)

HLR Case 2: Inter-MSC Movement VLR 1

MS C1 MS C2

VLR 1
A MAP_UPDATE_LOCATION_AREA MAP_UPDATE_LOCATION_AREA_ack location update request message_ack A location update request message MAP_UPDATE_LOCATION_ack MAP_UPDATE_LOCATION

LA1
M S

LA2

7/12/12

3737

Location update (4/4)

HLR Case 3: Inter-VLR Movement MAP_CANCEL_LOCATION_ack MAP_CANCEL_LOCATION VLR 1
MS C1 MS C2

VLR 1
MAP_UPDATE_LOCATION_AREA_ack A location update request message_ack

LA1
M S

LA2 MAP_SEND_IDENTIFICATION_ack MAP_UPDATE_LOCATION_AREA AMAP_UPDATE_LOCATION_ack MAP_SEND_IDENTIFICATION location update request MAP_UPDATE_LOCATION message .

7/12/12

3838

Handover

7/12/12

3939

Handover

(1/2)

There are four different types of handover in the GSM system. Handover involves transferring a call between: Channels (time slots) in the same cell Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC) Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC) Cells under the control of different MSCs Handovers are initiated by the BSS/MSC (as a means of traffic load balancing). During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength. This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm. . 4040

7/12/12

Handover
Connection route
9

(2/2)
8

MSC -A
1

MSC -B
6

MSC -C
8

4 B T S 1 2

B S C

B T S 2 5

B S C
B T S 3

B S C
B T S 3

7/12/12

4141

Security

7/12/12

4242

GSM Authentication

Authentication Mechanism

Authentication is performed by a challenge and response mechanism

On receiving a random challenge from the network, the mobile encrypts the challenge using A3 algorithm and the key Ki assigned to the mobile, and sends the response back

The Response so sent is passed through an algorithm A8 by both mobile and network to derive Kc, which is used for encryption

7/12/12

4343

References
3GPP TS 23.002 version 3.6.0 Release 1999 q GSM Networks - Protocols, Terminology and Implementation.pdf
q

7/12/12

4444

Abbreviations

(1/2)

7/12/12

AUC Authentication Center BSC Base Station Controller BSS Base Station Subsystem BTS Base Transceiver System (Antenna System + Radio Base Station) EIR Equipment Identification Register (for IMEI verification) IMEI International Mobile Equipment Identity GMSC Gateway MSC HLR Home Location Register ISDN Integrated Services Digital Network IWF Interworking Function ILR Interworking Location Register (roaming between AMPS and GSM system) IWMSC Interworking MSC MS Mobile Station MSC Mobile Switching Center NSS Network Switching Subsystem OSS Operation and Support System PDN Public Data Network PLMN Public Land Mobile Network PSTN Public Switched Telephone Network SMS Short Message Service SABME Set Asynchronous Balance Mode Extended VLR Visitor Location Register

4545

Abbreviations
AGCH Access Grant Channel BCCH Broadcast Common Control Channel CBCH Cell Broadcast Channel FACCH Fast Associated Control Channel FCCH Frequency Correction Channel PCH Paging Channel RACH Random Access Channel SDCCH Standalone Dedicated Control Channel SACCH Slow Associated Control Channel SCH Synchronization Channel

(2/2)

7/12/12

4646