Mobile Communications - GSM

Zainab Zaidi Networks Group NICTA Zainab.Zaidi@nicta.com.au

Contents
GSM Overview Services System architecture GSM Channels Call establishment Handover Security Data services
HSCSD (High-Speed Circuit Switched Data) GPRS (General Packet Radio Service) EDGE (Enhanced Data rates for Global Evolution)

Almost all slides contain material from Schiller, J., Mobile Communications, Addison Wesley

GSM: Overview
Objective:
Seamless roaming within Europe(ETSI, European Telecommunications Standardization Institute)

formerly: Groupe Spciale Mobile (founded 1982), now: Global System for Mobile Communication Market share:
85% of global mobile subscribers use GSM and 3GSM (WCDMA) (March, 2007)

Salient features:
Roaming Security Better transmission quality Higher capacity Device independence (SIM)

Example coverage of GSM networks (www.gsmworld.com)

T-Mobile (GSM-900/1800) Germany O2 (GSM-1800) Germany

AT&T (GSM-850/1900) USA

Vodacom (GSM-900) South Africa

GSM frequency bands

Type Channels Uplink [MHz] Downlink [MHz]

GSM 850 (Americas)

GSM 900 classical extended GSM 1800 (DCS)

128-251
0-124, 955-1023 124 channels +49 channels 512-885

824-849
876-915 890-915 880-915 1710-1785

869-894
921-960 935-960 925-960 1805-1880

GSM 1900 (Americas, PCS)

GSM-R exclusive

512-810

1850-1910

1930-1990

955-1024, 0-124 69 channels

876-915 876-880

921-960 921-925

- Additionally: GSM 400 (also named GSM 450 or GSM 480 at 450-458/460-468 or 479-486/489-496 MHz - Please note: frequency ranges may vary depending on the country! - Channels at the lower/upper edge of a frequency band are typically not used

GSM: Mobile Services

GSM offers
several types of connections
voice connections, data connections, short message service

multi-service options (combination of basic services)

Three service domains

Bearer or data Services (max data rate 9.6 kbits/s) Telematic Services (voice, fax, SMS) Supplementary Services (call forwarding, call redirection, etc.)
bearer services MS TE MT GSM-PLMN transit network (PSTN, ISDN) tele services source/ destination network TE

R, S

Um

(U, S, R)

Ingredients 1: Mobile Phones, PDAs & Co.

The visible but smallest part of the network!

Ingredients 2: Antennas

Still visible cause many discussions

Ingredients 3: Infrastructure 1
Base Stations

Cabling

Microwave links

Ingredients 3: Infrastructure 2
Not visible, but comprise the major part of the network (also from an investment point of view)

Management

Data bases

Switching units Monitoring

GSM: elements and interfaces

radio cell MS Um MS BSS

components
radio cell

RSS

BTS

MS

BTS Abis BSC BSC

MS (mobile station) BS (base station) MSC (mobile switching center) LR (location register)

subsystems
MSC MSC signaling GMSC IWF O ISDN, PSTN PDN

NSS

VLR HLR

VLR

OSS

EIR

AUC

OMC

RSS (radio subsystem): covers all radio aspects NSS (network and switching subsystem): call forwarding, handover, switching OSS (operation subsystem): management of the network

System architecture: radio subsystem

radio subsystem
MS MS

network and switching subsystem

Components
MS (Mobile Station) BSS (Base Station Subsystem): consisting of
BTS (Base Transceiver Station): sender and receiver BSC (Base Station Controller): controlling several transceivers

Um BTS BTS Abis BSC MSC

Interfaces
A BSC

BTS BTS BSS

MSC

Um : radio interface Abis : standardized, open interface with 16 kbit/s user channels A: standardized, open interface with 64 kbit/s user channels

Mobile station
A mobile station (MS) comprises several functional groups
MT (Mobile Terminal):
offers common functions used by all services the MS offers corresponds to the network termination (NT) of an ISDN access end-point of the radio interface (Um) terminal adaptation, hides radio specific characteristics

TA (Terminal Adapter):

TE (Terminal Equipment):
peripheral device of the MS, offers services to a user does not contain GSM specific functions

SIM (Subscriber Identity Module):

personalization of the mobile terminal, stores user parameters (PIN, PIN unblocking key, authentication key, IMSI)

Device is identified through IMEI (International mobile equipment identity)

TE R

TA S

MT

Um

System architecture: network and switching subsystem

network subsystem fixed partner networks

Components
MSC (Mobile Services Switching Center): IWF (Interworking Functions) ISDN (Integrated Services Digital Network) PSTN (Public Switched Telephone Network) PSPDN (Packet Switched Public Data Net.) CSPDN (Circuit Switched Public Data Net.)

