gsm fundamentals
1.0 Introduction
Third generation or 3G is now the generally accepted term used to describe the next wave of
mobile networks and services. First generation (1G) is used to categorize the first analogue
mobile systems that emerged in the 1980s, such as the advanced mobile phone system
(AMPS) and nordic mobile telephony (NMT). These systems provided a limited mobile
solution for voice, but had major limitations, particularly in terms of interworking, security
and quality. The next wave, second generation (2G), arrived in the late 1980s and moved
towards a digital solution which gave the added benefit of allowing the transfer of data and
provision of other non-voice services. Of these, the global system for mobile communication
(GSM) has been the most successful, with its global roaming model. Third generation (3G)
leverages on the developments in cellular to date, and combines them with complementary
developments in both the fixed-line telecoms networks and from the world of the Internet.
The result is the development of a more general purpose network, which offers the
flexibility to provide and support access to any service, regardless of location [1].
1.1 First Generation
A first-generation cellular radio network includes the mobile terminals, the base stations and
the mobile switching centers (MSCs). First-generation wireless systems provide analog speech and
inefficient, low-rate data transmission between the base station and the mobile user. The
speech signals are usually digitized for transmission between the base station and the MSC.
The advanced mobile phone system (AMPS) is an example of the first-generation wireless network which
was first built by engineers from AT&T Bell Laboratories. In the first-generation cellular
networks, the MSC maintains all mobile related information and controls each mobile
handoff. The MSC also performs all of the network management functions, e.g., call
handling and processing, billing, etc. The MSC is interconnected with the PSTN via wired
trunks and a tandem switch. MSCs are also connected with other MSCs via dedicated
signaling channels (mostly via SS7 network) for the exchange of location, authentication,
and call signaling information. The US cellular carriers use the IS-41 protocol [IS41] to
allow MSCs of different service providers to pass information about their subscribers to
other MSCs on demand. IS-41 relies on the autonomous registration feature of AMPS [2]. A
mobile uses autonomous registration to notify a serving MSC of its presence and location.
The mobile accomplishes this by periodically transmitting its identity information, e.g., MIN
and ESN, which allows the MSC to constantly update an entry in its database about the
whereabouts of the mobile. The MSC is able to distinguish home users from roaming users
based on the MIN of each active user. The Home Location Register (HLR) keeps the
location information of each home subscriber while the Visiting Location Register (VLR)
only keeps information of a roaming user. The visited system creates a VLR record for each
new roamer and notifies the home system via the IS-41 so it can update its own HLR [1].
In first generation systems, a voice call is modulated to a higher frequency of about
150 MHz and up as it is transmitted between radio towers. This is done using a technique
called Frequency-Division Multiple Access (FDMA). In terms of overall connection quality,
first generation compares unfavourably to its successors. It has low capacity, unreliable
handoff, poor voice links, and no security at all since voice calls were played back in radio
towers, making these calls susceptible to unwanted eavesdropping by third parties. However,
first generation did maintain a few advantages over second generation. In comparison to first
generation’s analog signals, second generation digital signals are very reliant on location and
proximity. If a 2G handset made a call far away from a cell tower, the digital signal may not
be strong enough to reach it. While a call made from a first generation handset had generally
poorer quality than that of a second generation handset, it survived longer distances. This is due
to the analog signal having a smooth curve compared to the digital signal, which had a
jagged, angular curve. As conditions worsen, the quality of a call made from a first
generation handset would gradually worsen, but a call made from a second generation
handset would fail completely [3].
Fig.1.0 Architecture of first generation [2]
1.2 Second Generation
The roots of the development of the global system for mobile communications (GSM) began
with a group formed by the European Conference of Postal Telecommunications
Administrations (CEPT) to investigate the development of a standard mobile telephone
system to be used throughout Europe. This group was known as the Groupe Special Mobile
or GSM for short, and this is initially where the acronym GSM came from; however, it is
now widely understood to stand for global system for mobile communications. A unified
telephone system was desirable since Europe is made up of many separate countries each
with their own government, language, culture and telecommunication infrastructure, much
of which was still in the hands of state-run monopolies. As there is much trade between
these countries, a mobile network which would free users to roam internationally from
country to country was seen as a valuable asset. The other major region to discuss in parallel
is movements in mobile communications in the USA. Mobile technology was advancing
there also, but the motivation to provide roaming capabilities was not such a fundamental
requirement, since it is one country. There was and is considerable regionalization of
communications in the USA and this was reflected in the proliferation of mobile devices,
where operators only needed to cater for the domestic market. GSM was eventually adopted
as a European standard by the European Telecommunications Standards Institute (ETSI). It
has been standardized to operate on three principal frequency regions, being 900 MHz, 1800
MHz and 1900 MHz. GSM is by far the most successful of the second generation cellular
systems, and has seen widespread adoption not only across Europe but also throughout the
Asia-Pacific region, and more recently, the Americas. Some of the large mobile network
operators in the USA are also introducing GSM, either as a migration step towards the
UMTS flavour of 3G or simply in addition to the current offerings [3].
1.2.1 General Architecture
Figure 1.1 shows the general architecture of a GSM network. The various
functional blocks are explained as follows.
Mobile station (MS)
The MS consists of the mobile equipment (ME; the actual device) and a smart card called
the subscriber identity module (SIM). The SIM offers personal mobility since the user can
remove the SIM card from one mobile device and place it in another device without
informing the network operator. In contrast, most other 2G systems require a registration
update to the operator. The SIM contains a globally unique identifier, the international
mobile subscriber identity (IMSI), as well as a secret key used for authentication and other
security procedures. The IMSI (or a variation of it for security purposes) is used throughout
the network as the identifier for the subscriber. This system enables a subscriber to change
the mobile equipment and still be able to make calls, receive calls and receive other
subscriber information by simply transferring the SIM card to the new device. Any calls
made will appear on a single user bill irrespective of changes in the mobile device [2]. The
mobile equipment is also uniquely identifiable by the international mobile equipment
identity (IMEI). The IMEI and IMSI are independent, thus providing the user flexibility by
separating the concept of subscriber from access device. Many operators still issue ‘locked’
mobile devices where the equipment is tied for use only on a particular operator’s network.
A mobile device not equipped with a SIM must also still be able to make emergency calls. To
protect the call from undesirable snooping or listening in, the IMSI will not always be
transmitted over the cell to identify the subscriber. Instead a temporary IMSI (T-IMSI)
identifier is used and changed at regular intervals. Note that for extra security the whole
data stream is encrypted over the air interface.
Fig 1.1 Architecture of second generation
Base station subsystem (BSS)
The base station subsystem (BSS) is composed of three parts, the base transceiver station
(BTS), the base station controller (BSC), which controls the BTSs, and the transcoding and
rate adaption unit (TRAU) [1].
Base transceiver station (BTS)
The BTS houses the radio transceivers (TRXs) that define a cell and handle the radio link
with the mobile station. As was seen, each transceiver can handle up to eight full-rate users
simultaneously. If more than eight full-rate users request resources within the TRX then they
will receive a busy tone, or a network busy message may be displayed on the mobile device.
It is possible to increase the number of simultaneous users in a cell by increasing the number
of TRXs, hence the number of frequencies used. When a mobile device moves from one cell
to another the BTS may change. Within the GSM system a mobile device is connected to
only one BTS at a given time. The first TRX in a cell can actually only handle a maximum
of seven (possibly less) simultaneous users since one channel on the downlink is used for
broadcasting general system information through what is known as the broadcast and control
channel (BCCH). The BTS is also responsible for encrypting the radio link to the mobile
device based on security information it receives from the core network [3].
Base station controller (BSC)
The BSC manages the radio resources for one or more BTSs. It handles the radio channel
setup, frequency hopping and handover procedures when a user moves from one cell to
another. When a handover occurs, the BSC may change; it is a design consideration that this
will not change with the same regularity as a BTS change. A BSC communicates with the
BTS through time division multiplex (TDM) channels over what is referred to as the Abis
interface, generally implemented using E1 or T1 lines. If the numerous BTSs and the
corresponding BSC are in close proximity then this link may be a fibre optic or copper cable
connection. In some cases, there are a large number of BTSs in close proximity but quite
some distance away from the controlling BSC. In such cases it may be more efficient to
relay the calls from each of the BTSs to a single BTS via microwave links. This type of link
may be very cost effective since generally the running costs of a point-to-point microwave
link may be free. Of course this has to be weighed against the cost of the purchasing and
deployment of the equipment. The collector BTS can then connect to the BSC via another
microwave link or via a landline cable. A problem with the above system is that if the
collector BTS fails then calls from the other BTSs may also fail. To overcome this problem
it is possible to have two collector BTSs both sending the calls to the BSC. This forms a
redundant link and if one collector BTS fails then this does not present such a large problem,
as is illustrated in Figure 1.3.
Fig 1.3 Base Station Connectivity
Transcoding and rate adaption unit (TRAU)
The central role of the second generation systems is to transfer speech calls and the system
has been designed and optimized for voice traffic. The human voice is converted to binary in
a rather complex process. GSM is now quite an old system and as such the original encoding
method used (LPC-RPE) is not as efficient as some of the more recently developed coding
systems such as those used in other cellular systems. There have been many developments
in digital signal processing (DSP) which have enabled good voice quality to be transmitted
at lower data rates. Although the TRAU is actually seen as being logically part of the BSS,
it usually resides close to the MSC since this has significant impact on reducing the
transmission costs [2]. The voice data is sent in a 16 kbps channel through to the TRAU from
the mobile device via the BTS and BSC. The transcoding and rate adaptation unit will convert
this speech to the standard 64 kbps for transfer over the PSTN or ISDN network. Over the air
interface, speech uses 13 kbps (full-rate) and data 9.6 or 14.4 kbps, with each of these
requiring a 16 kbps link through the BSS. As has been mentioned, digital voice data is robust
in the face of errors, and can handle substantial bit error rates before the user begins to
notice signal degradation. This is in stark contrast to data such as IP packets, which is
extremely error intolerant and a checksum is generally used to drop a packet which contains an
error. The adaptive multirate (AMR) speech CODECS which are implemented in UMTS and also the
enhanced full-rate (EFR) bit rates for the second generation GSM, TDMA and PDC systems for
comparison. The GSM EFR uses the algebraic code excited linear prediction (ACELP) algorithm and
gives better quality speech than full-rate (FR) using 12.2 kbps. A half-rate (HR) method of
speech coding has also been introduced into the standards, which is known as code excited
linear prediction-vector sum excited linear prediction (CELP-VSELP). This method will
enable two subscribers to share a single time slot [4].
Network switching subsystem (NSS)
The NSS comprises the circuit switched core network part of the GSM system. The main
element is the mobile switching centre (MSC) switch and a number of databases referred to as
the visitor location register (VLR) and home location register (HLR). The HLR is always in
the home network for roaming subscribers and thus any data exchange may have to cross
international boundaries. The MSC and VLR are usually combined and are located in the
visited network.
Mobile switching centre (MSC)
This acts like a normal switching node for a PSTN or ISDN network. It also takes care of all
the additional functionality required to support a mobile subscriber. It therefore has the dual
role of both switching and management. When a mobile device is switched on and requests
a connection to a mobile network, it is principally the MSC that processes this request, with
the BSS merely providing the access to facilitate this request. If the request is successful
then the MSC registers the mobile device within its associated VLR (see below; most
manufacturers tend to combine the VLR functionality with the MSC). The VLR will update
the HLR with the location of this mobile device, and the HLR may be either in the same
network, or a different network in the case of a roaming user.
The MSC deals with registration, authentication (the MSC requests information from the
authentication centre but it is the MSC which actually does the authentication), mobile
device location updating and routing of calls to and from a mobile user. An MSC which
provides the connectivity from the mobile network to the fixed network, e.g. ISDN or
PSTN, is known as a gateway-MSC (G-MSC) [2].
Home Location Register (HLR)
When a subscriber registers with an operator, they enter into what is known as a service
level agreement (SLA). This operator’s mobile network is known as the home network or
home public land mobile network (H-PLMN). The HLR is a huge database located within
this home network which stores administrative information about the mobile subscriber. The
information stored for a user in the HLR will include their IMSI, service subscription
information, service restrictions and supplementary services. The HLR is also expected to
know the location of its mobile users. It actually knows their location only to the VLR with
which the mobile device is registered. The HLR also only knows the location of a mobile
device which is switched on and has registered with some mobile operator’s network. This
is the case even if the mobile is in a different country connected to another mobile operator’s
network, as long as a roaming agreement exists between the two mobile operators. The
GSM system provides all the technical capabilities to support roaming; however, this
roaming agreement is also required so that both operators can settle billing issues arising
from calls made by visiting mobile subscribers.
Visitor Location Register (VLR)
The VLR is another database of users and is commonly integrated with an MSC. Unlike the
HLR, where most information is of a permanent nature, the VLR only holds temporary
information on subscribers currently registered within its vicinity. This vicinity covers the
subscribers in the serving area of its associated MSC. When a mobile device enters a new
area, the mobile device may wish to connect to this network and if so informs the MSC of
its arrival. Once the MSC checks are complete, the MSC will update the VLR. A message is
sent to the HLR informing it of the VLR which contains the location of the mobile. If the
mobile device is making or has recently made a call, then the VLR will know the location of
the mobile device down to a single cell. If the mobile device has requested and been granted
attachment to a mobile network, but not made any calls recently, then the location of the
mobile device will be known by the VLR to a location area, i.e. a group of cells and not a
single cell [1].
Equipment Identity Register (EIR)
The EIR is a list of all valid mobiles on the network. If a terminal has been reported stolen
or the equipment is not type approved then it may not be allowed to operate in the network.
The terminals are identified by their unique IMEI identifier [5].
Authentication Centre (AuC)
The AuC is a database containing a copy of the secret key present in each of the users’ SIM
cards. This is used to enable authentication and encryption over the radio link. The AuC
uses a challenge–response mechanism, where it will send a random number to the mobile
station; the mobile station encrypts this and returns it. The AuC will now decrypt the
received number and if it is successfully decrypted to the number originally sent, then the
mobile station is authenticated and admitted to the network. To make and receive calls, the
location of the mobile device has to be known by the network. It would be extremely
inefficient if a user needed to be paged across an entire network, and almost impossible to
support roaming to other networks. Each cell broadcasts its globally unique identity on its
broadcast channel, which is used by the mobile device for location purposes. Mobility
management is the mechanism that the network uses for keeping a dynamic record of the
location of all of the mobile devices currently active in the network. In this context, location
does not refer specifically to the geographical location of the mobile device, but rather its
location with respect to a cell in which it is currently located. However, for the development
of cellular towards third generation, geographical location becomes important as an enabler
for location-based services (LBS). The major benefit of the cellular telephone over a fixed
landline is the mobility that it presents to the subscriber. Initially, this mobility was merely
allowing the user to move around and be tracked within a certain area; however, now
mobility extends to cover the concept of roaming. Unfortunately, the provision of mobility
makes the network much more complex to design and operate. As a subscriber moves from
one location to another, the strength of the signal it receives from the base station to which it
is currently listening will fluctuate, and, conversely, the signal received by the base station
from the mobile device will also vary. Both the network and the mobile device must
constantly monitor the strength of the signal, with the mobile device periodically reporting
the information it has measured to the network. The mobile device also monitors the
strength of other cells in the vicinity. When the signal strength gets too weak from a
particular base station, a handover (also known as a handoff) to a base station in another cell
may take place. The network must try to guarantee that in the event of a handover, the user
call is not dropped and there is a smooth transition from cell to cell, even if the user is
moving quite rapidly, as is the case for a motorist. The HLR, which is in the home network,
knows which VLR has information regarding the particular subscriber. The information the
VLR holds depends on the connection state of the mobile device: in idle mode only the
location area (LA) is known whereas in dedicated mode the actual cell is known. Most of
the GSM mobile network is designed and implemented in a hierarchical manner. The change
of a cell from one base station to another is relatively simple if the BTSs are controlled by
the same BSC. The change of a BSC is more complex and hence will require more
signalling but will occur less frequently since each BSC controls a number of BTSs. A
change of the MSC is also possible but, again, this should be rather infrequent for most
users. If a user is in a vehicle and moving at high speed, then a number of MSC handovers
may take place during a prolonged voice call. However, this will probably occur rarely as
the vehicle will likely have crashed or the driver been arrested before handover occurs! This
system of handover enables a subscriber to continue with a call in progress while moving
from one geographical area to another.
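The challenge–response check described under Authentication Centre (AuC) above, as an added example that is not part of the original text. It models the check the way GSM's A3 step works: the SIM and the network each derive a short response (SRES) from the random number (RAND) and the shared key (Ki) and the network compares the two, so the key itself never crosses the radio link. HMAC-SHA-256 stands in for the operator-specific A3 algorithm, and the class names, key and IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

RAND_LEN = 16   # GSM challenges (RAND) are 128 bits long
SRES_LEN = 4    # GSM signed responses (SRES) are 32 bits long


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: a keyed one-way function of the challenge (assumption)."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:SRES_LEN]


class Sim:
    """Subscriber side: holds the IMSI and the secret key and only ever emits SRES."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> bytes:
        return a3_stand_in(self._ki, rand)


class AuthCentre:
    """Network side: keeps a copy of each subscriber key, indexed by IMSI."""

    def __init__(self):
        self._keys = {}
        self._pending = {}   # IMSI -> response expected for the outstanding challenge

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def challenge(self, imsi: str) -> bytes:
        ki = self._keys.get(imsi)
        if ki is None:
            raise KeyError("unknown subscriber")
        rand = secrets.token_bytes(RAND_LEN)          # fresh for every attempt
        self._pending[imsi] = a3_stand_in(ki, rand)
        return rand

    def verify(self, imsi: str, sres: bytes) -> bool:
        expected = self._pending.pop(imsi, None)      # a challenge is usable once
        if expected is None:
            return False
        return hmac.compare_digest(expected, sres)    # constant-time comparison


def demo() -> dict:
    auc = AuthCentre()
    imsi = "001010123456789"                              # constructed sample IMSI
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    auc.provision(imsi, ki)
    genuine = Sim(imsi, ki)
    wrong_key = Sim(imsi, bytes(16))                      # same IMSI, different key

    results = {}
    first_response = genuine.respond(auc.challenge(imsi))
    results["genuine"] = auc.verify(imsi, first_response)

    # A response recorded earlier does not answer a new random challenge.
    auc.challenge(imsi)
    results["old_response_reused"] = auc.verify(imsi, first_response)

    # Knowing the IMSI alone is not enough: the key on the card must match.
    results["wrong_key"] = auc.verify(imsi, wrong_key.respond(auc.challenge(imsi)))

    # With no outstanding challenge nothing can be verified.
    results["no_challenge"] = auc.verify(imsi, first_response)
    return results


if __name__ == "__main__":
    print(demo())
```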
• When User 1 changes from one cell to another, a cell update is required. As noted, this
does not require much in the way of signalling.
• When User 2 changes cell, a cell update and a BSC update are required. This will require
more signalling, with the MSC controlling the change in BSC.
• When User 3 changes cell, a cell update, a BSC update and an MSC update are required.
This is a much more complex task, which will require a greater amount of signalling.
Note that these updates only take place when a mobile device has a call in progress, or in
what is referred to as dedicated mode. Mobile devices which do not have a call in progress
but may have registered with the network are said to be in idle mode. Mobile devices in idle mode
will only send periodic updates indicating that the mobile is still active, thus reducing the
signalling load on the network. When a user wishes to make a call, the mobile device will
transparently update the network as to its position and move to dedicated mode. In idle
mode the location of the mobile device is still known but over a number of cells rather than
a single cell. In idle mode the mobile device monitors a certain area spanning a number of
cells, known as a Location Area (LA), and sends location update information to the network
when the mobile device physically crosses a boundary between LAs, or when a certain period of
time has elapsed. Even when the mobile device is stationary, after a long period of inactivity
it will send an update to allow the network to refresh its stored information regarding the
subscriber’s location. Devices which do not send this update will be assumed to have left the
coverage area and their data may be removed from the network. This interval is network
configurable and could be, for example, one hour.
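The mobility management rules above (which updates a cell change triggers in dedicated mode, when an idle mobile reports, and how precisely the VLR knows a subscriber's position) as an added example that is not part of the original text. The topology, the names, the single VLR covering every cell and the purge margin are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology (illustrative names): cell -> (BSC, MSC, location area).
TOPOLOGY = {
    "cell-A1": ("bsc-1", "msc-1", "LA-10"),
    "cell-A2": ("bsc-1", "msc-1", "LA-10"),
    "cell-B1": ("bsc-2", "msc-1", "LA-10"),
    "cell-C1": ("bsc-3", "msc-2", "LA-20"),
}
PERIODIC_UPDATE_S = 3600   # network-configurable; one hour is the text's example
PURGE_GRACE_S = 300        # assumed margin before a silent mobile is dropped


def handover_updates(old_cell: str, new_cell: str) -> list:
    """Updates needed when a mobile in dedicated mode (call in progress) changes cell."""
    old_bsc, old_msc, _ = TOPOLOGY[old_cell]
    new_bsc, new_msc, _ = TOPOLOGY[new_cell]
    updates = []
    if new_cell != old_cell:
        updates.append("cell")
    if new_bsc != old_bsc:
        updates.append("BSC")
    if new_msc != old_msc:
        updates.append("MSC")
    return updates


def idle_update_due(registered_la: str, current_cell: str, idle_seconds: int) -> bool:
    """An idle mobile reports only on crossing an LA boundary or on timer expiry."""
    crossed_boundary = TOPOLOGY[current_cell][2] != registered_la
    return crossed_boundary or idle_seconds >= PERIODIC_UPDATE_S


@dataclass
class VlrRecord:
    location_area: str
    cell: Optional[str]    # filled in only while the mobile is in dedicated mode
    last_seen: int


class Vlr:
    """Temporary register of mobiles; one VLR covers the whole sample topology."""

    def __init__(self):
        self.records = {}

    def location_update(self, imsi: str, cell: str, now: int) -> None:
        # Idle mode: store the location area only, not the cell.
        self.records[imsi] = VlrRecord(TOPOLOGY[cell][2], None, now)

    def call_started(self, imsi: str, cell: str, now: int) -> None:
        # Dedicated mode: the serving cell is known.
        self.records[imsi] = VlrRecord(TOPOLOGY[cell][2], cell, now)

    def call_ended(self, imsi: str, now: int) -> None:
        rec = self.records[imsi]
        rec.cell, rec.last_seen = None, now

    def known_location(self, imsi: str):
        rec = self.records.get(imsi)
        if rec is None:
            return None
        return ("cell", rec.cell) if rec.cell else ("location area", rec.location_area)

    def purge_stale(self, now: int) -> list:
        """Drop idle mobiles that missed their periodic update; return their IMSIs."""
        limit = PERIODIC_UPDATE_S + PURGE_GRACE_S
        stale = [i for i, r in self.records.items()
                 if r.cell is None and now - r.last_seen > limit]
        for imsi in stale:
            del self.records[imsi]
        return stale


def demo() -> list:
    vlr, imsi = Vlr(), "001010123456789"            # constructed sample IMSI
    trace = []
    vlr.location_update(imsi, "cell-A1", now=0)     # power-on, idle mode
    trace.append(vlr.known_location(imsi))
    vlr.call_started(imsi, "cell-B1", now=600)      # dedicated mode
    trace.append(vlr.known_location(imsi))
    vlr.call_ended(imsi, now=900)                   # back to idle mode
    trace.append(vlr.known_location(imsi))
    trace.append(vlr.purge_stale(now=900 + 3600))   # still inside the margin
    trace.append(vlr.purge_stale(now=900 + 3901))   # periodic update missed
    trace.append(vlr.known_location(imsi))
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```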
1.2.2 GSM Air Interface
There is a limited spectrum of frequencies that is both available and suitable for GSM.
Cellular operators have to compete for this bandwidth with the likes of the military,
broadcast television and broadcast radio. The available electromagnetic spectrum has been
split into a number of bands by both national and international regulatory bodies.
Fortunately there was much international agreement on the frequencies in the 900 MHz and
1800 MHz bands, which brought in large economies of scale, reducing the price of handsets,
and thus enabling GSM to flourish. GSM was originally designed to work in a 900 MHz
band but is now used in 1800 MHz, 1900 MHz and a number of others, such as 450 MHz.
As shown in Figure 1.4, the 900 MHz range is made up of two separate 25 MHz bands,
between 890–915 MHz and 935–960 MHz. The lower 25 MHz is used for the mobile
station, or uplink, transmission and the upper 25 MHz of the range is used for base station,
or downlink, transmission.
Fig 1.4: GSM original band (GSM mobile station transmits 890–915 MHz; 20 MHz gap; GSM base station transmits 935–960 MHz)
There is a gap of 20 MHz between the
transmission sub-bands i.e. the GSM base station transmit band starts at 890 + 45 MHz. The
mobile device transmits on the lower frequency since it is a physical property of
electromagnetic waves that there will generally be less attenuation on lower frequencies.
The base station is not reliant on a small battery and can therefore radiate greater power,
thus the greater attenuation in the downlink is not seen as a major problem, allowing the
mobile device to avail itself of better transmission characteristics. As discussed, GSM works
on a combination of frequency division multiplexing (FDM), and time division multiplexing
(TDM) multiple access schemes. It also uses slotted-Aloha, a contention method which is
similar in operation to Ethernet. This contention mechanism is required since it is possible
for two mobile subscribers to make a request for resources at exactly the same time. The
mobile stations use this contention method to compete with each other to request a traffic
channel (TCH), which is required for a call. Like Ethernet, there is a chance that a collision
will occur, so mechanisms are implemented to deal with this. The FDM allocates each GSM
channel 200 kHz of bandwidth and therefore there are 25 MHz/200 kHz = 125 channels
available in each direction. One of these channels is not used for data transfer but is used as
a guard band, leaving 124 channels available for communication. A matching pair of GSM
frequency channels, i.e. one uplink and a corresponding downlink, is controlled by a device
referred to as a transceiver (TRX). All of the operators in a country using GSM900 have to
share these 124 channels and they will be allocated a licence covering a range of them by the
national telecommunications regulator. Say there are four mobile operators in a given
country. Each of them may be allocated 31 channels (124/4). For example, Operator 1 may
be allocated 31 channels starting from 890.0 MHz, 890.2 MHz, and 890.4 MHz etc. up to
896.0 MHz in the uplink and 935.0 MHz, 935.2 MHz, 935.4 MHz etc. up to 941.0 MHz in
the downlink, as shown in Figure 3.8. TDM further splits each of these frequency channels
into eight separate time slots, each of which may be allocated to a user or used for control
purposes. These time slots are individually referred to as slot 0 through to slot 7, and form a
TDM frame. A single time slot in GSM is also referred to as a burst; however, this should
not be confused with the term ‘error burst’. If a cell is allocated a single frequency (one
TRX) then slot 0 on this frequency is reserved as a control channel. If two or more
frequencies are employed within the cell then it may require additional control channels to
increase the overall efficiency. The slot 0 control channel always includes the broadcast and
control channel (BCCH), which is broadcast from the base station in the downlink to
provide information to the mobile devices registered in the cell, such as the cell identifier,
network operator etc. [3,4]
1.3 Deficiencies of First- and Second-Generation Wireless Systems
First-generation cellular systems provide connection-oriented services for each voice user.
Voice channels are dedicated to the users at a serving base station and network resources are
dedicated to the voice traffic on initiation of a call. The MSC sets up a dedicated voice
channel connection between the base station and the PSTN for the duration of a cellular
phone call. Circuit switching is used to transmit voice traffic to and from the user's terminal
to the PSTN. Circuit switching establishes a dedicated radio channel between the base
station and the mobile, and a dedicated phone line between the MSC and the PSTN for the
entire duration of a call. First-generation cellular systems provide data communications
using circuit switching. Wireless data services such as fax and electronic mail are not well
supported by circuit switching because of their short, bursty transmission, which are
followed by periods of inactivity. Often, the time required to establish a circuit exceeds the
duration of the data transmission. Modem signals carrying data need to be passed through
the audio filters that are designed for analog, FM, and common air interfaces. Thus, it is
both clumsy and inefficient, e.g., voice filtering must be deactivated when data are
transmitted [6].
1.4 Third-Generation Wireless Networks
The deficiencies of the first- and second-generation wireless systems prevent them from
allowing roaming users to enjoy high data rate connections and multimedia
communications. The aim of third-generation wireless networks is to introduce a single set
of standards that provide higher airlink bandwidth and support multimedia applications. In
addition, the third-generation wireless systems are expected to be able to communicate with
other information networks, e.g., the Internet and other public and private databases.
Examples of third-generation wireless systems are TIA 1xEV Data Only (or commonly
referred to as High Data Rate system)-based networks [EVDO], TIA 1xEVDV-based
networks [EVDV], and 3GPP UMTS networks [UMTS]. Such 3G systems promise a peak
airlink bandwidth of 2-3 Mbps [4].
1.4.1 UMTS / WCDMA Network Architecture
The UMTS network architecture is required to provide a greater level of performance than that
of the original GSM network. However, as many networks had migrated through the use of
GPRS and EDGE, they already had the ability to carry data. Accordingly many of the
elements required for the WCDMA / UMTS network architecture were seen as a migration.
This considerably reduced the cost of implementing the UMTS network as many elements
were in place or needed upgrading. With one of the major aims of UMTS being to be able to
carry data, the UMTS network architecture was designed to enable a considerable
improvement in data performance over that provided for GSM [5].
The UMTS network architecture can be divided into three main elements:
User Equipment (UE): The User Equipment or UE is the name given to what was previously
termed the mobile, or cellphone. The new name was chosen because of the considerably
greater functionality that the UE could have. It could also be anything between a mobile
phone used for talking and a data terminal attached to a computer with no voice capability.
Radio Network Subsystem (RNS): The RNS is the equivalent of the previous Base Station
Subsystem or BSS in GSM. It provides and manages the air interface for the overall
network.
Core Network: The core network provides all the central processing and management for
the system. It is the equivalent of the GSM Network Switching Subsystem or NSS. The
core network is then the overall entity that interfaces to external networks including the
public phone network and other cellular telecommunications networks.
Fig. 1.5 UMTS Network Architecture Overview
User Equipment, UE
The User Equipment UE is a major element of the overall UMTS network architecture. It
forms the final interface with the user. In view of the far greater number of applications and
facilities that it can perform, the decision was made to call it user equipment rather than a
mobile. However it is essentially the handset (in the broadest terminology), although having
access to much higher speed data communications, it can be much more versatile,
containing many more applications. It consists of a variety of different elements including
RF circuitry, processing, antenna, battery, etc.
There are a number of elements within the UE that can be described separately:
User Equipment RF circuitry: The RF areas handle all elements of the signal, both for the
receiver and for the transmitter. One of the major challenges for the RF power amplifier was
to reduce the power consumption. The form of modulation used for W-CDMA requires the
use of a linear amplifier. These inherently take more current than the non-linear amplifiers
which can be used for the form of modulation used on GSM. Accordingly, to maintain
battery life, measures were introduced into many of the designs to ensure the optimum
efficiency.
Baseband processing: The base-band signal processing consists mainly of digital circuitry.
This is considerably more complicated than that used in phones for previous generations.
Again this has been optimised to reduce the current consumption as far as possible.
Battery: While current consumption has been minimised as far as possible within the
circuitry of the phone, there has been an increase in current drain on the battery. With users
expecting the same lifetime between charging batteries as experienced on the previous
generation phones, this has necessitated the use of new and improved battery technology.
Now Lithium Ion (Li-ion) batteries are used. These allow phones to remain small and relatively
light while still retaining or even improving the overall life between charges.
Universal Subscriber Identity Module, USIM: The UE also contains a SIM card, although
in the case of UMTS it is termed a USIM (Universal Subscriber Identity Module). This is a
more advanced version of the SIM card used in GSM and other systems, but embodies the
same types of information. It contains the International Mobile Subscriber Identity number
(IMSI) as well as the Mobile Station International ISDN Number (MSISDN). Other
information that the USIM holds includes the preferred language to enable the correct
language information to be displayed, especially when roaming, and a list of preferred and
prohibited Public Land Mobile Networks (PLMN). The USIM also contains a short
message storage area that allows messages to stay with the user even when the phone is
changed. Similarly "phone book" numbers and call information of the numbers of incoming
and outgoing calls are stored.
The UE can take a variety of forms; the most common format is still a version of a
"mobile phone", albeit one with many data capabilities. Other forms, such as broadband
dongles, are also being widely used [5].
1.4.2 UMTS Radio Network Subsystem
This is the section of the UMTS / WCDMA network that interfaces to both the UE and the
core network. The overall radio access network, i.e. all the Radio Network
Subsystems collectively, is known as the UTRAN (UMTS Radio Access Network).
The Radio Network Subsystem comprises two main components:
Radio Network Controller, RNC: This element of the radio network subsystem controls the
Node Bs that are connected to it. The RNC undertakes the radio resource management and
some of the mobility management functions, although not all. It is also the point at which
the data encryption / decryption is performed to protect the user data from eavesdropping.
Node B: Node B is the term used within UMTS to denote the base station transceiver. It
contains the transmitter and receiver to communicate with the UEs within the cell. In order
to facilitate effective handover between Node Bs under the control of different RNCs, the
RNC not only communicates with the Core Network, but also with neighbouring RNCs.
Fig 1.6 UMTS Radio Network Subsystem Architecture
UMTS Core Network
The UMTS core network architecture is a migration of that used for GSM with further
elements overlaid to enable the additional functionality demanded by UMTS. In view of the
different ways in which data may be carried, the UMTS core network may be split into two
different areas:
Circuit switched elements: These elements are primarily based on the GSM network
entities and carry data in a circuit switched manner, i.e. a permanent channel for the duration
of the call.
Packet switched elements: These network entities are designed to carry packet data. This
enables much higher network usage as the capacity can be shared and data is carried as
packets which are routed according to their destination. Some network elements,
particularly those that are associated with registration are shared by both domains and
operate in the same way that they did with GSM [1].
Fig 1.7 UMTS Core Network
Circuit Switch Elements
The circuit switched elements of the UMTS core network architecture include the following
network entities:
Mobile switching centre (MSC): This is essentially the same as that within GSM, and it
manages the circuit switched calls under way. The mobile switching centre (MSC) is the
centre piece of the circuit switched core network. The same MSC can be used to serve both
the GSM-BSS and the UTRAN connections. A GSM-MSC must be upgraded to meet the
3G requirements, but the same MSC can be used to serve both access networks. In addition
to the radio access networks, it has interfaces to the fixed PSTN network, other MSCs, the
packet-switched network (SGSN), and various core network registers (HLR, EIR, AuC).
Physically, the VLR is implemented in connection with the MSC, so the interface between
them (the B interface) exists only logically. Several BSSs can be connected to the MSC. The
number and the size of MSCs also vary; a small operator may only have one small MSC, but
once the number of subscribers increases, several large MSCs may be needed.
The functions of an MSC include the following [1]:
• Paging;
• Coordination of call setup from all MSs in the MSC’s jurisdiction;
• Dynamic allocation of resources;
• Location registration;
• Interworking functions (IWFs) with other types of networks;
• Handover management (especially the complex inter-MSC handovers);
• Billing of subscribers (not the actual billing, but collecting the data for the billing center);
• Encryption parameter management;
• Signaling exchange between different interfaces;
• Frequency allocation management in the whole MSC area;
• Echo canceler operation and control.
The MSC terminates the MM and CM protocols of the air interface protocol stack, so the
MSC has to manage these protocols, or delegate some responsibilities to other core network
elements.
Gateway MSC (GMSC): This is effectively the interface to the external networks. The
Gateway MSC (GMSC) is an MSC that is located between the PSTN and the other MSCs in
the network. Its function is to route the incoming calls to the appropriate MSCs by first
interrogating the appropriate HLR. If the operator allows the outside networks to access its
HLRs, then a dedicated GMSC is not necessary as the other networks can route the calls to
the right MSC by themselves. In practice it is also possible that all MSCs are also GMSCs in
a PLMN.
Packet Switched Elements
The packet switched elements of the UMTS core network architecture include the following
network entities:
Serving GPRS Support Node (SGSN): As the name implies, this entity
was first developed when GPRS was introduced, and its use has been carried over into the
UMTS network architecture. The SGSN provides a number of functions within the UMTS
network architecture.
Mobility management: When a UE attaches to the Packet Switched domain of the UMTS
Core Network, the SGSN generates MM information based on the mobile's current location.
Session management: The SGSN manages the data sessions providing the required quality
of service and also managing what are termed the PDP (Packet Data Protocol) contexts, i.e.
the pipes over which the data is sent.
Interaction with other areas of the network: The SGSN is able to manage its elements
within the network only by communicating with other areas of the network, e.g. MSC and
other circuit switched areas.
Billing: The SGSN is also responsible for billing. It achieves this by monitoring the flow of
user data across the GPRS network. CDRs (Call Detail Records) are generated by the SGSN
before being transferred to the charging entities (Charging Gateway Function, CGF).
Gateway GPRS Support Node (GGSN): Like the SGSN, this entity was also first
introduced into the GPRS network. The Gateway GPRS Support Node (GGSN) is the
central element within the UMTS packet switched network. It handles inter-working
between the UMTS packet switched network and external packet switched networks, and
can be considered as a very sophisticated router. In operation, when the GGSN receives data
addressed to a specific user, it checks if the user is active and then forwards the data to the
SGSN serving the particular UE [3].
Shared Elements
The shared elements of the UMTS core network architecture include the following network
entities:
Visitor Location Register
The visitor location register (VLR) contains information about the mobile stations roaming in
this MSC area. It is also possible that one VLR handles the visitor register of several MSC
areas. Note that a VLR contains information from all active subscribers in its area, even from
those to whom this network is their home network, so the name VLR is misleading as most
entries in that register are not visitors, but users in their own home network. The VLR contains
pretty much the same information as the home location register (HLR), the difference being that
the information in the VLR is there temporarily, whereas the HLR is a site for permanent
information storage. When a user makes a subscription, the subscriber’s data is added to his
home HLR. From there it is copied to the VLR the user is currently registered with. When a
user registers with another network, the subscriber data is removed from the old VLR and
copied to the new VLR. There are, however, some network optimization schemes, which may
change this principle in the future. The VLR contains such data that the normal call setup
procedures can be handled without consulting the HLR. This is important especially if the user
is roaming abroad, and the signalling connection to the home network is expensive.
A VLR subscriber data entry includes the following information:
• International mobile subscriber identity (IMSI);
• Mobile station international ISDN number (MSISDN);
• Mobile station roaming number (MSRN);
• Temporary mobile station identity (TMSI), if applicable;
• Local mobile station identity (LMSI), if used;
• Location area where the mobile station has been registered;
• Identity of the SGSN where the MS has been registered, if applicable;
• Last known location and the initial location of the MS.
In addition, there can be lots of optional data, depending on what features the network
supports [e.g., CAMEL or local service area (LSA)]. The VLR may also contain
supplementary service parameters. The procedures the VLR has to perform include the
following:
• Authentication procedures with the HLR and the AuC;
• Cipher key management and retrieval from the home HLR/AuC;
• Allocation of new TMSI numbers;
• Tracking of the state of all MSs in its area;
• Paging procedure support (retrieval of the TMSI and the current location area).
Home location register (HLR): This database contains all the administrative information
about each subscriber along with their last known location. In this way, the UMTS
network is able to route calls to the relevant RNC / Node B. When a user switches on
their UE, it registers with the network and from this it is possible to determine which
Node B it communicates with so that incoming calls can be routed appropriately.
Even when the UE is not active (but switched on) it re-registers periodically to ensure
that the network (HLR) is aware of its current or last known
location on the network.
The HLR contains the permanent subscriber data register. Each subscriber information
profile is stored in only one HLR. The HLR can be implemented in the same equipment as
the MSC/VLR, but the usual arrangement is to have the MSC/VLR as one unit, and the
HLR/AuC/EIR combination as another unit. One PLMN can have several HLRs. The
subscriber information is entered into the HLR when the user makes a subscription. There
are two kinds of information in an HLR register entry, permanent and temporary. The
permanent data never change, unless the subscription parameters are changed. An example
of this is the user who adds some supplementary services to his/her subscription. The
temporary data contain things like the current (VLR) address and ciphering information,
which can change quite often, even from call to call. Temporary data are also sometimes
conditional; that is, they are not always there. A subscriber data entry can be accessed by either
IMSI or MSISDN [5].
The permanent data in the HLR include among others:
• International mobile subscriber number (IMSI), which identifies the subscriber (or actually
his or her SIM card) unambiguously;
• MS category information;
• Possible roaming restrictions;
• Closed user group (CUG) membership data;
• Supplementary services parameters;
• Authentication key;
• Network access mode (NAM), which determines whether the user can access the GPRS
networks, non-GPRS networks, or both.
In addition, if GPRS is supported, PDP addresses are included. Again, there may be lots of
other entries, depending on what features the network supports.
The temporary data include the following:
• Local mobile station identity (LMSI);
• Triplet vector; that is, three authentication and ciphering parameters: (1) random number
(RAND), (2) signed response (SRES), and (3) ciphering key (Kc);
• Quintuplet vector; that is, five authentication and ciphering parameters: (1) random
challenge (RAND), (2) expected response (XRES), (3) cipher key (CK), (4) integrity key
(IK), and (5) authentication token (AUTN);
• MSC number;
• VLR number (the identity of the currently registered VLR).
In addition, if GPRS is supported, SGSN and GGSN numbers (SS7 addresses) are included.
The HLR also forwards the charging information to the billing center.
Equipment identity register (EIR): The EIR is the entity that decides whether a given UE
may be allowed onto the network. Each UE has a number known as the
International Mobile Equipment Identity. This number, as mentioned above, is installed in
the equipment and is checked by the network during registration.
The equipment identity register (EIR) stores the international mobile equipment identities
(IMEIs) used in the system. An EIR may contain three separate lists:
White list: The IMEIs of the equipment known to be in good order;
Black list: The IMEIs of any equipment reported to be stolen;
Gray list: The IMEIs of the equipment known to contain problems (such as faulty software)
that are not fatal enough to justify barring them.
At a minimum an EIR must contain a white list. It is unfortunate that the black list and the
checks against it are not mandatory, as stolen mobile phones can now be used in some
networks that have a weaker security policy. And it is even more unfortunate that changing
the IMEI code of a handset is not yet illegal in many countries.
Typically a PLMN has only one EIR, which then interconnects to all HLRs in the network.
Note that EIR handles IMEI values, not IMSIs or any other identities. The IMEI is (or
should be) a unique identity of a mobile handset assigned when it is manufactured.
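The EIR check described above, as an added example that is not part of the original text: an IMEI is validated (length and Luhn check digit) and then looked up in the three lists, with the black-list check switchable to show the weaker policy the text criticises. The class and function names, the sample IMEIs and the treatment of unknown IMEIs are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

def luhn_check_digit(first14: str) -> str:
    """Check digit (15th IMEI digit) for a 14-digit TAC + serial body."""
    total = 0
    for i, ch in enumerate(reversed(first14)):
        d = int(ch)
        if i % 2 == 0:          # every second digit, starting at the rightmost
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def well_formed(imei: str) -> bool:
    return (len(imei) == 15 and imei.isascii() and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])

@dataclass
class Eir:
    white: set = field(default_factory=set)
    black: set = field(default_factory=set)
    gray: set = field(default_factory=set)
    check_black_list: bool = True   # the text notes this check is not mandatory

    def status(self, imei: str) -> str:
        if not well_formed(imei):
            return "malformed"
        if self.check_black_list and imei in self.black:
            return "black"
        if imei in self.gray:
            return "gray"
        if imei in self.white:
            return "white"
        return "unknown"

    def admits(self, imei: str) -> bool:
        # Assumption: gray-listed equipment is admitted (its faults do not justify
        # barring); unknown and malformed IMEIs are refused.
        return self.status(imei) in ("white", "gray")

# Constructed sample identities: made-up 14-digit bodies, check digit computed.
def sample(body14: str) -> str:
    return body14 + luhn_check_digit(body14)

GOOD = sample("35000000000001")
STOLEN = sample("35000000000002")
FAULTY = sample("35000000000003")

def build_eir(check_black_list: bool) -> Eir:
    # The stolen handset was white-listed before it was reported stolen.
    return Eir(white={GOOD, STOLEN, FAULTY}, black={STOLEN}, gray={FAULTY},
               check_black_list=check_black_list)

if __name__ == "__main__":
    for strict in (True, False):
        eir = build_eir(strict)
        print("black list checked:", strict,
              [(eir.status(i), eir.admits(i)) for i in (GOOD, STOLEN, FAULTY)])
```

With the black-list check disabled, the stolen handset falls through to its old white-list entry and is admitted, which is the gap the paragraph above describes.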
Authentication centre (AuC): The AuC is a protected database that contains the secret key
also contained in the user's USIM card. The authentication center (AuC) is associated with
an HLR. The AuC stores the subscriber authentication key, Ki, and the corresponding IMSI.
These are permanent data entered at subscription time. The Ki key is used to generate an
authentication parameter triplet (Kc, SRES, RAND) during the authentication procedure.
Parameter Kc is also used in encryption algorithms. An AuC physically always exists with
an HLR. The MAP interface between them (the H interface) has not been standardized [3,5].
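The triplet flow described above (and listed among the HLR temporary data), as an added example that is not part of the original text: the AuC derives (RAND, SRES, Kc) from Ki, the VLR stores the triplets and challenges the SIM, and Ki never leaves the AuC or the SIM. The A3/A8 functions are an HMAC-SHA256 stand-in (an assumption; the real algorithms are chosen by the operator), the class names, IMSI and Ki are constructed, and only the GSM triplet is modelled, not the UMTS quintuplet.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-in for the operator's A3/A8 algorithms (NOT COMP128 or any real one):
# HMAC-SHA256 keyed with Ki, truncated to the GSM field sizes.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]   # 32-bit SRES

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]   # 64-bit Kc

@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes

class AuC:
    """Holds IMSI -> Ki; Ki never leaves this object."""
    def __init__(self):
        self._ki = {}
    def provision(self, imsi, ki):
        self._ki[imsi] = ki
    def triplets(self, imsi, count=3):
        ki = self._ki[imsi]
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)              # 128-bit challenge
            out.append(Triplet(rand, a3_sres(ki, rand), a8_kc(ki, rand)))
        return out

class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def respond(self, rand):
        self.kc = a8_kc(self._ki, rand)     # kept on the handset side for ciphering
        return a3_sres(self._ki, rand)      # only SRES is sent back

class Vlr:
    """Stores triplets from the HLR/AuC; sees RAND, SRES and Kc but never Ki."""
    def __init__(self, auc):
        self._auc, self._triplets = auc, {}
    def authenticate(self, sim):
        queue = self._triplets.setdefault(sim.imsi, [])
        if not queue:                        # fetch a new batch when none are left
            queue.extend(self._auc.triplets(sim.imsi))
        t = queue.pop(0)                     # each triplet is used once
        if not hmac.compare_digest(sim.respond(t.rand), t.sres):
            return None                      # authentication failed
        return t.kc                          # network-side ciphering key

def demo():
    imsi = "001010000000001"                 # constructed test IMSI
    ki = secrets.token_bytes(16)             # constructed 128-bit Ki
    auc = AuC()
    auc.provision(imsi, ki)
    vlr = Vlr(auc)
    genuine, clone = Sim(imsi, ki), Sim(imsi, secrets.token_bytes(16))
    kc1 = vlr.authenticate(genuine)
    kc_matches_sim = kc1 == genuine.kc
    kc2 = vlr.authenticate(genuine)
    return {"genuine_ok": kc1 is not None and len(kc1) == 8,
            "kc_matches_sim": kc_matches_sim,
            "fresh_kc_each_run": kc1 != kc2,
            "clone_ok": vlr.authenticate(clone) is not None,
            "triplets_left": len(vlr._triplets[imsi])}

if __name__ == "__main__":
    print(demo())
```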
Reference:
Mooi Choo Chuah and Qinqing Zhang (2006) Design and Performance of 3G Wireless
Networks and Wireless LANS, Springer Science and Business Media Inc.
Jeffrey Bannister, Paul Mather and Sebastian Coope (2004) Convergence Technologies for 3G
Networks IP, UMTS, EGPRS and ATM, John Wiley and Sons Ltd.
Juha Korhonen (2003) Introduction to 3G Mobile Communications, Artech House, Inc.
G.Gomez and R. Sanchez (2005) End to End Quality of Service Over Cellular Networks, Data
Service Performance and Optimization in 2G/3G. John Wiley and Sons LTD.
Monoru Etoh (2005) Next Generation Mobile System 3G and Beyond, John Wiley and Sons.
Willie W, Broadband Wireless Mobile 3G and Beyond. John Wiley and Sons Ltd.
Dr. Jonathan P. Castro, The UMTS Network and Radio Access Technology; Interface
Technique for Future Mobile Systems. John Wiley and Sons Ltd.
Williams C.Y. Lee (2006) Wireless and Cellular Telecommunication, McGraw Hill, Singapore.
V. Vangi, A. Damnjanovic and B. Vojcic (2004) The cdma2000 System for Mobile
Communications, Prentice-Hall PTR.
S.C. Yang (2004) 3G CDMA 2000, Artech House, Inc., Boston.
B. Pelletier and H. Leib (2004) UPCS Third Generation CDMA system, Study of the Physical
Layer. Wireless Communication Group at Mc Gill University.
H. Holma and Antti Toskala (2001) WCDMA for UMTS, John Wiley and Sons.
C. Smith and D. Collins (2002) 3G Wireless Works, McGraw-Hill.
D. Collins (2001) Carrier Grade Voice Over IP, McGraw Hill.
V.K. Garg (2000) IS-95 CDMA and cdma2000, Prentice-Hall PTR.
D. J. Goodman (1997) Wireless Personal Communications Systems. Addison-Wesley,
Reading, MA
O. Sallent, J. Perez-Romero, R. Agusti et al. (2003) ‘Provisioning multimedia wireless
networks for better QoS: RRM strategies for 3G W-CDMA.’ IEEE Communications
Magazine 41(2), 100–107
Walke, B., Mobile Radio Networks, New York: Wiley,
Silventoinen, M. (1999) “Indoor Base Station Systems,” in GSM—Evolution Towards 3rd
Generation Systems, Z. Zvonar, P. Jung, and K. Kammerlander (eds.), Norwell, MA:
Kluwer Academic Publishers.
Roberts, J., U. Mocci, and J. Virtamo (1996) “Broadband Network Teletraffic,” COST 242
report, Berlin: Springer-Verlag.
A. S. Tanenbaum (2003) Computer Networks, 4th edn. Prentice Hall, Upper Saddle River, NJ.
H. Taub, D. Schilling (1986) Principles of Communication Systems. 2nd edn. McGraw-Hill,
New York.
A. J. Viterbi (1995) CDMA: Principles of Spread Spectrum Communication. Addison-Wesley,
Reading, MA.
A. J. Viterbi (1967) ‘Error bounds for convolutional codes and an asymptotically optimum
decoding algorithm’, IEEE Transactions on Information Theory IT-13, 260–269.
H. Holma, A. Toskala (2002) WCDMA for UMTS, 2nd edn. John Wiley and Sons, Chichester.
J. Laiho, A. Wacker, T. Novosad (2002) Radio Network Planning and Optimisation for
UMTS, John Wiley and Sons, Chichester.
S. Floyd, V. Jacobson (1993) ‘Random early detection gateways for congestion avoidance’,
IEEE/ACM Transactions on Networking, 1(4), 397–413.
Karkkainen, K.H.A. (1995) “Influence of Various PN Sequence Phase Optimization Criteria on
the SNR Performance of an Asynchronous DS-CDMA System,” Proc. IEEE 1995
Military Communications Conference (MILCOM 95), San Diego, California.
Ojanpera, T., and R. Prasad (1998) Wideband CDMA for Third Generation Mobile
Communications, Norwood, MA: Artech House.
Holma, H., and A. Toskala (eds.), (2000) WCDMA for UMTS: Radio Access for Third
Generation Mobile Communications, New York: Wiley.
Prasad, R., W. Mohr, and W. Konhauser (2000) Third Generation Mobile Communication
Systems, Norwood, MA: Artech House.
Black, U. D. (1989) Data Networks: Concepts, Theory, and Practice, Englewood Cliffs, NJ:
Prentice Hall International.
Viterbi, A. J. (1995) CDMA: Principles of Spread Spectrum Communication, Reading, MA:
Addison-Wesley.