tele4652 mobile and satellite communication systems · 2008-10-17 · tele4652 mobile and satellite...


TELE4652 Mobile and Satellite Communication Systems

Lecture 9 – GSM

GSM, the Global System for Mobile Communications, was the second generation mobile cellular standard developed as a pan-European standard. Prior to the introduction of GSM the countries in Europe each used largely incompatible networks, occupying different frequency bands and having different channel bandwidths and modulation techniques. A handset purchased in one country would not function in a neighbouring country. The leading industry players in Europe formed a working group, called Groupe Spécial Mobile (GSM), in 1982 to come up with a common standard to facilitate roaming across the continent. The standard was finalised in 1989 and the system launched in 1991 across Europe.

The standard was immensely successful, due in large part to its flexibility and open configuration, and has been adopted in countless national networks throughout North and South America, Asia, Africa, the Middle East, and Australia. Before the beginning of the movement towards 3G networks, GSM boasted more than a billion subscribers world-wide. The GSM standard was used in 66% of the world’s cell phones, and at one count there were 470 GSM operators in 172 countries. The market dominance of GSM and its proponents has made it the industry leader in the development and evolution to 3G technologies and beyond. In addition, many of the successful features in GSM were adopted and integrated into later, competing standards, like IS-95 CDMA.

GSM is documented as a series of standards, stipulating the performance of the various functional components of the network and the communications protocols. Largely these standards take the form of detailing the interfaces in the network (such as the Um, Abis, and A interfaces, as we’ll see below), and define how the devices must communicate and interact over these interfaces. It was quite unique at the time it was published, specifying not only the air interface but also the interconnection between wired infrastructure elements. This made it possible to purchase network equipment from different vendors in the expectation that it would interoperate successfully.

GSM was naturally conceived as a wholly digital cellular network, and as we discussed in an early chapter, the rapid growth in capacity was largely due to the application of efficient speech coding techniques. Moreover, digital communication techniques like channel coding, equalisation, and diversity meant that the performance of GSM greatly surpassed that of the 2G networks. The enormous success of GSM on a global level was in no small part due to the open and flexible standards framework, which ensures seamless and consistent coverage and services for subscribers, while allowing service providers to create new services


Network Structure

The basic functional components of the GSM network are illustrated in the diagram below. It is broken into three domains: the Mobile Station (MS, roaming handsets); the Base Station Subsystem (BSS); and the Network Switching Subsystem (NSS). Let’s now discuss the components of each of these in turn.

Mobile Station (MS): The mobile station is composed of the Mobile Equipment (ME), which is the physical device that communicates with the network over the air, or Um, interface. It consists of the radio transceiver, digital signal processors, and the Subscriber Identity Module (SIM). The other component of the MS is the Terminal Equipment (TE), representing whatever applications the device is used for.

The SIM card is a plug-in module that stores the subscriber’s identification number, the networks the subscriber is authorised to use, services the subscriber can access, encryption keys, and other information specific to the subscriber. The GSM subscriber units are completely generic until a SIM card is inserted. Apart from certain emergency communications, subscriber devices will not function without a SIM card inserted. A subscriber need only carry his or her SIM card to use a wide variety of subscriber devices in many countries, simply by inserting the SIM into the device to be used. Among other advantages this makes GSM devices very easy to upgrade.

The SIM card contains the user’s International Mobile Subscriber ID (IMSI), the user’s PIN code, and authentication information, such as the user’s authentication key, and the A3, A5, and A8 authentication algorithms. The IMSI is different from the user’s phone number, which is called the Mobile Station ISDN number. The IMSI is up to 15 digits, consisting of a three digit Mobile Country Code (MCC), followed by a two digit Mobile Network Code (MNC). The remaining digits, up to ten of them, are the mobile subscriber identification number (MSIN). For example, Australia has MCC = 505, with operators Telstra MNC = 01, Optus MNC = 02, and Vodafone MNC = 03. The IMSI is only held on the SIM card and at the Home Location Register (HLR). It is never transmitted over the network, to protect the subscriber’s identity. For these purposes a Temporary Mobile Subscriber Identity (TMSI) is assigned by the network.

The main functions of the MS are: voice and data transmission and reception; frequency and time synchronisation; monitoring power levels and signal quality received from the BTS; the provision of location updates; equalisation; and the display of short messages (SMS). A functional block diagram of an MS is shown in the diagram below.


Functionally, the MS is broken into four main subsystems: the radio subsystem, the signal processing subsystem, the I/O interface subsystem, and control. The radio subsystem consists of the antenna, associated amplifiers, up and down converters, the modulator/demodulator, and the frequency synthesiser. Apart from the antenna and the RF amplifier, all these components can be implemented digitally these days. Signal processing consists of analogue to digital conversion (and vice versa), speech coding, and channel coding. The microprocessor running the mobile phone operating system controls all these subsystems.

The Base Station Subsystem (BSS) consists of the Base Transceiver Station (BTS) and the Base Station Controller (BSC). The BTS is the radio interface of Mobile Stations onto the network. It consists of one or more antennae, a radio transceiver, and a link to one or more BSCs. The BTS coverage area defines the cell, which is typically anything from 100 m to 35 km, depending on the environment and network design. The antenna coverage can be omni-directional, sectored, microcell, umbrella cell, or picocell, depending on the choice of the network operator. The idea here was to separate the antenna from the processing, so that the antennae could be located in strategic radio coverage spots, while the processing could be centralised for ease of access for fault finding and upgrading. The BSC does the processing for several BTSs. In particular it reserves radio frequencies, manages handoffs between two cells managed by the same BSC, and controls paging.

The main functions of the BTS are: to encode, encrypt, multiplex, modulate, and feed RF signals to and from the antennae; transcoding and rate-adaptation; time and frequency synchronisation; frequency hopping control and implementation; random access detection; and uplink radio resource channel measurements. A functional block diagram of a BTS is shown in the picture below.

There are many ways that the BTS can communicate with the BSC, via cable, microwave, optical links, or other. The interface between the BSC and the BTS is called the A-bis interface in the GSM network standard. Each BSC usually controls several Base Transceiver Stations. The primary functions of the BSC are: radio resource management for the BTSs under its control; intercell handovers; dynamic allocation of frequencies among the BTSs; power management of the BTSs (maintenance of cell boundaries); time and frequency synchronisation for the A-bis interface; direct frequency hopping; and interface to the MSC and the Operations and Maintenance Centre (OMC). The interface to the MSC is called the A-interface, and it is standardised with the SS7 protocol (Signalling System No.7), from old digital telephony.

The Network Switching Subsystem (NSS) provides the link between the Public Land Mobile Network (PLMN) in question and other networks, be they the Public Switched Telephone Network (PSTN), other PLMNs, Public Packet Switched Data Networks (PPSDN, like the internet), Public Circuit Switched Data Networks (PCSDN), Integrated Services Digital Networks (ISDN), or whatever. The key element in the NSS is the Mobile Switching Centre (MSC), which controls call-routing, interfaces with external networks, the authentication of users, handoffs between different BSC cells, accounting and billing, and facilitates subscriber roaming.


Each MSC controls several BSCs. The group of cells serviced by an MSC is called the Location Area, and this is the region that is paged for an incoming call to a mobile station. Each cell is assigned a Cell Global Identity (CGI) number, and each Location Area a Location Area Identity (LAI) – this is the temporary ‘area code’ of the mobile station that is stored by the network in the HLR to indicate the current location of the mobile.

The primary functions of the MSC are: paging; coordination of call establishment; dynamic allocation of resources; location registration (to obtain mobility); handover management; billing of subscribers; dynamic frequency re-allocation; encryption; echo canceller operation (for the interface to the PSTN); synchronisation with the BSS; and the gateway to the Short Message Service Centre (SMSC). A functional block diagram of an MSC is shown below. The MSC usually interfaces with its components, like the HLR, VLR, OMC, and other MSCs, using the X.25 protocol. Most MSCs are what is known as Gateway MSCs (GMSC), in that they also interface to external networks, whatever they are.


The MSC is supported by four databases, all co-located. The Home Location Register (HLR) stores information about each of the subscribers that ‘belong’ to it. This is basically a copy of the information stored on the user’s SIM card, along with the user’s current location on the network.


The Visitor Location Register (VLR) maintains information about subscribers that are currently physically in the region covered by the MSC. It records whether or not the subscriber is active and other parameters associated with the subscriber. Even if a subscriber is in the region covered by its HLR it is still maintained in the VLR for consistency. In particular, the VLR stores the IMSI, MSISDN, Mobile Station Roaming Number (MSRN), TMSI, LAI, and the authentication key, query, and response, of each MS in its servicing area.

The HLR only stores information about the mobiles that are considered to come from its Location Area. The permanent data stored by the HLR is, for each MS: the IMSI; MSISDN; roaming restrictions; closed user group membership data; call forwarding details; voice mail passwords; registration details; activation details; and the authentication key. The temporary data in the HLR is: the local TMSI; RAND, SRES, and Kc – for authentication and ciphering; MSRN; the VLR address that is currently servicing the MS; the associated MSC address; and message waiting data.

The Authentication Centre (AC) holds the authentication and encryption keys for all the subscribers in both the HLR and VLR. It is principally used for authentication when a subscriber joins the network. In addition, the digital information transmitted over the air interface in GSM is ciphered, for security. An algorithm, called A3, is used for authentication, while another algorithm, A5, is used for ciphering. The authentication and ciphering procedures will be discussed in the next section.

Finally there is the Equipment Identity Register (EIR), which keeps track of the type of equipment (serial number) at the mobile station. It also plays a role in security, by blocking calls from stolen mobile stations and preventing the use of the network by mobile stations that have not been approved.
In addition there is the Operations and Maintenance system (OMC), which effectively manages the network as a whole. Its functional components are the Network Management Centre (NMC) and the Billing Centre (BC).

Authentication, Ciphering, and Functionality

To demonstrate the functionality of the GSM network, let’s consider the procedures of a mobile station connecting to the network, authenticating, and then originating and receiving a call. This will motivate the discussion in the subsequent section, of the GSM logical and traffic channel structure.

The first thing the MS does when it is powered on is to scan the available GSM band for the strongest ‘base channel’, effectively the synchronisation channel of the strongest base station that it can receive. On this base channel, a set fixed frequency channel distinct for each base station, the MS first locates the Frequency Correction Channel (FCCH). The information on the FCCH enables the MS to adjust and synchronise its frequency characteristics to that of the base station. Following this the MS identifies the Synchronisation Channel (SCH), which identifies the base station and allows it to synchronise to this base station’s frame format (that is, achieve time synchronisation). Once time and frequency synchronisation has been achieved the mobile then listens to the Broadcast Control Channel (BCCH). The BCCH transmits information such as the cell configuration, the network to which it belongs, access information, and control channel information.

Having obtained the requisite information of the base station structure the mobile is then ready to attempt to access the network. The first part of this access procedure is a location update and authentication request. To connect to the network the mobile places an 8-bit message onto the Random Access Channel (RACH). This is an uplink control channel that functions via the Slotted ALOHA protocol, where mobile stations randomly attempt to transmit packets to the BTS. If the base station successfully receives the transmission it acknowledges receipt with a message on the Access Grant Channel (AGCH). If two or more MS transmitted in the same timeslot, resulting in a collision, no acknowledgement is given and the mobile stations each wait a random amount of time before attempting transmission again.

The 8-bit message inserted on the RACH consists of a 5 bit random number, whose purpose is to provide identification of the request, followed by a 3 bit purpose indicator. The purpose indicator could be a location registration, a new call attempt, the response to a paging message, or the request to transmit an SMS. The acknowledgement by the base station on the AGCH repeats the 8 bit message and directs the terminal to use a Stand-alone Dedicated Control Channel (SDCCH). The remainder of signalling can then be performed on this dedicated bi-directional SDCCH, possibly resulting in the base station directing the mobile to a certain frequency and time slot Traffic Channel (TCH), for the transfer of user data.

For a call directed to a mobile, the mobile subscriber number initially routes the call request to the subscriber’s HLR.
The user’s home MSC has the current location of the subscriber in the VLR. The request is then forwarded to the MSC at the subscriber’s current location. This MSC then transmits a request to all BSCs under its control to page the mobile unit in question through a message on their paging channels, PCH. The procedure for a mobile originated call is similar. The figure below shows the signalling involved in the establishment of a mobile originated call in GSM.

There are two types of handoffs in GSM: those between two cells controlled by the same BSC, and those between two cells under the jurisdiction of different BSCs. If the handoff is to be performed within the area of a BSC, it can be handled by the BSC without consulting the MSC. The MSC will merely be notified. If, instead, the mobile is crossing the border of a BSC, then the MSC has to control the procedure in order to ensure the smooth transition of the conversation. In GSM, it was considered far worse to drop a call that is in progress than to block a new call attempt, and with this in mind, the network will always keep some network capacity available to ensure that there are always channels available should a handover be required. GSM is a hard handoff system, since neighbouring cells use different frequency channels, and so the mobile must move onto a new physical channel (different frequency and timeslot) as a result of the handoff.

The handoff procedure in GSM was an improvement on the basic 1G techniques in that it featured Mobile Assisted Handovers (MAHO). The base station gives the mobile a list of base stations (and their corresponding base channels) on which to perform regular quality and power level measurements. This data is periodically sent back to the base station in a measurement report on the SACCH. The network can then use this information to assist it in its decision as to whether to instigate a handoff. The decision process for deciding on handoff is quite complex, and is ultimately at the discretion of the network operator, accounting for factors such as call quality and available dynamic network capacity.

Security is a primary concern in GSM: as user data is transmitted over the open air interface, it is potentially possible for other parties to eavesdrop and access this information. A user is required to authenticate his or her identity, using a public key – private key authentication system, and the user’s transmitted digital data is ciphered to prevent eavesdropping. For authentication, the user has a Private Key, Ki, that is only stored in the SIM and on the network, and is never transmitted across any interface at all. The actual size and structure of Ki is at the discretion of the network operator (and equipment manufacturers). On reception of an authentication request, required for a mobile to access the network, the network will generate a random number, RAND, a binary number that is 128 bits long, and this is transmitted to the mobile over the air interface. The mobile then uses Ki and RAND, passing them into an algorithm called A3, to generate a 32 bit result, SRES. Then SRES is transmitted back to the network, which can use the same algorithm with the same inputs to generate the same result, SRES. If the result received from the mobile matches that calculated by the network then the user is authenticated and can access and use network resources.


The algorithm A3 is designed in such a way that, given Ki and RAND, it is easy to find SRES. In the other direction, given SRES and RAND, it is nearly impossible to determine Ki. The ideas here are akin to those used in credit card security and the like, where the algorithm involves multiplying two large prime numbers and finding the result modulo another large prime. Breaking the algorithm then involves factoring large prime numbers, modulo another prime, and no efficient way is known to perform this other than an exhaustive search. If the prime numbers are chosen sufficiently large, then this search could potentially require years to complete.

Ciphering provides a way of protecting digital data from eavesdropping. The simple idea is to XOR the transmitted data sequence with a ciphering key. The original data can then be recovered at the receiver by XOR-ing the received ciphered data with the same key. However, if one does not have access to the ciphering key, the digital data appears essentially random and meaningless.

Plain Data      0 1 1 1 0 0 1 0 1 0 0 0 1 1 1 0 0 1 1 0 1 …
Ciphering Key   0 0 0 1 1 0 1 0 1 0 1 0 0 0 1 1 0 1 1 1 0 …
Ciphered Data   0 1 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0 0 0 1 1 …

Ciphered Data   0 1 1 0 1 0 0 0 0 0 1 0 1 1 0 1 0 0 0 1 1 …
Ciphering Key   0 0 0 1 1 0 1 0 1 0 1 0 0 0 1 1 0 1 1 1 0 …
Recovered Data  0 1 1 1 0 0 1 0 1 0 0 0 1 1 1 0 0 1 1 0 1 …

GSM uses an algorithm A8 to generate a ciphering key, Kc, from the Private Key Ki and the received random number, RAND. Kc is 64 bits in length. A different algorithm, called A5, then uses this ciphering key, Kc, along with the 22 bit frame number, to cipher the 114 data bits within the frame. When GSM was first developed, the American Department of Defence invested a considerable sum of money to buy the rights to this algorithm, A5, for security reasons. Thus, in practice, there are actually two different algorithms deployed in GSM networks: A5/1, used in America and its allies; and A5/2, used in countries that the US doesn’t entirely approve of (and is consequently much, much, weaker than A5/1).
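The authentication exchange (RAND, SRES) and the per-frame XOR ciphering (Kc, frame number, 114 data bits) described above, as an added example that is not part of the original lecture notes. The real A3, A8 and A5 are replaced here by HMAC-SHA256 stand-ins, which is an assumption, and the class names, function names, sample IMSI and sample Ki are constructed for illustration.

```python
import hashlib
import hmac
import secrets

RAND_BYTES = 16          # RAND: 128-bit challenge
SRES_BYTES = 4           # SRES: 32-bit response
KC_BYTES = 8             # Kc: 64-bit ciphering key
FRAME_NUMBER_BITS = 22   # frame number fed to the cipher
BURST_DATA_BITS = 114    # data bits ciphered per frame


def prf(key, label, data, nbytes):
    """Stand-in keyed one-way function (HMAC-SHA256, counter mode).
    Assumption for this example only: NOT the real A3/A8/A5."""
    out, counter = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + bytes([counter]) + data,
                        hashlib.sha256).digest()
        counter += 1
    return out[:nbytes]


def a3_sres(ki, rand):
    """Authentication response: 32 bits derived from Ki and RAND."""
    return prf(ki, b"A3", rand, SRES_BYTES)


def a8_kc(ki, rand):
    """Ciphering key: 64 bits derived from Ki and RAND."""
    return prf(ki, b"A8", rand, KC_BYTES)


def a5_keystream(kc, frame_number):
    """114 keystream bits for one frame, from Kc and the frame number."""
    if not 0 <= frame_number < (1 << FRAME_NUMBER_BITS):
        raise ValueError("frame number must fit in 22 bits")
    raw = prf(kc, b"A5", frame_number.to_bytes(3, "big"), 15)  # 120 bits
    bits = [(byte >> shift) & 1 for byte in raw for shift in range(7, -1, -1)]
    return bits[:BURST_DATA_BITS]


def xor_bits(data, keystream):
    """Cipher or decipher: the same XOR is applied in both directions."""
    if len(data) != len(keystream):
        raise ValueError("data and keystream must be the same length")
    return [d ^ k for d, k in zip(data, keystream)]


class Sim:
    """Mobile side: Ki stays on the card, only SRES is sent back."""

    def __init__(self, ki):
        self._ki = ki

    def respond(self, rand):
        # SRES goes to the network; Kc is kept locally for ciphering.
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class Network:
    """Network side: holds Ki per IMSI and issues single-use challenges."""

    def __init__(self, subscribers):
        self._subscribers = dict(subscribers)
        self._pending = {}

    def challenge(self, imsi):
        if imsi not in self._subscribers:
            raise KeyError("unknown subscriber")
        rand = secrets.token_bytes(RAND_BYTES)
        self._pending[imsi] = rand
        return rand

    def verify(self, imsi, sres):
        """Return Kc if SRES matches, else None. Each RAND is used once."""
        rand = self._pending.pop(imsi, None)
        if rand is None:
            return None  # no outstanding challenge: a replayed SRES fails
        ki = self._subscribers[imsi]
        if not hmac.compare_digest(a3_sres(ki, rand), sres):
            return None
        return a8_kc(ki, rand)


def demo():
    imsi = "505019999999999"      # constructed: MCC 505, MNC 01 as in the text
    ki = bytes(range(16))         # constructed 128-bit Ki
    network, sim = Network({imsi: ki}), Sim(ki)
    rand = network.challenge(imsi)            # network -> mobile
    sres, kc_mobile = sim.respond(rand)       # mobile -> network: SRES only
    kc_network = network.verify(imsi, sres)
    burst = [secrets.randbelow(2) for _ in range(BURST_DATA_BITS)]
    ciphered = xor_bits(burst, a5_keystream(kc_mobile, 1234))
    recovered = xor_bits(ciphered, a5_keystream(kc_network, 1234))
    return kc_network == kc_mobile, recovered == burst


if __name__ == "__main__":
    print(demo())
```

Neither Ki nor Kc crosses the air interface in this exchange: both sides derive Kc independently from the shared Ki and the transmitted RAND, and the frame number gives each frame its own keystream.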

Channel Structure

GSM makes the distinction between logical channels and physical channels. The physical channel refers to the specific frequency timeslot in a sequence of frames on a particular RF carrier, whose frequency may be hopped across the available spectrum following some specified sequence. The logical channels represent some pre-defined data format that can be assigned to some particular physical channel in a certain way. Logical channels are broken into two types: traffic channels (TCH), which carry user data in either direction, and control channels (CCH), which carry signalling information. As the above section alluded to, there are many different types of logical channels defined in GSM, each to perform a specific function. The set of control channels is:


Broadcast Control Channels (all downlink)
- Frequency Correction Channel (FCCH)
- Synchronisation Channel (SCH)
- Broadcast Control Channel (BCCH)

Common Control Channels
- Paging Channel (PCH) (downlink)
- Access Grant Channel (AGCH) (downlink)
- Random Access Channel (RACH) (uplink)

Dedicated Control Channels (bi-directional)
- Stand-alone Dedicated Control Channel (SDCCH)
- Slow Associated Control Channel (SACCH)
- Fast Associated Control Channel (FACCH)

As previously described, the FCCH channel essentially provides a pilot tone to enable synchronisation of the mobile’s oscillator to the transmitted frequency of the BTS. The SCH channel provides a reference sequence to allow the mobile to synchronise to the frame structure of the servicing base station – establish which timeslot is which. The BCCH channel transmits the necessary cell and network specific information to allow the mobile to connect to the network. The PCH channel is used by the network to notify a mobile station of an incoming call or message. The RACH channel allows mobiles to randomly connect to the network, be it to register on the network or initiate a call. The AGCH channel is used by the network to allocate a dedicated control channel to the mobile for signalling purposes. The SDCCH channel is used for signalling data, such as the authentication procedure and traffic channel assignment.

The SACCH is allocated along with a traffic channel. In the downlink, the SACCH carries power level adjustment and timing advance instructions to the MS. In the uplink the MS transmits received radio signal strength indicators, quality measures of its traffic channel, and broadcast control channel measurements from neighbouring cells for mobile assisted handoffs (MAHO) on the SACCH. If urgent signalling needs to be performed, such as for a hand-off, the system can steal traffic channel slots with a FACCH.

The question is then how GSM maps these logical channels to physical channels. GSM maps these various channels in functional groups. The mapping is different for traffic channels and control channels. Traffic channels are assigned as a repeating timeslot in a group of 26 consecutive frames. Of these 26 frames, 24 of them carry TCH timeslots, while the timeslot in the 12th frame is dedicated to the SACCH for in-call signalling, and the 25th and final frame can be used for a SACCH or left idle.


Control channel assignment is done in groups of 51 multiframes. Apart from the SDCCH assignment structures, control channel groups are always assigned to Timeslot TS0 at a set of prescribed frequencies across the band. These frequencies are fixed and do not take part in the slow frequency hopping. In the Uplink all the TS0 at the assigned control frequencies are assigned RACH channels. The other timeslots can carry traffic channels or SDCCH channels in their assignment patterns. In the downlink the control channels are assigned in the following pattern, as shown in the diagram below. The assignment is performed in five 10 frame groups, with the final 51st frame timeslot left idle. The frame TS0 carries the FCCH, allowing the mobile station to perform carrier synchronisation and match the base station’s transmitted frequency. This is followed in the next frame by the SCH, used by the mobile to establish frame, hence time, synchronisation. The BCCH then occupies the next four consecutive frames, repeated only once every 51 frame group (which is then once per 235 ms). The remaining frames are used for either AGCH or PCH channels.

All the channel types, except the RACH, insert their data into each timeslot as a 148 bit message. The standard format, used in particular by traffic channels, assigns bits into the timeslot in the pattern illustrated below. There are 114 data bits in two groups of 57 bits, and other bits are used for the training sequence, synchronisation, and signalling flag purposes.


The FCCH makes all of these 148 bits ‘0’s, making its timeslot an unmodulated sine wave, or pilot tone, for the mobiles to synchronise to. The SCH uses a longer training sequence than the standard, of 64 bits in length. The payload data in the SCH is only 78 bits, which is formed by protecting a 25 bit message with 10 CRC parity check bits followed with a (2,1,4) convolutional encoder. The 25 bit message contains the 6 bit BS identity code and a 15 bit frame synchronisation sequence.

The BCCH, AGCH, and PCH all operate on an original 184 bit message, add 40 CRC bits, followed with a (2,1,4) convolutional encoder. The resultant 456 encoded bits are then split into four groups of 114 bits, and assigned to the data field of four successive frames, structured in the same way as the TCH timeslots as above.

The RACH timeslot structure is quite different. The burst period is much shorter, being only 88 bits in length followed by a longer guard interval equivalent to 68.25 bits. This greater guard interval compensates for the maximum round trip delay that the transmission can entail. This is a problem on the RACH in particular, since this channel will contain the very first transmission to the BTS from the mobile, prior to the base station having directed the mobile to either advance or delay its timing to fit into the timeslot structure as received at the base station. This guard time corresponds to a round-trip of 35 km, corresponding to the maximum cell radius allowed in GSM.


The 8 bit RACH message, consisting of the 5 bit random number and 3 bit request identifier discussed earlier, is appended with 6 CRC bits and then convolutionally encoded to 36 data bits. These 36 encoded data bits make up the RACH time slot along with 41 synchronisation bits.

As an example of the use of these logical channels, the diagram below shows the logical channel assignment in the mobile station performing a location update. Location updates occur when a mobile is first turned on, and can then be periodically enforced by the network to track an MS's movement. Only control channels are involved in a location update.

The next diagram shows the logical channels used over the air interface for a mobile terminated call. Note firstly the significant amount of overhead signalling needed to eventually establish a traffic channel for data transfer. Also note the large number of control channels required in the exchange, and the previously described function of each control channel in the exchange.

The above discussion is only for the logical channels used over the GSM air interface. On the network, different logical channels are used for data exchange between network elements. These tend to use existing, established protocols, such as SS7 or X.25. A discussion of these protocols is beyond the scope of this course.

Protocol Stack

Every communication system is built on a layered protocol stack, or a set of agreed formats and procedures that the components of the network follow to allow successful transmission and reception. In the layered architecture, the idea is that a layer below provides the necessary service and functionality to the layer above. In a sense the lower layer provides functionality that the higher layer can take for granted. This is akin to your everyday experience of using a phone – you can merely talk into the phone and know that your data is somehow transferred over the network, without having to concern yourself with the details of how this transmission actually happens. The diagram below shows the standard internet protocol stack, which is most likely familiar to students from their previous studies or everyday experience. All of the layers, aside from the lowest, exist as software. The lowest layer is the physical layer, managing the physical link, be it radio, wire, or fibre, and as such is implemented as hardware.


The top layer is the Application Layer, which is the program or application in which users enter the information they wish to transmit across the network. In the case of a packet based network like the internet, this information is encapsulated into information units or packets, and it is the job of the lower layers to ensure that these information units are routed across the network to arrive at the correct destination. The first layer below the Application Layer is called the Transport Layer. In the internet protocol suite this is either Transmission Control Protocol (TCP), for non-real-time applications, or User Datagram Protocol (UDP), for real-time applications. Considering TCP, for example, this protocol performs tasks such as data unit sequencing, error correction and flow control, among other things, to ensure the correct and orderly delivery of messages across the network. Error correction is the simple automatic-repeat-request (ARQ) scheme. The Transport Layer logically connects the sending and receiving hosts, and the function of the lower layers is to provide a pipeline between these two hosts such that data can be inserted at one end and comes out correctly, and in the same sequence, at the other end. This should occur successfully with no knowledge of the network in between the sending and receiving hosts. The routing function is performed by the next layer down, the Network Layer, which for the internet is the Internet Protocol (IP). The bottom two layers then manage the connections between two devices in the network, providing the link between the two users. The Data Link Layer ensures that the blocks of bits constituting a data unit arrive recognisably at the receiving end of a link. The functions of this sub-layer include detecting the beginning and the end of a data unit, error detection, and managing the multiple access strategy. The physical layer actually carries out the physical transmission of the data over the network.


Note that as we work down the protocol stack each layer will append a specific header to the data unit message (and possibly a trailer), so that it can perform the function of its layer successfully. In internet terminology, the term ‘packet’ refers to the network layer protocol data unit (N-PDU). We will use the term more loosely in these notes, though.

The complexity of the network architecture and functionality means that the protocol layers required in a second generation cellular network are fairly involved. We only have space for a brief overview in these notes. The signalling protocol adopted in GSM is an adaptation of Signalling System Number 7 (SS7), used in digital telephony over the PSTN. The major differences naturally stem from the different physical layer format, whereby the 22.8 kbps data channel is supplied over the radio channel. Over the network the standard 64 kbps digital telephony channel is used at the physical layer.


At the link layer, a data link control protocol known as LAPDm is used. This is a modified version of the LAPD protocol used in ISDN. The primary function of the link layer is to provide error detection via cyclic redundancy checks followed by automatic repeat request (ARQ). Above the link layer there are a number of protocols that perform specific functions. Radio Resource Management (RRM) controls the setup, maintenance, and termination of radio channels, including handoffs. Mobility management (MM) manages location updating and registration, as well as security and authentication. Connection Management (CM) handles the setup, maintenance, and termination of calls. The Mobile Application Part (MAP) handles most of the signalling between different entities in the fixed part of the network, such as between the HLR and the VLR. BTS Management (BTSM) performs various management and administrative functions at the base transceiver station, under the control of the BSC.

This is all we will say about the GSM protocol stack here. Obviously there is much more to be said, but our main interest is the physical layer. An in-depth treatment of the higher protocol layers is more the domain of networking courses.

Physical Layer

Originally GSM was allocated the 25 MHz duplex bands, 935-960 MHz for the Downlink and 890-915 MHz for the Uplink, for transmission. Thus, GSM is a Frequency Division Duplexing system, a feature inherited from the first generation networks. Many alternative bands have since been allocated to GSM services in different parts of the world, far too many to document here. GSM is really an FDMA/TDMA system, with different RF carriers spaced every 200 kHz for a total of 125 duplex channels across the band. However, the channel at the lower end of the band is left unused as a guard band, so there are really only 124 duplex channels available. Each RF carrier has 8 timeslots, shared in the regular TDMA frame structure, with an air interface data rate of 270.833 kbps. To avoid the use of a duplexer in the mobile station, the timeslots in the forward and reverse directions are offset by three. Thus, the mobile stations do not need to transmit and receive at the same time.

As discussed in an earlier section, GSM classifies logical channels into two different types, traffic or control. Traffic channels are assigned as a group of 26 repeating timeslots in consecutive frames, while control channels occupy a repeating timeslot in 51 consecutive frames. This repeating frame structure is illustrated in the diagram below. Note that, at any time, one timeslot in a frame could be carrying a logical control channel group, while another timeslot carries a traffic channel group.


A GSM timeslot is also known as a ‘burst period’, and it has a duration of 15/26 = 0.577 ms, or a length of 156.25 bits. This really consists of 148 data bits followed by a guard interval of equivalent duration 8.25 bits or 30.46 µs. The guard interval is intended to prevent the overlapping of consecutive bursts due to varying path delays. Each timeslot carries two groups of 57 data bits that, for the case of traffic, come from different speech samples (and as such represents a form of interleaving). The other overheads within the frame are 3 tail bits, used to synchronise mobile transmission; two stealing bits to indicate whether this timeslot carries user data or has been stolen for an urgent control message (such as a handoff request, or rapid power alteration); and a 26 bit training sequence, used as input to the channel equaliser.

Within the 26 frame traffic channel format, 24 of these frames are used to carry a pair of 57 bit data groups, one frame is for the Slow Associated Control Channel (SACCH), and one frame was left vacant for possible developments but was never assigned. Thus, each traffic channel gets 114 data bits per timeslot, one timeslot per frame, and 24 frames per 120 ms multiframe. The resulting effective user data rate is thus 22.8 kbps. The GSM standard also defines half-rate traffic channels, where a pair of users will each occupy 12 out of the 26 frames within the traffic channel multiframe.

The modulation used is Gaussian Minimum Shift Keying (GMSK). We have discussed this modulation technique in detail in earlier notes, and will not repeat this discussion here. The 3dB-bandwidth symbol period product used is $B_3 T_s = 0.3$, a trade-off between bandwidth efficiency and the introduction of ISI. At the data rate of 270.833 kbps the baseband bandwidth of the Gaussian filter is 81 kHz. The spectrum of the modulated signal thus fits into the 200 kHz assigned channels, with very little out of band power, thanks to the high spectral efficiency of the GMSK technique.


To provide frequency diversity GSM implements slow frequency hopping. Each successive TDMA frame in a given channel is carried on a different carrier frequency, following a pseudo random sequence controlled by the base station. Thus, the carrier frequency is hopped every 4.615 ms. This ensures that the channel fading experienced by each successive frame is independent, and when combined with the channel coding structure allows a very high level of error performance to be achieved. Slow frequency hopping also has the effect of randomising adjacent channel interference.

The equaliser is not specified by the standard and is left to the discretion of the terminal manufacturer to design and implement. The most common approach in the industry is the Viterbi algorithm applied to the MLSE equaliser. Several training sequences are defined in the standard, allowing neighbouring base stations to use distinct training sequences. This enables a form of addressing, so that the mobile and the base station can verify that this timeslot comes from the correct transmitter and not an interfering transmitter. GSM has defined 8 different training sequences. The first is:

TS0 001001011100001000010001001011

As is the case with power control, the network also directs timing control messages to mobiles. Even considering the trailing bits and the guard interval, it is still necessary for the base station to direct the transmission from each mobile station so that, accounting for varying propagation delay, the transmission from each mobile arrives at the base station within the designated timeslot period. The base station can adjust the timing of any active mobile unit by control signals that instruct the mobile unit to increment or decrement its timing.

As we will discuss in the signal processing below, the channel coding adopted at the physical layer in GSM combines CRC codes for error detection and convolutional codes for error correction. In speech data protection, GSM uses a (53,50) CRC code to add three parity bits to data blocks of 50 bits. The polynomial used to generate the parity bits is:

$$g(p) = p^3 + p + 1$$

GSM uses a (2,1,4) convolutional encoder for error correction, with the Viterbi algorithm to perform real-time decoding. The structure of the convolutional encoder is shown in the diagram below. The output relationships are:

$$c^{(1)}[n] = b[n] + b[n-3] + b[n-4]$$

$$c^{(2)}[n] = b[n] + b[n-1] + b[n-3] + b[n-4]$$


Signal Processing

An overview of the signal processing in a GSM system is shown in the diagram below. As described in the previous lecture, GSM uses Regular Pulse Excited – Linear Predictive Coding (RPE-LPC) for speech compression. Speech frames of 20 ms duration are compressed into 260 bits, for an aggregate bit rate of 13 kbps out of the speech codec. The composition of these 260 bits for a single frame is:

| Parameter | Bits |
|---|---|
| 8 STP LAR coefficients | 36 bits per frame |
| 4 LTP Gains | 4 × 2 = 8 bits |
| 4 LTP Delays | 4 × 7 = 28 |
| 4 RPE Grid positions | 4 × 2 = 8 |
| 4 RPE Block Maxima | 4 × 6 = 24 |
| 4 × 13 RPE Pulse Amplitudes | 52 × 3 = 156 |
| Total bits per 20 ms | 260 bits/frame |

Students will recall that one estimate of the LPC short-term predictive filter is made per frame. Then the frame is broken into four sub-frames, each representing 5 ms of speech. In each sub-frame pitch prediction is performed, but the bulk of the bit rate comes from quantisation of the regularly spaced pulse excitation sequence.

From the point of view of perceptual quality the 260 bits out of the speech codec are separated into three classes. Class Ia consists of the 50 bits that are deemed most sensitive to bit errors. The 132 bits of Class Ib are moderately sensitive to bit errors, while the 78 bits of Class II are fairly robust to bit errors. This classification of the relative importance of the compressed bits results in a layered structure of the channel coding. Firstly, the 50 Class Ia bits are supplemented with 3 CRC bits, to detect errors. If an error is detected in these bits the entire block is discarded and replaced with a modified version of the preceding block. These 53 bits, plus the 132 Class Ib bits and 4 tail bits of 0000 to flush the encoder, are fed into a (2,1,4) convolutional encoder. The 78 Class II bits remain uncoded and are added to the 378 bits output from the convolutional encoder such that the 20 ms speech frame is encoded as 456 bits. 456 bits every 20 ms corresponds to a data rate of 22.8 kbps, matching exactly the data rate provided by the GSM traffic channel.

To add protection against burst errors due to channel fading, each 456 bit speech block is broken into eight blocks of 57 bits and transmitted in eight consecutive timeslots. This provides time diversity through interleaving, since each timeslot is transmitted spaced by an interval greater than the (typical) coherence time. Thus, each burst carries data from two different speech samples.

Data is processed in a similar fashion to speech. Data is transported as blocks of 240 bits every 20 ms, for a data rate of 12 kbps. Depending on how the precise logical channel is defined, the net aggregate data rate turns out to be either 9.6, 4.8, or 2.4 kbps. Each block is augmented with 4 flush bits and passed into the (2,1,4) convolutional encoder. From the 488 output bits of the convolutional encoder 32 bits are dropped, leaving a block of 456 bits. This is called puncturing, where effectively the transmitter introduces errors into the transmitted sequence by leaving out certain encoded bits, to raise the effective code rate. The 456 data bits are spread over 22 bursts in the following way:

Bursts 1 and 22 carry 6 bits each.
Bursts 2 and 21 carry 12 bits each.
Bursts 3 and 20 carry 18 bits each.
Bursts 4 through 19 carry 24 bits each.

The result is that each burst carries information from 5 or 6 consecutive data blocks.

Additional speech processing in GSM is shown in the diagram below. Voice Activity Detection (VAD) is used to distinguish speech frames from noise frames. Rather than waste system resources communicating background noise, the noise frames are taken aside at the encoder and used to generate a Silence Descriptor (SID). This SID is transmitted to the decoder once every 480 ms. On the receipt of a new SID, the decoder will then update its algorithm to generate some background noise, termed ‘comfort noise’. This provides an experience akin to a fixed wire-line telephone conversation, with a background ‘buzz’. Perceptually it was found to be disturbing for the listener to experience silence along the line whenever the other party is not speaking, as they tend to believe the line has gone dead. This is a feature that has since been adopted into all mobile cellular systems.
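The speech channel-coding chain described in this section (3 CRC bits on Class Ia, the (2,1,4) encoder with the output relationships given earlier, Class II left uncoded) can be run end to end. The following is an added example, not code from the original notes: it assumes the additions in the output relationships are modulo 2, a simple bit ordering (Class Ia, parity, Class Ib, tail), a plain polynomial-remainder CRC and a hard-decision Viterbi decoder, and all function names are illustrative.

```python
# Added example: GSM full-rate speech channel coding as described in the notes.
# Assumptions: simple bit ordering (Class Ia, parity, Class Ib, tail) and a plain
# polynomial-remainder CRC; the standard's exact bit reordering is not modelled.

MEMORY = 4                      # encoder memory of the (2,1,4) code
TAPS_C1 = (0, 3, 4)             # c1[n] = b[n] + b[n-3] + b[n-4]
TAPS_C2 = (0, 1, 3, 4)          # c2[n] = b[n] + b[n-1] + b[n-3] + b[n-4]
CRC_POLY = (1, 0, 1, 1)         # g(p) = p^3 + p + 1, highest power first

# Constructed 260-bit sample frame (not real codec output).
SAMPLE_FRAME = [(i + i // 3) % 2 for i in range(260)]


def crc3(bits):
    """Three parity bits: remainder of bits(p) * p^3 divided by g(p) over GF(2)."""
    reg = list(bits) + [0, 0, 0]
    for i in range(len(bits)):
        if reg[i]:
            for j, g in enumerate(CRC_POLY):
                reg[i + j] ^= g
    return reg[-3:]


def branch(state, b):
    """One trellis step: returns (next_state, c1, c2) for input bit b."""
    # state holds b[n-1]..b[n-4], with b[n-1] in the most significant bit
    window = [b] + [(state >> (MEMORY - k)) & 1 for k in range(1, MEMORY + 1)]
    c1 = sum(window[t] for t in TAPS_C1) % 2
    c2 = sum(window[t] for t in TAPS_C2) % 2
    return (b << (MEMORY - 1)) | (state >> 1), c1, c2


def conv_encode(bits):
    """Rate-1/2 encoding; the caller appends the 4 flush zeros."""
    out, state = [], 0
    for b in bits:
        state, c1, c2 = branch(state, b)
        out += [c1, c2]
    return out


def viterbi_decode(coded):
    """Hard-decision Viterbi decoder; the trellis starts and ends in state 0."""
    n_states, inf = 1 << MEMORY, float("inf")
    metric = [0] + [inf] * (n_states - 1)
    paths = [[] for _ in range(n_states)]
    for i in range(0, len(coded), 2):
        new_metric = [inf] * n_states
        new_paths = [None] * n_states
        for s in range(n_states):
            if metric[s] == inf:
                continue
            for b in (0, 1):
                nxt, c1, c2 = branch(s, b)
                m = metric[s] + (c1 != coded[i]) + (c2 != coded[i + 1])
                if m < new_metric[nxt]:
                    new_metric[nxt], new_paths[nxt] = m, paths[s] + [b]
        metric, paths = new_metric, new_paths
    return paths[0]             # the flush zeros force the sent path into state 0


def encode_speech_frame(frame260):
    """260 codec bits -> 456 channel bits (378 coded + 78 uncoded Class II)."""
    ia, ib, ii = frame260[:50], frame260[50:182], frame260[182:]
    protected = ia + crc3(ia) + ib + [0] * MEMORY       # 50 + 3 + 132 + 4 = 189
    return conv_encode(protected) + ii


def decode_speech_frame(block456):
    """Returns (260 recovered bits, crc_ok); crc_ok False means discard the frame."""
    decoded = viterbi_decode(block456[:378])
    ia, parity, ib = decoded[:50], decoded[50:53], decoded[53:185]
    return ia + ib + block456[378:], crc3(ia) == parity


def split_into_blocks(block456):
    """Eight 57-bit blocks, one per consecutive timeslot."""
    return [block456[i:i + 57] for i in range(0, 456, 57)]


if __name__ == "__main__":
    tx = encode_speech_frame(SAMPLE_FRAME)
    rx = list(tx)
    for pos in (20, 140, 260):      # isolated errors in the coded part
        rx[pos] ^= 1
    rx[400] ^= 1                    # error in an uncoded Class II bit
    frame, crc_ok = decode_speech_frame(rx)
    wrong = [i for i in range(260) if frame[i] != SAMPLE_FRAME[i]]
    print("CRC ok:", crc_ok, "| residual bit errors at:", wrong)
```

The run flips three isolated coded bits and one Class II bit: the Viterbi decoder repairs the former, while the latter reaches the speech decoder uncorrected, which is the unequal error protection the class structure is built around.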


Evolution to 3G

The desire to further increase network capacity, and the demand for the provision of more types of data, meant the focus was very quickly on designing a network to supersede GSM. A particularly famous development was the ‘short message service’, or SMS. The original standard included a provision for short messages of 120 characters, and it was intended that this feature would be of very limited interest to subscribers. It was conceived merely as a form of paging service for use by some professionals like doctors and surgeons. However, today SMS traffic virtually supersedes voice data across the network. The enormous growth in the demand for different types of data was the driver for the evolution to a 3G network. As we will discuss in two lectures' time, the move towards a 3G network had three facets:

(i) The evolution to a packet switched network backbone. The 1G and 2G cellular networks were all designed as phone networks, where a dedicated channel is assigned to the two parties for the duration of the call – the circuit switching principle. Circuit-switched networks are good for voice data; however, when seeking a network that can efficiently communicate a wide diversity of data and information types, a packet switched network (like the internet) is superior.

(ii) The provision of higher data rates. Applications like video streaming require data rates of the order of 2 Mbps and beyond. This far exceeds the capacity of 2G cellular networks.

(iii) The ability of the network to efficiently provide varying data rates. A 3G network should be able to support services ranging from SMS, requiring only of the order of 1 kbps, right up to streaming video at 2 Mbps. Designing a network to be able to simultaneously provide channels to different users with data rates varying by the order of thousands is no trivial task.


As we shall see in the following two lectures, CDMA was seen as the technology best suited to satisfy the above three requirements, and the two major existing 3G cellular standards are based on the CDMA principle. However, to provide a seamless transition from 2G into 3G several important advancements were implemented in the GSM standard. The first of these was High-Speed Circuit Switched Data (HSCSD), a simple technique to increase the available data rate by allocating multiple timeslots to a single user in the TDMA frame. Next was the General Packet Radio Service (GPRS), which added a packet-switched backbone into the GSM network (circuit switched and packet switched services would coexist). Finally, there was EDGE (Enhanced Data Rates for GSM Evolution), which altered the modulation and coding to increase the aggregate data rate. The idea here was to gradually increase the data rates available to operators of GSM networks, to allow new applications to be developed in readiness for the deployment of 3G networks.

High-Speed Circuit Switched Data (HSCSD) was an enhancement to provide higher-rate circuit-switched data capabilities with relatively simple software upgrades to the MSC, BSC, BTS, and mobile stations. The HSCSD enhancement for GSM increases the effective payload data rate from 9.6 kbps to 14.4 kbps by increasing the forward error correcting code rate by puncturing. Puncturing is a technique to remove certain encoded bits from the output of the convolutional encoder in such a way that the original data can be recovered, but naturally the error robustness of the sequence is reduced. Essentially puncturing is the encoder itself introducing errors into the transmitted sequence, for an improvement in spectral efficiency, with the knowledge that the receiver can still correct these errors. Moreover, in HSCSD the level of puncturing, and hence the effective data rate, can be varied according to channel conditions. When the channel conditions are poor puncturing is not performed and the maximum data rate is capped at 9.6 kbps. In a good channel, when the RSSI and BER indicate clear conditions, puncturing can be applied to increase the data rate to 14.4 kbps. HSCSD then allows the aggregation of up to four timeslots for a single user, making the maximum achievable data rate 57.6 kbps. This data rate is equivalent to that achieved in the old voice-band modems, and HSCSD has much in common with these systems, in the sense that it still routes data over a circuit-switched backbone.

The General Packet Radio Service, or GPRS, provided GSM with a packet-switched network backbone. The core network portion of GPRS uses a layered architecture with the internet based TCP/IP protocols playing a key role. We will devote considerable effort to describing the protocol suite of GPRS, since both W-CDMA and cdma2000 have very similar packet-switched architectures at their cores. Different types of data, such as voice calls, video, images, and data files, each put very different demands on the air interface. Some are more suited to circuit switched networks, and others to packet switched networks. Packet-switched networks, like the internet, are designed for ‘bursty’ traffic, for which the time required to deliver the traffic is much less than the time between successive bursts; frequent transfer of small volumes of data; and the occasional transfer of large files. Some of the advantages of cellular systems switching to packet based networks are a significant reduction in connection times, the ability to connect seamlessly to other packet data networks, and the provision of desired Quality of Service (QoS) characteristics.

Quality of Service (QoS) objectives vary widely between the different types of data, in terms of the acceptable delay, time variation between information entities, and data integrity (probability of error). Each of the QoS parameters is specified in terms of classes. For instance, GPRS defines three reliability classes, ranging from bit error probabilities as low as $10^{-9}$ to as high as $10^{-2}$. There are three priority levels: high precedence, normal precedence, and low precedence. Low precedence corresponds to the Internet ‘best-effort’ class, with no constraint placed on the time of arrival of the transmitted information. There are four delay classes, and the final QoS parameter is the data throughput. This is specified both in terms of the maximum bit rate and the mean bit rate.

The implementation of GPRS in the GSM network required changes in the GSM core network architecture, as well as changes in the way messages are transmitted across the air interface. Two packet-based support nodes were added to the GSM network. These were the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN). The SGSN is connected to the base station in the local area, delivering packets to, and receiving packets from, GPRS mobile stations serviced by this base station. It is responsible for mobile management, location management, and authentication, and as such performs a role akin to the MSC in the GSM network. Connections to external packet data networks are made through the GGSN.

Inserting the packet-based protocol architecture onto the mobile protocol stack is no easy task. A simplified version of the GPRS protocol stack is shown in the diagram below. The idea is to insert TCP/IP on top of the communication stack, and alter the lower layers in such a way as to make the physical communication through the PLMN transparent to the transport and network layers.

GPRS packets share the same frame structure as GSM circuit-switched calls. In GPRS, data packets are mapped to the 114 bit data portion of a timeslot in four consecutive frames; this unit is called a radio block. The encoded radio block size is thus 456 bits. A variety of parity check bits and channel coding (convolutional encoding) can be used, depending on the channel conditions, to produce net data rates between 9.05 kbps and 21.4 kbps. A 3-bit Uplink State Flag (USF) is also inserted into the packet, which acts as a kind of packet address, identifying the mobile station involved in the transmission.

GPRS added several logical channels to the GSM framework. These are listed in the table below. These are very similar in nature to the original GSM logical channels.

| Channel Group | Channel Name | Function | Direction |
|---|---|---|---|
| Traffic packets | PDTCH | Data traffic | bi-directional |
| Dedicated control | PACCH | Associated Control | bi-directional |
| | PTCCH | Timing advance | bi-directional |
| Broadcast Control | PBCCH | Broadcast control | Downlink |
| Common Control | PRACH | Random Access | Uplink |
| | PAGCH | Access Grant | Downlink |
| | PPCH | Paging request | Downlink |
| | PNCH | Multicast notification | Downlink |

The final development to GSM in the path to 3G was EDGE, or Enhanced Data Rates for GSM Evolution. The idea here was to use a higher-order modulation scheme, 8-PSK, to immediately increase the data rate three-fold (transmit three bits per symbol). Variable modulation and code puncturing can then be used to achieve data rates anywhere between 11.4 kbps and 69.6 kbps. The adaptive modulation and coding is achieved through a Hybrid-ARQ scheme, whereby each time a packet transmission is successful the code is further punctured or the modulation scheme increased for the next transmission. This is continued until packet transmission is unsuccessful.