gsm overview study

7/31/2019 GSM Overview Study

1/46

7/12/12 .

Contents

11

2

Introduction

1

RadioInterface

5

GSM ProtocolStack

4

Architecture

2

BSS, MSS,OSS and MS

3

Call Setup(MO, MT)

6

Security

9

LocationUpdate

7

Handover

8


2/46

7/12/12 . 22

Introduction

1


3/46

7/12/12 .

Introduction / History

33

Developed by Group Spciale Mobile (founded 1982) which was an initiative ofCEPT (Conference of European Post and Telecommunication ) to replace the

incompatible analog system

Presently the responsibility of GSM standardization resides with special mobile

group under ETSI (European telecommunication Standards Institute )

Under ETSI, GSM is named as Global System for Mobile communication it is a2G cellular standard developed to cater voice services and data delivery using digital

modulation.

GSM uses a combination of time division multiple access (TDMA) and Frequency

Division Multiple Access (FDMA).

Tri-band phones use the 900, 1800 and 1900 MHz GSM frequencies. Quad band

phones are also available covering the 850, 900, 1800 and 1900 MHz GSM

frequency bands.


4/46

7/12/12 .

GSM Subscriber Growth

More than 3 billion subscribers in world and 400 million subscriberin India

44


5/46

7/12/12 .

GSM Frequencies

55

900MHz

1800MHz

850MH

zSingleBandDualBandTriBandQuad

1900M


6/46

7/12/12 .

GSM Services

Services offered by GSM

Tele-services

Telecommunication services that enable voice

communication via mobile phones Offered services include Mobile telephony and

Emergency calling

Bearer or Data Services

Include various data services for information transfer

between GSM and other networks like PSTN, ISDN

etc at rates from 300 to 9600 bps 66


7/46

7/12/12 . 77

Architecture

2


8/46

7/12/12 .

GSM Architecture

. 88


9/46

7/12/12 .. 99

BSS, MSS, OSSand MS

3


10/46

7/12/12 .

GSM Network Entities(1/3)

. 1010

MS (Mobile Station) - The MS consists of the

physical equipment used by a PLMN subscriber;

it comprises the Mobile Equipment (ME) and the

Subscriber Identity Module (SIM), called USIM

for Release 99 and following.

Access Network (AN) Entities - Radio-related functions between mobile stations and

network are performed by the following entities:

BSC (Base Station Controller) - It is a high-capacity switch with radio communication and mobility control capabilities.

The functions include radio channel allocation, location update, handover, timingadvance, power control and paging.

BTS (Base transceiver station) It is a radio transceiver station that communicates with the mobile stations. Its backend

is connected to the BSC. Its transmitting power defines the size of a cell.


11/46

7/12/12 .


. 1111

PLMN - Public Land Mobile Network

- These are responsible for call connection,

supervision and release operations between

calling and called stations. HLR (Home Location Register) HLR is the database that contains a subscription record for each subscriber of the

network. A GSM subscriber is normally associated with one particular HLR. The HLR is responsible for the sending of subscription data to the VLR (during

registration) or GMSC (during mobile terminating call handling).

MSC (mobile switching center)/ VLR (Visitor Location Register) MSC performs the telephony switching function.A mobile station must be attached to a single MSC at a time (either homed or visitor),

if it is currently active (not switched off).The VLR is a database attached to an MSC to contain information about its currently

associated mobile stations (not just for visitors).


12/46

7/12/12 .


. 1212

PLMN - Public Land Mobile Network(Contd.)

AUC (Authentication Center) - The AUC provides

authentication and encryption parameters that verify the

user's identity and ensure the confidentiality of each call.

The GSM has standard encryption and authentication algorithm which are used to

dynamically compute challenge keys and encryptions keys for a call.

EIR (Equipment Identity Register) The EIR in the GSM system is the logical entity

which is responsible for storing in the network the International Mobile Equipment

Identities (IMEIs), used in the GSM system. The equipment is classified as "white listed",

"grey listed", "black listed" or it may be unknown.