ISDN PSTN MSC

EIR SS7

HLR

Databases
HLR (Home Location Register) VLR (Visitor Location Register) EIR (Equipment Identity Register)
ISDN PSTN PSPDN CSPDN

VLR MSC IWF

Network and switching subsystem

NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks, system control

Components
Mobile Services Switching Center (MSC) controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR) central master database containing user data, permanent and semipermanent data of all subscribers assigned to the HLR (one provider can have several HLRs) Visitor Location Register (VLR) local database for a subset of user data, including data about all user currently in the domain of the VLR

Mobile Services Switching Center

The MSC (mobile switching center) plays a central role in GSM
switching functions additional functions for mobility support management of network resources interworking functions via Gateway MSC (GMSC) integration of several databases specific functions for paging and call forwarding termination of SS7 (signaling system no. 7) mobility specific signaling location registration and forwarding of location information provision of new services (fax, data calls) support of short message service (SMS) generation and forwarding of accounting and billing information

Functions of a MSC

Operation subsystem
The OSS (Operation Subsystem) enables centralized operation, management, and maintenance of all GSM subsystems Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a VLR authentication parameters used for authentication of mobile terminals and encryption of user data on the air interface within the GSM system

Equipment Identity Register (EIR)

registers GSM mobile stations and user rights stolen or malfunctioning mobile stations can be locked and sometimes even localized

Operation and Maintenance Center (OMC)

different control capabilities for the radio subsystem and the network subsystem

GSM - TDMA/FDMA
935-960 MHz 124 channels (200 kHz) downlink

890-915 MHz 124 channels (200 kHz) uplink

higher GSM frame structures

time

GSM TDMA frame 1 2 3 4 5 6 7 8 4.615 ms GSM time-slot (normal burst)

guard space tail user data S Training S user data guard tail space

3 bits

57 bits

1 26 bits 1

57 bits

546.5 s 577 s

Some questions
Raw data rate per carrier? Data rate per carrier? Data rate per user (1 slot in a frame)? For higher data rate user, what can be done? Uplink and Downlink frequencies are 45 MHz apart, do we need a full duplex receiver? One frequency band might suffer in frequency selective fading, what to do? Answers: 270 Kbits/s (148 bits/546.5 s) 200 Kbits/s (114/(546.5 or 577 s)) 25 Kbits/s (excluding FEC ~ 22.8Kbits/s) Use multiple slots logical channels Uplink and downlink TDM channels are shifted by 3 slots Frequency hopping

Traffic channels
Full rate (TCH-F)
22.8 Kbits/s Standard voice codes, full rate is 13 Kbits/s Rest of the bits are used for error correction

Half rate (TCH-H)

11.4 Kbits/s Doubles the capacity of system, how? At the expense of what? Half rate codec 5.6 Kbits/s

Data transmission
TCH/F4.8 (4.8 Kbits/s) Why the data rate is low? TCH/F9.6 (9.6 Kbits/s) TCH/F14.4 (14.4 Kbits/s)

Control Channels
Broadcast channels (0th time slot)
Broadcast control channel
Cell/network ID Channel characteristics and availability

Frequency correction channel

To synchronize local oscillators of MS

Synchronization channel
Correction of individual path delay

Common control channels (0th time slot if not used by broadcast)

Paging channel Random access channel Access grant channel

Control channels II
Dedicated control channels (any time slot except 0th)
Slow associated control channel

TTTTTTTTTTTTSTTTTTTTTTTTTS.
Forward channel: current control information (power level etc.) Reverse channel: received signal quality Also used for SMS

Fast associated control channel

For urgent messages (Handover etc.) Can take many traffic channels

Stand-alone dedicated control channels

Signaling data before TCH assignment Also used for SMS

Mobile Terminated Call

1: calling a GSM subscriber 2: forwarding call to GMSC 3: signal call setup to HLR 4, 5: request MSRN (Mobile subscriber roaming no.) from VLR calling 6: forward responsible station 1 MSC to GMSC 7: forward call to current MSC 8, 9: get current status of MS 10, 11: paging of MS 12, 13: MS answers 14, 15: security checks, selection of TMSI (Temporary mobile subscriber identity) 16, 17: set up connection
4 5 7

