Networks: L15
1
GSM
•History
–rapid growth of analogue mobile phones in Europe in early 1980s
–each system incompatible with the others
»NMT450 in Scandinavia at 450MHz, 1981, TACS in UK at 900MHz, 1985, C-Netz in Germany, Radiocom in France etc. – 9 incompatible systems!
»limited market for each type of equipment – no economies of scale
–notion of a unified Europe seen as very important in the EEC
–Conference of European Posts & Telecommunications (CEPT) formed 1982
»Groupe Spécial Mobile set up to develop a pan-European digital mobile system
»later “Global System for Mobile communications”
–responsibility for GSM passed to European Telecommunications Standards Institute (ETSI) in 1989
»phase 1 GSM spec published 1990
»phase 2 GSM spec published 1995
–first commercial services started in 1991
»over 36 GSM networks by mid-1991
»now over 300 GSM networks in 200 countries and approaching 1 billion users
even the USA, where the move to digital was later (and NIH syndrome)
–design criteria :
»spectral efficiency
»international roaming
»good subjective speech quality
»low terminal and service cost
»support for a range of new services and facilities
»compatibility with other services such as ISDN (though not full-rate 64Kbs)
–developers chose a complex and unproven system
»had faith that advances in chip fabrication, compression algorithms and Digital Signal Processors would occur and allow original criteria to be met
original multiple-chip systems now reduced to single-chip systems
»9.6Kbs maximum data rate
need for higher rates not originally envisaged
radio spectrum not available for higher rates in any case
–GPRS (General Packet Radio Service), in GSM phase 2, offers up to 115Kbs
–EDGE (Enhanced Data rates for GSM Enhancement) only now possible
–highest data rates will have to wait for 3rd Generation (3G) systems
»and more efficient spectrum use with CDMA rather than TDMA
•GSM Services :
–Bearer services : data transmission e.g. Fax, SMS
»data transmission to POTS (Plain Old Telephone Service), ISDN, Packet switched and Circuit switched public networks
»SMS : up to 160 bytes store-and-forward, point-to-point and cell-broadcast modes
»CSD : data transfer service at 9.6kbs with error correction and flow control
–Teleservices : voice oriented traffic
–Supplementary services :
»call forwarding when mobile unreachable, caller ID, call waiting
»call barring for incoming or outgoing calls e.g. when roaming abroad
»multi-party calls, etc.
•Cellular Systems
–a cell corresponds to the covering area of one transmitter
–transmitter either in centre of the cell or at junction of adjacent cells and transmitting in selective directions
–size of cell determined by the transmitter’s power
»don’t all need to be the same size or shape
hexagonal shape only conceptual – actual shape depends on topography
–low power allows frequencies to be re-used in another cell elsewhere
»cells sharing a frequency must be sufficiently far apart to avoid interference
»a separation between transmitters of around 2.5 to 3 times the diameter of a cell is adequate
»reduced bio-electromagnetic effects
–more cells = increased cost of infrastructure
–splitting cells and reassigning frequencies increases network capacity
»or for temporary services e.g. sports events such as Open golf tournament
–clusters of cells
»contain small number of cells e.g. 4, 7, 12, 21 or more
»the smaller the number of cells per cluster, the more channels per cell
»controlled by a single Base Station Controller
–types of cell
»macrocells : large higher power cells for remote and sparsely populated areas
»microcells : small lower power cells used for densely populated areas
»selective cells : cells where the coverage does not need to be 360° e.g. entrances to tunnels, transmitters at junctions of adjacent cells
»umbrella cells : cover several microcells
used for fast moving traffic crossing several adjacent microcells
causes multiple handovers in quick succession
e.g. a motorway going through a city
power level of umbrella cell higher than microcells it covers
when speed of mobile is too high, handed off to the umbrella cell
avoids many further handovers
•Architecture of GSM Networks
–SIM : Subscriber Identity Module
–ME : Mobile Equipment
–BTS : Base Transceiver Station
–BSC : Base Station Controller
–MSC : Mobile Services Switching Centre
–HLR : Home Location Register
–VLR : Visitor Location Register
–EIR : Equipment Identity Register
–AuC : Authentication Centre
[Figure: GSM network architecture showing SIM, ME, BTS, BSC, MSC, HLR, VLR, EIR, AuC, PSTN and PSPDN, grouped into the Base Station Subsystem and the Network Subsystem, with the UM, Abis and A interfaces marked]
–PSTN : Public Switched Telephone Network
–PSPDN : Packet Switched Public Data Network
–UM : radio link
–A : interface between base station network and base station controllers
–Abis : interface between base stations and base station controllers
•Mobile Station :
–Mobile Equipment (the handset)
»identified by International Mobile Equipment Identity (IMEI) nnnnnn-nn-nnnnnn-n : ( *#06# )
country/type_approval_code – manufacturer – serial_number – 0
¤e.g. 10, 20 : Nokia
–SIM provides personal mobility
»can be moved from handset to handset
»contains the International Mobile Subscriber Identity (IMSI) nnn-nnn-nnnnnnnnn : (<= 15 digits)
mobile_country_code – mobile_network_code – HLR/mobile_station_ID
»also secret key for authentication
»memory modules for a phone book, ringtones, etc.
»can be protected from unauthorised use by password or PIN
»user can have access to subscribed services irrespective of specific handset
»billing to SIM owner not ME owner
•Base Station Subsystem
–Base Transceiver Station houses radio transceivers that define a cell
»handles radio-link protocols with mobile station
»need to be robust, reliable and low cost
deployed in large numbers
»normally use two antennas a few feet apart
receiver can choose best signal from both of them
–Base Station Controller
»manages radio resources for a cluster of one or more BTSs
»handles :
channel assignment, change and release
handover
frequency hopping and power level control
discontinuous transmission and reception - suspended during periods of silence
»the connection between mobile station and mobile switching centre
»a means of segmenting the network and controlling congestion
hierarchical design better for high density networks than direct connection to an MSC
–a Transcoding Unit (TCU) often inserted between BSC and MSC
»to further compress traffic from mobiles
even though already compressed by the handset
»and some format conversion
multiplexes four traffic channels into one MSC channel
•Network Subsystem
–acts like a normal PSTN switching node
–provides all the functionality needed to handle a mobile subscriber :
»registration, authentication, location updating, handovers, call routing to a roaming subscriber etc.
–Mobile Switching Centre
»provides the connection to fixed networks e.g. PSTN, ISDN
»signalling between entities in the network subsystem uses SS#7
as used in POTS trunk signalling
»directs Base Station Controllers
»each covers a large metropolitan area e.g. Glasgow
–Home Location Register (HLR)
»a distributed database mounted on large servers
»contains all the administrative information about each subscriber
IMEI, directory number, class of service subscribed to etc.
»holds the last known current location of the mobile
in the form of a signalling address of the VLR associated with the mobile
–Visitor Location Register (VLR)
»another large database
»HLR and VLR work together to provide local operation and roaming outside the local service area
»when the system detects a non-local mobile
VLR queries the assigned home location register to make sure mobile is a valid subscriber
»VLR retrieves selected admin information from the HLR
info necessary for call control and provision of subscribed services, power level etc.
for each mobile currently located in the geographical area controlled by the VLR
»network now knows where the mobile is and can direct calls to it
»usually implemented by manufacturers as part of the MSC though logically separate
MSC itself does not contain information on particular mobile stations
–Authentication Centre
»protected database storing a copy of the secret key stored in each SIM card
used in a challenge and reply authentication protocol
–Interfaces : UM, A, Abis
»standardised methods for passing information back and forth
»independent of transmission medium
»allows interoperability of different manufacturers’ equipment
»MSC uses ISUP over SS#7 to communicate with Public Switched Network
•Radio Link
–Frequencies :
»GSM900 : 880 - 915 MHz paired with 925 - 960 MHz
»GSM1800 : 1710 - 1785 MHz paired with 1805 - 1880 MHz
»GSM1900 : 1850 - 1910 MHz paired with 1930 - 1990 MHz
»mobile stations transmit in the lower frequency sub-band and base stations transmit in the higher frequency sub-band
–combination of Time and Frequency Division multiplexing used
–FDMA :
»carrier frequencies spaced 200kHz apart in each band
»one or more carrier frequencies assigned to each base station
–TDMA :
»each carrier frequency divided in time
»fundamental unit of time is the burst period, lasting 15/26 ms
»8 burst periods grouped into a TDMA frame
»a channel is one burst period per TDMA frame at a particular frequency
–Traffic channels transport speech and data
»full-rate traffic channels use a group of 26 TDMA frames
»length : 26 * 8 * 15/26 ms = 120ms
»called a 26-Multiframe
»24 frames reserved for traffic
»1 frame used for the Slow Associated Control Channel (SACCH)
used for slow non-critical signalling
»1 frame currently unused
this period allows mobiles to perform other functions such as signal strength measurement of neighbouring cells
»half-rate traffic channels : double the capacity of the system
26-Multiframe structure different from full-rate
half-rate speech encoding scheme defined in phase 2 spec
¤at 7Kbs instead of 13Kbs
»eighth-rate channels also specified
used for signalling
[Figure: structure of the 26 frame multiframe, the TDMA frame and the burst]
–26 frame multiframe : duration 120ms
»frames 0 to 11 : TCH, frame 12 : SACCH, frames 13 to 24 : TCH, frame 25 : unused
–TDMA frame : BP0 to BP7, duration 120/26 ms
–burst : duration 15/26 ms
»3 tail bits, 57 data bits, 1 stealing bit, 26 training sequence bits, 1 stealing bit, 57 data bits, 3 tail bits, 8 1/4 guard bits
»tail bits : zero bits used to cover periods when mobile’s power is ramping up and down
»stealing bits : indicate whether burst corresponds to traffic or signalling data
»training sequence : used to synchronise receiver with incoming information, avoiding multipath fading
»guard period : used to avoid a possible overlap of two mobiles during the ramping time
–a mobile does not need to transmit and receive at the same time
»3 burst periods between base station and mobile transmit slots
»greatly reduces mobile’s transceiver complexity
–frequency hopping – mobiles need to be frequency agile
»propagation conditions e.g. multipath fading, depend on frequency
»slow frequency hopping changes the frequency with every TDMA frame
avoids differences in quality between channels
»hopping algorithm selected by Base Station
sent through the Broadcast Control channels
»frequency hopping optional for Base Stations
mandatory for mobiles to be able to accept it
[Figure: burst periods BP0 to BP7 of the TDMA frame as transmitted by the BTS and as transmitted by the mobile]
–Control channels used for network management messages and maintenance
»Broadcast Control Channel : sends identity of base station, its frequency allocations, frequency hopping sequences, list of neighbouring cells to monitor
»Synchronisation Channel : gives the mobile one of 8 defined training sequences used for equalisation
mobile compares this with the training sequences received in each burst
»Frequency Correction Channel : a system frequency reference so mobile can synchronise with the network
»Paging Channel : used to alert a mobile of an incoming call
»Random Access Channel : used by mobile to request access to the network
»Access Grant Channel : used by Base Station to tell mobile which channel it should use
»Standalone Dedicated Control Channel : to exchange signalling info upstream and downstream
»Slow and Fast Associated Control Channels : non critical and urgent (call establishment, authentication, handover) signalling resp.
•Speech Coding
–RPE-LPC : Regular Pulse Excited – Linear Predictive Coder (GSM 06.10)
–based on a model of the human vocal tract
»hums and hisses from the glottis to generate a succession of phonemes
»sound waves in the tract are affected by throat, tongue, roof of the mouth, teeth and lips
»sound waves are mixed and sound’s frequency spectrum changes
»each vowel has 3 to 5 typical (formant) frequencies that distinguish it from others
–input speech split up into frames 20ms long
»a period in which a speech wave does not change too much
»about 1 glottal period for a person with a very low voice
»about 10 glottal periods for a person with a very high voice
–160 samples per frame * 50 = 8000 samples per sec, 8 bits per sample = 64Kbs
–each frame encoded into 260 bits : 260 * 50 = 13Kbs
–for each frame a set of 8 short term predictor coefficients found
–each frame then further split into 4 sub-frames
»for each sub-frame a delay and a gain found for the codec's long term predictor.
–for each sub-frame, the residual signal after short and long term filtering is quantised
»The 40 sample residual signal is decimated into three possible excitation sequences, each 13 samples long
»The sequence with the highest energy is chosen as the best representation of the excitation sequence
»each pulse in the sequence has its amplitude quantized with three bits
–at the decoder the reconstructed excitation signal is fed through the long term and then the short term synthesis filters to give the reconstructed speech
–a post filter is used to improve the perceptual quality of the reconstructed speech
[Figure: coder (speech in, short term predictor, long term predictor, residual pulse encoding) and decoder (residual pulse decoding, long term synthesis, short term synthesis, speech out)]
•Channel coding
–convolutional encoding and block interleaving to achieve error protection
–260 bit blocks divided into three classes
»class 1a : 50 bits – most sensitive to bit errors
3-bit parity protected
»class 1b : 132 bits – moderately sensitive to bit errors
class 1a bits with parity + class 1b bits passed through ½-rate convolutional encoder
»class 2 : 78 bits – least sensitive to bit errors
class 2 bits concatenated
[Figure: 260-bit block split into class 1a (50 bits, 3 bit parity), class 1b (132 bits) and class 2 (78 bits); the 182 class 1 bits go through convolutional block encoding, the 78 class 2 bits are unprotected]
–each input bit coded by the convolutional encoder into 2 output bits
»456 bits in total gives 22.8kbps
–456 bits divided into 8 blocks of 57 bits
»blocks transmitted in 8 successive burst periods
interleaved with another channel, since two 57-bit blocks per burst period
first 4 blocks occupy even-numbered bit positions
second 4 blocks occupy odd-numbered bit positions
»a new data block starts every 4 burst periods
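[Figure: class 1a (50 bits), 3-bit parity (3 bits), class 1b (132 bits) and tail bits (4 bits) form 189 bits into the convolutional encoder (r = ½), giving 378 bits; these are multiplexed with the 78 class 2 bits to give 456 bits]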
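The 260-to-456 bit accounting and the block layout described above, as an added example that is not part of the original slides. The parity polynomial D^3 + D + 1 and the encoder taps G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4 are assumed from the GSM full-rate channel coding specification rather than taken from the slide; the function names are illustrative, and the specification's bit reordering, parity inversion and within-block bit order are left out.

```python
# Added example: full-rate speech channel coding, 260 bits in, 456 bits out.
# Assumptions (not on the slide): parity polynomial and encoder taps as named
# in the lead-in; bit order inside each 57-bit block is simplified.

def parity3(bits):
    """3 parity bits: remainder of bits * D^3 divided by D^3 + D + 1."""
    reg = [0, 0, 0]                        # reg[0] = D^0 term ... reg[2] = D^2 term
    for b in bits:
        fb = b ^ reg[2]
        reg = [fb, reg[0] ^ fb, reg[1]]
    return [reg[2], reg[1], reg[0]]

def conv_encode(bits):
    """Rate 1/2 encoder: two output bits per input bit. Returns (output, final state)."""
    s = [0, 0, 0, 0]                       # s[0] = previous bit ... s[3] = 4 bits ago
    out = []
    for b in bits:
        out.append(b ^ s[2] ^ s[3])            # G0 = 1 + D^3 + D^4
        out.append(b ^ s[0] ^ s[2] ^ s[3])     # G1 = 1 + D + D^3 + D^4
        s = [b] + s[:3]
    return out, s

def channel_encode(frame):
    """One 260-bit speech frame -> 456 coded bits."""
    if len(frame) != 260:
        raise ValueError("speech frame must be 260 bits")
    c1a, c1b, c2 = frame[:50], frame[50:182], frame[182:]
    protected = c1a + parity3(c1a) + c1b + [0] * 4   # 50 + 3 + 132 + 4 = 189
    coded, state = conv_encode(protected)            # 2 * 189 = 378
    if state != [0, 0, 0, 0]:                        # tail bits must flush the encoder
        raise RuntimeError("encoder not flushed")
    return coded + c2                                # 378 + 78 unprotected = 456

def split_blocks(coded):
    """456 bits -> 8 blocks of 57 bits (bit k goes to block k mod 8)."""
    return [coded[b::8] for b in range(8)]

def interleave(frames_blocks):
    """Place each frame's 8 blocks in 8 successive bursts of 114 payload bits.

    Blocks 0-3 take the even bit positions, blocks 4-7 the odd ones, and a
    new frame starts every 4 bursts, so each burst carries two frames.
    """
    bursts = [[0] * 114 for _ in range(4 * (len(frames_blocks) + 1))]
    for f, blocks in enumerate(frames_blocks):
        for i, blk in enumerate(blocks):
            bursts[4 * f + i][(0 if i < 4 else 1)::2] = blk
    return bursts
```

Because each burst holds 57 bits from each of two frames, losing one burst costs a frame 57 of its 456 coded bits rather than a contiguous 114.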
•Discontinuous transmission
–a person speaks 40% of the time in normal conversation
–transmission can be turned off during periods of silence
»saves transmission capacity
»saves power
–Voice Activation Detection
»non-trivial - must distinguish between voice and background noise
»if a voice is misinterpreted as noise, very annoying clipping heard at other end
»if noise is too often interpreted as voice, efficiency can be dramatically decreased
–to assure receiver that the connection is not dead, comfort noise is substituted
»tries to match the characteristics of the transmitting end’s background noise
•Discontinuous reception
–paging channel (used to signal an incoming call) structured into sub-channels
–each mobile only needs to listen to its own paging sub-channel
–in between, it can go into sleep mode – in which it uses almost no power
•Radio Resources Management
–mobiles and BTSs operate at the lowest power level that will maintain an acceptable signal quality
–mobile station continuously monitors received signal strength and quality
»from current cell and of up to 16 neighbouring cells
»list of cells that must be monitored supplied by the base station
»the six best candidates found and passed back to the base station once a second
–base station usually does not know reason for poor signal quality
»could be due to multipath fading or to the mobile having moved to another cell
»especially true in small urban cells
–handover :
»controlled by BSC when in same cell or in same BSC – internal handover
»controlled by MSC when in same or different MSCs – external handover
–handovers can be initiated either by the mobile or by the BSC or MSC
»the latter as a means of load balancing
–handover algorithm not defined in GSM spec
»two commonly used
–minimum acceptable performance algorithm :
»gives precedence to power control
»when quality of transmission decreases, power level is increased
»increased in 2dB steps until the increase in power has no effect on the quality of the signal
then handover takes place
–power budget algorithm :
»gives precedence to quality control
»performs a handover when a better quality signal is available in a neighbouring cell
without continuously increasing the power level
at the same or lower power level if possible
•Modulation
–Gaussian Minimum Shift Keying (GMSK) used
»a pre-modulation Gaussian filter used to minimise out-of-band radiation
–a compromise between spectrum efficiency, complexity and low spurious radiations
»the latter to reduce the possibilities of adjacent channel interference
[Figure: GMSK modulator block diagram: integration, Gaussian filter, cos and sin branches multiplied by cos ωt and sin ωt and summed]
•Timing advance
–timing of burst transmission very important
–mobiles are at different distances from the base station
–their delay depends consequently on their distance
–aim of timing advance is to ensure that signals coming from different mobiles arrive at the base station at the right time
–if the bursts corresponding to a particular mobile arrive too late they will overlap with other bursts
–base station measures the timing delay
–if late, base station tells mobile to advance its transmissions
•Mobility Management
–a powered-on mobile is informed of an incoming call by a paging message sent over the paging channel (or sub-channel)
–at one extreme, every cell in the network could be paged
»but very inefficient use of bandwidth
–at the other extreme, a mobile could notify the system of its current location
»every time it moved from cell to cell
»using location updating messages
»also very wasteful due to the large number of update messages generated
–compromise used is to group cells into location areas
»update messages only needed when moving between location areas or to a different operator’s area
»just those cells in the current location area need to be paged
–also periodic location updating for reliability
»if an HLR or VLR failed, each mobile would subsequently reregister simultaneously and cause overload
»time period between updates controlled by the operator
–Detach :
»lets the network know when the mobile is unreachable
»avoids having to allocate channels and send paging messages
–Attach :
»similar to location update
»informs system that the mobile is reachable again
•Authentication and Security
–involves the SIM card and the Authentication Centre (AuC)
–each subscriber has a secret key stored on the SIM card and in the AuC
–during authentication, the AuC generates a random number
»and sends it to the mobile
–mobile uses the random number and the secret key to generate a signed response (SRES)
»using an algorithm called A3 (similar to DES)
supposedly secret but now in the public domain
–mobile sends SRES back to the AuC
–AuC performs the same calculation
»and checks that SRES received is the same
–has proved to be a robust authentication system
–same initial random number and key also used to compute the ciphering key
»using an algorithm called A8
–ciphering key, together with the TDMA frame number, used to create a 114-bit cipher sequence
»that is XORed with the 114 bits of a burst (the two 57 bit blocks)
–ciphering an option for the paranoid
»since the signal is already coded, interleaved and TDMA transmitted!
»need to be a persistent and dedicated eavesdropper to beat this!
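The challenge and reply exchange and the per-burst XOR described above, as an added example that is not part of the original slides. A3, A8 and the cipher sequence generator are replaced by HMAC-SHA256 stand-ins (an assumption made only so the message flow runs); the class and function names and the IMSI used to exercise it are illustrative, and the RAND, SRES and key lengths in the comments are the usual GSM sizes, which the slides do not state.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumption): HMAC-SHA256 in place of the real A3, A8 and
# cipher sequence algorithms, truncated to the usual GSM output sizes.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3: 32-bit signed response from secret key and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8: 64-bit ciphering key from the same key and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def cipher_sequence(kc: bytes, frame_number: int) -> int:
    """114-bit sequence from the ciphering key and the TDMA frame number."""
    block = hmac.new(kc, frame_number.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(block, "big") >> (256 - 114)

def xor_burst(payload: int, kc: bytes, frame_number: int) -> int:
    """XOR the 114 payload bits of a burst (two 57-bit blocks) with the sequence."""
    return payload ^ cipher_sequence(kc, frame_number)

class AuC:
    """Protected database: a copy of each SIM's secret key, indexed by IMSI."""
    def __init__(self):
        self.keys = {}
        self.pending = {}                  # outstanding challenge per IMSI

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)     # fresh 128-bit random number
        self.pending[imsi] = rand
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return the ciphering key if SRES matches, else None (challenge is single-use)."""
        rand = self.pending.pop(imsi, None)
        ki = self.keys.get(imsi)
        if rand is None or ki is None:
            return None
        if not hmac.compare_digest(sres, a3_sres(ki, rand)):
            return None
        return a8_kc(ki, rand)

class SIM:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        """The secret key stays on the card; only SRES goes back over the air."""
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)

def run_exchange(sim: SIM, auc: AuC):
    rand = auc.challenge(sim.imsi)         # AuC -> mobile : random number
    sres, kc_mobile = sim.respond(rand)    # mobile -> AuC : SRES
    kc_network = auc.verify(sim.imsi, sres)
    return kc_mobile, kc_network
```

Neither the secret key nor the ciphering key crosses the radio link: both ends derive the ciphering key locally from the random number, and because the frame number feeds the cipher sequence, each burst is XORed with a different sequence.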