GMSC (Gateway MSC) GMSC is the switching entity that controls mobile terminating calls. On call establishment towards a GSM subscriber, a GMSC contacts the HLR of that

subscriber, to obtain the address of the MSC where that subscriber is currently registered.


13/46

7/12/12 .. 1313

GSM Protocol Stack

4


14/46

7/12/12 .

GSM Protocol Layers1/2

. 1414


15/46

7/12/12 .

GSM Protocol Layers 2/3

CM (Connection Management)

- Call control, short message service and supplementary service

MM (Mobility Management)

- Registration, authentication, location and handover management

RR (Radio Resource Management)

- Setup, maintenance and release of radio channels

- Control of radio transmission quality

LAPDm (Link Access Protocol D-channel modified)

- Modified version of ISDN LAPD protocol

BTSM (Base Transceiver Station Management)

- Radio resources control messages between BSC and BTS

- BSSAP (Base Station System Application Part)

- Control of BSC by MSC. 1515


16/46

SS7

BTS

BSCMSC

VLR

HLRAuC

GMSC

BSS

PSTN

NSS

AE

C

D

PSTNAbis

B

H

MS

BSS Base Station

System

BTS BaseTransceiver Station

BSC Base StationController

NSS Network Sub-System

MSC Mobile-serviceSwitching Controller

VLR Visitor LocationRegister

HLR Home Location

Register

AuC AuthenticationServer

GMSC Gateway MSC

2G MS (voiceonly)

GSM Interfaces(1/3)


17/46

7/12/12 .. 1717

GSM Interfaces(2/3)

Um-interface

The interface between the MS and the BSS.

Abis-interface The Abis-interface is the interface between the BTS and

the BSC The transmission rate is 2.048 Mbps, which is partitioned

into 32 channels of 64 Kbps each

A-interface The BSS-MSC interface is used to carry information

concerning: BSS management, Call handling and Mobility

management

C-interface Interface between HLR and MSCThe Gateway MSC must interrogate the HLR of the

required subscriber to obtain routing information for a call


18/46

7/12/12 .. 1818

B-interface

Interface between the MSC and its associated VLR. WhenMSC needs data related to a given mobile station currently

located in its area, it interrogates the VLR This interface is internal to the MSC/VLR; signaling on it is

not standardized

D-interface Interface between HLR and VLR.This interface is used to exchange the data related to the

location of the mobile station and to the management of the

subscriber

G-interfaceWhen a mobile subscriber moves from a VLR area to

another Location Registration is done. This procedure may

result in retrieval of the IMSI and authentication parametersfrom the old VLR.

GSM Interfaces(3/3)

d ifi i h k


19/46

7/12/12 .

Identifiers in the GSM Network(1/3)

. 1919

IMSI (International Mobile Subscriber Identity)

IMSI is embedded on the SIM cardand is used to identify a subscriber.

The IMSI is also contained in thesubscription data in the HLR.

MCC (Mobile Country Code) It identifies the country for mobilenetworks. The MCC is not used for call establishment.

MNC (Mobile Network Code ) It identifies the mobile network within acountry . MCC and MNC together identify a PLMN for MNC usage. TheMNC may be two or three digits in length.

MSIN (mobile subscriber identification number ) It is the subscriberidentifier within a PLMN.

d ifi i h GS k


20/46

7/12/12 .


. 2020

MSISDN Number (Mobile Station IntegratedServices Digital Network Number)

The MSISDN is not stored on thesubscribers SIM card and is normally notavailable in the MS.

The MSISDN is provisioned in the HLR, as part of the subscribers profile,and is sent to MSC during registration.

CC (Country Code) It identifies the country or group of countries of thesubscriber. NDC (National Destination Code) Each PLMN in a country has one ormore NDCs allocated to it; the NDC may be used to route a call to theappropriate network. SN (Subscriber Number) It identifies the subscriber within the numberplan of a PLMN.

Id ifi i h GSM N k


21/46

7/12/12 .


