
GSM Mobility Management

GSM architecture overview


Network layout
Protocols
Addresses & identifiers

Location management

Call delivery + location update


Security

Handover management

Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York

GSM network layout

PLMN: Public Land Mobile Network
MSC: Mobile Switching Center
BTS: Base Transceiver Station
BSC: Base Station Controller

[Figure: a GSM network (PLMN) drawn as several MSC regions, with location areas, BSCs and BTSs marked.]

GSM network layout

[Figure: network elements BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR and OMC, with the PSTN/ISDN attached. Interface labels shown: Um, Abis, B, C, E.]

GSM MAP protocol

GSM MAP is similar to IS-41 MAP
MAP uses the Transaction Capabilities Application Part (TCAP) of the SS7 stack
MAP functions:
  Updating of location information in VLRs
  Storing routing information in HLRs
  Updating and supplementing user profiles in HLRs
  Handoff of connections between MSCs

What is a location area (LA)?

A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell.
One extreme is to page every cell in the network for each call, which wastes radio bandwidth.
The other extreme is to have a mobile send location updates at the cell level. Paging is cut to 1 cell, but the number of location updating messages is large.
Hence, in GSM, cells are grouped into Location Areas: updates are sent only when the LA changes, and the paging message is sent to all cells in the last known LA.

Addresses and Identifiers

International Mobile Station Equipment Identity (IMEI)
It is similar to a serial number. It is allocated by the equipment manufacturer, registered by the network, and stored in the EIR.

International Mobile Subscriber Identity (IMSI)
Fields, in order: MCC, MNC, MSIN
MCC: Country Code
MNC: Mobile Network Code
MSIN: Mobile Subscriber Identification Number
When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.
The HLR can be identified by a VLR/MSC from the IMSI.

Addresses and Identifiers

Mobile Subscriber ISDN (MSISDN)
The real telephone number: assigned to the SIM.
The SIM can have several MSISDN numbers for selection of different services like voice, data, fax.
Fields, in order: CC, NDC, SN
NDC: National Destination Code (the NDC identifies the operator); SN: Subscriber Number; CC: Country Code
The digits following the NDC identify the HLR.

Addresses and Identifiers

Mobile Station Roaming Number (MSRN)
It is a temporary, location-dependent ISDN number.
It is assigned by the local VLR to each MS in its area.
Fields, in order: CC, NDC, SN

Addresses and identifiers

Temporary Mobile Subscriber Identity (TMSI)
It is an alias of the IMSI and is used in its place for privacy.
It is used to avoid sending the IMSI on the radio path.
It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR.
The TMSI is stored in the MS SIM card and in the VLR.

TMSI, IMSI, MSRN and MSISDN

Unlike the MSISDN, the IMSI is not known to the GSM user. The CC of the MSISDN translates to an MCC of the IMSI, e.g., for Denmark, CC: 45 and MCC: 238.
TMSI is used instead of IMSI during location update to protect privacy. As the user moves, the TMSI is used to send location updates. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
MSRN is the routing number that identifies the current location of the called MS.
MSRN is a temporary network identity assigned to a mobile subscriber.
MSRN identifies the serving MSC/VLR.
MSRN is used for call delivery (calls incoming to an MS).
MSISDN is the dialed number to reach a GSM user.

Addresses and Identifiers

Location Area ID (LAI)
Fields, in order: CC, MNC, LAC
CC: Country Code, MNC: Mobile Network Code, LAC: Location Area Code
The LAI is broadcast regularly by the Base Station on the BCCH.
Each cell is identified uniquely as belonging to an LA by its LAI.

Location management

Set of procedures to:
  track a mobile user
  find the mobile user to deliver it calls
The current location of the MS is maintained by a 2-level hierarchical strategy with HLRs and VLRs.

Ways to obtain MSRN

1. Obtaining at location update: an MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
2. Obtaining on a per call basis: this case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e., each call involves a new MSRN assignment.

Routing information: case when MSRN is selected per call by VLR/MSC

[Figure: HLR, GMSC and MSC/VLR, with arrows labelled MSISDN, MSRN and IMSI, and the label "MSISDN IMSI, VLR number".]

If an MSRN is allocated to each subscriber visiting an MSC, then the number of MSRNs required is large. If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number; hence MSRNs are typically allocated per call by the VLR/MSC.

Call routing to a mobile station: case when HLR returns MSRN

[Figure: call routing in steps 1 to 7 across ISDN, GMSC, HLR, MSC, VLR, EIR, AUC, BSC, BTS and MS, with location areas LA 1 and LA 2; the arrows are labelled MSISDN, MSRN and TMSI.]

Messages exchanged: call delivery

[Figure: message sequence chart among the originating switch (PSTN), GMSC, HLR, VLR and target MSC.]

1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM

Find operation in GSM

The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. It therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network).
The GMSC requests the current routing address (MSRN) from the HLR using MAP.
By way of the MSRN, the call is forwarded to the local MSC.
The local MSC determines the TMSI of the MS (by querying the VLR) and initiates the paging procedure in the relevant LA.
After the MS responds to the page, the connection can be switched through.
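
The call-delivery steps above, as an added Python sketch (not part of the original slides): a toy HLR and MSC/VLR in which the MSRN is allocated per call and released once the call reaches the target MSC. Class names, subscriber numbers and the pool size are assumptions made for the illustration.

```python
# Added example: toy model of call delivery with MSRNs allocated per call.
# All numbers below are constructed sample values, not real assignments.

class MscVlr:
    """Serving MSC/VLR with a small MSRN pool (about one per circuit)."""
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)   # MSRNs not bound to any call
        self.in_use = {}              # MSRN -> IMSI while a call is set up
        self.visitors = {}            # IMSI -> TMSI of registered mobiles

    def provide_roaming_number(self, imsi):   # MAP_PROVIDE_ROAMING_NUMBER
        if imsi not in self.visitors:
            raise LookupError("IMSI not registered in this VLR")
        if not self.free:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free.pop(0)
        self.in_use[msrn] = imsi
        return msrn                           # returned in the _ack message

    def incoming_call(self, msrn):            # second ISUP IAM, addressed by MSRN
        imsi = self.in_use.pop(msrn)          # MSRN identifies the subscriber
        self.free.append(msrn)                # released for the next call
        return self.visitors[imsi]            # TMSI to page in the LA

class Hlr:
    def __init__(self):
        self.records = {}                     # MSISDN -> (IMSI, serving MSC/VLR)

    def send_routing_info(self, msisdn):      # MAP_SEND_ROUTING_INFO
        imsi, vlr = self.records[msisdn]
        return vlr.provide_roaming_number(imsi)

def deliver_call(hlr, mscs, msisdn):
    """GMSC role: ask the HLR for an MSRN, then route the call on it."""
    msrn = hlr.send_routing_info(msisdn)
    target = next(m for m in mscs if msrn in m.in_use)
    return msrn, target.incoming_call(msrn)

def build_sample_network():
    vlr = MscVlr(["4599900001", "4599900002"])          # pool of two MSRNs
    hlr = Hlr()
    for n in range(1, 6):                               # five visiting mobiles
        imsi, msisdn = f"23801000000000{n}", f"452000000{n}"
        vlr.visitors[imsi] = f"tmsi-{n:04x}"
        hlr.records[msisdn] = (imsi, vlr)
    return hlr, vlr

if __name__ == "__main__":
    hlr, vlr = build_sample_network()
    for n in range(1, 6):
        print(deliver_call(hlr, [vlr], f"452000000{n}"))
```

Five subscribers are served with a pool of only two MSRNs, because each number is bound to a subscriber only between the roaming-number request and the arrival of the call at the target MSC.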

GSM security

Authentication
What signed response (SRES) are you able to derive from the input challenge RAND by applying the A3 algorithm with your personal key Ki (Ki is per subscriber)?

[Figure: the MS and the network each apply the A3 algorithm to Ki and RAND (128 bit) to obtain SRES; the two SRES values are checked for equality.]

GSM security

Encryption
Digital technology makes it easy to encrypt voice data.
A5 derives a ciphering sequence of 114 bits for each burst independently.
The 114 bits of a radio burst are XORed with the 114 bits of a ciphering sequence generated by A5.

[Figure: the BTS and the MS each run the A5 algorithm on Kc (64 bits) and the frame number (22 bits), producing sequences S1 (114 bits) and S2 (114 bits); each side uses one sequence for ciphering and the other for deciphering.]

Key management

The ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki).
Each time a mobile station is authenticated, the MS and the network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES.
Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
There is a bootstrap period during which the network does not know who the subscriber is.
Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted).
Protection: use the TMSI instead of the IMSI when possible; the TMSI should be exchanged during protected (ciphered) signaling procedures.
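
The authentication, encryption and key-management slides above, as an added Python example (not part of the original slides). The A3, A8 and A5 algorithms are not given on these slides, so HMAC-SHA256 stands in for each of them; the 32-bit SRES and 128-bit Ki lengths, all function names and the sample values are assumptions of the example.

```python
# Added example: GSM challenge-response, Kc derivation and burst ciphering.
# A3, A8 and A5 are not reproduced: HMAC-SHA256 stands in for each (assumption).
import hashlib
import hmac
import secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def a3_standin(ki, rand):          # SRES, truncated to 32 bits
    return _prf(ki, b"A3", rand)[:4]

def a8_standin(ki, rand):          # Kc, truncated to 64 bits
    return _prf(ki, b"A8", rand)[:8]

def a5_standin(kc, frame_number):
    """Two 114-bit ciphering sequences (S1, S2) for one frame, as integers."""
    fn = (frame_number & 0x3FFFFF).to_bytes(3, "big")     # 22-bit frame number
    bits = int.from_bytes(_prf(kc, b"A5", fn), "big")     # 256 bits, 228 used
    mask = (1 << 114) - 1
    return (bits >> 114) & mask, bits & mask

def auc_generate_triplet(ki):
    """AUC: build (RAND, SRES, Kc) for the VLR; Ki itself is never sent."""
    rand = secrets.token_bytes(16)                        # 128-bit RAND
    return rand, a3_standin(ki, rand), a8_standin(ki, rand)

class Sim:
    """MS side: Ki stays in the SIM; only SRES is returned over the radio path."""
    def __init__(self, ki):
        self._ki, self.kc = ki, None

    def respond(self, rand):
        self.kc = a8_standin(self._ki, rand)              # same inputs as SRES
        return a3_standin(self._ki, rand)

def network_authenticate(triplet, sim):
    """VLR: send RAND, compare SRES; return Kc only if the response matches."""
    rand, expected_sres, kc = triplet
    return kc if hmac.compare_digest(sim.respond(rand), expected_sres) else None

def cipher_burst(burst, sequence):
    """XOR a 114-bit burst with a 114-bit sequence; the same call deciphers."""
    return burst ^ sequence

if __name__ == "__main__":
    ki = secrets.token_bytes(16)                          # constructed sample Ki
    kc = network_authenticate(auc_generate_triplet(ki), Sim(ki))
    s1, _ = a5_standin(kc, frame_number=42)
    burst = secrets.randbits(114)
    assert cipher_burst(cipher_burst(burst, s1), s1) == burst
    print("authenticated, Kc =", kc.hex())
```

Only RAND and SRES cross the radio path; Ki and Kc are computed independently on each side, and a SIM holding a different Ki yields no Kc on the network side.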

Location registration

The MS has to register with the PLMN to get communication services.
Registration is required for a change of PLMN.
The MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
If the MS recognizes, by reading the LAI broadcast on the BCCH, that it is in a new LA, it performs a Location Update to update the HLR records.
The Location Update procedure could also be performed periodically, independent of the MS movement.
The difference between Location Registration and Location Update is that in Location Update the MS has already been assigned a TMSI.

Location registration

[Figure: message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI and Ki. Labels shown: Loc.Upd.Req (IMSI, LAI); Upd Loc.Area (IMSI, LAI); Aut.Par.Req (IMSI); Auth.Info.Req (IMSI); Auth.Info (IMSI, Kc, RAND, SRES); Aut.Info. (IMSI, Kc, RAND, SRES); Authenticate (RAND); Authentic.Req (RAND); A3 & A8 computing SRES and Kc from Ki and RAND; Auth.Resp. (SRES); comparison of the SRES values (=); Update Location (IMSI, MSRN); Generate TMSI. Continued on the next slide.]

(contd) Location registration.

[Figure: continuation of the message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. Labels shown: Generate TMSI; Start Ciph. (Kc); Forw. New TMSI (TMSI); Ciph.Mod.Com.; Ins.Subsc.Data (IMSI); Subs.Dat.Ins.Ack; Loc.Upd.Accept; message M ciphered with A5 as Kc(M); Ciph.Mod.; TMSI Realloc.Cmd.; TMSI Realloc.Ack; TMSI.Ack. Annotation: Loc.Upd.Accept and TMSI Realloc.Cmd. can be combined.]

The new TMSI is received by the MS (TMSI Reallocation) in ciphering mode.

Location update

[Figure: message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI, TMSI, Ki, Kc and LAI. Labels shown: Loc.Upd.Req (TMSI, LAI); Update Loc.Area (TMSI, LAI); Authentication; Update Location (IMSI, MSRN); Generate TMSI; Start ciphering (Kc); Insert Subscriber data (IMSI); Subs. Data Insert Ack. Continued on the next slide.]

(..contd) Location update.

[Figure: continuation of the message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. Labels shown: Start ciphering; Forward new TMSI (TMSI); Loc. Upd. Accept (IMSI); TMSI Realloc. Cmd.; TMSI Reallocation Complete; TMSI Ack; Auth. Para. Req (IMSI); Auth. Info. (IMSI, Kc, RAND, SRES); Auth.Info.Req (IMSI); Auth.Info (IMSI, Kc, RAND, SRES).]

Types of handover
(same as handoff)

There are four different types of handover in the GSM system. Handover involves transferring a call between:
  Channels (time slots) in the same cell,
  Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
  Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
  Cells under the control of different MSCs.

Attributes of radio-link handover

Hard handover
MAHO
Backward
COS selection scheme: static
Cross-over switch: anchor switch


Handover (MAHO)

Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).
During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength.
This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

Handover procedures in GSM

[Figure: handover cases numbered 1 to 9 and the connection route across MSC-A, MSC-B and MSC-C, their BSCs, and BTS 1, BTS 2 and BTS 3.]

Inter MSC basic handover

[Figure: message sequence chart among MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels shown: Handover required; Perform Handover; Allocate Handover number; Handover report; Radio chan. Ack; IAM; ACM; HA Indication; HB Indication; HB Confirm; Send End Signal; ANS; End of Call; REL; RLC; End Signal; Handover report.]

Subsequent handover from MSC-B to MSC-A

[Figure: message sequence chart among MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels shown: HA Required; Perform subsequent Handover; Subseq. Handover Acknowledge; HB Indication; HB Confirm; HA Indication; End Signal; Handover report; End of Call; REL; RLC.]

Subsequent handover from MSC-B to MSC-C

[Figure: message sequence chart among MS, MSC-A, MSC-B, MSC-C and VLR-C. Labels shown: HA Request; Perform subsequent Handover; Perform Handover; Allocate Handover Number; Radio chan. Ack.; Send Handover report; IAM; ACM; HB Indication. Continued on the next slide.]

(contd) Subsequent handover from MSC-B to MSC-C

[Figure: continuation of the message sequence chart among MS, MSC-A, MSC-B, MSC-C and VLR-B. Labels shown: Perform subsequent HA Indication Acknowledge; HB Confirm; Send End Signal; ANS; End Signal; Handoff Report; REL; RLC.]

Abbreviations

ISC: International switching center
OMC: Operations and maintenance center
GMSC: Gateway switching center
MSC: Mobile switching center
VLR: Visitor location register
HLR: Home Location register
EIR: Equipment Identification register
AUC: Authentication center
BSC: Base station controller
BTS: Base transceiver station
MS: Mobile subscriber
TMSI: Temporary Mobile Subscriber Identity
IMSI: International Mobile Subscriber Identity