HLR

VLR

3 6
PSTN

8 9 14 15
MSC

GMSC

10
BSS

10 13 16
BSS

10
BSS

11

11 11 12 17
MS

11

Mobile Originated Call

1, 2: connection request 3, 4: security check 5-8: check resources (free circuit) 9-10: set up call
PSTN

VLR

3 4 6
GMSC

5
MSC

2 9
MS

1 10

BSS

GSM Operations

From Rappaport, T. S., Wireless Communications, Prentice Hall

Security in GSM
Security services
access control/authentication
user SIM (Subscriber Identity Module): secret PIN (personal identification number) SIM network: challenge response method

confidentiality
voice and signaling encrypted on the wireless link (after successful authentication)

anonymity
temporary identity TMSI (Temporary Mobile Subscriber Identity) newly assigned at each new location update (LUP) encrypted transmission

3 algorithms specified in GSM

A3 for authentication (secret, open interface) A5 for encryption (standardized) A8 for key generation (secret, open interface)

secret: A3 and A8 available via the Internet network providers can use stronger mechanisms

GSM - authentication

mobile network Ki AC 128 bit RAND 128 bit RAND

SIM RAND 128 bit Ki 128 bit

A3
SRES* 32 bit SRES

A3
SIM 32 bit

MSC

SRES* =? SRES

SRES 32 bit

SRES

Ki: individual subscriber authentication key

SRES: signed response

GSM - key generation and encryption

mobile network (BTS) Ki AC 128 bit RAND 128 bit RAND

MS with SIM RAND 128 bit Ki 128 bit SIM

A8
cipher key Kc 64 bit

A8

Kc 64 bit

BSS

data
A5

encrypted data

SRES data MS A5

4 types of handover
1 MS 2 MS 3 MS 4 MS

BTS

BTS BSC

BTS BSC MSC

BTS BSC MSC

Typical cell radius: 35 Km in countryside, 100s m in cities

Handover decision

receive level BTSold

receive level BTSold

HO_MARGIN MS BTSold MS BTSnew

Average signal strength is used instead of instantaneous values HO_Margin or hysteresis level to reduce the pingpong effect

Disadvantages of GSM
There is no perfect system!! no end-to-end encryption of user data no full ISDN bandwidth of 64 kbit/s to the user, no transparent Bchannel reduced concentration while driving electromagnetic radiation abuse of private data possible roaming profiles accessible high complexity of the system several incompatibilities within the GSM standards

Data transmission in GSM

Data channels
TCH/F4.8 (4.8 Kbits/s) TCH/F9.6 (9.6 Kbits/s) TCH/F14.4 (14.4 Kbits/s)

Why the data rate is low (TCH-F:22.8Kbits/s)?

TCH/F4.8 (1/3 convolutional code with added tail bits TCH/F9.6 & TCH/F14.4 (1/2 convolutional code, bit period is small in F14.4)

Good enough for SMS, fax, etc. but not enough for Internet and multimedia applications

Data services in GSM I

HSCSD (High-Speed Circuit Switched Data)
bundling of several time-slots to get higher AIUR (Air Interface User Rate) (e.g., 57.6 kbit/s using 4 slots, 14.4 each) mainly software update advantage: ready to use, constant quality, simple disadvantage: channels blocked for voice transmission (circuit-switched)
AIUR [kbit/s] 4.8 9.6 14.4 19.2 28.8 38.4 43.2 57.6 TCH/F4.8 1 2 3 4 TCH/F9.6 1 1 2 3 4 2 3 4 TCH/F14.4

Data services in GSM II

GPRS (General Packet Radio Service)
packet switching using free slots only if data packets ready to send (e.g., 50 kbit/s using 4 slots temporarily) standardization 1998, introduction 2001 advantage: one step towards UMTS, more flexible disadvantage: more investment needed (new hardware)