. 2121

IMEI ( International Mobile

Equipment Identifier )

Each mobile equipment has aunique IMEI number

IMEI is hardcoded in ME and

cannot be modifiedThe IMEI is not used for routing or subscriber identification

The IMEI is composed of Type Allocation Code (TAC). Its length is of 8digits. Serial Number (SNR) is an individual serial number uniquelyidentifying each equipment within each TAC. Its length is 6 digits. Sparedigit: this digit shall be zero.


22/46

7/12/12 .. 2222

Radio Interface

5


23/46

7/12/12 .

GSM Radio / Physical Layer (1/6)

. 2323

FDMA/TDMA


24/46

7/12/12 .


. 2424

GSM Frames

-1 frame = 8 time slots = 4.615 ms - 1 time slot = 156.25 bit = 0.577ms

- 1 hyperframe = 2048 superframes

For speech

1 superframe = 51 multiframes and 1 multiframe = 26 frames

For Signaling

1 superframe = 26 multiframes and 1 multiframe = 51 frames


25/46

7/12/12 .


. 2525

The data transmitted during a single time slot is known as a burst.

Each burst allows 8.25 bits for guard time. Prevents bursts from overlapping.

Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is

designed to compensate for the time it takes for the power to rise up to its peak during a

transmission. The bits at the end compensate for the powering down at the end of the

transmission.

Data Bits/Encrypted bits - There are two data payloads of 57 bits each.

Stealing Flags - Indicates whether the burst is being used for voice/data

Training Sequence - The training sequence bits are used to overcome multi-path fading

and propagation effects through a method called equalization.


26/46

7/12/12 .


. 2626

Physical Vs. Logical Channels

Physical channels Using

FDMA and TDMA techniques,

each carrier is divided into 8

timeslots

Logical channels There are

two main categories of logical

channels in GSM: Control Channels Traffic Channels are used

to carry two types of

information to and from the

user - Encoded Speech and

Data

Physical channels

Logical channels


27/46

7/12/12 .


. 2727

Logical Channel DescriptionFCCH MS scans for this signal after switch on and tunes to

it

SCH Contains BSIC code used by the MS to check thefrequency measured by it is coming from a particularBS

BCCH Detailed BTS and cell information

Broadcast Channels

Logical Channel Description

PCH Used to broadcast paging message for mobile terminated

call

RACH Only uplink channel and used to initiate a transaction tothe paging channel

AGCH Answer to RACH and assigns an SDCCH

Common ControlChannels


28/46

7/12/12 .


. 2828

Logical Channel Description

SDCCH Used for system signalling,callsetup, assignment oftraffic channel

SACCH Transmits measurement reports and used for radiocontrol

FACCH Used for handover, It is mapped to a traffic channeland steals 20ms of traffic channel

Dedicated Control

Channels


29/46

7/12/12 .. 2929

Call Setup(MO, MT)

6


30/46

7/12/12 .

Mobile Originated Call (1/2)

. 3030


31/46

7/12/12 .

Mobile Originated Call (2/2)

. 3131


32/46

7/12/12 .

Mobile Terminated Call (1/2)

. 3232


33/46

7/12/12 .

Mobile Terminated Call (2/2)

. 3333


34/46

7/12/12 .. 3434

Location Update

7


35/46

7/12/12 .

Location update (1/4)

. 3535

Location Area

Cells are grouped into Location Areas updates sent only when LA is changed;paging message sent to all cells in last known LA

Location registration

MS has to register with the PLMN to get communication services

Registration is required for a change of PLMN MS has to report to current PLMN with its IMSI and receive new TMSI by

executing Location Registration process.

The TMSI is stored in SIM, so that even after power on or off, there is only normal

Location Update.

If the MS recognizes by reading the LAI broadcast on BCCH that it is in new LA, itperforms Location Update to update the HLR records.

Location update procedure could also be performed periodically, independent of

the MS movement.

The difference in Location Registration and Location Update is that in location

update the MS has already been assigned a TMSI.


36/46

7/12/12 .


Case 1: Inter-LA Movement

. 3636

LA2

HLR

VLR

1

VLR

1

MSC1

MSC2

LA1MS

HLR: Home Location Register

VLR: Visitor Location Register

MSC: Mobile Switching Center

LA: Location AreaMS: Mobile Station

A location update request messageMAP_UPDATE_LOCATION_AREAMAP_UPDATE_LOCATION_AREA_ackA location update request message_ack


37/46

7/12/12 .


