8/10/2019 Signalling and Control in GSM
1/22
0
Cellular Telecommunications
Architecture
Background
Air interfaces
Network protocols
Application: Messaging
Research
1
Signaling and control in GSM
Common control channel
structure
broadcast channels
channel access from mobile
procedures and messages for call control
Traffic channel
structure handoffs
8/10/2019 Signalling and Control in GSM
2/22
2
GSM control functions
Read system parameters
Register
Receive and originate calls
Manage handoffs
3
GSM Structure
Common Control Channel (CCCH)
Used for control information registration Paging
Call origination/termination
Traffic Channel (TCH)
information transfer
in-call control (fast/slow associated control channels
Traffic Channel (per user in a call)
TCH (13 Kbps)
Common Control ChannelBase
Station
MS1
MS2
8/10/2019 Signalling and Control in GSM
3/22
4
GSM CCCH
Reverse
(MS -> BS)
Forward
(BS -> MS)
Forward
(BS -> MS)
Forward
(BS -> MS)
Forward
(BS -> MS)
Random Access
Control Channel
(RACH)
Paging and
Access Grant
Channel (PAGCH)
Broadcast
Control
Channel
(BCCH)
Synchronization
Channel
(SCH)
Frequency
Correction
Channel
(FCCH)
PCH
AGCH
CCCH
5
GSM CCCH structure
TDMA Frame:
Slot 1 Slot 2 Slot 4 Slot 5 Slot 6 Slot 7 Slot 8Slot 3 Frame: 4.615 msec
Block
Frame 1 Frame 2 Frame 3 Frame 5151 multiframe:
235 msec
FCCH (0) SCH (1) BCCH (2-5) PAGCH(6-9)
CCCH uses 1 slot/frame; other seven used for TCH
Channel name (frame #):
TCH: 26 multi-frame repeats every 120 msec)
FCCH (0) SCH (1) PAGCH(2-9).
.
.
FCCH (0) SCH (1) PAGCH(2-9) 10
8/10/2019 Signalling and Control in GSM
4/22
6
GSM: BCCH
Broadcast to all users on the CCCH
No addressing
Used to acquire system parameters so mobile may operate within the system
Key parameters (contained in RR SYSTEM INFORMATION MESSAGES)
RACH control parameters
cell channel descriptions (frequencies)
neighbor cells (frequencies)
cell id
Location Area ID (LAI)
Control channel description
7
GSM: FCCH and SCH
Keeps system synchronization
Broadcasts basestation ID
8/10/2019 Signalling and Control in GSM
5/22
8
GSM: Mobile Channel Access Procedures (RACH)
MS communicates with BS over RACH
Feedback provided with AGCH
Functions:
responses to page
location update (registration)
call origination
9
GSM: RACH procedures (Layer 2)
Slotted ALOHA
mobiles contend when making reservations
when reservation is successful, no more contention
Mobile
sends assignment request with information
Basestation
sends back assignment with information echoed
Creates Radio Resource (RR) connection (Stand-Alone Dedicated Control Channel)
may be a physical channel may be a traffic channel is signaling-only mode
may eventually be bandwidth stolen from TCH (associated control channel)
a b c,d e c
a b e c
8/10/2019 Signalling and Control in GSM
6/22
10
GSM: Paging Channel (PCH)
Used to send pages to mobile devices
incoming calls
Done at regular intervals
mobiles belong to a paging class
allows sleeping
More than 1 mobile paged at a time
11
GSM: Access Grant Channel (AGCH)
Allocates dedicated resources
TCH
Stand-alone Dedicated Control Channels
Responds to RACH requests
8/10/2019 Signalling and Control in GSM
7/22
12
Basic Flow on Air Interface
Mobile Basestation
Request dedicated signaling channel
Assign dedicated signaling channel
Signal
Release signaling channel
13
GSM Signaling Protocol Structure
RIL-3 CC (Uses MM-connection)
call establishment
signaling during a call
tone signaling
call clearing
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
8/10/2019 Signalling and Control in GSM
8/22
14
GSM Signaling Protocol Structure
RIL-3 MM (Uses RR-connection)
common (over RR)
temporary ID maintenance (TMSI reallocation)
authentication
ID procedures
de-registration (IMSI detach)
specific (no RR required)
location update
periodic update
registration (IMSI attach)
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
15
GSM Signaling Protocol Structure
RIL-3 RR
paging
connection transfer
handoffs
cipher mode
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
8/10/2019 Signalling and Control in GSM
9/22
16
GSM Signaling Protocol Structure
RIL-3 CC Messages
call establishment
ALERTING
CALL CONFIRMED
CALL PROCEEDING
CONNECT
CONNECT ACK
SETUP
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
call release
DISCONNECT
RELEASE
RELEASE COMPLETE
in-call
START DTMF
START DTMF ACK
STOP DTMF
STOP DTMF ACK* DMTF is tone signaling
17
GSM Signaling Protocol Structure
RIL-3 MM messages
Registration
