Beruflich Dokumente
Kultur Dokumente
Overview
GSM
formerly: Groupe Spéciale Mobile (founded 1982)
now: Global System for Mobile Communication
Pan-European standard (ETSI, European Telecommunications
Standardisation Institute)
simultaneous introduction of essential services in three phases by the
European telecommunication administrations
seamless roaming within Europe possible
today many providers all over the world use GSM (more than 180
countries in Asia, Africa, Europe, Australia, America)
more than 900 million subscribers
more than 70% of all digital mobile phones use GSM
Communication
mobile, wireless communication; support for voice and data services
Total mobility
international access, chip-card enables use of access points of different
providers
Worldwide connectivity
one number, the network handles localization
High capacity
better frequency efficiency, smaller cells, more customers per cell
Security functions
access control, authentication via chip-card and PIN
Mobile Services
GSM services
basic services
z voice services
z data services
z short message service
additional services
z emergency number
z group 3 fax
z electronic mail
supplementary services
z identification: forwarding of caller number
z suppression of number forwarding
z automatic call-back
z conferencing with up to 7 participants
z ...
radio cell
BSS
MS MS
radio cell
RSS BTS MS
BTS
BSC BSC
MSC MSC
BSS BSC
Base Station
Subsystem BSC
MS
BTS
HLR
GMSC
fixed network
BSC BSC
MS MS
ISDN
PSTN
Um MSC
Abis Interfaces
BTS
BSC Um : radio interface
BTS A
HLR Abis : standardized, open
interface with 16/64 kbit/s
SS7
user channels
PDN
Mobile addresses
MT (Mobile Termination)
offers common functions used by all services the MS offers
end-point of the radio interface (Um) - equivalent to NT of an ISDN access
hides GSM radio specific characteristics
TE (Terminal Equipment)
peripheral device of the MS, offers services to a user
TA (Terminal Adapter)
interfaces MT with different types of terminal
TE1 MT TE2 TA MT
Um Um
Database requirements
scalability
high capacity
low delay
subscriber data
z IMSI - International Mobile Subscriber Identity
z list of subscribed services with parameters and restrictions
location data
z current MSC/VLR address
Location registers
subscriber identity
z IMSI - International Mobile Subscriber Identity
temporary location
z LAI - Location Area Identification
temporary addresses
z MSRN - Mobile Station Roaming Number
z TMSI - Temporary Mobile Subscriber Identity
935-960 MHz
124 channels (200 kHz)
downlink
y FDMA channels
e nc
qu
890-915 MHz
fre
time
TDMA frame
0 1 2 3 4 5 6 7
4.615 ms
Radio interface
time-slot (normal burst) bit rate
guard 156.25 bits/0.5769 ms=
tail user data S training S user data tail space 270.8 kbit/s
3 bits 57 bits 1 26 bits 1 57 bits 3 bits 8.25 bits
148 bits / 0.5465 ms
156.25 bits / 0.5769 ms
Burst structures
TB FBS TB GP
3 142 3 8.25
Synchronisation Sequence -
long training sequence
Frame hierarchy
frame
8 x 15/26 ms = 60/13 ms = 4.615 ms
time-slot
15/26 ms = 0.577 ms
0 1 2 3 4 5 6 7 frame 0
2 frame 1
2 frame 2
traffic multiframe
26 x 60/13 = 120 ms
2 frame 24 x 51
2 frame 25
x 2048
superframe (*) hyperframe (**)
6.12 s ≈ 3.5 hours
0 1 2 3 4 5 6 7 frame 0
0 frame 1
x 26
0 frame 2
control multiframe
51 x 60/13 = 235.38 ms
0 frame 49
TCH CCH
Traffic Channels Control Channels
CCCH DCCH
Full-rate Half-rate BCH
Common Dedicated
Broadcast
Control Control
Channels
TCH/F TCH/H Channels Channels
Half-rate
TrafficChannels
TrafficChannels
Full-rate
ACCH
FCCH SCH BCCH RACH AGCH PCH
Associated
Frequency Correction
Channel
Channel
Random Access
Channel
Channel
Channel
Paging
Broadcast
Access Grant
Synchronization
Control Channel
Control
Channels
Fast Associated
Control Channel
Dedicated
Slow Associated
Stand-alone
Control Channel
Control Channel
Uplink channel: MS transmits
Downlink channel: BTS transmits
Logical channels
(*) Fast allocation by setting S bit; bits are stolen from TCH
Bursts /
Channel Burst type Time-slot Mulitiframe Capacity
Multiframe
TCH TCH/H Normal 26 frames 24 24 x 114 / 120 = 22.8 kbit/s
Any
