GSM Call Flows

GSM Overview By:- Deepak Sharma

2

AGENDA

GSM Architecture Location Update : Call Flows MS to MS : Call Flow MS to ISUP : Call Flow Intra MSC Handover Call Flow

GSM Architecture By:- Deepak Sharma

4

GSM Architecture

VLR

GMSC

B B

C

D

D

E

F F

G

ESMS-SC

C

IWF IWF

MS MS

PSTN

ISDN

MSC EIR

BTS

BTS

BSC

BTS

A

A-Bis

BTS

BTS

A

BSC

BTSBTS

BTS

A-Bis

otherPLMN

otherPLMN

ISDN

Um

VLR

HLR/AUC

PLMNUm

datadata

PSTN

GSM Access Network

Mobile Station

GSM Core Network

5

Components of A Typical Mobile Network

Mobile Station

Access Network

Core Network

6

GSM Areas

MSC Region

MSC Region

MSC Region

Location Area

BSC

Cell Cell

BSC

Location Area

Location Area

BSC

PLMN

7

Mobile Station

MS (Mobile Station)

The mobile station (MS) consists of the: 1) Mobile equipment (the terminal) having

various functionalities: DTMF Capability, SMS capability, Ciphering Algos

A5/1 and A5/2, Display capabilities, Support of Emergency

calls without SIM, Burned In IMEI. 2) A smart card called the Subscriber Identity Module

(SIM) : Security Data: Algorithm A3 and A8 , Ki Subscriber Data: IMSI, TMSI. PLMN Data: LAI,NCC, MCC and MNC of home

PLMN. Radio Frequency channel numbers of PLMN.

TIP: Stolen Mobiles can be blocked with help of IMEI number.

TIP: Stolen Mobiles can be blocked with help of IMEI number.

8

BSS (Base Station Sub-system)

Base Station Controller (BSC) The BSC manages the channel allocation/release and handovers.

One BSC can control up to tens of BTSs depending on their traffic capacity

Connected to MSC using A interface

Base Transceiver Station (BTS) Acts as contact point for Subscribers, over the radio interface BTS consists of Radio Interface & signal processing devices along with

antenna Each BTS channel is usually shared by 8 users in TDMA mode Connected to BSC over Abis interface

TIP: BTS always broadcast the LAI information to MS via BCCH channel.

TIP: BTS always broadcast the LAI information to MS via BCCH channel.

9

NSS (Network and Switching Subsystem)

Mobile Switching Centre (MSC) Controls all connections via a separated network to/from a mobile terminal

within the domain of the MSC - several BSC can belong to a MSC. Talks to various nodes on several interfaces.

Nodes interaction Interface Protocol Used MSC MS A DTAP MSC BSC A BSSMAP MSC VLR B MAP MSC HLR C MAP MSC EIR F MAP MSC SMS-SC E MAP MSC MSC E ISUP/MAP

Performs the Switching and have overall control on the call. Interact with other nodes during Origination and Termination half of call.

10

NSS (Network and Switching Subsystem)

Home location register (HLR)Central master database containing user data, permanent and semi-permanent data of all subscribers assigned to the HLR (one provider can have several HLRs)

Permanent Data : IMSI,MSISDN, Subscriber SS related Information, MSC#, VLR#.

Semi-Permanent Data: Authentication triplets [RAND,SRES and Kc], MSRN, TMSI

Nodes interaction Interface Protocol Used HLR MSC C MAP HLR VLR D MAP HLR SMS-SC C MAP HLR AUC D MAP Visitor location register (VLR)

Local database for a subset of user data, including data about all user currently in the domain of the VLR

Local Data: IMSI,TMSI, MSRN, Authentication triplets, LAI, MSC#, HLR# Nodes interaction Interface Protocol Used VLR HLR D MAP VLR VLR G MAP VLR MSC B MAP

TIP: MSC always contacts one VLR while a VLR can serve to several MSCs

TIP: MSC always contacts one VLR while a VLR can serve to several MSCs

11

NSS (Network and Switching Subsystem)

Authentication center (AUC)• Generates user specific authentication parameters on request of a VLR • Authentication parameters used for authentication of mobile terminals and

encryption of user data on the air interface within the GSM system • Usually Integrated with HLR node. Authentication Data: IMSI,RAND, Ki, Kc, Algorithms A3 and A8

Equipment identity register (EIR) Registers GSM mobile stations and user rights

Stolen or malfunctioning mobile stations can be locked and sometimes even localized

EIR Data: IMEI, Status of IMEI(While,Black or Grey). Nodes interaction Interface Protocol

Used HLR MSC F MAP Operation and maintenance center (OMC)

Different control capabilities for the radio subsystem and the network subsystems.