Case 2: Inter-MSC Movement

. 3737

LA2

HLR

VLR

1

VLR

1

MSC1

MSC2

LA1MS

A location update request messageMAP_UPDATE_LOCATION_AREAMAP_UPDATE_LOCATIONMAP_UPDATE_LOCATION_ackMAP_UPDATE_LOCATION_AREA_ackA location update request message_ack


38/46

7/12/12 .


Case 3: Inter-VLR Movement

. 3838

LA2

HLR

VLR

1

VLR

1

MSC1

MSC2

LA1MS

A location update requestmessageMAP_UPDATE_LOCATION_AREAMAP_SEND_IDENTIFICATIONMAP_SEND_IDENTIFICATION_ackMAP_UPDATE_LOCATIONMAP_UPDATE_LOCATION_ack

MAP_UPDATE_LOCATION_AREA_ack

MAP_CANCEL_LOCATIONMAP_CANCEL_LOCATION_ack

A location update requestmessage_ack


39/46

7/12/12 .. 3939

Handover

8


40/46

7/12/12 .

Handover (1/2)

. 4040

There are four different types of handover in the GSM system. Handover involves

transferring a call between: Channels (time slots) in the same cell

Cells (Base Transceiver Stations) under the control of the same Base Station

Controller (BSC)

Cells under the control of different BSCs, but belonging to the same Mobile

services Switching Center (MSC) Cells under the control of different MSCs

Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).

During its idle time slots, the mobile scans the Broadcast Control Channel of up to

16 neighboring cells, and forms a list of the six best candidates for possiblehandover, based on the received signal strength.

This information is passed to the BSC and MSC, at least once per second, and is

used by the handover algorithm.


41/46

7/12/12 .

Handover (2/2)

. 4141

BS

C

MSC-A

BSC

MSC-B

BT

S1

BTS3

BTS2

BSC

MSC-C

BTS3

Connection route

1

2

34

5

6

7

8

8

9


42/46

7/12/12 .. 4242

Security

9

h i i


43/46

7/12/12 .

GSM Authentication

. 4343

Authentication Mechanism

Authentication is performed by achallenge and response mechanism

On receiving a random challengefrom the network, the mobile encrypts

the challenge using A3 algorithm andthe key Ki assigned to the mobile, andsends the response back

The Response so sent is passedthrough an algorithm A8 by both

mobile and network to derive Kc, whichis used for encryption


44/46

7/12/12 .

References

4444

q

3GPP TS 23.002 version 3.6.0 Release 1999q GSM Networks - Protocols, Terminology andImplementation.pdf


45/46

7/12/12 .

Abbreviations (1/2)

. 4545

AUC Authentication CenterBSC Base Station Controller

BSS Base Station SubsystemBTS Base Transceiver System (Antenna System + Radio Base Station)EIR Equipment Identification Register (for IMEI verification)IMEI International Mobile Equipment IdentityGMSC Gateway MSCHLR Home Location RegisterISDN Integrated Services Digital Network

IWF Interworking FunctionILR Interworking Location Register (roaming between AMPS and GSMsystem)IWMSC Interworking MSCMS Mobile StationMSC Mobile Switching CenterNSS Network Switching SubsystemOSS Operation and Support SystemPDN Public Data NetworkPLMN Public Land Mobile NetworkPSTN Public Switched Telephone NetworkSMS Short Message ServiceSABME Set Asynchronous Balance Mode Extended

VLR Visitor Location Register


46/46

Abbreviations (2/2)

AGCH Access Grant Channel

BCCH Broadcast Common Control ChannelCBCH Cell Broadcast ChannelFACCH Fast Associated Control ChannelFCCH Frequency Correction ChannelPCH Paging ChannelRACH Random Access ChannelSDCCH Standalone Dedicated Control Channel

SACCH Slow Associated Control ChannelSCHSynchronization Channel

gsm overview study

Documents