Location Update Request (LAI)/Accept
IMSI Detach (de-registration)
Security
Authentication Request (cipher key, seq #, RAND)
Authentication Response (SRES)
TMSI Reallocation Command/Complete
Service Request (service type)/Accept
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
8/10/2019 Signalling and Control in GSM
10/22
18
GSM Signaling Protocol Structure
RIL-3 messages
Connection establishment
Paging request (TMSI)
Channel request (random ref)
Immediate assignment (channel description,cipher key)
Page response Channel release
Ciphering
Cipher mode command/complete
Mobile BTS BSC MSC/VLR HLR
MAP
TCAP
SCCP
MTP
Radio Interface Layer 3 Call Control (RIL-3 CC)
RIL-3 Mobility Management (RIL-3 MM)
RIL-3 Radio Resource (RIL-3 RR)
Radio Resource
Assign command (Rf channel)
Assignment complete
Handover command (channel description)
Handover complete
Measurement report
19
GSM Registration
Types
power up/down
location area
periodic
User Confidentiality
mobile device may send in real address: International Mobile Subscriber Identity (IMSI)
gets back temporary id (TMSI) Unique in local area
subsequent registrations use TMSI
8/10/2019 Signalling and Control in GSM
11/22
20
GSM: Registration, High Level
Mobile Basestation
RR connection
established
Get SDCCH
Authenticate
Cipher
UpdateLocation
Release RR connection
21
GSM: Registration, Lower Level
Mobile Basestation
Authentication Response (SRES)
LOC UPD RQST
Authentication Request (RAND)
Cipher Mode
Cipher Mode Complete
LOC UPD ACC (TMSI)
TMSI REAL Complete
Get SDCCHGet SDCCH
Release RR connection
8/10/2019 Signalling and Control in GSM
12/22
22
GSM: Registration
Mobile Basestation
Channel request
Immediate assignment
Authentication Response (SRES)
SABM(LOC UPD RQST)
UA(LOC UPD RQST)
Authentication Request (RAND)
Cipher Mode
Cipher Mode Complete
LOC UPD ACC (TMSI)
TMSI REAL Complete
Channel Release
Get SDCCH
RR connection
established
RR connectionrelease
23
GSM: Call Termination (Receive a call)
Mobile Basestation
Channel request
Immediate assignment
SABM(Page Response)
UA(Page Response)
Alert
Assignment Command
Connect
Get SDCCH
RR connection
established
RR connection
release
Authentication and Ciphering
SETUP
Call Confirmed
Assignment Complete
Connect ACK
Page Request (TMSI)
8/10/2019 Signalling and Control in GSM
13/22
24
GSM: Call Origination
Mobile Basestation
Channel request
Immediate assignment
SABM(CM Service Request Call Orig)
UA(CM Service Request Call Orig)
Alert
Assignment Command
Connect
Get SDCCH
RR connection
established
RR connectionrelease
Authentication and Ciphering
SETUP
Call Proceeding
Assignment Complete
Connect ACK
25
GSM: Mobile Assisted Handoff (MAHO)
MSC Old BS MS New BS
Measurement Report
Measurement Report
Measurement Report
Measurement Report
Handoff OrderHandoff Access
Handoff Access
Handoff Complete
8/10/2019 Signalling and Control in GSM
14/22
8/10/2019 Signalling and Control in GSM
15/22
28
GSM: SMS Examples Mobile Termination, High Level
Mobile Basestation
Page
Page Response
SMS Delivery
29
GSM: SMS Examples Mobile Termination
Mobile Basestation
Page
Page Response
CP-Data (RP-Data(SMS Delivery))
CP-Ack
CP-Data(RP-Ack)
CP-Ack
8/10/2019 Signalling and Control in GSM
16/22
30
GSM: SMS Examples Mobile Origination
Mobile Basestation
CP-Data (RP-Data(SMS Submit))
CP-Ack
CP-Data(RP-Ack)
CP-Ack
31
Review
Mobile Station powers on
locates CCCH and reads system parameters
Mobile Registers
gets a paging class
Monitors paging channel
can receive or make calls
can receive and send messages
8/10/2019 Signalling and Control in GSM
17/22
32
Other air interfaces
IS-136
digital
TDMA
IS-95
digital
CDMA
CDMA 2000
3G
UMTS
W-CDMA
3G
33
TIA/EIA/IS-136
Supports:
Call origination and termination
Registration
SMS
Digital:
TDMA
Based on IS-54
Primary difference: Digital Control Channel
8/10/2019 Signalling and Control in GSM
18/22
34
IS-136 Spectrum
Reverse Channel (uplink)
824 849 MHz
Forward Channel (downlink)
869 894 MHz
Carriers spaced at 30 KHz
3 traffic channels per carrier
Frequencies equally divided into 2 systems
each has 12.5 MHz in uplink and downlink
35
IS-136 Structure
Digital Control Channel (DCCH)
Used for control information registration
Paging
Call origination/termination
Used for SMS
Digital Traffic Channel (DCH)
information transfer
in-call control (fast/slow associated control channels)
Digital Traffic Channel (per user in a call)
DCH (13 Kbps)
Digital Control Channel (48.6 Kbps)Base
Station
MS1