Location Update Call Flows By:- Deepak Sharma

13

Location Update ?

What is Location Update?

The process of Mobile Station Subscriber identifying to the Network the location in the coverage area so that the Network can provide services to the Subscriber (using the MS) based on the services subscribed.

Types of Location Updates – IMSI attach/detach location update Normal Location Update Periodic Location Update

Key Words:

IMEI: International Mobile Equipment Identity.

IMSI : International Mobile Subscriber Identity

TMSI: Temporary Mobile Subscriber Identity

Kc: Ciphering Key.

Ki : Personal Secret Key

SRES : Signed RESponse (to authenticate subscriber)

14

Types OF Location Update

IMSI Attach Location Update:

The opposite of IMSI Detach .

IMSI Attach is used by the MS to indicate that it has reentered the active state

Normal Location Update:

The MS moves across the boundaries of a location area while in the IDLE state.

Not in case of Inter Cell movement of one location area.

Periodic Location Update:

Enables the location of the silent and stationary mobiles to be updated at a reasonable rate .

It is invoked when the timer at the mobile expires and similar to Normal Location Update Map Signaling

BCDF

DTAPBSSMAP}

15

IMSI Attach Location Update

HLR MSC/VLR BSC BTS MS

Channel Request(CHANN_REQ) Channel Required(CHANN_REQD) Channel Activate(CHANN_ACT) Channel Activate ACK(CHANN_ACT_ACK) Immediate Assignment (IMM_ASS_CMD) Location Update Request(LOURQ) Connect Confirm(CC) ID Request (ID_REQ) ID Response (ID_RES) Send Authentication Information (SAI) SAI_ACK Authentication Request(AUTRQ) Authentication Response(AUTRES) SRES Comparison Update Location(UPLOC) Insert Subscriber Data(ISD) ISD_ACK Update Location Ack (UPLOCA)

Cipher Command

Cipher Complete Location Update Accepted (LOUAC) TMSI Relocation Complete (TMRCMP) Clear Command (CLRCOM) Channel Release Clear Complete (CLRCMP) Channel Disconnect Released (RLSD) Release Complete (RLC)

16

Normal Location Update

HLR MSC/VLR BSS MS

Location Update Request(LOURQ) Connect Confirm ID Request ID Response Send Authentication Information (SAI) SAI_ACKAuthentication Request(AUTRQ) Authentication Response(AUTRES) Update Location(UPLOC) Insert Subscriber Data(ISD) ISD_ACK Update Location Ack (UPLOCA)

Cipher Command

Cipher Complete Location Update Accepted (LOUAC)TMSI Relocation Complete (TMRCMP) Clear Command (CLRCOM) Clear Complete (CLRCMP) Released (RLSD) Release Complete (RLC)

TIP: This set of dialogs not be performed as VLR has already this data in IMSI Attach LOCU.

TIP: This set of dialogs not be performed as VLR has already this data in IMSI Attach LOCU.

17

Periodic Location Update

HLR MSC/VLR BSS MS

Location Update Request(LOURQ) Connect Confirm ID Request ID Response Send Authentication Information (SAI) SAI_ACKAuthentication Request(AUTRQ) Authentication Response(AUTRES) Update Location(UPLOC) Insert Subscriber Data(ISD) ISD_ACK Update Location Ack (UPLOCA)

Cipher Command

Cipher Complete Location Update Accepted (LOUAC)TMSI Relocation Complete (TMRCMP) Clear Command (CLRCOM) Clear Complete (CLRCMP) Released (RLSD) Release Complete (RLC)

18

Inter VLR Location Update

VLR1(OLD) HLR VLR2 (NEW) BSS MS

Location Update Request [TMSI] Send Identification

[UDT/BEGIN] [TMSI] Send Identification

ACK[IMSI,RAND, Kc, SRES] Update Location

[UDT/BEGIN] (UPLOC) Insert Subscriber

Data(ISD1)[UDT/CONTINUE] ------------------------------------- Insert Subscriber Data(ISD2)

[UDT/CONTINUE] -------------------------------------- Insert Subscriber Data(ISD3)

[UDT/CONTINUE] ISD_ACK [UDT/END] Update Location Ack

(UPLOCA) Cancel Location [UDT/BEGIN] Cancel Location ACK [UDT/END]

TIP: New VLR contacts old VLR for Authentication data. Finds the Old VLR by looking the old LAC & Cell ID in LOCU_REQ.

