Page 1: GSM Overview


GSM NETWORK

Global System for Mobile communications (GSM)

• 900/1800 MHz band (US: 850/1900 MHz)

• For 900 MHz band

– Uplink: 890-915 MHz

– Downlink: 935-960 MHz

• 25 MHz bandwidth - 124 carrier frequency channels, spaced 200 kHz apart

• Time Division Multiplexing for 8 full rate speech channels per frequency channel.

• Circuit Switched Data with data rate of 9.6 kbps

• Handset transmission power limited to 2 W in GSM850/900 and 1 W in GSM1800/1900.

Page 2: GSM Overview


GSM Architecture

Architecture and components

Page 3: GSM Overview


Architecture and components

MSC: Mobile Switching Center

LA: Location Area

BSC: Base Station Controller

BTS: Base Transceiver Station

Architecture and components

MS: Mobile Station
BTS: Base Transceiver Station
BSC: Base Station Controller
MSC: Mobile Switching Center
GMSC: Gateway MSC
OMC: Operation and Maintenance Center
EIR: Equipment Identity Register
AUC: Authentication Center
HLR: Home Location Register
VLR: Visitor Location Register

Page 4: GSM Overview


Architecture and components

Two components:
1. Fixed installed infrastructure
2. Mobile subscribers

Fixed infrastructure divided into three sub-systems:
1. BSS: Base Station Subsystem. Manages transmission path from MS to NSS
2. NSS: Network Switching Subsystem. Communication and interconnection with other nets
3. OSS: Operational Subsystem. GSM network administration tools

Mobile Station and addresses

Mobile Station (MS)

GSM separates user mobility from equipment mobility by defining two distinct components

Mobile Equipment:
• The cellular telephone itself (or the vehicular telephone)
• Address / identifier:
  • IMEI (International Mobile Equipment Identity)

Subscriber Identity Module (SIM)
• Fixed installed chip (plug-in SIM) or
• Exchangeable card (SIM card)
• Addresses / identifiers:
  • IMSI (International Mobile Subscriber Identity)
  • MSISDN (Mobile Subscriber ISDN number): the telephone number!
  • TMSI (Temporary Mobile Subscriber Identity)
  • MSRN (Mobile Station Roaming Number)

Page 5: GSM Overview


Mobile Station and addresses

Mobile Termination functions
• Radio interface (tx, rx, signalling)

Terminal Equipment functions
• User interface (microphone, keyboard, speakers, etc.)
• Functions specific to services (telephony, fax, messaging, etc.), independent of GSM

Terminal Adaptor functions
• Interfaces MT with different types

Mobile Station and addresses

Page 6: GSM Overview


Mobile Station and addresses

► Uniquely identifies the mobile equipment
► 15 digits hierarchical address
► Assigned to ME during manufacturing and “type approval” testing

Type approval procedure: guarantees that the MS meets a minimum standard, regardless of the manufacturer

► IMEI structure:

Mobile Station and addresses

IMEI Management

► Protection against stolen and malfunctioning terminals
► Equipment Identity Register (EIR): 1 database for each operator; keeps:

► WHITE LIST:
• Valid IMEIs
• Corresponding MEs may be used in the GSM network

► BLACK LIST:
• IMEIs of all MEs that must be barred from using the GSM network
• Exception: emergency calls (to a set of emergency numbers)
• Black list periodically exchanged among different operators

► GRAY LIST:
• IMEIs that correspond to MEs that can be used, but that, for some reason (malfunctioning, obsolete SW, evaluation terminals, etc), need to be tracked by the operator
• A call from a “gray” IMEI is reported to the operator personnel
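The list semantics above, written as an EIR lookup. This is an added example, not part of the original slides: the class and function names and the sample IMEIs are constructed for illustration, the Luhn check on the 15th digit is standard IMEI practice that the slide does not mention, and refusing malformed or unlisted IMEIs is an assumption.

```python
# Added example: EIR decision logic using the white/black/gray semantics
# from the slide. Names and sample IMEIs are constructed.
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    ALLOW_AND_REPORT = "allow, report to operator personnel"
    BAR = "bar"


def luhn_check_digit(body14: str) -> str:
    """Luhn check digit for the first 14 IMEI digits."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting at the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def well_formed(imei: str) -> bool:
    """15 ASCII digits whose last digit matches the Luhn check digit."""
    return (len(imei) == 15 and imei.isascii() and imei.isdigit()
            and luhn_check_digit(imei[:14]) == imei[14])


class EquipmentIdentityRegister:
    def __init__(self, white=(), black=(), gray=()):
        self.white, self.black, self.gray = set(white), set(black), set(gray)

    def check(self, imei: str, emergency_call: bool = False) -> Verdict:
        # The black list takes precedence; emergency calls are the one
        # exception the slide names.
        if imei in self.black:
            return Verdict.ALLOW if emergency_call else Verdict.BAR
        # Assumption: malformed or unlisted IMEIs are refused; the slide
        # does not say how they are handled.
        if not well_formed(imei):
            return Verdict.BAR
        if imei in self.gray:
            return Verdict.ALLOW_AND_REPORT  # usable, but tracked
        if imei in self.white:
            return Verdict.ALLOW
        return Verdict.BAR


def make_imei(body14: str) -> str:
    return body14 + luhn_check_digit(body14)


# Constructed sample equipment (not real devices).
NORMAL = make_imei("00101000000001")
STOLEN = make_imei("00101000000002")
TEST_UNIT = make_imei("00101000000003")
UNKNOWN = make_imei("00101000000004")

EIR = EquipmentIdentityRegister(
    white={NORMAL, TEST_UNIT}, black={STOLEN}, gray={TEST_UNIT})

if __name__ == "__main__":
    for name, imei in [("normal", NORMAL), ("stolen", STOLEN),
                       ("test unit", TEST_UNIT), ("unknown", UNKNOWN)]:
        print(f"{name:9} {imei} -> {EIR.check(imei).value}")
    print("stolen, emergency call ->", EIR.check(STOLEN, True).value)
```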

Page 7: GSM Overview


Mobile Station and addresses

SIM Card: Subscriber Identity Module

Uniquely associated to a user
• Not to an equipment, as in first generation cellular networks

Stores user addresses
• IMSI
• MSISDN
• Temporary addresses for location (TMSI), roaming (MSRN), etc.

Authentication and encryption features
• All security features of GSM are stored in the SIM for maximum protection
• Subscriber’s secret authentication key (Ki)
• Authentication algorithm (“secret” algorithm - A3 – not unique)
• Cipher key generation algorithm (A8)

Personalization
• SIM stores user profile (subscribed services)
• RAM available for SMS, short numbers, user’s directory, etc.

Protection codes
• PIN (Personal Identification Number, 4-8 digits)
• PUK (PIN Unblocking Key, 8 digits)

Mobile Station and addresses

International Mobile Subscriber Identity (IMSI)

• Uniquely identifies the user (SIM card)
• GSM-specific address, unlike MSISDN (normal phone number)
• 15 digits hierarchical address
• Assigned by operator to SIM card upon subscription
• IMSI structure:

Page 8: GSM Overview


Mobile Station and addresses

IMSI is used for internal system signaling.

IMSI is permanently stored on the SIM card and unknown by the subscriber.

In HLR, it is used as the storage address for the subscriber data.

Mobile Station and addresses

Page 9: GSM Overview


Mobile Station and addresses

Temporary Addresses

TMSI: Temporary Mobile Subscriber Identity
• 32 bits
• Assigned by VLR within an administrative area
• Has significance only in this area
• Transmitted on the radio interface instead of IMSI
• Reduces problem of “eavesdropping”

MSRN: Mobile Station Roaming Number
• An MSISDN number
• CC, NDC of the visited network
• SN assigned by VLR
• Used to route calls to a roaming MS
• Subscriber Number (SN) assigned to provide routing information towards actually responsible MSC

Mobile Station and addresses

Why TMSI ?

Page 10: GSM Overview


Architecture and components

Two components:
1. Fixed installed infrastructure
2. Mobile subscribers

Fixed infrastructure divided into three sub-systems:
1. BSS: Base Station Subsystem. Manages transmission path from MS to NSS
2. NSS: Network Switching Subsystem. Communication and interconnection with other nets
3. OSS: Operational Subsystem. GSM network administration tools

Fixed Infrastructure

Components
• MS: Mobile Station
• BTS: Base Transceiver Station
• BSC: Base Station Controller
• MSC: Mobile Switching Center
• OMC: Operation and Maintenance Center
• EIR: Equipment Identity Register
• AUC: Authentication Center
• HLR: Home Location Register
• VLR: Visitor Location Register

Interfaces
• Um: Radio Interface
• Abis: BTS-BSC
• A: BSS-MSC
• B: MSC-VLR
• C: MSC-VLR
• D: HLR-VLR
• E: MSC-MSC
• F: MSC-EIR
• G: VLR-VLR

Page 11: GSM Overview


Fixed Infrastructure

Fixed Infrastructure

Base Transceiver Station (BTS)
• Transmitter and receiver devices, voice coding & decoding, rate adaptation for data.
• Provides signaling channels on the radio interface

Base Station Controller (BSC)
• Performs most important radio interface management functions: radio channels allocation and deallocation; handover management; …

Page 12: GSM Overview


Fixed Infrastructure

TRX radio interface functions:
- GMSK modulation-demodulation
- channel coding
- encryption/decryption
- burst formatting, interleaving
- signal strength measurements
- interference measurements

Fixed Infrastructure

Page 13: GSM Overview


Fixed Infrastructure

• Switch calls from MSC to correct BTS and conversely
• Protocol and coding conversion: for traffic (voice) & signaling (GSM-specific to ISDN-specific)
• Manage MS mobility
• Enforce power control

Fixed Infrastructure

BTS:
- Collects speech traffic
- Deciphers and removes error protection
- Result: 13 kbps air-interface GSM speech-coded signal

MSC:
- A 64 kbps ISDN switch
- Needs to receive ISDN-coded speech: 64 kbps PCM format (A-law)

Transcoding and Rate Adaptation Unit (TRAU) needed!

Page 14: GSM Overview


Fixed Infrastructure

Fixed Infrastructure

Page 15: GSM Overview


Fixed Infrastructure

Fixed Infrastructure

Page 16: GSM Overview


Fixed Infrastructure

Fixed Infrastructure

Page 17: GSM Overview


Fixed Infrastructure

Geographic relation between the MSC and the VLR

Page 18: GSM Overview


Fixed Infrastructure

GSM Specifications

• RF Spectrum

GSM 900
– Mobile to BTS (uplink): 890-915 MHz
– BTS to Mobile (downlink): 935-960 MHz
– Bandwidth: 2 × 25 MHz

GSM 1800
– Mobile to BTS (uplink): 1710-1785 MHz
– BTS to Mobile (downlink): 1805-1880 MHz
– Bandwidth: 2 × 75 MHz

Page 19: GSM Overview


GSM Specification

• Carrier Separation: 200 kHz
• Duplex Distance: 45 MHz
• No. of RF carriers: 124
• Access Method: TDMA/FDMA
• Modulation Method: GMSK
• Modulation data rate: 270.833 kbps

Frequency Bands / Bandwidth

Uplink: 890 – 915 MHz (25 MHz)
Downlink: 935 – 960 MHz (25 MHz)

[Figure: carriers 1 to 124 at 200 kHz spacing, with a 100 kHz guard band at each edge of the band]

A 200 kHz carrier spacing has been chosen. Excluding the 2 × 100 kHz edges of the band, this gives 124 possible carriers for the uplink and downlink. The use of carriers 1 and 124 is optional for operators.
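The carrier plan above can be checked numerically. This is an added example, not part of the original slides: it maps carrier numbers to centre frequencies and back, and confirms the 100 kHz edges. The formula uplink = 890 MHz + n × 200 kHz is the standard primary GSM 900 numbering, and the function names are illustrative.

```python
# Added example: GSM 900 carrier numbering from the figures on this page.
# All frequencies are integers in kHz to avoid floating-point rounding.
BAND_KHZ = {"uplink": (890_000, 915_000), "downlink": (935_000, 960_000)}
SPACING_KHZ = 200        # carrier separation
DUPLEX_KHZ = 45_000      # duplex distance between uplink and downlink
CARRIERS = range(1, 125)  # carriers 1..124


def carrier_centres_khz(n: int):
    """(uplink, downlink) centre frequency in kHz of carrier n."""
    if n not in CARRIERS:
        raise ValueError(f"carrier {n} is outside 1..124")
    uplink = BAND_KHZ["uplink"][0] + SPACING_KHZ * n
    return uplink, uplink + DUPLEX_KHZ


def carrier_from_khz(freq_khz: int):
    """Map a centre frequency to (carrier number, link direction).

    Raises ValueError when the frequency is off the 200 kHz raster or
    outside both bands, e.g. a measurement that is not a GSM 900 carrier.
    """
    for link, (low, _high) in BAND_KHZ.items():
        offset = freq_khz - low
        if offset % SPACING_KHZ == 0 and offset // SPACING_KHZ in CARRIERS:
            return offset // SPACING_KHZ, link
    raise ValueError(f"{freq_khz} kHz is not a GSM 900 carrier centre")


def guard_edges_khz(link: str = "uplink"):
    """Unused spectrum below carrier 1 and above carrier 124, in kHz."""
    low, high = BAND_KHZ[link]
    idx = 0 if link == "uplink" else 1
    first_edge = carrier_centres_khz(1)[idx] - SPACING_KHZ // 2
    last_edge = carrier_centres_khz(124)[idx] + SPACING_KHZ // 2
    return first_edge - low, high - last_edge


if __name__ == "__main__":
    for n in (1, 62, 124):
        ul, dl = carrier_centres_khz(n)
        print(f"carrier {n:3}: uplink {ul / 1000:.1f} MHz, "
              f"downlink {dl / 1000:.1f} MHz")
    print("guard edges (kHz):", guard_edges_khz("uplink"))
```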

Multiple Access Technique

FDMA/TDMA. The total band is divided into 124 × 200 kHz bands (FDMA). Each group of 8 users transmits through a 200 kHz band, sharing transmission time (TDMA).

Page 20: GSM Overview


GSM uses paired radio channels

[Figure: paired channels 0 to 124; uplink band 890 MHz to 915 MHz, downlink band 935 MHz to 960 MHz]

GSM delays uplink TDMA frames

[Figure: uplink and downlink TDMA frames, time slots T1 to T8 and R1 to R8; TDMA frame (4.615 ms); fixed transmit delay of three time-slots]

The start of the uplink TDMA frame is delayed by three time slots.

Page 21: GSM Overview


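GSM - TDMA/FDMA

[Figure: GSM TDMA/FDMA structure. Frequency axis: 935-960 MHz, 124 channels (200 kHz), downlink; 890-915 MHz, 124 channels (200 kHz), uplink. Time axis: GSM TDMA frame of 8 time slots (4.615 ms), grouped into higher GSM frame structures. GSM time-slot (normal burst): 577 µs, of which 546.5 µs is the burst between the guard spaces.]

Normal burst fields: guard space | tail (3 bits) | user data (57 bits) | S (1 bit) | training (26 bits) | S (1 bit) | user data (57 bits) | tail (3 bits) | guard space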

GSM Operation

[Figure: processing chain across the radio interface. Transmit side: Speech → Speech coding → Channel coding → Interleaving → Burst formatting → Ciphering → Modulation. Receive side: Demodulation → De-ciphering → Burst formatting → De-interleaving → Channel decoding → Speech decoding → Speech. Data rates marked along the chain: 13 kbps, 22.8 kbps, 33.6 kbps, 270.83 kbps.]

Page 22: GSM Overview


Physical Channel

HIERARCHY OF FRAMES

[Figure: hierarchy of frames, from hyperframe down to time slot]

• 1 hyperframe = 2048 superframes = 2 715 648 TDMA frames (3 h 28 min 53 s 760 ms)
• 1 superframe = 1326 TDMA frames (6.12 s) = 51 multiframes of 26 TDMA frames, or 26 multiframes of 51 TDMA frames
• Traffic channels: 1 multiframe = 26 TDMA frames (120 ms)
• Signalling channels: 1 multiframe = 51 TDMA frames (235.4 ms)
• 1 TDMA frame = 8 time slots, numbered 0 to 7 (4.615 ms)
• 1 time slot = 156.25 bits (0.577 ms)
• 1 bit = 36.9 micro sec

Page 23: GSM Overview


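GSM Frame

[Figure: 26-frame multiframe (frames 0 to 25), TDMA frame (time slots 0 to 7) and burst of 3 + 57 + 1 + 26 + 1 + 57 + 3 + 8.25 bits]

• Full rate channel is idle in frame 25
• SACCH is transmitted in frame 12
• Frames 0 to 11 and 13 to 24 are used for traffic data
• Frame duration = 120 ms (26-frame multiframe)
• Frame duration = 60/13 ms (TDMA frame)
• Frame duration = 15/26 ms (time slot)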

Channels

• The physical channel in GSM is the timeslot.

• The logical channel is the information which goes through the physical channel .

• Both user data and signaling are logical channels.

Page 24: GSM Overview


Channels

• User data is carried on the traffic channel (TCH), which is defined as 26 TDMA frames.

• There are lots of control channels for signaling, base station to mobile, mobile to base station (“aloha” to request network access)

LOGICAL CHANNELS

[Figure: logical channel tree]

TRAFFIC
• Full rate (Bm): 22.8 kb/s
• Half rate (Lm): 11.4 kb/s

SIGNALLING
• Broadcast: FCCH, SCH, BCCH
• Common control: PCH, RACH, AGCH
• Dedicated control: SDCCH, SACCH, FACCH

FCCH -- FREQUENCY CORRECTION CHANNEL
SCH -- SYNCHRONISATION CHANNEL
BCCH -- BROADCAST CONTROL CHANNEL
PCH -- PAGING CHANNEL
RACH -- RANDOM ACCESS CHANNEL
AGCH -- ACCESS GRANTED CHANNEL
SDCCH -- STAND ALONE DEDICATED CONTROL CHANNEL
SACCH -- SLOW ASSOCIATED CONTROL CHANNEL
FACCH -- FAST ASSOCIATED CONTROL CHANNEL

Direction labels in the figure: downlink only, uplink only, both up & downlinks

Page 25: GSM Overview


Logical Channel List

Traffic channels (TCH), two-way:
• TCH/F: Full-rate Traffic Channel
• TCH/H: Half-rate Traffic Channel

Signaling channels:
• BCH, base-to-mobile:
  – FCCH: Frequency correction
  – SCH: Synchronization
  – BCCH: Broadcast control
• CCCH:
  – PCH: Paging
  – AGCH: Access grant
  – RACH: Random access
• DCCH, two-way:
  – SDCCH: Stand-alone dedicated control
  – SACCH: Slow associated control
  – FACCH: Fast associated control

Broadcast Channel - BCH

• Broadcast control channel (BCCH) is a base to mobile channel which provides general information about the network, the cell in which the mobile is currently located and the adjacent cells.

• Frequency correction channel (FCCH) is a base to mobile channel which provides information for carrier synchronization

• Synchronization channel (SCH) is a base to mobile channel which carries information for frame synchronization and identification of the base station transceiver

Page 26: GSM Overview


Common Control Channel - CCH

• Paging channel (PCH) is a base to mobile channel used to alert a mobile to a call originating from the network

• Random access channel (RACH) is a mobile to base channel used to request for dedicated resources

• Access grant channel (AGCH) is a base to mobile which is used to assign dedicated resources (SDCCH or TCH)

Dedicated Control Channel - DCCH

• Stand-alone dedicated control channel (SDCCH) is a bi-directional channel allocated to a specific mobile for exchange of location update information and call set up information

Page 27: GSM Overview


Dedicated Control Channel - DCCH

• Slow associated control channel (SACCH) is a bi-directional channel used for exchanging control information between base and a mobile during the progress of a call set up procedure. The SACCH is associated with a particular traffic channel or stand alone dedicated control channel

• Fast associated control channel (FACCH) is a bi-directional channel which is used for exchange of time critical information between mobile and base station during the progress of a call. The FACCH transmits control information by stealing capacity from the associated TCH

Call Routing

• Call Originating from MS

• Call termination to MS

Page 28: GSM Overview


Outgoing Call

1. MS sends dialled number to BSS
2. BSS sends dialled number to MSC
3, 4. MSC checks VLR if MS is allowed the requested service. If so, MSC asks BSS to allocate resources for call.
5. MSC routes the call to GMSC
6. GMSC routes the call to local exchange of called user
7, 8, 9, 10. Answer back (ring back) tone is routed from called user to MS via GMSC, MSC, BSS

Incoming Call

1. Calling a GSM subscriber
2. Forwarding call to GMSC
3. Signal setup to HLR
4, 5. Request MSRN from VLR
6. Forward responsible MSC to GMSC
7. Forward call to current MSC
8, 9. Get current status of MS
10, 11. Paging of MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection

Page 29: GSM Overview


Page 30: GSM Overview


Page 31: GSM Overview


Handovers

• Between 1 and 2 – Inter BTS / Intra BSC
• Between 1 and 3 – Inter BSC / Intra MSC
• Between 1 and 4 – Inter MSC

Page 32: GSM Overview


The interfaces

Each entity communicates with the others through the appropriate interface.

[Figure: interface diagram showing BTS, BSC, MSC, GMSC, HLR, VLR, EIR, AuC and SMS gateway, connected by the Abis, A, B, C, D, E, F, G and H interfaces]

GSM Interfaces

– The component parts of the GSM system interconnect using standard interfaces. These allow an operator to purchase different parts of the system competitively, i.e. from different manufacturers.

– The more important interfaces are :

• Um – the air interface

• A-bis interface – between the BTS and BSC

• A interface – between the BSC and MSC

Page 33: GSM Overview


GSM protocol layers for signaling

[Figure: signaling protocol stacks of the MS, BTS, BSC and MSC across the Um, Abis and A interfaces. Layers shown: CM, MM, RR, RR’, BTSM, BSSAP, LAPDm, LAPD, SS7, radio and PCM. Link rates marked: 16/64 kbit/s on Abis; 64 kbit/s / 2.048 Mbit/s on A.]

Protocols involved in the A-bis interface

• Level 1 - PCM transmission (E1 or T1)
  – Speech encoded at 16 kbit/s and sub-multiplexed in 64 kbit/s time slots.
  – Data whose rate is adapted and synchronized.
• Level 2 - LAPD protocol, standard HDLC
  – Radio Signaling Link (RSL)
  – Operation and Maintenance Link (OML)
• Level 3 - Application Protocol
  – Radio Subsystem Management (RSM)
  – Operation and Maintenance procedure (OAM)

Page 34: GSM Overview


The A-bis interface

Presentation of A-bis Interface

• Message exchanges between the BTS and BSC.
  – Traffic exchanges
  – Signaling exchanges
• Physical access between BTS and BSC is PCM digital links of E1 (32) or T1 (24) TS at 64 kbit/s.
• Speech:
  – Conveyed in timeslots at 4 × 16 kbit/s
• Data:
  – Conveyed in timeslots of 4 × 16 kbit/s. The initial user rate, which may be 300, 1200, … is adjusted to 16 kbit/s

Page 35: GSM Overview


Presentation of the A-ter interface

Presentation on the A-ter interface

• Signaling messages are carried on specific timeslots (TS)
  – LAPD signaling TS between the BSC and the TCU
  – SS7 TS between the BSC and the MSC, dedicated for BSSAP messages transportation.
  – X25 TS2 is reserved for OAM.
• Speech and data channels (16 kbit/s)
• Ater interface links carry up to:
  – 120 communications (E1), 4*30
  – 92 communications (T1).
• The 64 kbit/s speech rate adjustment and the 64 kbit/s data rate adaptation are performed at the TCU.

Page 36: GSM Overview


Presentation of the A interface

Signaling Protocol Model

Page 37: GSM Overview


Presentation on the A-Interface

• BSSMAP - deals with procedures that take place logically between the BSS and MSC. Examples:
  – Trunk Maintenance, Ciphering, Handover, Voice/Data Trunk Assignment
• DTAP - deals with procedures that take place logically between the MS and MSC. The BSS does not interpret the DTAP information; it simply repackages it and sends it to the MS over the Um Interface. Examples:
  – Location Update, MS originated and terminated Calls, Short Message Service, User Supplementary Service registration, activation, deactivation and erasure

Inter MSC presentation

Page 38: GSM Overview


[Figure: protocol stacks of the MS, BTS, BSC and NSS across the Um, A-bis and A interfaces, showing CM, MM, RR, OAM, LAPD, BSSAP (DTAP/BSSMAP), SCCP, MTP1, MTP2, MTP3, TCAP and MAP]

Security in GSM

• On the air interface, GSM uses encryption and TMSI instead of IMSI.

• The SIM is provided with a 4-8 digit PIN to validate the ownership of the SIM

• 3 algorithms are specified :

- A3 algorithm for authentication

- A5 algorithm for encryption

- A8 algorithm for key generation
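How the three algorithms fit together in the authentication exchange. This is an added example, not part of the original slides: HMAC-SHA-256 stands in for the operator-chosen A3 and A8 so the code runs, and the class and function names, IMSI and keys are constructed. The sizes (128-bit RAND and Ki, 32-bit SRES, 64-bit Kc) are the standard GSM ones.

```python
# Added example: GSM challenge-response with a stand-in for A3/A8.
import hashlib
import hmac
import secrets


def a3_a8_standin(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3 (-> SRES) and A8 (-> Kc).

    HMAC-SHA-256 is used only so the example runs; real SIMs run the
    operator-selected algorithms. Returns (32-bit SRES, 64-bit Kc).
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Holds Ki; only SRES and Kc ever leave the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8_standin(self._ki, rand)


class AuthenticationCenter:
    """AuC: stores Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge
        sres, kc = a3_a8_standin(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


def authenticate(auc: AuthenticationCenter, sim: Sim):
    """Network side (MSC/VLR): send RAND, compare the SIM's SRES.

    Returns (authenticated, network_kc, sim_kc). Ki is never sent;
    Kc is the session key that A5 then uses to cipher the radio link.
    """
    rand, expected_sres, network_kc = auc.triplet(sim.imsi)
    sres, sim_kc = sim.run_gsm_algorithm(rand)  # computed on the card
    ok = hmac.compare_digest(sres, expected_sres)
    return ok, network_kc, sim_kc


# Constructed sample subscriber (IMSI and keys are made up).
IMSI = "001010000000001"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
AUC = AuthenticationCenter()
AUC.provision(IMSI, KI)
GENUINE = Sim(IMSI, KI)
CLONE_WITHOUT_KI = Sim(IMSI, bytes(16))  # knows the IMSI but not Ki

if __name__ == "__main__":
    for label, sim in [("genuine", GENUINE), ("clone", CLONE_WITHOUT_KI)]:
        ok, net_kc, sim_kc = authenticate(AUC, sim)
        print(f"{label:8} authenticated={ok} same Kc={net_kc == sim_kc}")
```

A card that knows only the IMSI fails the SRES comparison and derives a different Kc, which is why Ki is kept on the SIM and in the AuC only.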

Page 39: GSM Overview


Authentication in GSM

Key generation and Encryption

Page 40: GSM Overview


GSM services

ETSI provides specifications

• Tele services: voice call, fax, SMS

• Bearer services: Internet surfing

• Supplementary services: call forwarding, call hold, call barring…

Bearer Services

• Telecommunication services to transfer data between access points

• Specification of services up to the terminal interface (OSI layers 1-3)

• Different data rates for voice and data (original standard)

– Data service

• Synchronous: 2.4, 4.8 or 9.6 kbit/s

• Asynchronous: 300 - 1200 bit/s

Page 41: GSM Overview


Supplementary services

• Services in addition to the basic services, cannot be offered stand-alone

• May differ between different service providers, countries and protocol versions

• Important services
  – identification: forwarding of caller number
  – suppression of number forwarding
  – automatic call-back
  – conferencing with up to 7 participants
  – locking of the mobile terminal (incoming or outgoing calls)

SMS Network Infrastructure

SME: Short Message Entity

SMSC: Short Message Service Center

GMSC: Gateway MSC
• Receives short message from SMSC
• Interrogates HLR for routing information
• Delivers short message to recipient’s MSC

IWMSC: Interworking MSC
• Receives short message from MSC
• Submits it to appropriate SMSC

Page 42: GSM Overview


Signaling Element – SS7

[Figure: SS7 protocol stack. MTP1, MTP2 and MTP3 at the bottom; ISUP for call-related signaling; SCCP, TCAP and MAP for non-call-related signaling]

• MAP (Mobile Application Part): used for signaling related to a number of services

Signaling Element

[Figure: MSC, SMSC, HLR, VLR and SMS gateway connected by the B, C, D and E interfaces]

• FROM MSC TO VLR (B): MAP_SEND_INFO_FOR_MO_SM, MAP_SEND_INFO_FOR_MT_SM
• FROM SMSgwy TO HLR (C): MAP_SEND_ROUTING_INFO_SM, MAP_REPORT_SM_DELIVERY_STATUS
• FROM HLR TO SMSgwy (C): MAP_ALERT_SERVICE_CENTRE, MAP_INFORM_SERVICE_CENTRE
• FROM MSC TO HLR (D, via VLR): MAP_READY_FOR_SM
• FROM MSC TO SMSgwy (E): MAP_MO_FORWARD_SM
• FROM SMSgwy TO MSC (E): MAP_MT_FORWARD_SM

• Routing information request: retrieves routing information of the serving MSC for the MS at the delivery attempt
• Point to point short message delivery: delivers the short message from SMSC to MSC
• Short message waiting indication: adds the SMSC address in the HLR
• Service center alert: the HLR alerts the SMSC that the MS is now available

Page 43: GSM Overview


Classes of SMS

• Class 0: messages are displayed immediately, ACK to SMSC

• Class 1: messages are stored in memory of mobile station or SIM card

• Class 2: reserved, carries SIM-specific data

• Class 3: messages indicate that they can be forwarded to external equipment

SMS Messages - Point to Point

• SMS MO: short message mobile originated. Submit SM from SME to SMSC

• SMS MT: short message mobile terminated. Deliver SM from SMSC to SME

Page 44: GSM Overview


SMS MT

SMS MT format

SMS MT

1. The short message is submitted from the SME to the SMSC.
2. After completing its internal processing, the SMSC interrogates the HLR and receives the routing information for the MS.
3. The SMSC sends the short message to the MSC using the forwardShortMessage operation.
4. The MSC retrieves the subscriber information from the VLR. This operation may include an authentication procedure.
5. The MSC transfers the short message to the MS.
6. The MSC returns to the SMSC the outcome of the forwardShortMessage operation.
7. If requested by the SME, the SMSC returns a status report indicating delivery of the short message.

Page 45: GSM Overview


SMS MO

SMS MO format

SMS MO

1. The MS transfers the SM to the MSC.
2. The MSC interrogates the VLR to verify that the message transfer does not violate the supplementary services invoked or the restrictions imposed.
3. The MSC sends the short message to the SMSC using the forwardShortMessage operation.
4. The SMSC delivers the short message to the SME.
5. The SMSC acknowledges to the MSC the successful outcome of the forwardShortMessage operation.
6. The MSC returns to the MS the outcome of the MO-SM operation.