MS2
8/10/2019 Signalling and Control in GSM
19/22
36
IS-136 DCCH
Reverse
(MS -> BS)
Forward
(BS -> MS)
Forward
(BS -> MS)
Forward
(BS -> MS)
Random Access
Control Channel
(RACH)
SMS, Paging, and
Access Response
Channel (SPACH)
Broadcast
Control
Channel
(BCCH)
Shared Feedback
Control Channel
(SCF)
PCH
ARCH
DCCH
SMSCH
F-BCCH
E-BCCH
S-BCCH
37
IS-95
Code Division Multiple Access (CDMA) Transmission
Similar call processing to GSM and IS-136
1.23 MHz carriers, each with 65 sub code channels
Operates in similar bands to AMPS/IS-136
8/10/2019 Signalling and Control in GSM
20/22
38
Network Architecture: CDMA, CDMA2000
Data path
RNC/PCF
performs frame-selection/power control
terminates Radio Link Protocol with mobiles
performs packet and burst control functions
PDSN
terminates Point-to-Point Protocol (PPP) withclients
provides foreign agent (FA) support forMobile IP enabled clients
AAA
provides Authentication, Authorization, andAccounting for data users
Voice path
BSC
Coordinates handoff for voice users
performs frame-selection/power control
MSC
call control and mobility management
interfaces to the PSTN for voice users
HLR
provides location management and AAA
functions for voice users using the IS41 protocol
BS
RNC/PCF
BSC
SS7
Internet
PSTN
PDSN
FA
HA
MSC
VLR
CDMA
R-P if
IP
HLR
AAA
BSSoft
handoff
39
CDMA: benefits
Higher capacity
interference limited => maximum efficiency
uses voice activity detection to reduce transmission bandwidth
Improved quality
soft handoff
CDMA has frequency, spatial, and time diversity to adapt to wireless errors
EVRC coding at 8kbps of voice includes error correction etc.
Ease of deployment
no frequency planning since frequency reuse=1Greater coverage
cost effective in sub-urban and rural areas
Increased privacy
spreads small signal (9.6kbps) over large spectrum (1.25Mbps) so that signal appears like noise
Increased talk time
power control (performed 800 times a second) ensures that the mobile station transmits at
optimum power resulting in longer battery life
8/10/2019 Signalling and Control in GSM
21/22
40
3G CDMA Air Interfaces
CDMA2000
(3GPP2/TIA/TTA I)
Chip rate: 1.2288,3.6864/... Mc/s
Channel Bandwidth: 1.25/5MHz
Network synchronous (base stations
synchronized using GPS)
3G3X uses 5 MHz direct spread, 3G1X uses 1.25
MHz multicarrier
20 ms frames
Common cdm pilot
Power control (800 Hz)
WCDMA
(3GPP/ETSI/ARIB/TTA II)
Chip rate: (4.096)/ 3.84/... Mc/s
Channel Bandwidth: 5MHz
Network Asynchronous (base stations not
synchronized)
Direct Spread
10 ms frames
Dedicated tdm pilot
Power control (1600 Hz)
CDMA Harmonization group is trying to reconcile these and the SCDMA
standard (TDD mode): WCDMA now has chip rate of 3.84 Mcps,
common cdm pilot, synchronous mode...
41
Observations: CDMA2000
CDMA2000 as the 3G air interface is compatible with IS95
CDMA2000 networks can be deployed as overlay on existing 2G
spectrum
Network architecture/protocols designed to gracefully migrate from IS95
Network architecture is more IP friendly than UMTS but still not all-IP
3G1X, 3G1X EV-DO (HDR), 3G3X high data rate options for evolution
3G1X and HDR deployments likely in U.S.; 3G3X farther out in the future
8/10/2019 Signalling and Control in GSM
22/22
42
Network Architecture: UMTS/GPRS/GSM
RNC
Radio network controller
manages a set of basestations
(Node B)
HLR
uses the GSM MAP protocol
for location management
and authentication
MSC/GMSC
call control and mobility
management for circuit
switched (CS) users
SGSN/GGSN
uses GPRS Tunneling Protocol
(GTP) to provide mobility
management and transport for
packet switched (PS) users
Internet
MSCSGSN
GGSN
GMSC
HLR
PSTN
VLR
PSTN
IuPS
Figure based onUMTS TS-23.002
Firewall +IP Router
IuCS IuPS
MS
IuPSA
RNC
Um
BSC
BTSBTS
RNC
Node BNode B
Um
BSC
BTSBTS
UuUu
2G CS 2.5G
PSMS
BTS
43
Observations: WCDMA
WCDMA is the UMTS air interface and is a disruptive change from GSM
GPRS allows for evolution to higher data rates from GSM, and uses
UMTS network architecture but does not use WCDMA air interface
Network architecture is not pure IP and is not IETF friendly
All IP wireless network architecture is the current predominant theme
Regulations allow UMTS deployment only in new frequency spectrum
Service Providers have paid huge amounts for UMTS spectrum in U.K.,Germany but are becoming increasingly conservative as in Italy, Austria,
Swiss auctions
UMTS: tremendous money and effort is being poured in;
financial issues will dictate deployment speed