MOBILITY MANAGEMENT IN GSM SIGNALING
BY
KALU IFEOMA MBA
PG/M.SC/07/43497
A PROJECT SUBMITTED TO THE PARTIAL FULFILLMENT OF THE REQUIREMENTS
FOR THE AWARD OF DEGREE OF MASTER OF SCIENCE (M.SC)
DEPARTMENT OF ELECTRONIC ENGINEERING
FACULTY OF ENGINEERING
UNIVERSITY OF NIGERIA NSUKKA
MAY 2010
APPROVAL PAGE
This is to certify that the research work “The Quantification of Signaling for Mobility Management” was
submitted to the Department of Electronic Engineering, University of Nigeria Nsukka, for the award of
Degree of Master of Science (M.Sc) in Telecommunication Engineering.
KALU IFEOMA MBA DATE
DR C.I.ANI (SUPERVISOR) DATE
VEN. PROF. T. C MADUEME
(HEAD OF DEPARTMENT) DATE
DECLARATION
I, KALU IFEOMA MBA, declare that this work is my own and contains no material accepted for
publication for the award of any other degree at any institution.
KALU IFEOMA MBA DATE
DEDICATION
This research work is dedicated to Almighty God and my parents Elder and Mrs. A.M. Kalu.
ACKNOWLEDGEMENT
I thank God Almighty for the successful completion of this research work. My special gratitude goes to
my supervisor, Dr. C. I. Ani, for his advice and the relevant materials he made available to me.
I wish to thank the Head of the Department of Electronic Engineering, Ven. Prof. T. C. Madueme, and the
entire staff for their tremendous assistance during the course of this project. My special thanks go to my
parents, Elder and Mrs. A.M. Kalu, Pastor Joshua Ukoha, and my sister Ngozi Kalu for their sponsorship
and support towards the success of this research work. My thanks also go to my special friends and
colleagues who have contributed to the success of this work; remain blessed.
TABLE OF CONTENTS
Approval page i
Declaration ii
Dedication iii
Acknowledgement iv
Table of Contents v
List of Figures viii
List of Tables x
Abstract xi
CHAPTER ONE: INTRODUCTION
1.0 Background of the Study 1
1.1 Objectives of the Study 2
1.2 Significance of the Study 2
1.3 Scope of the Study 2
1.4 Dissertation Outline 3
CHAPTER TWO: LITERATURE REVIEW
2.0 Introduction 4
2.1 GSM Network Architecture 9
2.2 Mobile Station Subsystem 11
2.3 Base Station Subsystem 13
2.4 Network Switching System 17
2.5 GSM Network Architecture over Interfaces 20
2.6 GSM Channel Structure 23
2.7 GSM TDMA Frame 27
2.8 GSM Frame Structures and Hierarchy 28
2.9 GSM Technical Specifications 29
2.10 Mobility Management in GSM Network 34
2.11 Signaling Concept 38
2.12 Signaling System No.7 40
2.13 Objectives of Signaling System No.7 40
2.14 Components of SS7 41
2.15 SS7 Signaling Points 44
2.16 The SS7 Architecture 44
2.17 The ISDN User Part 48
2.18 Telephone User Part 53
2.19 Signaling Connection Control Part 53
2.20 The Transaction Capabilities Application Part 56
2.21 Mobile Application Part 61
2.22 Operation and Maintenance Application Part 63
2.23 Intelligent Network Application Part 63
2.24 Signaling Protocol in GSM Network 63
CHAPTER THREE: SIGNALING TRAFFIC
3.0 Introduction 65
3.2 Mobility Management Procedures 65
3.3 Location Update Procedure 67
3.4 Handover Procedure 71
3.5 GSM Originating Call 73
3.6 GSM Terminating Call 75
CHAPTER FOUR: SIGNALING TRAFFIC MODEL
4.0 Introduction 78
4.1 Measured Traffic Data 79
4.2 Mobility Signaling Traffic Model 82
4.2.1 Location Update 82
4.2.2 Handover 83
4.3 Location Area Management 86
CHAPTER FIVE: RECOMMENDATION AND CONCLUSION
5.1 Summary of Achievements 91
5.2 Recommendations 91
5.3 Conclusion 92
References 93
Appendix A 98
Appendix B 100
Appendix C 102
Appendix E 108
Appendix F 112
Appendix G 114
LIST OF FIGURES
Figure 2.1 GSM Network Architecture 10
Figure 2.2 SIM Authentication Sequence 13
Figure 2.3 GSM Base Stations 14
Figure 2.4 Block Diagram of a BSC 16
Figure 2.5 Equipment Identity Register 19
Figure 2.6 Network Switching System 20
Figure 2.7 GSM Network Architecture over Interfaces 21
Figure 2.8 Organizations of Burst, TDMA Frames and Multiframes 28
Figure 2.9 Composition Structure of SS7 Message Type 42
Figure 2.10 SS7 Signaling Units 43
Figure 2.11 SS7 Signaling Points 44
Figure 2.12 SS7 Protocol Layer 45
Figure 2.13 SS7 Model compared with OSI Model 46
Figure 2.14 ISUP Signaling between Exchanges 49
Figure 2.15 MAP Interfaces between Networks 62
Figure 2.16 GSM Signaling Protocol 64
Figure 3.1 Signaling Network Architecture 67
Figure 3.2 Intra-MSC Location Update 68
Figure 3.3 Inter-MSC Location Update 69
Figure 3.4 GSM Location Update Procedures 66
Figure 3.5 GSM Location Update Procedures 67
Figure 3.6 Handover Signaling Message Sequence 70
Figure 3.7 Handover Signaling Message Sequence 71
Figure 3.8 Intra-MSC Handover Flow Chart 72
Figure 3.9 Intra-MSC Handover Flow Chart 73
Figure 3.10 Intra-MSC Handover Flow Chart 74
Figure 3.11 Intra-MSC Handover Flow Chart 75
Figure 3.12 Inter-MSC Handover Flow Chart 76
Figure 3.13 Inter-MSC Handover Flow Chart 77
Figure 3.14 Inter-MSC Handover Flow Chart 78
Figure 3.15 Inter-MSC Handover Flow Chart 79
Figure 3.16 GSM Originating Call Flow 82
Figure 3.17 GSM Originating Call Flow 83
Figure 3.18 GSM Terminating Call Flow 85
Figure 3.19 GSM Terminating Call Flow 86
Figure 4.1 Traffic to and from the Node 79
Figure 4.2 Graph of local arrivals 80
Figure 4.3 Graph of Average LU Rate 89
Figure 4.4 Graph of Average Handover rate 90
LIST OF TABLES
Table 2.1 GSM Technical Specifications 32
Table 3.1 Number of Signaling Messages involved in GSM call types 87
Table 4.1 Summary of call type parameters and mean values 81
Table 4.2 SS7 Signaling Traffic for a Node 81
Table 4.3 Average of Signaling Traffic within an MSC per hourly average 85
Table 4.4 Summary of call type arrivals 86
Table 4.5 Modeled Parameters 86
ABSTRACT
The modern telephone network was developed to provide the basic telephone service, the two-way
real-time transmission of voice signals. Cellular networks extended the basic telephone services by
providing mobility to mobile users. The main issue in provisioning mobile services is the need to track
mobile users: mobility management enables a telecommunication network to locate mobile users for call
delivery. This dissertation therefore presents the protocols involved in GSM network mobility
management and the complete set of signaling messages they require. The signaling messages were
categorized into those required for call connection setup, call connection maintenance, disconnection,
mobile station location update, and mobile call handover. The average rates at which mobile station
location updates and handovers occur in a given cell area were defined, and the associated signaling
messages were quantified. The results were validated using data measured from a typical GSM network
over a 24-hour period. It was confirmed that a network with a smaller location area size has an increased
rate of location updates, and that a cell of increased size reduces the rate at which active mobile stations
are handed over to neighboring cells. This implies that location area sizes should be increased to reduce
the number of signaling messages involved in location updates and handover.
CHAPTER 1
INTRODUCTION
1.0 Background of the study
Communication can be defined as the process by which information is transferred from one point to
another in space and time [1]. The point of origination of information is called the source, while the
target point is called the destination. The facility that provides a service transferring information between
users located at various geographical points is called the network. It also provides access for the
gathering of information and flexibility in its usage [1]. Wireless networking is the most common
real-time service provided by a network; cellular telephone service extended this to mobile users, who are
free to move within a regional area covered by an interconnected array of smaller geographical areas
called cells. A cell has a radio transmission system that allows it to communicate with users in its area
[2]. The cellular system handles the "handing over" of users as they move from one cell to another so
that an ongoing conversation is not terminated abruptly. The need for mobility arises whenever a
subscriber wishes to access service from any part of the world.
A communication network is a set of facilities that provide services and transfer information between a
source and a destination [2]. The source and the destination comprise terminal equipment that attaches
to the network, e.g. a telephone. The transfer may involve a single block of information or a stream of
information. The basic capability is provided by transmission systems that transfer information through
various media: cable, radio, and optical fiber. They are designed to carry specific types of information
representation: analog voice signals, bits or characters. Switches transfer the information flow from one
transmission line to another [7]. Setting up a path that carries each piece of information to its destination
is called routing. The basic network functions include transmission, information representation,
switching (which includes routing and forwarding), addressing, traffic control, congestion control, and
network management. Signaling was introduced to carry messages between the terminal and the
network [2].
Signaling enables mobility, the capability of a network to locate users as they roam away from their
home network. There are two basic types of signal exchange: between the user and the network, and
within the network. These two types of signaling have to work together to establish a call. When a
request for a call comes in, stored program control checks whether the destination is available. A
separate computer communication network was introduced to carry the signaling information [2].
Communications from the user are split into two streams at the service switching point (SSP). The
signaling information is directed toward the signaling network, where it is routed and processed; the
signaling system issues commands to the switches to establish the desired connection. The second
stream at the SSP consists of the user information, which is directed to the transport network, where it
flows from one user to another.
1.2 Objectives of the study
The aim of this study is to quantify the impact of mobility on GSM signaling in Nigerian network
systems. The other objectives of this research work are:
• To determine how many signaling messages are exchanged between network components for a
local, trunk or GSM-to-fixed-network call.
• To quantify the impact of mobility on GSM signaling.
• To determine how many signaling messages are involved in mobility (handover and location
updates) in the GSM network.
1.3 Significance of the study
The results obtained from this research work will help GSM operators in Nigeria to determine the
location of base stations, the type of cell selection, and the measurement values and corresponding
signaling events of all customers' calls in a specific period.
1.4 Scope of the study
In this research work, the areas covered include all call traffic data obtained on average from a typical
GSM operator in Nigeria, as experienced by the network within a given time. This was used for the
quantification of the signaling traffic and of the influence of mobility on GSM signaling.
The number and size of cells, the sizes of location areas, and user movement determine the influence of
mobility in the network. The GSM service providers in Nigeria are MTN, Globacom, Zain and
Etisalat.
1.5 Dissertation outline
This dissertation is organized as follows. Chapter one gives the background of the study. Chapter two
reviews the literature on GSM network architecture, components and technical specifications, Signaling
System No.7, signaling concepts and signaling protocols. Chapter three defines signaling traffic and
gives the signaling messages exchanged in the GSM network for local, trunk and GSM-to-fixed-network
calls and for calls involving mobility, and quantifies mobility signaling. Chapter four presents analytical
results on location update rate and handover rate, with graphs showing the influence of mobility on the
network. Chapter five draws conclusions and makes recommendations. Lastly, the work closes with
references and appendices showing the signaling flow diagrams.
CHAPTER TWO
LITERATURE REVIEW
2.0 Introduction
The Global System for Mobile communications (GSM) comprises several functional entities whose
functions and interfaces are specified. These entities of the GSM network inter-communicate to provide
the total functions and capabilities of GSM communications. In this chapter, the GSM network
architecture and the functions of its entities are presented.
Mobile communication today employs digital technology, in contrast to old analog mobile phones such
as the first generation (1G) mobile standards. A wireless user is no longer limited to voice calls or very
low speed data applications, often using circuit-switched data. The GSM network allows high-speed
multimedia downloads, e-mail and internet browsing.
During the early 1980s, analog cellular telephone systems were experiencing rapid growth in Europe,
particularly in Scandinavia and the United Kingdom, and also in France and Germany. Each of these
countries developed its own system, incompatible with everyone else's in equipment and operation [12].
This limited mobile equipment to operating within national boundaries. The Europeans realized this
early: in 1982 the Conference of European Posts and Telegraphs (CEPT) formed a study group called the
Groupe Special Mobile, later renamed Global System for Mobile Communication (GSM), to study and
develop a pan-European public land mobile system. The system was to meet the following criteria:
• Good subjective speech quality
• Low terminal and service cost
• Support for international roaming
• Ability to support handheld terminals
• Support for range of new services and facilities
• Spectral efficiency
• Integrated Services Digital Network (ISDN) compatibility
Services offered by GSM Network
The planners of GSM wanted ISDN compatibility in the provision of the services offered and the control
signaling used [8]. Radio transmission limitations, in terms of bandwidth and cost, do not allow the
standard ISDN B-channel bit rate of 64 kbps to be achieved in practice. Using the ITU-T definitions,
telecommunication services can be divided into bearer services, teleservices, and supplementary services.
The most basic teleservice supported by GSM is telephony; speech is digitally encoded and transmitted
through the GSM network as a digital stream [12]. A variety of data services is offered. GSM users can
send and receive data, at rates up to 9600 bps, with users on the Plain Old Telephone Service (POTS),
ISDN, Packet Switched Public Data Networks, and Circuit Switched Public Data Networks, using a
variety of access methods and protocols such as X.25 or X.32. A unique feature of GSM, not found in
older analog systems, is the Short Message Service (SMS).
SMS is a bidirectional service for short alphanumeric (160 bytes) messages [13]. Messages are
transported in a store-and-forward fashion. SMS can also be used in a cell-broadcast mode, for sending
messages such as traffic updates or news updates. Supplementary services are provided on top of
teleservices or bearer services. In the current (Phase I) specifications, they include several forms of call
forwarding (such as call forwarding when the mobile subscriber is unreachable by the network), barring
of outgoing or incoming calls (for example when roaming in another country), call waiting, and advice
of charge [12]. The ability to provide these services introduces a new level of complexity. Because
information is transferred over the air interface at 13 kbps, transcoding schemes and format translation
services are provided by the GSM network components.
Voice information is digitized using the Regular Pulse Excitation-Long Term Prediction algorithm,
which removes enough redundancy from the voice signal to transmit it over the 13 kbps channel; this is
translated to pulse code modulation (PCM) and adaptive differential pulse code modulation (ADPCM)
by the GSM switching network for transmission over the PSTN [12].
Mobility management presents a unique set of challenges; users may roam into areas supported by other
carriers. Algorithms and protocols have been designed to locate users and handle charging while users
are visiting areas away from home. Data formats and control signals are transferred between the
switching systems and the mobile subscriber equipment.
Protocols used in GSM Network
The collection of components and services requires the use of several protocols to control calls, transfer
information, and provide overall system management [19]. There are four layers of communication:
• The radio frequency (RF) interface to the base transceiver station (BTS)
• The radio resource management (RR) layer to the base station controller (BSC)
• Mobility management (MM)
• Communications management (CM) to the mobile switching center/visitor location register
(MSC/VLR)
Additional protocols provide control services that are managed between the system switching and
management components: the Mobile Application Part and the transmission layer [7].
Transmission layer: the transmission layer sets up a connection between the mobile station (MS) and the
BTS [7]. The transmission channel between the MS and the BTS is a component unique to GSM cellular
networks; it is modified to operate on different frequencies in the case of personal communication
systems (PCS) and replaced in its entirety in the case of satellite communication systems.
Mobile Application Part (MAP): MAP is the protocol that allows the GSM network nodes within the
Network Switching Subsystem (NSS) to communicate with each other [7]. These nodes provide services
such as roaming, text messaging (SMS), and subscriber authentication. MAP provides an application
layer on which to build the services that support a GSM network; this application layer provides a
standardized set of operations. MAP is transported and encapsulated by the Signaling System No.7 (SS7)
protocols: the Message Transfer Part, Signaling Connection Control Part and Transaction Capabilities
Application Part (MTP, SCCP and TCAP) [7].
Radio Resource Management: the radio resource (RR) protocols are responsible for the allocation and
reallocation of traffic channels between the MS and the BTS [1]. These services include controlling
initial access to the system, paging for mobile-terminated calls, handover of calls between cell sites,
power control, and call termination. The RR protocols provide the procedures for the use, allocation,
reallocation, and release of the GSM channels.
RF interface to the BTS: the interface between the MS and the BTS consists of a frequency-hopped time
division multiple access (TDMA) channel that is divided into several sub-channels [8]. They are used
for the transmission of user information [19]. Moreover, to increase battery life and decrease
interference between stations operating in adjacent cell sites, the MS and the BTS transmitters
automatically adapt their transmission power [8]. Several channels are used in the air interface.
Mobility Management
One of the major features of GSM networks is the ability to support roaming users [1]. Through the
control signaling network, the mobile switching center (MSC) interacts with other nodes to locate and
connect to users throughout the network. "Location registers" are included in the MSC databases to
assist in determining how and whether connections are to be made to roaming users. A mobile subscriber
is assigned a Home Location Register (HLR) that maintains the user's location and subscribed services
[1]. A separate register, the Visitor Location Register (VLR), is used to track the location of a user. As
the user roams out of the area covered by the HLR, the mobile station (MS) notifies a new VLR of its
whereabouts. The VLR in turn uses the control network (which is based on SS7) to signal the HLR of the
MS's new location. With this information, mobile-terminated calls can be routed to the user by the
location information contained in the user's HLR.
Mobility management entails keeping track of the MS while it is on the move [1]. The mobility
management procedures differ across three MS states: the MS is turned off, the MS is in idle mode, and
the MS has an active call [12]. In the first state, when the network cannot reach the MS because it does
not respond to the paging message, the MS is considered to be turned off. In this state, the MS is
considered detached from the system (IMSI detached). In the second state, the MS is ready to make or
receive calls [3]; the system considers it attached (IMSI attached). The MS informs the system about any
change of LA while on the move; this is known as location updating. In the third state, the system has
allocated active radio channels to the MS for conversation and data flow. The MS is required to change
to new radio channels if the quality of the current channels drops below a certain level; this is known as
handover. The MSC (sometimes the BSC) makes the handover decision based on an analysis of
information obtained in real time from the MS and the BTS [3].
Location update
Location updating is the mechanism used to determine the location of an MS [12]. The MS initiates
location updating, which can occur when:
• The MS is first switched on
• The MS moves within the same VLR area, but to a new LA
• The MS moves to a new VLR area
• A location update timer expires
There are several reasons why a mobile may provide location update information to the network.
Whenever a mobile is switched on or off, the network may require it to perform an IMSI attach or IMSI
detach location update procedure. A mobile phone is required to regularly report its location at a set
time interval using a periodic location update procedure [12]. Whenever a mobile moves from one
location area to another while not on a call, a random location update is performed. This is also required
of a stationary mobile that reselects coverage from a cell in a different location area because of signal
fade.
The enabling of periodic updating, and the time period between periodic updates, is controlled by the
operator and is a trade-off between signaling traffic and speed of recovery. If a mobile does not register
within the updating time period, it is deregistered [3].
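To make the three MS states and the location-update triggers above concrete, the following is a small event model added here as an illustration; it is not code from the dissertation. It classifies each trigger (IMSI attach and detach, intra-VLR and inter-VLR location update, periodic update, and the implicit detach the network performs when the timer-based registration lapses) and counts how often the serving VLR has to signal the HLR over SS7. The class and function names, the LA-to-VLR mapping, the timer values and the movement trace are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# The three MS states described in the text.
IMSI_DETACHED, IMSI_ATTACHED, ACTIVE_CALL = "IMSI_DETACHED", "IMSI_ATTACHED", "ACTIVE_CALL"

# Operator-controlled periodic-update timer and the grace period after which a
# silent MS is deregistered. Values (seconds) are assumptions for this example.
PERIODIC_LU_TIMER = 3600.0
DEREGISTER_AFTER = 2 * PERIODIC_LU_TIMER


@dataclass
class MobileStation:
    imsi: str
    state: str = IMSI_DETACHED
    lai: Optional[str] = None        # location area the MS is registered in
    vlr: Optional[str] = None        # VLR serving that LA
    last_update: float = 0.0         # time of the last successful update
    hlr_updates: int = 0             # times the HLR had to learn a new VLR
    log: list = field(default_factory=list)


def lai_to_vlr(lai: str) -> str:
    """Constructed topology: LA1 and LA2 belong to VLR-A, every other LA to VLR-B."""
    return "VLR-A" if lai in ("LA1", "LA2") else "VLR-B"


def _register(ms: MobileStation, kind: str, lai: str, t: float) -> str:
    """Record a successful update; a change of VLR means the VLR informs the HLR."""
    new_vlr = lai_to_vlr(lai)
    if new_vlr != ms.vlr:
        ms.hlr_updates += 1          # VLR signals the HLR over the SS7 control network
    ms.lai, ms.vlr, ms.last_update = lai, new_vlr, t
    ms.log.append((t, kind, lai))
    return kind


def power_on(ms: MobileStation, lai: str, t: float) -> str:
    ms.state = IMSI_ATTACHED
    return _register(ms, "IMSI_ATTACH", lai, t)


def power_off(ms: MobileStation, t: float) -> str:
    ms.state = IMSI_DETACHED
    ms.log.append((t, "IMSI_DETACH", ms.lai))
    return "IMSI_DETACH"


def reselect_cell(ms: MobileStation, new_lai: str, t: float) -> Optional[str]:
    """Idle-mode cell reselection. Crossing an LA boundary, or a stationary MS that
    reselects into another LA after signal fade, triggers an LU; it is intra-VLR or
    inter-VLR depending on which VLR serves the new LA. Same LA: no signaling."""
    if ms.state != IMSI_ATTACHED or new_lai == ms.lai:
        return None
    kind = "INTER_VLR_LU" if lai_to_vlr(new_lai) != ms.vlr else "INTRA_VLR_LU"
    return _register(ms, kind, new_lai, t)


def tick(ms: MobileStation, t: float) -> Optional[str]:
    """MS side: periodic LU once the timer has expired since the last update."""
    if ms.state == IMSI_ATTACHED and t - ms.last_update >= PERIODIC_LU_TIMER:
        return _register(ms, "PERIODIC_LU", ms.lai, t)
    return None


def network_deregister_check(ms: MobileStation, t: float) -> Optional[str]:
    """Network side: an MS silent beyond the grace period is deregistered."""
    if ms.state == IMSI_ATTACHED and t - ms.last_update > DEREGISTER_AFTER:
        ms.state = IMSI_DETACHED
        ms.log.append((t, "IMPLICIT_DETACH", ms.lai))
        return "IMPLICIT_DETACH"
    return None


def run_trace():
    """Constructed movement trace; returns (procedures triggered, HLR update count)."""
    ms = MobileStation(imsi="001010123456789")   # constructed test IMSI
    steps = [
        power_on(ms, "LA1", 0.0),
        reselect_cell(ms, "LA1", 100.0),             # same LA: nothing sent
        reselect_cell(ms, "LA2", 200.0),             # new LA, same VLR
        reselect_cell(ms, "LA3", 300.0),             # new VLR area: HLR informed
        tick(ms, 300.0 + PERIODIC_LU_TIMER),         # timer expiry
        power_off(ms, 8000.0),
    ]
    return [s for s in steps if s], ms.hlr_updates


if __name__ == "__main__":
    print(run_trace())
```

The split between `reselect_cell` and `tick` is the point the text makes about the operator trade-off: the movement-driven updates are fixed by the LA layout, while the periodic ones scale with the chosen timer, and only the inter-VLR updates reach the HLR.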
Signaling in GSM Network
Signaling refers to all the control signals used within or between communication equipment whose
function is to set up communication [1]. The signaling used in the GSM network is Signaling System
No.7 (SS7). SS7 is a protocol with several layers, each providing functions for connection-oriented and
connectionless signaling in the GSM network. This is important in GSM networks; it is responsible for
call establishment, billing, maintenance and release of connections.
Signaling can be in-band or out-of-band. In-band signaling uses audio tones to convey its signals, that is,
the control information is exchanged in the same channel as the voice, whereas in out-of-band signaling
the control information is carried on a separate channel [2]. The in-band approach reserves a narrow
band within the voice band for conveying control signals. The GSM network uses SS7, and its
communications involve many signaling messages to enable information to be transferred from the
source to the destination.
2.1 GSM Network Architecture
The GSM network can be divided into three broad parts: the Mobile Station Subsystem (MSS), the
Base Station Subsystem (BSS), and the Network Switching Subsystem (NSS). The mobile station is
carried by the subscriber; the base station subsystem controls the radio link with the mobile station; and
the network switching subsystem consists of the Mobile service Switching Center (MSC), which
performs the switching of calls between mobile users, and between mobile and fixed network users.
The MSC also handles the mobility management operations. The Operations and Maintenance Center
oversees the proper operation and setup of the network [12, 14]. Figure 2.1 shows the architecture of a
GSM network.
Figure 2.1 General Architecture of a GSM Network (diagram: Base Transceiver Stations (BTS) connected
to Base Station Controllers (BSC); the Mobile service Switching Centre (MSC) with Visitor Location
Register (VLR), Home Location Register (HLR) and Gateway MSC (GMSC) forming the Network and
Switching Subsystem (NSS, the GSM core network), which connects to the PSTN, ISDN, PSPDN and
CSPDN)
2.2 Mobile Station subsystem
The Mobile Station Subsystem (MSS) consists of the mobile equipment (the terminal) and a smart card
called the Subscriber Identity Module (SIM).
The Mobile Equipment
This is the terminal carried about by the GSM subscriber. It comes in different forms and with different
supporting features; mobile equipment may also support different frequency bands. The GSM terminal
bears a unique number called the International Mobile Equipment Identity (IMEI), which is written on
the phone. The GSM network uses the IMEI number to identify valid terminals. It is also used to stop
stolen phones from accessing the network if they are reported, and it identifies the mobile equipment,
not the subscriber. The SIM card contains the International Mobile Subscriber Identity (IMSI) used to
identify the subscriber to the system, a secret key for authentication, and other information. The IMEI
and the IMSI are independent, thereby allowing personal mobility [14].
Mobile equipment comprises two parts: the transmitter and the receiver. The transmitter sends dialed
digits and voice signals from the handset to the network, while the receiver receives the signals sent to
the subscriber from the network. The digital processes that take place in the digital processor of the
mobile equipment transmitter include error protection coding, bit interleaving, encryption and
appending of frame bits. At the receiver, the digital processes include slot separation, removal of frame
bits, bit de-interleaving, decryption and error protection decoding [12].
Subscriber Identity Module (SIM)
The Subscriber Identity Module (SIM) is a smart card that stores subscriber information including the
International Mobile Subscriber Identity (IMSI). The SIM card can be inserted in any GSM phone to
enable the user to make and receive calls and use other subscribed services. The SIM card also allows
mobility, so that the user can have access to the subscribed services irrespective of the terminal. The
SIM card is protected against unauthorized use by a password or personal identity number [14].
SIM Authentication and security
Authentication is a process that proves that the MS contains the secret key value Ki. It is a very
important element of a mobile network for identifying a subscriber. Authentication involves two
functional entities: the SIM card in the mobile, and the Authentication Center (AuC). A subscriber is
given a secret key, one copy of which is stored in the SIM card and the other in the AuC. The AuC
generates a random number that is sent to the mobile during authentication. The mobile and the AuC
use the random number, in conjunction with the subscriber's secret key and a ciphering algorithm called
A3, to generate a signed response (SRES) that is sent back to the AuC. If the number sent by the mobile
is the same as the one calculated by the AuC, the subscriber is authenticated [7].
Encryption is applied against unauthorized listening: the MSC uses the same initial random number and
subscriber key to compute the ciphering key using an algorithm called A8. The ciphering key and the
TDMA frame number are fed to the A5 algorithm to create a 114-bit sequence that is XORed with the
114 bits of a burst (the two 57-bit blocks). Enciphering is an option for the fairly paranoid, since the
signal is already coded, interleaved, and transmitted in a TDMA manner, thus providing protection from
all but the most persistent and dedicated eavesdroppers. The Authentication Center (AuC) is a secured
database that handles the authentication and encryption keys. Authentication involves a two-way
transaction: the base station transmits a random "challenge number" (RAND) to the mobile set, with a
different value each time a call is to be connected or an authentication is to be performed for another
reason. The mobile set performs a calculation using that number with an internal secret number and
returns the result of the computation, SRES, over the radio link. The base system also knows what the
correct result will be, and can reject the connection if the mobile did not respond with the correct
number [8, 13].
However, even if a criminal copies the entire radio link transaction, this will not permit imitation of the
valid set, because the base system begins the next authentication with a different challenge value. This
transaction also generates other secret numbers, which are used in subsequent transmissions for
encryption of data.
There will be no technological fraud, such as customers presenting a false identity to get service but
never paying their bills (subscription fraud). The MSC does not contain any information about a
particular mobile station; this information is stored in the location registers. The network sends a
randomly generated number to the mobile. The mobile performs a calculation against it with a number
it has stored and sends the result back. If the switch gets the number it expects, the call proceeds. The
AuC stores all data needed to authenticate a call and to encrypt voice traffic and signaling messages [6].
Figure 2.2 shows the SIM authentication sequence. Calculations in the A3 algorithm are similar to
Lucifer or other encryption codes (repeated bit permutation XORed with a distinct secret number). It is
performed in a separate secure SIM chip (processor and memory) in GSM.
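As an added illustration of the challenge-response exchange and key derivation described above (this is not code from the dissertation), the following models the SIM and the AuC sharing Ki, the network issuing a fresh RAND, the SRES comparison, Kc derivation and per-frame burst ciphering. The real A3 and A8 are operator-specific and A5 is a dedicated stream cipher; here HMAC-SHA-256 stands in for all three, which is an assumption, as are the class names, the function names and the constructed test key and IMSI. The demo also shows the point made in the text: a recorded exchange does not re-authenticate, because the next challenge uses a different RAND.

```python
import hashlib
import hmac
import os


def a3_sres(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A3 (assumption): 32-bit signed response (SRES) from Ki and RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8_kc(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for A8 (assumption): 64-bit ciphering key (Kc) from the same Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


def a5_keystream(kc: bytes, frame_number: int, nbits: int = 114) -> int:
    """Stand-in for A5 (assumption): nbits of keystream keyed by Kc and the TDMA frame number."""
    digest = hmac.new(kc, frame_number.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - nbits)


def cipher_burst(kc: bytes, frame_number: int, burst: int) -> int:
    """XOR the 114 payload bits of a burst with that frame's keystream.
    XOR is its own inverse, so the same call deciphers at the other end."""
    assert 0 <= burst < (1 << 114)
    return burst ^ a5_keystream(kc, frame_number)


class SimCard:
    """Holds one copy of the subscriber key Ki and never reveals it."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> tuple:
        return a3_sres(self._ki, rand), a8_kc(self._ki, rand)


class AuthenticationCenter:
    """Holds the other copy of each Ki and produces (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str) -> tuple:
        rand = os.urandom(16)                   # fresh challenge on every request
        ki = self._keys[imsi]
        return rand, a3_sres(ki, rand), a8_kc(ki, rand)


def authenticate(auc: AuthenticationCenter, imsi: str, respond) -> tuple:
    """MSC/VLR side: challenge the MS and compare SRES in constant time.
    Returns (accepted, kc); kc is None when authentication fails."""
    rand, expected_sres, kc = auc.triplet(imsi)
    sres, _ = respond(rand)
    if hmac.compare_digest(sres, expected_sres):
        return True, kc
    return False, None


def demo() -> dict:
    """Constructed scenario: a genuine SIM, then a replay of a previously captured SRES."""
    ki = bytes.fromhex("0123456789abcdef0123456789abcdef")   # constructed test key
    imsi = "001010123456789"                                 # constructed test IMSI
    auc = AuthenticationCenter()
    auc.provision(imsi, ki)
    sim = SimCard(imsi, ki)

    ok, kc = authenticate(auc, imsi, sim.respond)

    # A recording of one exchange only yields the SRES for that RAND; the network's
    # next challenge is a different RAND, so replaying the old SRES is rejected.
    rand_seen, _, _ = auc.triplet(imsi)
    sres_seen, _ = sim.respond(rand_seen)
    replay_ok, _ = authenticate(auc, imsi, lambda _rand: (sres_seen, b""))

    # Burst ciphering with the agreed Kc: both ends derive the same keystream per frame.
    burst = (1 << 113) | 0xABCDEF
    enc = cipher_burst(kc, 42, burst)
    dec = cipher_burst(kc, 42, enc)
    return {"genuine": ok, "replay": replay_ok,
            "roundtrip": dec == burst, "ciphertext_differs": enc != burst}


if __name__ == "__main__":
    print(demo())
```

Note that Ki never crosses the radio link: only RAND and SRES do, and Kc is computed independently on both sides, which is why the AuC's random-number quality and the secrecy of the Ki copies are what the whole scheme rests on.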
2.3 Base Station Subsystem
The Base Station Subsystem is composed of two parts; the Base Transceiver Station (BTS) and
the Base Station Controller (BSC). These communicate across the standardized Abis interface,
allowing operation between components made by different suppliers. Figure 2.3 shows the
GSM base station subsystem [14].
Figure 2.2 SIM authentication sequence (diagram: the MSC/base sends RAND to the MS; the MS computes
SRES from Ki and RAND with the A3 algorithm and returns it; the network compares the bits against the
correct value and decides authentic or wrong)
The Base Transceiver Station (BTS)
The Base Transceiver Station, also called the Remote Base Station (RBS), houses the radio transceivers
that define a cell and handles the radio-link protocols with the mobile station. The base transceiver
station contains the equipment for encryption and decryption and the link to the base station controller.
In a large urban area, there would be a large number of BTSs with several transceivers deployed. The
performance of a BTS is increased using frequency hopping, which switches the voice traffic between the
transceiver and the mobile equipment [14]. The requirements for a BTS are ruggedness, reliability,
portability, and minimum cost. It is controlled by the Base Station Control Function (BCF) through the
BSC. The BCF is a unit that provides an operations and maintenance connection to the network
management system.
Figure 2.3 GSM Base Station Subsystem (diagram: mobile terminal connected over the radio interface to a
BTS; BTSs connected over the Abis interface to BSCs, grouped into location areas LA 1 and LA 3; BSCs
connected onward over the A interface)
Functions of different components of a BTS
The functions of the components of a BTS are as follows:
• Transceiver: transmits and receives signals to and from other components of the
network such as the BSC.
• Power Amplifier: amplifies the signals from the transceiver for transmission through the
antenna [12].
• Combiner: puts together signals from several transceivers for onward
transmission through the antenna, reducing the number of antennas used.
• Duplexer: separates the signals sent to and received from the antennas.
• Alarm Extension System: collects working status alarms of the various units in the BTS
and sends them to the operations and maintenance monitoring stations.
• Control Functions: control the BTS and manage its various units and the software for
the functioning of the BTS, software upgrades, and status changes [14].
The Base Station Controller (BSC)
The BSC manages the radio resources for one or more BTSs. It is responsible for the
allocation, release and management of the radio channels, frequency hopping, and handovers.
The BSC is the connection between the mobile station and the Mobile Switching Center
(MSC). It is a small switch linking the several cells under its control to the MSC [19]. Figure
2.4 describes the switching of the incoming traffic channels to their correct Abis-interface
channels.
The Internal Structure of a BSC
• Database: the BSC is the control centre for the BSS. It contains the complete BTS
operations software for all attached BTSs and BSS-specific information such as assigned
frequencies. It maintains the quality of the radio resources and of the BSS.
• The switch matrix switches the incoming traffic channels to the correct Abis-interface
channels. It also takes care of the relay functionality.
• Terminal control elements (TCEs) of the Abis interface connect the BSC to the BTS.
The number of Abis TCEs that a BSC contains depends on the number of BTSs and the
system manufacturer. The major tasks of the Abis TCEs are to set up LAPD connections
towards the BTS, the transfer of signaling data, and the transparent transfer of payload.
They also administer the BTS radio resources, that is, the assignment and release of
signaling and traffic channels over the Abis interface and the Air interface. They also help
in the evaluation of measurement results from the BTS concerning busy and idle
channels, which are relevant for the power control used in handover decisions.
Figure 2.4 Block diagram of a BSC (diagram: Abis-interface TCEs and A-interface TCEs attached
to a switch matrix, a central database, central functions with clock distribution, the OMC
connection, and terminal modules (TM) on each interface)
• The A-interface Terminal Control Elements (A-TCEs): A-TCE is required for the
connection of a BSC to the MSC. It is for setting up and operating the SS7/SCCP
connection towards the MSC.
• The central module decides when a handover should take place and handles power control.
It also connects to the OMC, which manages the BSS through the BSC.
• Connection to the OMC: the central module provides the connection to the OMC; every
BSS is supervised and managed by an OMC through the BSC [19].
2.4 Network Switching System (NSS)
The Network Switching System, which consists of the Mobile Switching Center (MSC), the Home
Location Register (HLR) and the Visitor Location Register (VLR), is the GSM core network. It is
responsible for the switching, handling of calls and mobility management. It uses an intelligent network,
which separates the central database (HLR) from the switch (MSC) and uses STP to transport
signaling among the MSC and HLR. The MSC is the central component of this system [7].
Mobile Switching Center (MSC)
The central component of the Network Subsystem is the Mobile Switching Center (MSC). It
provides all the functionality needed to handle mobile subscriber applications, such as
registration, authentication, location updates, handovers, and call routing to a roaming
subscriber [7]. The MSC provides the connection between the GSM network and other
networks such as PSTN and ISDN. Signaling between functional entities in the Network
Subsystem uses Signaling System Number 7 (SS7), used for trunk signaling in ISDN and
widely used in current public networks [22]. The mobile switching center also handles
connections between cells. As a mobile user moves from one cell to another, a handover
procedure is carried out which transfers the connection from one base station to another,
allowing the call to continue without interruption [22].
Gateway Mobile Switching Center (GMSC)
This is an MSC with an interface to other networks. An MSC routes calls to the gateway MSC,
which routes them to their destination networks. The Interworking Function (IWF) is a gateway
for the MSC to interface with external networks for communication with users outside GSM, such
as a packet-switched data network (PSDN) or a circuit-switched data network (CSDN). The role
of interworking function depends on the type of user data and the network to which it interfaces.
An incoming mobile terminating call is routed to a Gateway MSC, which finds the correct HLR
by knowing the directory number of the subscriber. GMSC has an interface with the external
network and the network operates the full SS7 signaling between NSS machines [7].
The Home Location Register (HLR)
The Home Location Register is the GSM network permanent database which contains all the
administrative information of each subscriber registered in the corresponding GSM network,
along with the current location of the mobile. The location of the mobile is typically in the form
of the signaling address of the VLR associated with the mobile station. The Home Location
Register (HLR), Visitor Location Register (VLR), and the MSC provide the call routing and
roaming capabilities of a GSM network. There is logically one HLR per GSM network,
although it may be implemented as a distributed database [8].
The Visitor Location Registers (VLR)
The VLR is a temporary database containing the data necessary to set up calls to and from the
mobile station. It contains the location area in which the mobile is roaming, the mobile station
roaming number, the International Mobile Subscriber Identity and the Mobile Station ISDN
number. The VLR keeps the Home Location Register (HLR) updated on the location of the user [5].
It contains selected administrative information from the HLR, necessary for call control and
provision of the subscribed services, for each mobile currently located in the geographical area
controlled by the VLR.
Moreover, each functional entity can be implemented as an independent unit. All manufacturers
of switching equipment implement the VLR together with the MSC, so that the geographical area
controlled by the MSC corresponds to that controlled by the VLR, thus simplifying the
signaling required.
The Equipment Identity Register (EIR)
The EIR is a database in the GSM network which contains a list of all valid mobile equipment in
the network [6]. The mobile station is identified by its International Mobile Equipment Identity
(IMEI). The EIR marks an IMEI invalid if stolen, hence denying access to the subscriber, and checks
for unauthorized calls from mobile stations [6]. The EIR maintains three lists; the list a terminal
appears on is the status returned in response to an IMEI query to the EIR. These are:
• White-listed: contains all approved types of mobile equipment (type approval
codes). The terminal is allowed to connect to the network.
• Grey-listed: contains all mobile equipment to be traced. The terminal is under observation
by the network for possible problems.
• Black-listed: contains all mobiles to be barred (complete IMEI). The terminal has either
been reported stolen, or is not type approved (the correct type of terminal for a GSM
network). The terminal is not allowed to connect to the network [6]. Figure 2.5 shows the
Equipment Identity Register contents.
Figure 2.5 Equipment Identity Register contents (diagram: the white, grey and black lists)
The Authentication Center (AuC)
The Authentication Center holds the authentication and encryption parameters that verify a user's
identity. An International Mobile Equipment Identity (IMEI) is marked as invalid if it has been
reported stolen or is not type approved. The Authentication Center (AuC) is a protected
database that stores a copy of the secret key stored in each subscriber's SIM card. This secret
key is used for authentication and encryption over the radio channel. The AuC is often
considered part of HLR [6, 8]. Figure 2.6 illustrates the internal structure of the network
switching system.
2.5 GSM Network Architecture over the interfaces
The different components that make up the GSM network have to communicate with each other
to enable efficient service provisioning [6]. Figure 2.7 shows the architecture of the GSM
network interfaces over the signalling network.
Figure 2.6 Network Switching System (diagram: within the NSS, the MSC/VLR, HLR, AuC and GMSC
are linked over SS7; the MSC/VLR connects to the BSSs and the GMSC to the PSTN; control flow (CF)
and user data flow (UDF) are distinguished)
As shown in Figure 2.7, MAP signalling is transferred over the B, C, D, E, F and G interfaces
in the GSM network [8]. The BSSAP is responsible for the A interface. The description of each
interface is as follows:
Um interface: the air interface used for exchange between the mobile station (MS) and the
Base Station Subsystem (BSS). This interface uses the Link Access Protocol for the ISDN D
channel, mobile variant (LAPDm), for signalling.
Abis interface: a BSS-internal interface that links the BSC and the BTS. This interface
uses TDMA traffic channels for traffic and the LAPD protocol for BTS control, frequency allocation,
maintenance data and signalling.
A-interface: is the communication interface between the network subsystem and the base
station subsystem. With respect to the functional entity of the subsystem, the A interface is the
interface between the Base Station Controller (BSC) and the Mobile Switching Centre (MSC).
The information transferred by this interface includes mobile station management, base station
management, mobility management and call processing.
Figure 2.7 GSM Network Architecture over Interfaces (diagram: MS to BTS over Um; BTS to BSC over
Abis; BSC to MSC over A; MSC to VLR over B; MSC to HLR over C; VLR to HLR over D; MSC to MSC over
E; MSC to EIR over F; VLR to VLR over G)
B-interface: is the interface between the VLR and the MSC. The B interface is used for the
MSC to query the current location information of a Mobile Station (MS). It is used for the
operations of supplementary services.
C-interface: is the interface between the MSC and the HLR. It is used when transferring short
messages to the MS, and used for the SMS gateway to obtain the number of the MSC where the
MS is currently located from the HLR.
D-interface: is the interface between the VLR and the HLR. This interface is used to exchange
the location information of the MS. The data exchange through the D interface is needed for the
service modification request of the subscriber such as supplementary service operation and the
subscriber data modification of the operation.
E-interface: is the interface between one MSC and another MSC. The E interface is used to
control the handover between different MSCs in neighbouring cells. The E interface is also
used for the data exchange between the MSCs to start and implement the handover operation.
F-interface: this is an interface between the MSC and the EIR. When an MSC needs to check
the validity of the International Mobile Equipment Identity (IMEI), the F interface is needed for
exchanging IMEI-related information with the EIR.
G-interface: is the interface between two VLRs. When a mobile subscriber roams
to a cell controlled by a new VLR and the Temporary Mobile Subscriber Identity (TMSI) is used to
initiate the location update, the G interface is used by the current VLR to obtain the IMSI and
the authorization set from the previous VLR.
In the GSM network, MAP is responsible for information transfer between the GSM functional
entities through the SS7 system in the following processes: location update; user management
(authorization, encryption and IMEI management); routing functions (access processing and
paging); processing of supplementary services; handover; short message service; and operation
and maintenance. The VLR and MSC are integrated into the same entity, so the B interface becomes
an internal interface, while the C and D interfaces can share the same physical connection, as can
the E and G interfaces [6].
Link Layer on the Air interface
The data link layer over the radio link connecting the MS to the BSS is based on a LAPD-like
protocol, labeled LAPDm that has been modified for operation within the constraints set by the
radio path. In particular, LAPDm uses no flags for frame delimitation. Frame delimitation in
LAPDm is denoted by the physical layer that defines the transmission frame boundaries [9].
LAPDm uses a “Length Indicator” field to distinguish the information-carrying field from the fill-in
bits used to fill the transmission frame. The LAPDm address field carries the 3-bit service access
point identifier (SAPI), which identifies the user of the service provided by the protocol [10].
The 2-bit link protocol discriminator (LPD) specifies a particular recommendation for the use of
LAPDm; the C/R is a single bit which specifies a command or response frame, as in LAPD; and the
1-bit extended address (EA) is used to extend the address field to more than one octet (the EA bit
is set to 1 in the last octet of the address and to 0 otherwise).
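A parser for the address and length-indicator octets just described, added here as an example and not taken from the thesis. Bit positions follow 3GPP TS 44.006 for a 23-octet format B frame (address, control, length indicator, information, then fill octets of 0x2B); the sample frame is constructed, and the checks on the length indicator are the ones a defensive receiver needs so that a bad indicator cannot read past the frame.

```python
"""Added example: encode and parse the LAPDm address and length-indicator octets.

Not code from the thesis. Layout per 3GPP TS 44.006 (format B frame):
address octet: bit 8 spare, bits 7-6 LPD, bits 5-3 SAPI, bit 2 C/R, bit 1 EA;
length-indicator octet: bits 8-3 L, bit 2 M (more), bit 1 EL (always 1).
"""
from dataclasses import dataclass

FRAME_LEN = 23        # octets in a format B frame (SDCCH/SACCH/FACCH)
HEADER_LEN = 3        # address + control + length indicator
MAX_INFO = FRAME_LEN - HEADER_LEN
FILL_OCTET = 0x2B     # fill bits that pad the transmission frame


@dataclass(frozen=True)
class LapdmHeader:
    lpd: int      # link protocol discriminator (0 = GSM signalling)
    sapi: int     # service access point identifier (0 = CC/MM/RR, 3 = SMS)
    cr: int       # command/response bit
    ea: int       # extended address bit (1: address field is one octet)
    control: int  # control octet, passed through unparsed here
    length: int   # L: number of information octets
    more: bool    # M: more segments of this layer-3 message follow


def build_lapdm(sapi: int, cr: int, control: int, info: bytes,
                more: bool = False, lpd: int = 0) -> bytes:
    """Assemble a 23-octet frame: header, information field, fill octets."""
    if not (0 <= sapi < 8 and cr in (0, 1) and 0 <= lpd < 4):
        raise ValueError("SAPI is 3 bits, C/R 1 bit, LPD 2 bits")
    if len(info) > MAX_INFO:
        raise ValueError(f"information field longer than {MAX_INFO} octets")
    address = (lpd << 5) | (sapi << 2) | (cr << 1) | 1          # EA = 1
    length_ind = (len(info) << 2) | (int(more) << 1) | 1         # EL = 1
    fill = bytes([FILL_OCTET]) * (MAX_INFO - len(info))
    return bytes([address, control & 0xFF, length_ind]) + info + fill


def parse_lapdm(frame: bytes):
    """Return (LapdmHeader, information field); reject malformed frames."""
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} octets, got {len(frame)}")
    address, control, length_ind = frame[0], frame[1], frame[2]
    ea = address & 0x01
    if ea != 1:
        raise ValueError("EA=0: multi-octet addresses are not used in LAPDm")
    cr = (address >> 1) & 0x01
    sapi = (address >> 2) & 0x07
    lpd = (address >> 5) & 0x03
    if length_ind & 0x01 != 1:
        raise ValueError("EL=0: length indicator must be a single octet")
    more = bool(length_ind & 0x02)
    length = length_ind >> 2
    if length > MAX_INFO:
        # A receiver that trusts L blindly would read beyond the frame.
        raise ValueError(f"length indicator {length} exceeds {MAX_INFO}")
    info = frame[HEADER_LEN:HEADER_LEN + length]
    if any(b != FILL_OCTET for b in frame[HEADER_LEN + length:]):
        raise ValueError("unexpected non-fill octets after information field")
    return LapdmHeader(lpd, sapi, cr, ea, control, length, more), info


if __name__ == "__main__":
    sample = build_lapdm(sapi=0, cr=1, control=0x01,
                         info=b"\xaa\xbb\xcc\xdd\xee")   # constructed payload
    print(sample.hex())
    print(parse_lapdm(sample))
```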
2.6 GSM Channel Structure
Channels are defined by the number and position of their corresponding burst periods within a
TDMA frame. There are two types of channels, namely traffic (dedicated) channels, which are
allocated to a mobile station, and control channels, which are used by mobile stations in idle
mode [14].
GSM Traffic channel (TCH)
A traffic channel (TCH) is used to carry speech and data traffic. Traffic channels are defined
using a 26-multiframe, a group of 26 TDMA frames. The length of a 26-multiframe is 120 ms,
which defines the length of a burst period (120 ms divided by 26 frames divided by 8 burst
periods per frame). Of the 26 frames, 24 are used for traffic, 1 is used for the Slow
Associated Control Channel (SACCH) and 1 is unused [12]. The unused frame allows the
mobile network to perform other functions such as measuring the signal strength of
neighboring cells. TCHs for the uplink and downlink are separated in time by 3 burst periods,
which prevents the mobile station from transmitting and receiving simultaneously.
In addition, half-rate TCHs double the capacity of the system once half-rate speech codecs are
specified (i.e., speech coding at around 7 kbps instead of 13 kbps). Eighth-rate TCHs are also
specified and are used for signaling. They are grouped in a 26-multiframe and have a different
internal structure from the full-rate traffic channel. In the recommendations, they are called Stand-alone
Dedicated Control Channels (SDCCH) [17].
GSM Control Channel
The control channels are used for network management and channel maintenance. They are
also used by idle mode mobiles to exchange the signaling information required to change to
dedicated mode [13]. Mobiles already in dedicated mode monitor the surrounding base stations
for handover and other information.
There are three main control channels in GSM, which are as follows:
(i) The broadcast channel (BCH)
(ii) The common control channel (CCCH)
(iii) The dedicated control channel (DCCH)
Each control channel consists of several logical channels which are distributed in time to
provide the necessary GSM control functions.
Broadcast channels (BCHs): these channels are used by the BTS to provide mobile equipment
with synchronization information. They continually broadcast on the downlink information
including base station identity, frequency allocations, and frequency-hopping sequences. The
BCH is defined by three separate channels which are given access to TS 0 during various time
frames of the 51-frame sequence [17]. There are three types of BCHs:
• Broadcast control channel (BCCH): used by the BSS to broadcast system information to
mobile equipment, such as the synchronization parameters, available services and cell
identity.
• Synchronization channel (SCH): carries information from the BSS for frame
synchronization; that is, it gives the mobile equipment the training symbol sequence needed to
demodulate the information transmitted by the BTS.
• Frequency control channel (FCCH): carries information from the BSS for carrier
synchronization. Every cell in a GSM network broadcasts exactly one FCCH and one
SCH, which are by definition on time slot number 0 within a TDMA frame.
Common control channel (CCCH): common control channels are used for transferring
signaling information between all mobiles and the BSS for call origination and call paging
functions. There are three common control channels:
• Paging Channel (PCH): provides paging signals from the base station to all mobiles in
the cell, and notifies a specific mobile of an incoming call [7].
• Random Access Channel (RACH): is used by the mobile stations to request access to
the network. The mobiles use the slotted Aloha scheme over this channel to request
access from the network.
• Access Grant Channel (AGCH): is used by the BTS to assign resources to a mobile for
signaling, in order to obtain a DCCH channel following a request on the RACH.
Dedicated control channels (DCCH): these channels are used for message exchange between
a mobile and the network. There are three types of dedicated control channels in GSM:
• Stand-alone dedicated control channel (SDCCH): this channel is used for the transfer
of call control signaling before a TCH is assigned; the SDCCH has its own SACCH to and from the
mobile during call setup. It is released once call setup is complete. It ensures that the
mobile station and the base station remain connected while the base station and MSC
verify the subscriber unit and allocate resources for the mobile [11].
• Slow associated control channel (SACCH): is used for channel maintenance and
control. The SACCH is implemented on frame 12 (numbered from 0), providing eight
SACCH channels, one dedicated to each of the eight TCH channels. Frame 25 in the
multiframe is currently idle and reserved to implement the additional eight SACCHs
required when half-rate speech channels become a reality [17].
• Fast associated control channel (FACCH): carries signaling data and is assigned
whenever an SDCCH has not been dedicated to a particular user and there is an urgent
message. It is obtained on demand by stealing from the TCH, and is used by either end
for signaling, transfer characteristics of the physical path, or other purposes such as
connection and handover control messages. The stealing of a TCH slot for FACCH
signaling is indicated through a flag within the TCH slot. The Random Access Channel
(RACH), Access Grant Channel (AGCH), and Stand-alone Dedicated Control Channel
(SDCCH) are used for MS location updating [17].
The GSM Slow Associated Control Channel (SACCH) associated with the SDCCH permits the mobile
station (MS) to report to the base station (BS) the signal quality it measures on the beacon
frequencies. The channels involved in handover are the Traffic
Channel (TCH) and the Fast Associated Control Channel (FACCH). The control channels
involved in call setup are the Paging Channel (PCH), used to alert the mobile station (MS),
RACH, AGCH, SDCCH, FACCH and TCH. A mobile originated call involves the
RACH, while the FACCH is used in call release [17].
2.7 GSM TDMA Frame
The method chosen by GSM is a combination of Time and Frequency Division Multiple Access
(TDMA/FDMA). The FDMA part involves the division by frequency of the (maximum) 25
MHz bandwidth into 124 carrier frequencies spaced 200 kHz apart. One or more carrier
frequencies are assigned to each base station. These carrier frequencies are then divided in time,
using a TDMA scheme [14]. The fundamental unit of time in this TDMA scheme is called a
burst period. The GSM TDMA frame time axis is divided into eight time slots of length 0.577
ms, which are grouped into a frame with length 4.615 ms. This forms the basic unit for the
definition of logical channels. One physical channel is one burst period per TDMA frame.
GSM Time Slots Structure
The TDMA factor of 8 in combination with a carrier spacing of 200 kHz would correspond to
the earlier analog system using single channel per-carrier with a 25 kHz carrier spacing. TDMA
structure is applied in both the forward (base station to mobile) and the reverse (mobile to base
station) directions. The numbering is staggered by three time slots to prevent the mobile station
from transmitting and receiving at the same time. These time slots are used to carry user and
signaling or control information in bursts [9]. GSM defines a variety of traffic and signaling or
control channels of different bit rates. These channels are assigned to logical channels derived
from multiframe structuring of the basic eight slotted TDMA frames. The GSM TDMA has two
types of burst duration which are the full duration (normal) and the short duration burst.
• Full Duration Burst: is used to carry data and signaling, and has a total length of
156.25 bits. The full duration burst is made up of two 57-bit information blocks, a 26-bit
training sequence used for equalization, 1 stealing bit for each information block (used
for FACCH), 3 tail bits at each end, and an 8.25-bit guard sequence, as shown in Figure
2.9. The 156.25 bits are transmitted in 0.577 ms, giving a gross bit rate of 270.833 kbps.
The stealing flag bit indicates whether the normal burst has been replaced with FACCH signaling
information or not [11]. The frequency correction burst (F burst) is used on the FCCH
to correct the mobile station radio frequency. The synchronization burst (S burst) is
used on the SCH to set the hyperframe counter in mobile stations. It contains a 64-bit
training sequence and a 39-bit information field. These bursts have the same length as a
normal burst, but a different internal structure which differentiates them from normal
bursts. FCCH and SCH bursts are used in TS 0 of specific frames to broadcast the
frequency and time synchronization control messages on the forward link [14].
• Short Duration Burst: this is used by all mobiles to access services from any base
station [11]. The short duration burst is an access burst used on TS 0 of a predesignated carrier
in the uplink direction and, after handover, on any time slot in the uplink direction.
The dummy burst is used as filler information for unused time slots in the forward link. The
access burst is shorter than the normal burst, and is used only on the RACH [17].
Figure 2.8 illustrates the organization of bursts, TDMA frames, and multiframes for
speech and data.
2.8 GSM Frame Structures and Hierarchy
There are eight timeslots per TDMA frame, and the frame period is 4.615 ms. A frame contains
8 × 156.25 = 1250 bits, although some bit periods are not used. The frame rate is
270.833 kbps / 1250 bits per frame, or 216.66 frames/s. The 13th and the 26th frames are not used
for traffic, but for control purposes. In the frame hierarchy, frames are grouped into larger
structures called multiframes, which are grouped into superframes and hyperframes. One
multiframe contains 26 TDMA frames, and one superframe contains 51 multiframes, or 1326
TDMA frames [14]. A hyperframe contains 2048 superframes, or 2,715,648 TDMA frames.
Figure 2.8 Organization of bursts, TDMA frames, and multiframes for speech and data
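The burst and frame arithmetic of sections 2.7 and 2.8 carried through in code, added here as an example and not taken from the thesis. It rebuilds the quoted figures (156.25-bit burst, 1250-bit frame, 4.615 ms, 120 ms, 1326 and 2,715,648 frames) from the normal-burst layout and the 270.833 kbit/s gross bit rate, and, going slightly beyond the text, splits a frame number into the T1/T2/T3 counters that GSM carries on the SCH and uses the 26-multiframe position (frame 12 SACCH, frame 25 idle) to label the frame's role on a full-rate TCH.

```python
"""Added example: GSM burst, frame and multiframe arithmetic (not from the thesis).

Exact fractions are used so the quoted values fall out without rounding error.
"""
from fractions import Fraction

# Normal burst layout in bits, in transmission order (section 2.7).
NORMAL_BURST = {
    "tail": 3, "data_1": 57, "stealing_1": 1, "training": 26,
    "stealing_2": 1, "data_2": 57, "tail_end": 3, "guard": Fraction(33, 4),
}
SLOTS_PER_FRAME = 8
FRAMES_PER_MULTIFRAME = 26           # traffic (TCH) multiframe
MULTIFRAMES_PER_SUPERFRAME = 51
SUPERFRAMES_PER_HYPERFRAME = 2048
GROSS_BIT_RATE = Fraction(1625000, 6)   # bit/s, i.e. 270.833 kbit/s
UPLINK_OFFSET_SLOTS = 3              # uplink lags downlink by 3 burst periods
SACCH_FRAME, IDLE_FRAME = 12, 25     # positions within the 26-multiframe


def bits_per_burst() -> Fraction:
    return sum(NORMAL_BURST.values())                # 156.25


def bits_per_frame() -> Fraction:
    return SLOTS_PER_FRAME * bits_per_burst()        # 1250


def burst_period_s() -> Fraction:
    return bits_per_burst() / GROSS_BIT_RATE         # 0.577 ms


def frame_period_s() -> Fraction:
    return SLOTS_PER_FRAME * burst_period_s()        # 4.615 ms


def frames_per_second() -> Fraction:
    return 1 / frame_period_s()                      # 216.67


def multiframe_period_s() -> Fraction:
    return FRAMES_PER_MULTIFRAME * frame_period_s()  # 120 ms


def uplink_delay_s() -> Fraction:
    return UPLINK_OFFSET_SLOTS * burst_period_s()


def frames_per_superframe() -> int:
    return FRAMES_PER_MULTIFRAME * MULTIFRAMES_PER_SUPERFRAME      # 1326


def frames_per_hyperframe() -> int:
    return SUPERFRAMES_PER_HYPERFRAME * frames_per_superframe()    # 2,715,648


def split_frame_number(fn: int) -> dict:
    """Decompose a frame number as GSM counts it: T1 = superframe index,
    T2 = position in the 26-multiframe, T3 = position in the 51-multiframe.
    The role is for a full-rate TCH timeslot (frame 12 SACCH, frame 25 idle)."""
    if not 0 <= fn < frames_per_hyperframe():
        raise ValueError("frame number outside the hyperframe")
    t1, t2, t3 = fn // frames_per_superframe(), fn % 26, fn % 51
    role = {SACCH_FRAME: "SACCH", IDLE_FRAME: "idle"}.get(t2, "TCH")
    return {"T1": t1, "T2": t2, "T3": t3, "role": role}


if __name__ == "__main__":
    print(f"burst {float(burst_period_s())*1e3:.3f} ms, "
          f"frame {float(frame_period_s())*1e3:.3f} ms, "
          f"multiframe {float(multiframe_period_s())*1e3:.1f} ms")
    print(f"hyperframe {frames_per_hyperframe()} frames = "
          f"{float(frames_per_hyperframe() * frame_period_s()):.2f} s")
    print(split_frame_number(12), split_frame_number(1326 + 25))
```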