TIP: New VLR contacts old VLR for Authentication data. Finds the Old VLR by looking the old LAC & Cell ID in LOCU_REQ.

19

Detailed Messages (Channel Request)

Before performing any of the operation like Location Update or Originating Call, MS has to reserve the channels for signaling or traffic. For this MS performs the following sets of transactions with BTS and BSC.

Channel Request – MS request as channel from BTS. Uses RACCH to send this RR msg.Also have the reason as “Location Update” of establish a connection.

Channel Required : BTS decodes the above message and send this to BSC with the calculated distance of MS with Timing Advance.

Channel Activate: BSC informs the BTS which channel type to activate and which channel number to reserve.

Channel Activate ACK: BTS confirms the acknowledgement.

Immediate Assignment: BSC asks to BTS to assign the reserved channel to MS.BTS transmits the same message on AGCH.

TIP:Logical Channels flows in UPLINK,DOWNLINK and Both directions.

TIP:Logical Channels flows in UPLINK,DOWNLINK and Both directions.

20

Detailed Messages

1. Location Update Request: MS initiated message to the network requesting connection establishment. This “message” is actually multi-layered with the following information:

SCCP CR message: Containing the MTP Routing Label*, Source Local Reference Number(SLR), SCCP Calling/Called Party Addresses

BSSMAP CMPL3: Passes location information to MSC (lac +cell id)

A DTAP LOURQ message: Mobile identity (IMSI/TMSI), ClassMarkIE (20-GSM Ph1, 00-GSM ph2,40-UMTS), Type Of Location Update(70-Normal,71-Periodic,72-IMSI Attach).

2. Connect Confirmed – SCCP message from the Network to the BSC indicating that a signaling connection can be made between the two entities. It contains the following information:

Destination Local Reference Number (same as the source local reference sent in the CMSRQ msg)*

Source Local Reference Number*

21

Detailed Messages Contd…..

3. Identity Request – DTAP message from the Network to the MS requesting its IMSI/TMSI/IMEI.

4. Identity Response – DTAP message from the MS to the Network providing the requested identity (i.e. IMSI/TMSI).

5. Send Authentication Information (SAI): MAP message from VLR to HLR requesting a list of services that the subscriber has subscribed.

Information includes IMSI of the Mobile Subscriber

6. SAI_ACK: MAP message from HLR to VLR acknowledging the receipt of Send Parameters.

Information includes authentication triplets [RAND, SRES and Kc].

7. Authentication Request – DTAP message from the Network to the MS to initiate authentication of the MS identity.

Ciphering Key Sequence Number (CkSN)

Authentication parameter RAND (used by the MS to calculate the SRES response required for successful authentication)

22

Detailed Messages Contd…..

8. Authentication Response: DTAP message from the MS to the Network to respond to the authentication procedure. This message contains the calculated SRES.

9. Update Location - MAP message from VLR to HLR with location information of the MS to be stored in the HLR.

10. Insert Subscriber Data - MAP message from HLR to VLR with subscriber information

Information includes IMSI,MSISDN, Bearer Services, Tele Services, Supplementary Services

11. Insert Subscriber Data Ack - MAP message from VLR to HLR acknowledging the receipt of ISD

12. Update Location Ack - MAP message from HLR to VLR upon successful completion of an Update Location request.

13. Cipher Mode Command – BSSMAP message sent from the Network to the BSS to update the encryption parameters for the concerned MS. The encryption key is sent in this message to the BSS.Sends Kc and Algorithm A5/1 or A5/2 be used.

14. Cipher Mode Complete – BSSMAP message sent from the BSS to the Network to indicate that successful stream ciphering has been achieved over the Um I/F.

23

Detailed Messages Contd…..

15. Location Update Accepted - DTAP message from Network to MS indicating that the location update procedure has been successful

Information includes TMSI that the MS stores and uses in later transactions

16. TMSI Re-allocation Completed - DTAP Message from MS to Network acknowledging the TMSI that has been received in Location Update Accepted.

17. Clear Command - BSSMAP message from Network to BSS to clear the dedicated resource established during the Location Update Request message.