GPRS user data rates in kbit/s

Coding 1 slot schem e CS-1 CS-2 CS-3 CS-4 9.05 13.4 15.6 21.4

2 slots 18.1 26.8 31.2 42.8

3 slots 27.15 40.2 46.8 64.2

4 slots 36.2 53.6 62.4 85.6

5 slots 45.25 67 78 107

6 slots 54.3 80.4 93.6 128.4

7 slots 63.35 93.8 109.2 149.8

8 slots 72.4 107.2 124.8 171.2

GPRS coding schemes

Scheme PDU Size (bits) BCS USF Tail bits Convolutional coder Input Output Puncture d bits Effectiv e rate Input/ 456 0.5

(bits)

(bits)

CS-1

184

40

228

456

CS-2
CS-3 CS-4

271
315 431

16
16 16

3
3 9

4
4 -

294
338 -

588
676 456

132
220 0

0.64
0.74 1

Radio block: 456 bits in 4 slots, 1 slot in 1 frame (114bits/slot)

GPRS architecture
GPRS network elements
GSN (GPRS Support Nodes): GGSN and SGSN GGSN (Gateway GSN)

interworking unit between GPRS and PDN (Packet Data Network)

SGSN (Serving GSN)

supports the MS (location, billing, security)

GR (GPRS Register)

user addresses

GPRS architecture and interfaces

SGSN Gn

MS

BSS

SGSN

GGSN

PDN

Um

Gb

Gn

Gi

MSC

HLR/ GR EIR

VLR

Serving GPRS Support Node (SGSN)

at same hierarchical level as MSC delivers packets to MS within its service area queries HLRs for profile data of GPRS subscribers detects new GPRS mobile stations in a given service area processes registration of new MSs and keeps a record of their location

Gateway GPRS Support Node (GGSN)

used as interface to external packet-switched networks connected to SGSN via an IP-based GPRS backbone network maintains routing information that is necessary to tunnel the Protocol Data Units (PDUs) to the SGSNs that service particular mobile stations one or more GGSNs may support multiple SGSNs

GPRS Network Enhancements

Base Station System (BSS):
must be enhanced to recognize and send user data to the SGSN that is serving the area

Home Location Register (HLR):

must be enhanced to register GPRS user profiles and respond to queries originating from SGSNs regarding these profiles

MSC/VLR:
optionally enhanced to coordinate GPRS and non-GPRS e.g. combined location updates, SGSN paging for GSM calls

GPRS Network Operations

For GPRS user, network is connectionless HOWEVER, a network connection must be established for each transaction, and released once the transaction is completed GPRS attach request from MS to begin a transaction GPRS detach request from MS to end a transaction Attach/detach requests are infrequent e.g. daily

GPRS operations II
User Registration associates the MS ID with the user address
In home area, HLR is enhanced to reference GPRS data Outside home area, dynamically allocated records are references in VLRs

Authentication - via GSM mobility management protocols Call Admission Control determines resources for QoS Routing is performed by the GSNs on a hop-by-hop basis, using the destination address
Routing tables are maintained by the GSNs using the GTP layer

EDGE (Enhanced Data rate for GSM Evolution)

Uses GSM/GPRS, but with higher-level modulation (8-PSK instead of GMSK) Radio link control is also enhanced for better transmission quality
Link adaptation Adaptive transmission rate

Allows up to 48 kbps per timeslot, 384 kbps using 8 time slots

Comparison of EDGE and GSM frame

GSM time-slot (normal burst)
guard space tail user data S Training S user data guard tail space

3 bits

57 bits

1 26 bits 1

57 bits

546.5 s 577 s

Basic data rate : (12/13).1/8.114/0.577 = 22.8 kbps

EDGE time-slot

Basic data rate : (12/13).1/8.116/0.577 = 23.2 ksymbols/s = 69.6 kbps

EDGE coding schemes

Scheme CS-1 CS-2 CS-3 CS-4 PCS-1 PCS-2 PCS-3 PCS-4 PCS-5 PCS-6 Effective rate 0.5 0.64 0.74 1 0.33 0.49 0.59 0.74 0.82 1 Data rate/slot (kbps) 11.4 14.5 16.9 22.8 22.8 34.3 41.3 51.6 57.4 69.6

Modulation CS GMSK PCS 8-PSK Convolutional code CS 1/2 PCS 1/3

EDGE link quality control

Link adaptation
Coding scheme is chosen according to the link quality feedback

Adaptive transmission rate

Start with the highest rate code If transmission is unsuccessful, use lower rate for re-transmission by puncturing more bits

Reference
Mobile communications by J. Schiller, Chapter 4