Traffic Channels TCH/F (114 data bits) (120 ms) 12 12 x 114 / 120 = 11.4 kbit/s
Frequency
FCCH 5
correction
BCH
TS0 - base channel (*) 51 frames
Broadcast SCH Synchronisation 5
TS0/TS2/TS4/TS6 (**) (235.38 ms)
Channels
Normal
BCCH 4 4 x 114 / 235.38 = 1.94 kbit/s
(114 data bits)
Random 27 minimum
RACH
CCCH access 51 typical
Common TS0 - base channel (*) 51 frames
AGCH
Control Normal TS2/TS4/TS6 (**) (235.38 ms) 12 x 114 / 235.38 = 5.81 kbit/s
Channels 12 minimum
(114 data bits) minimum
PCH
receive receive
downlink
0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7
uplink
0 1 2 3 4 5 6 7 0 1 2 3 4 5
transmit transmit
Initial ranging
z Access Burst is transmitted without time advance
z Guard Period of 68.25 bits allows for a path delay due to 37 km distance
z BTS measures path delay and sends required time advance on SACCH
z MS introduces time advance on all bursts
Adaptive control
z BTS monitors burst and measures delays with specified time advance
z if path delay varies more than 1 bit period, the new value is signalled on
SACCH
Frequency hopping
Hoping sequence
several possible hoping algorithms
selected algorithm broadcast on BCCH
Transmission power
Power control
implemented on both links
objective: lowest power level which provides desired quality (BER)
procedure
z MS measures power received and BER and sends result on SACCH
z BTS sends new power level on SACCH, if and when necessary
control range
GSM 900 GSM 1800 Comments
effective maxima depend on cell size and MS capability
5 - 39 dBm 0 - 36 dBm
control steps of 2 dB
channels with no power control - use maximum power for the cell
z downlink BCH and CCCH: power set by BTS
z uplink RACH
– BCCH broadcasts maximum power level for the cell
– MS uses this value to set RACH transmission power
Security services
access control/authentication
z user Î SIM (Subscriber Identity Module): secret PIN (Personal
Identification Number)
z SIM Î network: challenge - response method
confidentiality
z voice and signaling encrypted on the wireless link (after successful
authentication)
anonymity
“secret”:
z TMSI - Temporary Mobile Subscriber Identity
• A3 and A8
z newly assigned at each new location update available via the
z encrypted transmission Internet
• network providers
3 algorithms specified in GSM can use stronger
mechanisms
A3 for authentication (“secret”, open interface)
A5 for encryption (standardized)
A8 for encryption key generation (“secret”, open interface)
GSM - authentication
RAND
Ki RAND RAND Ki
A3 A3
SIM
SRES* 32 bit SRES 32 bit
SRES
MSC SRES* =? SRES SRES
32 bit
RAND
Ki RAND RAND Ki
AuC 128 bit 128 bit 128 bit 128 bit SIM
A8 A8
cipher Kc
key 64 bit Kc
64 bit
data encrypted SRES
data
BTS
data MS
A5 A5
Um Abis A
MS BTS BSC MSC
CM CM
MM MM
BSSAP BSSAP
RR RR’
RR’ BTSM BTSM
SS7 SS7
LAPDm LAPDm LAPD LAPD
CM (Connection Management)
call control, short message service and supplementary service
MM (Mobility Management)
registration, authentication, location and handover management
3 6 15 8 9
4, 5: get routing info
14
(MSRN) from VLR
calling
6: forward routing station 1
PSTN GMSC MSC
2 7
info to GMSC
10 10 13 10
7: route call to current MSC 16
8, 9: get current status of MS (LAI + TMSI) BSS BSS BSS
11 11 11
10, 11: paging of MS in location area
11 12
12, 13: MS answers paging and
17
authentication request
MS
14, 15: security checks
16, 17: set up connection
Release FACCH
FACCH Release
4 types of handover
1
2 3 4
MS MS MS MS
MSC MSC
handover
margin
HO_MARGIN
MS MS
BTSold BTSnew
MS scans, measures and reports power received from several RF carrier based on BCCH information
OLD NEW
MS BTS BSC MSC BSC BTS
measurement measurement
report result
HO decision
HO required HO request
resource allocation
ch. activation
HO complete HO complete
clear command clear command
MS is aware of location
BTS broadcasts Location Area Identification (LAI) on BCCH
SIM stores current LAI and TMSI
Location update
OLD NEW
MSCold VLRold HLR VLR MSC MS
location update
location update request
request
request IMSI (old LAI/TMSI sent)
send IMSI
send IMSI
cancellation
confirmed cancellation
confirmed