18. Clear Complete - BSSMAP Message from BSS to Network that the associated dedicated resource has been successfully cleared

19. SCCP Released

20. SCCP Release Complete

MS-MS Call Flow By:- Deepak Sharma

25

MS-to-MS Call (Originating Half)

MO BTS BSC MSC/VLR HLR EIR MT Channel request procedure CM Serv Request Connect Confirm Authentication Request(AUTRQ) Authentication Response(AUTRES) SRES Comparison Cipher Command Cipher Complete ID Request ID Response Check IMEI Check IMEI ACK Setup SIOC CC Call Proceeding SRI PRN PRN_ACK SRI_ACK Assignment_Request Assignment_Complete

Location Update Request(LOURQ) ID Request

Send Authentication Information (SAI) SAI_ACK

Update Location(UPLOC) Insert Subscriber Data(ISD) ISD_ACK Update Location Ack (UPLOCA) Cipher Command Location Update Accepted (LOUAC)TMSI Relocation Complete (TMRCMP) Clear Command (CLRCOM) Clear Complete (CLRCMP) Released (RLSD) Release Complete (RLC)

TIP: HLR sends MSISDN in PRN to VLR to search MSRN. VLR receives MSIDN in ISD message.

TIP: HLR sends MSISDN in PRN to VLR to search MSRN. VLR receives MSIDN in ISD message.

26

MS-to-MS Call (Terminating Half)

MO MSC/VLR HLR EIR BSC BTS MT Paging Paging Command Paging Request Channel Request Procedure Paging Response Connect Confirm Auth Request(AUTRQ)Auth Response(AUTRES) SRES Comparison Cipher Command Cipher Complete ID Request ID ResponseTMSI Relocation CommandTMSI Relocation Complete Setup SIIC CC Call ConfirmAssignment_Request Assignment Command Assignment_Complete Assignment_Complete

Clear Command (CLRCOM) Clear Complete (CLRCMP) Released (RLSD) Release Complete (RLC)

27

Mobile-to-Mobile Call contd….

MO MSC/VLR HLR EIR BSC BTS MT

Alerting Alerting Connect Connect Connect_ACK Connect_ACK ************** CALL IS IN TALKING STATE NOW **************************

28

MS-MS Call Flow (Release procedure)

MS(O) MS(T)MSC HLR EIR

Disconnect

Release

Release Complete

Clear Complete

Disconnect

Release

Release Complete

Clear Command

Clear Complete

Released

Released Complete

Clear Command

Released Complete

Released

DTAP SCCP

F InterfaceBSSMAP

C InterfaceD InterfacePSTN I/F

29

Detailed Messages

1. CM Service Request – MS initiated message to the network requesting connection establishment. In “normal” call establishment, this “message” is actually multi-layered with the following information:

SCCP CR message: containing the MTP Routing Label*, Source Local Reference Number*, Calling/Called Party Addresses

BSSMAP CMPL3: basically passes location information to the switch (lac and cell id)

DTAP CMSRQ message: classmark2 indication (20-GSM Ph1, 00-GSM ph2,40-UMTS), mobile identity (IMSI/TMSI), CM Service Type (mobile originated call, emergency call setup, short message xfer, SS Activation).

2. Connect Confirmed – SCCP message from the Network to the MS indicating that a signaling connection can be made between the two entities. It contains the following information:

Destination Local Reference Number (same as the source local reference sent in the CMSRQ msg)*

Source Local Reference Number.

30

Detailed Messages Contd….

3. Identity Request : DTAP message from MSC to MS for providing the requested identity (i.e. the IMEI)

4. Identity Response – DTAP message from the MS to the Network providing the requested identity (i.e. the IMEI).

5. Check IMEI – MAP message from the MSC to the EIR requesting IMEI validation. This message contains MANY parameters:

SCCP Calling & Called Party address (i.e. MSC # and EIR # and their respective SSNs)

IMEI value

Transaction ID: contained in each map message and are used to identify messages as part of a certain dialogue between two nodes. (This has been covered in detail in the MAP Overview)

Invoke ID: sent by the originating node to uniquely identify a request for an operation (such as Check IMEI)

Operation Code: a unique code which identifies what is to be performed (such as Check IMEI)

31

Detailed Messages Contd….

6. Check IMEI Ack – MAP message from the EIR to the MSC telling replying the IMEI validation request. It contains parameters similar to above including:

Equipment Status: this can be white, grey or black.

7. Setup- DTAP message sent from either the MS OR the MSC to initiate call establishment.BASIC call setup information includes:

Speech or DATA bearer capability

Called & Calling Party Numbers

8. Send Info For Outgoing Call (SIOC) : MSC send SIOC to VLR to know the Call Barring status of the originated call. Ex: BAOC, BAOIC etc

9. Call Complete (CC): Returned back in the response of SIOC.

Contains results of BAOC or any flavor of barring.

