Mobile Communication Systems: GSM - UP


Mobile Communications
Degree in Electrical and Computer Engineering
Degree in Informatics and Computing Engineering

Mobile Communication Systems: GSM
Global System for Mobile Communication
Mário Jorge Leitão
Partially adapted with permission from Mobile Communication: Wireless Telecommunication Systems - Jochen Schiller, http://www.jochenschiller.de

Overview
GSM
- formerly: Groupe Spéciale Mobile (founded 1982)
- now: Global System for Mobile Communication
- Pan-European standard (ETSI, European Telecommunications Standardisation Institute)
- simultaneous introduction of essential services in three phases by the European telecommunication administrations
- seamless roaming within Europe possible
- today many providers all over the world use GSM (more than 180 countries in Asia, Africa, Europe, Australia, America)
- more than 900 million subscribers
- more than 70% of all digital mobile phones use GSM

Performance characteristics of GSM
- Communication: mobile, wireless communication; support for voice and data services
- Total mobility: international access, chip-card enables use of access points of different providers
- Worldwide connectivity: one number, the network handles localization
- High capacity: better frequency efficiency, smaller cells, more customers per cell
- High transmission quality: high audio quality and reliability for wireless, uninterrupted phone calls at higher speeds (e.g., from cars, trains)
- Security functions: access control, authentication via chip-card and PIN

Mobile Services
GSM services
- basic services
  - voice services
  - data services
  - short message service
- additional services
  - emergency number
  - group 3 fax
  - electronic mail
- supplementary services
  - identification: forwarding of caller number
  - suppression of number forwarding
  - automatic call-back
  - conferencing with up to 7 participants

Basic Services
Services are supported by traffic channels
Voice services (speech coding with protection)
- full rate: 13 / 12.2 kbit/s (original coder / enhanced full rate coder)
- half rate: 5.6 kbit/s (enhanced half rate coder)
Data services (coding with different levels of protection)
- full rate: 22.8 kbit/s (gross bit rate, unprotected transmission)
- half rate: 11.4 kbit/s (gross bit rate, unprotected transmission)
- full rate: 9.6 / 4.8 / 2.4 kbit/s
- half rate: 4.8 / 2.4 kbit/s
Enhanced data services
- HSCSD (High Speed Circuit Switched Data): n x 14.4 / n x 9.6 / n x 4.8 kbit/s (n = 1, 2, 3, 4)
- GPRS (General Packet Radio Service): various rates (typically up to 53.6 kbit/s)

GSM architecture: PLMN - Public Land Mobile Network
[Figure: GSM architecture overview. Labels: radio cell, MS, BSS, IWF, OSS, EIR, AuC, OMC, ISDN, PSTN, PDN]

GSM architecture: PLMN - Public Land Mobile Network
RSS - Radio Subsystem: covers all radio aspects
- MS - Mobile Station: mobile terminal equipment
- BSS - Base Station Subsystem
  - BTS - Base Transceiver Station: transmitter, receiver and antennas
  - BSC - Base Station Controller: management of several BTS and MS
[Figure: BSS made of BSC and BTS, serving MS]

GSM architecture: PLMN - Public Land Mobile Network
NSS - Network Subsystem: switching, mobility management, interconnection to other networks, system control
- MSC - Mobile Switching Centre: management of all connections
- HLR - Home Location Register: associated to each PLMN
- VLR - Visitor Location Register: associated to each MSC
- GMSC - Gateway MSC: MSC providing interconnection to other networks
[Figure: HLR, VLR, MSC, GMSC, BSC, fixed network]

GSM architecture: PLMN - Public Land Mobile Network
OSS - Operation Subsystem: centralized operation, management, and maintenance of all GSM subsystems
- OMC - Operation and Management Centre: control of the radio and network subsystems
- AuC - Authentication Centre: security functions
- EIR - Equipment Identity Register: mobile station registration
[Figure: OMC, AuC, EIR, HLR, MSC, network element]

GSM architecture: interfaces
[Figure: radio subsystem (MS, BTS, BSC), network and switching subsystem (MSC, HLR), fixed partner networks (ISDN, PSTN); interfaces Um, Abis, A]
Interfaces
- Um: radio interface
- Abis: standardized, open interface with 16/64 kbit/s user channels
- A: standardized, open interface with 64 kbit/s

Voice transcoding and rate adaptation
Need for transcoding and rate adaptation
- BTS - 13 kbit/s air-interface (original coder)
- MSC - 64 kbit/s ISDN type switching (PCM, A-law)
3 options for Transcoding and Rate Adapter Unit (TRAU)
[Figure: three TRAU placements along the BTS - Abis - BSC - A - MSC path, with 64 kbit/s and 16 kbit/s links (4 x 16 sub-mux)]

Mobile addresses
Several mobile numbers are needed
IMSI - International Mobile Subscriber Identity
- fields: Mobile Country Code (MCC), Mobile Network Code (MNC), Mobile Subscriber Identification Number (MSIN)
- uniquely identifies the user (SIM card)
TMSI - Temporary Mobile Subscriber Identity
- 32 bits
- local number allocated by VLR, may be changed periodically
- hides the IMSI over the air interface - transmitted instead of IMSI
MSRN - Mobile Station Roaming Number
- fields: Visitor Country Code (VCC), Visitor National destination Code (VNDC), current MSC code, temporary subscriber number
- generated by VLR for all visiting users
- helps HLR to determine current location area
- hides the IMSI inside the network

Mobile station functional groups
MT (Mobile Termination)
- offers common functions used by all services the MS offers
- end-point of the radio interface (Um) - equivalent to NT of an ISDN access
- hides GSM radio specific characteristics
TE (Terminal Equipment)
- peripheral device of the MS, offers services to a user
TA (Terminal Adapter)
- interfaces MT with different types of terminal
[Figure: TE1, TE2, TA and MT connected towards Um]

Mobile station functional groups
SIM card (Subscriber Identity Module)
- uniquely associated to a user
- stores user and location addresses
  - IMSI - International Mobile Subscriber Identity
  - TMSI - Temporary Mobile Subscriber Identity
  - LAI - Location Area Identification
- supports authentication and encryption mechanisms
  - PIN - Personal Identity Number
  - PUK - PIN Unblocking Key
  - Ki - subscriber secret authentication key
  - A3 - authentication algorithm
  - A8 - cipher key generation algorithm
- contains personal data
  - list of subscribed services
  - RAM for user directory, SMS

Base transceiver station and base station controller
Tasks of a BSS are distributed over BSC and BTS
- BTS comprises radio specific functions
- BSC is the switching center for radio channels
  - switch calls from MSC to correct BTS
Functions [table with BTS and BSC columns; the slide carries 6 marks under BTS and 10 under BSC, their row positions are not preserved]
- Management of radio channels
- Frequency hopping (FH)
- Management of terrestrial channels
- Mapping of terrestrial onto radio channels
- Channel coding and decoding
- Rate adaptation
- Encryption and decryption
- Paging
- Uplink signal measurements
- Traffic measurement
- Authentication
- Location registry, location update
- Handover management

Mobile switching center
The MSC (mobile switching center) plays a central role in GSM
- switching functions
- additional functions for mobility support
- management of network resources
- interworking functions via Gateway MSC (GMSC)
- integration of several databases
Specific functions of a MSC
- switching of 64 kbit/s channels
- paging and call forwarding
- termination of SS7 (signaling system no. 7)
- mobility specific signaling
- location registration and forwarding of location information
- support of short message service (SMS)
- generation and forwarding of accounting and billing information

Location registers
Database requirements
- scalability
- high capacity
- low delay
Home Location Register (HLR)
- central master database
  - data from every user that has subscribed to the operator
  - one database per operator
  - may be replicated
- subscriber data
  - IMSI - International Mobile Subscriber Identity
  - list of subscribed services with parameters and restrictions
- location data
  - current MSC/VLR address

Location registers
Visitor Location Register (VLR)
- local database
  - data about all users currently in the domain of the VLR
  - includes roamers and non-roamers
  - associated to each MSC
- subscriber identity
  - IMSI - International Mobile Subscriber Identity
- temporary location
  - LAI - Location Area Identification
- temporary addresses
  - MSRN - Mobile Station Roaming Number
  - TMSI - Temporary Mobile Subscriber Identity

GSM location / mobile addresses: summary
HLR - Home Location Register
- Permanent: IMSI - International Mobile Subscriber Identity
- Temporary: MSRN - Mobile Station Roaming Number
VLR - Visitor Location Register
- Permanent: IMSI - International Mobile Subscriber Identity
- LAI - Location Area Identification
- Temporary: MSRN - Mobile Station Roaming Number, TMSI - Temporary Mobile Subscriber Identity
SIM - Subscriber Identity Module
- Permanent, temporary:
  - IMSI - International Mobile Subscriber Identity
  - LAI - Location Area Identification
  - TMSI - Temporary Mobile Subscriber Identity

Operation subsystem elements
Authentication Center (AuC)
- associated to HLR
- search key: IMSI
- supports authentication and encryption mechanisms
  - Ki - subscriber secret authentication key
  - A3 - authentication algorithm
  - A8 - cipher key generation algorithm
Equipment Identity Register (EIR)
- stores mobile stations IMEI (International Mobile Equipment Identity)
- white list - mobile stations allowed to connect without restrictions
- black list - mobile stations locked (stolen or not type approved)
- gray list - mobile stations under observation for possible problems
Operation and Maintenance Center (OMC)
- control capabilities for the radio and the network subsystems

GSM - TDMA/FDMA
[Figure: frequency / time grid of FDMA channels and TDMA frames]
FDMA channels
- downlink: 935-960 MHz, 124 channels (200 kHz)
- uplink: 890-915 MHz, 124 channels (200 kHz)
TDMA frame: time-slots 0 to 7, 4.615 ms
Radio interface bit rate: 156.25 bits / 0.5769 ms = 270.8 kbit/s
Time-slot (normal burst)
- tail: 3 bits
- user data: 57 bits
- S: 1 bit
- training: 26 bits
- S: 1 bit
- user data: 57 bits
- tail: 3 bits
- guard space: 8.25 bits
- burst: 148 bits / 0.5465 ms; time-slot: 156.25 bits / 0.5769 ms

Burst structures
Normal Burst: normal data transmission
  TB 3 | CD 57 | S 1 | TS 26 | S 1 | CD 57 | TB 3 | GP 8.25
- Guard Period - avoids overlapping between bursts
- Training Sequence - allows estimation of propagation characteristics (including multipath), in order to set up the equaliser parameters
- Tail Bits - assist receiver equalisation (set to 0)
- Stealing flags - indicate that a burst normally assigned to traffic is stolen for signalling
- Coded Data - user data transmission
Access Burst: MS first time access
  TB 8 | SS 41 | CD 36 | TB 3 | GP 68.25
- Synchronisation Sequence - long training sequence
- Coded Data - channel or handover access request
- Guard Period - long period since time advance is not yet defined

Burst structures
Frequency Correction Burst: frequency synchronisation of the MS
  TB 3 | FBS 142 | TB 3 | GP 8.25
- Fixed Bit Sequence - frequency information for MS local oscillator locking
Synchronisation Burst: time synchronisation of the MS
  TB 3 | CD 39 | SS 64 | CD 39 | TB 3 | GP 8.25
- Synchronisation Sequence - long training sequence
- Coded Data - data used to align the mobile to the base station's time-slot structure

Frame hierarchy
- time-slot: 15/26 ms = 0.577 ms
- frame: 8 x 15/26 ms = 60/13 ms = 4.615 ms (time-slots 0 to 7)
- traffic multiframe: 26 x 60/13 = 120 ms (frames 0 to 25)
- control multiframe: 51 x 60/13 = 235.38 ms (frames 0 to 50)
- superframe (*): 6.12 s (51 traffic multiframes or 26 control multiframes)
- hyperframe (**): 2048 superframes, 3.5 hours
(*) - aligns traffic and control multiframes
(**) - allows cycle for frame number

Logical channels
[Figure: tree of logical channels. Control Channels (CCH): SCH, BCCH (Broadcast Control Channel), RACH (Random Access Channel), AGCH (Access Grant Channel), PCH (Paging Channel), SDCCH (Stand-alone Dedicated Control Channel), Slow Associated Control Channel, associated control channels. Traffic Channels (TCH): full-rate. Legend: downlink channel: BTS transmits; uplink channel: MS transmits; bi-directional channel: both transmit]

Logical channels
[Table: Channel, Direction, Application, allocation. The direction arrows between BTS and MS are not preserved]
TCH - Traffic Channels (TCH/F, TCH/H)
- user data
BCH - Broadcast Channels
- FCCH: carrier synchronization
- SCH: frame [...]
- BCCH: general network information; cell information (present and [...])
- permanent
RACH
- request SDCCH for signalling
- request TCH for handover
- multiple access with slotted Aloha contention between MS
AGCH
- confirmation of SDCCH or TCH request
PCH
- alert MS to a call originated in the network
- permanent
SDCCH
- registration / location updating
- call control procedures
- allocated by network on demand
SACCH
- control information between MS and BTS during the progress of a call or call set up
- associated to a specific TCH or SDCCH
FACCH
- exchange of time critical control information during the progress of a call
- allocated by network or MS (*)
(*) Fast allocation by setting S bit; bits are stolen from TCH

Logical channels
[Table: Channel, Burst type, Time-slot, Multiframe, Bursts / Multiframe and resulting bit rate; the cell layout is only partly preserved]
- TCH/F: normal burst (114 data bits), any time-slot, 26 frames (120 ms), 24 bursts: 24 x 114 / 120 = 22.8 kbit/s
- TCH/H: 12 bursts: 12 x 114 / 120 = 11.4 kbit/s
- FCCH, SCH (synchronisation burst), BCCH (normal burst, 114 data bits), RACH (random access burst), PCH (normal burst, 114 data bits), SDCCH (normal burst, 114 data bits), SACCH, FACCH
- time-slots listed: TS0 - base channel (*); TS0/TS2/TS4/TS6 (**); TS2/TS4/TS6 (**); same TS as SDCCH; same TS as TCH; same TS as TCH (bits stolen from [...])
- multiframes listed: 51 frames (235.38 ms); 26 frames (120 ms)
- bursts / multiframe and rates listed: 5; 4: 4 x 114 / 235.38 = 1.94 kbit/s; 27 minimum, 51 typical; 12 minimum: 12 x 114 / 235.38 = 5.81 kbit/s minimum; 4: 4 x 114 / 120 = 3.8 kbit/s; 2 (***): 2 x 114 / 120 = 1.9 kbit/s; 1: 1 x 114 / 120 = 0.95 kbit/s; same as TCH
(*) Low capacity cells
(**) High capacity cells
(***) 4 bursts in 2 multiframes, equivalent to 2 bursts / multiframe

Transmission / reception timing
Transmit / receive frame staggering
- to simplify hardware design, transmitter and receiver never operate at the same time
- transmission is half-duplex
- the numbering scheme is staggered by 3
[Figure: staggered time-slot numbering, with the uplink transmit slots marked]

Transmission / reception timing
Transmit time advance
Principle of operation
- correct timing of uplink bursts at the BTS is required to avoid overlapping
- different path delays (MS-BTS distances) must be compensated
- transmission from the MS is advanced 0-63 bits under BTS control
- maximum time advance of 63 bits allows 0.233 ms round trip delay
- maximum cell radius is approximately 35 km
Initial ranging
- Access Burst is transmitted without time advance
- Guard Period of 68.25 bits allows for a path delay due to 37 km distance
- BTS measures path delay and sends required time advance on SACCH
- MS introduces time advance on all bursts
Adaptive control
- BTS monitors burst and measures delays with specified time advance
- if path delay varies more than 1 bit period, the new value is signalled on SACCH

Frequency hopping
Application of frequency hopping
- optional, but usually implemented
- channels with no frequency hopping: BCH and CCCH
Hopping sequence
- several possible hopping algorithms
- selected algorithm broadcast on BCCH
Slow frequency hopping characteristics
- in a given time-slot, successive TDMA frames are transmitted on different carriers
- main hopping parameters
  - period: 4.615 ms
  - frequency: 217 hops/s
  - number of bits: 1250 bits/hop

Transmission power
Mobile station power classes (the slide marks the usual classes)
GSM 900
- 8 W, 39 dBm, vehicular
- 5 W, 37 dBm, portable
- 2 W, 33 dBm, portable
- 0.8 W, 29 dBm, portable
GSM 1800
- 4 W, 36 dBm, vehicular
- 1 W, 30 dBm, portable
- 0.25 W, 24 dBm, portable
Discontinuous transmission (DTX) for voice
- no data transmission during periods of silence (approx. 60% of time)
  - Voice Activity Detector (VAD) algorithm suppresses TCH transmission
- silent frames are sent to synthesise comfort noise at the receiver
- several advantages
  - reduces interference, on average, by 3 dB
  - increases MS battery life

Transmission power
Power control
- implemented on both links
- objective: lowest power level which provides desired quality (BER)
- procedure
  - MS measures power received and BER and sends result on SACCH
  - BTS sends new power level on SACCH, if and when necessary
- control range
  - GSM 900: 5 - 39 dBm
  - GSM 1800: 0 - 36 dBm
  - comments: effective maxima depend on cell size and MS capability; control steps of 2 dB
- channels with no power control - use maximum power for the cell
  - downlink BCH and CCCH: power set by BTS
  - uplink RACH
    - BCCH broadcasts maximum power level for the cell
    - MS uses this value to set RACH transmission power

Security in GSM
Security services
- access control/authentication
  - user -> SIM (Subscriber Identity Module): secret PIN (Personal Identification Number)
  - SIM -> network: challenge - response method
- confidentiality
  - voice and signaling encrypted on the wireless link (after successful authentication)
- anonymity
  - TMSI - Temporary Mobile Subscriber Identity
  - newly assigned at each new location update
  - encrypted transmission
3 algorithms specified in GSM
- A3 for authentication ("secret", open interface)
- A5 for encryption (standardized)
- A8 for encryption key generation ("secret", open interface)
Side note on "secret":
- A3 and A8 available via the Internet
- network providers can use stronger mechanisms

GSM - authentication
[Figure: challenge - response between the mobile network and the SIM. In the AuC, Ki (128 bit) and RAND (128 bit) enter A3 and give SRES* (32 bit). RAND (128 bit) is sent to the SIM, where Ki (128 bit) and RAND enter A3 and give SRES (32 bit). SRES is returned and the MSC checks SRES* =? SRES]
Ki: individual subscriber authentication key
SRES: signed response

GSM - key generation and encryption
[Figure: MS with SIM on one side, mobile network (BTS) on the other. In the AuC and in the SIM, Ki (128 bit) and RAND (128 bit) enter A8 and give the cipher key Kc (64 bit). The BTS and the MS each run A5 with Kc; data crosses the radio link as encrypted data]

GSM protocol layers
[Figure: protocol stacks with the layers MM, RR, RR', BTSM, LAPDm, LAPD, radio, PCM, BSSAP and SS7; links of 16/64 kbit/s and 64 kbit/s / 2048 kbit/s]
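The authentication and key generation slides above, walked through as one exchange. This is an added example, not part of the original slides. The A3, A8 and A5 functions are HMAC-SHA256 stand-ins (an assumption, since the slides give only input and output sizes), the frame counter fed to the A5 stand-in is also an assumption, and the IMSI and Ki are constructed sample values.

```python
import hashlib
import hmac
import secrets


def _prf(key: bytes, label: bytes, data: bytes, n: int) -> bytes:
    # Stand-in primitive (assumption): not the real A3/A8/A5 internals.
    return hmac.new(key, label + data, hashlib.sha256).digest()[:n]


def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3: Ki (128 bit) + RAND (128 bit) -> SRES (32 bit)."""
    return _prf(ki, b"A3", rand, 4)


def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8: Ki (128 bit) + RAND (128 bit) -> Kc (64 bit)."""
    return _prf(ki, b"A8", rand, 8)


def a5(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in A5: XOR data with a keystream derived from Kc and a frame counter."""
    stream, block = b"", 0
    while len(stream) < len(data):
        ctr = frame_no.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += _prf(kc, b"A5", ctr, 32)
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))


class AuC:
    """Authentication Centre: search key IMSI, stores Ki, issues (RAND, SRES*, Kc)."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def triplet(self, imsi, rand=None):
        rand = rand or secrets.token_bytes(16)  # fresh 128-bit challenge
        ki = self._ki[imsi]
        return rand, a3(ki, rand), a8(ki, rand)


class SIM:
    """SIM card: Ki never leaves it; only SRES is returned to the network."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc, sim, rand=None):
    """MSC check SRES* =? SRES. Returns (network Kc, MS Kc), or None on mismatch."""
    rand, sres_expected, kc_net = auc.triplet(sim.imsi, rand)
    sres, kc_ms = sim.respond(rand)  # RAND goes down the link, SRES comes back
    if not hmac.compare_digest(sres_expected, sres):
        return None
    return kc_net, kc_ms


# Constructed sample subscriber (not from the slides).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    auc = AuC({IMSI: KI})
    kc_net, kc_ms = authenticate(auc, SIM(IMSI, KI))
    frame = a5(kc_ms, 42, b"voice frame")            # MS encrypts
    print(a5(kc_net, 42, frame))                     # BTS decrypts
    print(authenticate(auc, SIM(IMSI, bytes(16))))   # SIM with wrong Ki is rejected
```

Neither Ki nor Kc crosses the radio link in this exchange: the network sends RAND, the SIM answers with SRES, and both ends derive Kc locally before switching to cipher mode.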

GSM protocol layers for signaling
- CM (Connection Management): call control, short message service and supplementary service
- MM (Mobility Management): registration, authentication, location and handover management
- RR (Radio Resource Management): setup, maintenance and release of radio channels; control of radio transmission quality
- LAPDm ("Link Access Protocol D-channel" modified): modified version of ISDN LAPD protocol
- BTSM (Base Transceiver Station Management): radio resources control messages between BSC and BTS
- BSSAP (Base Station System Application Part): control of BSC by MSC

Mobile Terminated Call
[Figure: calling station, PSTN, GMSC, HLR, VLR, MSC, BSS and MS, with numbered steps 1 to 17]
- 1: calling a GSM subscriber
- 2: forwarding call to GMSC
- 3: signal call setup to HLR
- 4, 5: get routing info (MSRN) from VLR
- 6: forward routing info to GMSC
- 7: route call to current MSC
- 8, 9: get current status of MS (LAI TMSI)
- 10, 11: paging of MS in location area
- 12, 13: MS answers paging and authentication request
- 14, 15: security checks
- 16, 17: set up connection

Mobile Terminated Call
Channel activity at radio interface (BTS / MS); MS state at start: idle updated
- BTS -> MS, BCCH: System parameters and other overhead
- BTS -> MS, PCH: Paging message to specified TMSI (incoming call; announced TMSI matches stored value)
- MS -> BTS, RACH: Channel request
- BTS -> MS, AGCH: Assign stand alone dedicated control channel (successful access)
- MS -> BTS, SDCCH: Paging acknowledge (successful paging)
- BTS -> MS, SDCCH: Authentication request (send RAND; calculate SRES / Kc on both sides)
- MS -> BTS, SDCCH: Authentication response (send SRES; SRES confirmed)
- BTS -> MS, SDCCH: Request to transmit in cipher mode (switch to cipher mode)
- MS -> BTS, SDCCH: Acknowledge cipher mode request

Mobile Terminated Call
Channel activity at radio interface (cont.)
- BTS -> MS, SDCCH: Setup message for incoming call
- BTS -> MS, SDCCH: Assign traffic channel and release SDCCH
- MS -> BTS, FACCH: Acknowledge channel assignment (switch signaling to FACCH using assigned TCH)
- BTS -> MS, FACCH: Alerting mobile (generate ringing sound)
- MS -> BTS, FACCH: Connect (mobile off-hook)
- BTS -> MS, FACCH: Connect acknowledge (both sides switch to traffic channel)
- TCH: data flow
- BTS -> MS, FACCH: Disconnect (remote party on-hook)
- MS -> BTS, FACCH: Release
- BTS -> MS, FACCH: Release complete
- BTS -> MS, FACCH: Release traffic channel
MS state at end: idle updated

Mobile Originated Call
[Figure: MS, BSS, MSC, HLR, GMSC and PSTN, with numbered steps 1 to 10]
- 1, 2: connection and authentication request
- 3, 4: security check
- 5-8: check resources (free circuit)
- 9-10: set up call

Mobile Originated Call
Channel activity at radio interface (BTS / MS); MS state at start: idle updated
- BTS -> MS, BCCH: System parameters and other overhead
- MS -> BTS, RACH: Channel request (number dialed)
- BTS -> MS, AGCH: Assign stand alone dedicated control channel (successful access)
- MS -> BTS, SDCCH: Call establishment request
- BTS -> MS, SDCCH: Authentication request (send RAND; calculate SRES / Kc on both sides)
- MS -> BTS, SDCCH: Authentication response (send SRES; SRES confirmed)
- BTS -> MS, SDCCH: Request to transmit in cipher mode (switch to cipher mode)
- MS -> BTS, SDCCH: Acknowledge cipher mode request

Mobile Originated Call
Channel activity at radio interface (BTS / MS), continued
- MS -> BTS, SDCCH: Setup message for outgoing call
- BTS -> MS, SDCCH: Assign traffic channel and release SDCCH
- MS -> BTS, FACCH: Acknowledge channel assignment (switch signaling to FACCH using assigned TCH)
- BTS -> MS, FACCH: Alerting remote party (remote party ringing; ringing tone)
- BTS -> MS, FACCH: Connect (remote party off-hook)
- MS -> BTS, FACCH: Connect acknowledge (both sides switch to traffic channel)
- TCH: data flow
- MS -> BTS, FACCH: Disconnect (mobile on-hook)
- BTS -> MS, FACCH: Release
- MS -> BTS, FACCH: Release complete
- BTS -> MS, FACCH: Release traffic channel
MS state at end: idle updated

4 types of handover
[Figure: MS, BTS, BSC and MSC, with the handover cases numbered 1 to 4]
- 1 - between different sectors of the same cell
- 2 - between different cells within the same BSC domain
- 3 - between different BSC domains within the same MSC domain
- 4 - between different MSC domains

Handover decision
[Figure: receive level from BTSold and receive level from BTSnew as the MS moves from BTSold to BTSnew; the handover margin (HO MARGIN) is marked]

Mobile-Assisted Handover (MAHO)
MS scans, measures and reports power received from several RF carriers based on BCCH
[Figure: handover message sequence. Messages: measurement result, HO decision, HO required, HO request, resource allocation, ch. activation, ch. activation ack, HO request ack, HO command, HO access, link establishment, HO complete, clear command, clear complete]

Location update
MS is aware of location
- BTS broadcasts Location Area Identification (LAI) on BCCH
- SIM stores current LAI and TMSI
Events which determine a current location update
- MS is switched on and current LAI equals stored LAI
- a timer set by the network expires and MS reports position
- result: TMSI may be updated and stored in SIM
Events which determine a new location update
- MS is switched on and current LAI differs from stored LAI
- MS enters a new location area
- result: TMSI and LAI are updated and stored in SIM

Location update
[Figure: message sequence between MS, new MSC, new VLR, HLR, old VLR and old MSC. Messages: location update request (old LAI/TMSI sent), request IMSI, send IMSI, update location request, cancel location request, cancel location, cancellation confirmed, update confirmed]

Location update
Channel activity at radio interface (BTS / MS); MS state at start: idle updated
- BTS -> MS, BCCH: System parameters and other overhead
- MS -> BTS, RACH: Channel request
- BTS -> MS, AGCH: Assign stand alone dedicated control channel (successful access)
- MS -> BTS, SDCCH: Location updating request (old LAI/TMSI sent)
- BTS -> MS, SDCCH: Authentication request (send RAND; calculate SRES / Kc on both sides)
- MS -> BTS, SDCCH: Authentication response (send SRES; SRES confirmed)
- BTS -> MS, SDCCH: Request to transmit in cipher mode (switch to cipher mode)
- MS -> BTS, SDCCH: Acknowledge cipher mode request
- BTS -> MS, SDCCH: Location update confirmed (new TMSI sent, optional; store LAI/TMSI in SIM)
- MS -> BTS, SDCCH: Acknowledge new location
- BTS -> MS, SDCCH: Release stand alone dedicated control channel
MS state at end: idle updated