10. Progress – DTAP message from the MSC to the MS indicating the progress of the call in the event of interworking

32

Detailed Messages Contd….

11. Send Routing Information - MAP message sent from the GMSC to the

HLR requesting information on how to route a call towards a mobile subscriber. This message includes previously mentioned MAP parameters including:

MSISDN: used by the HLR to determine where the called subscriber is currently located in order to query its current VLR for a Roaming Number.

Number of Forwarding: indicates how many times the call has been forwarded (max of 5 times)

12. Provide Roaming Number: HLR to the serving VLR requesting a roaming number for the called subscriber. It includes:

IMSI: used by the VLR identify the called subscriber so an MSRN can be provisioned to the MS.

13. Provide Roaming Number Ack:

Roaming Number(MSRN) : used by the originating MSC to translate to the proper MSC where the called subscriber is located.

Forwarding Information: this includes the forwarded to number. During SRI, the HLR may be able to make the determination of Call Forwarding before PRN is invoked (i.e. CFU).

33

Detailed Messages Contd….

14. Send Routing Info ACK: MAP message sent from the HLR to the GMSC returning either the Roaming Number of the requested subscriber, forwarding information or an Error.

Roaming Number: used by the originating MSC to translate to the proper MSC where the called subscriber is located

Forwarding Information: this includes the forwarded to number. During SRI, the HLR may be able to make the determination of Call Forwarding before PRN is invoked (i.e. CFU

15. Paging – BSSMAP message sent from the MSC to the BSS which allows the BSS to transmit the PAGING message to the proper cells. It Includes:

mobile identity (either TMSI or IMSI) and the cell identification.

After getting Paging Command message from BSC, BTS broadcasts the paging in Air I/F on PCH.

16. Paging Response - Similar to the CM SERVICE REQUEST message except the enveloped DTAP message is PGRSP instead of CMSRQ.

17. DTAP Setup.

18. SIIC/CC : Incoming calls barring check performed by MSC to VLR in same way as SIIC.

19. Call Confirmed- DTAP message sent by the called MS to the MSC to confirm the attempted incoming call setup.

TIP: MS always listen to PCH.

TIP: MS always listen to PCH.

34

Detailed Messages Contd….

20. Alerting – DTAP message sent by MSC to the MS to indicate that called user alerting has begun.

21. Connect – DTAP message sent by MSC to the MS to indicate that the call has been accepted.

22. Connect Ack – DTAP message sent by the MS to the MSC to indicate that the call is being accepted.

23. Disconnect - DTAP message sent by the MS to the MSC indicating that the call needs to be torn down.

MS-ISUP Call Flow By:- Deepak Sharma

36

MS-to-ISUP Call

MO BSS MSC/VLR HLR ISUP

CM Serv Request Connect Confirm Authentication Request(AUTRQ) Authentication Response(AUTRES) Cipher Command Cipher Complete ID Request ID Response Setup

SIOC CC

Call Proceeding

Assignment_Request Assignment_Complete

Initial Address Message (IAM) Address Complete Message (ACM)

37

MS-to-ISUP Call

MO BSS MSC/VLR HLR ISUP

Alerting Answer Message (ANM) Connect Connect_Ack

***************** CALL IS IN TALKING STATE HERE ************************

Disconnect ISUP Release (REL) Release Release Complete (RLC) Release Complete Clear Command (CLRCOM) Clear Complete (CLRCMP) Released (RLSD) Release Complete (RLC)

38

Intra MSC- Inter BSC Handover

MO BTS1 BSC1 MSC/VLR HLR EIR BSC2

Channel request procedure

CM Serv Request Connect Confirm Authentication Request(AUTRQ) Authentication Response(AUTRES) SRES Comparison

Cipher Command Cipher Complete ID Request ID Response Check IMEI Check IMEI ACK Setup HO Required HO Request HO request ACK HO Command HO CommandHO ACCESS HO DETECTHO Complete HO Complete

39

Intra MSC- Inter BSC Handover

BSC1 MSC/VLR HLR EIR BSC2 MO

CLR CMD CLR CMP Released (RLSD) Release Complete (RLC) Call Proceeding SRI PRN PRN_ACK SRI_ACK

Assignment_Request

Assignment_Complete ********* MO has been moved to BSC2 and rest flow of the call will remain

same*************

40