PART 3 Introduction to GSM
Lecture 3.0 History
Giuseppe Bianchi
History of wireless communication Î 1896: Marconi Ö first demonstration of wireless telegraphy Ö tx of radio waves to a ship at sea 29 km away Ö long wave transmission, high power req. (200 kW and +) Î 1901: Marconi Ö Telegraph across the atlantic ocean Ö Close to 3000 Km hop! Î 1907 Commercial transatlantic connections Ö huge ground stations (30 by100m antennas) Î 1915: Wireless telephony established Ö NY – S. Francisco Ö Virginia and Paris Î 1920 Marconi: Ö Discovery of short waves (< 100m) Ö reflection at the ionosphere Ö (cheaper) smaller sender and receiver, possible due to the invention of the vacuum tube (1906, Lee DeForest and Robert von Lieben)
Giuseppe Bianchi
1 History of wireless communication Î 1920's: Radio broadcasting became popular Î 1928: many TV broadcast trials Î 1930's: TV broadcasting deployment Î 1946: First public mobile telephone service in US Ö St. Louis, Missouri Ö Single cell system Î 1960's: Bell Labs developed cellular concept Ö brought mobile telephony to masses Î 1960’s: Communications satellites launched Î Late 1970's: technology advances enable affordable cellular telephony Ö entering the modern cellular era Î 1974-1978: First field Trial for Cellular System Ö AMPS, Chicago
Giuseppe Bianchi
1st generation mobile systems early deployment ÎFirst system: Ö NMT-450 (Nordic Mobile Telephone) ÆScandinavian standard; adopted in most of Europe Æ450 MHZ band ÆFirst european system (Sweden, october 1981) Î Italian history: Ö 1966: first experiments (CSELT) at 160 MHZ ÆRTMI (Radio Telefono Mobile Italiano) ÆMarket: 1973 Ö First italian cellular system: 1985 ÆRTMS (Radio Telefono Mobile di Seconda Generazione) Æ450 MHZ Ö Evolution: 1990, TACS ÆTotal Access Communication System Æ900 MHZ
Giuseppe Bianchi
2 1st generation mobile systems
ÎFirst generation: 1980’s ÎAnalog transmission ÎSeveral competing standards in Ö Frequency modulation different countries ÎVarious bands: Ö NMT (Nordic Mobile Telephone) Ö NMT: ÆScandinavian standard; adopted in most Æ450 MHz first of Europe Æ900 MHz later ÆFirst european system (Sweden, 1981) Ö TACS Ö TACS (Total Access Communication Æ900 MHz Systems), starts in 1985 Æ1230 bidirectional ÆUK standard; A few of Europe, Asia, channels (25KHz) Japan Ö AMPS Ö AMPS (Advanced Mobile Phone Æ800 MHz Service) ÆUS standard ÎToday still in use in low- Ö C-Netz (Only in Germany) technology countries Ö And not yet completely dismissed Ö Radiocom 2000 (Only in France) in high-tech countries Giuseppe Bianchi
2nd generation mobile systems
Î4 systems ÎBasic bands: ÖGlobal System for Mobile (GSM) Ö900 MHz ÖDigital AMPS (D-AMPS), US Ö1800 MHz ÖCode Division Multiple Access Æ(Digital Cellular System: (IS-95) – Qualcomm,US DCS-1800) ÖPersonal Digital Cellular Ö1900 MHz (PDC),Japan Æ(Personal Communication ÎGSM by far the System:PCS-1900,US only) dominant one ÎSpecifications for ÖOriginally pan-european ÖGSM-400 (large areas) ÖDeployed worldwide ÖGSM-800 (north america) Æ(slow only in US)
Giuseppe Bianchi
3 Timing Î1982: Start of GSM-specification in Europe (1982-1990) Î1983: Start of American AMPS widespread deployment Î1984 CT-1 standard (Europe) for cordless telephones Î1991 Specification of DECT ÖDigital European Cordless Telephone (today: Digital Enhanced Cordless Telecommunications) - ~100-500m range, 120 duplex channels, 1.2Mbit/s data transmission, voice encryption, authentication Î1992: Start of GSM operation Europe- wide Î1994: DCS-1800 Giuseppe Bianchi
2 ½ generation mobile systems GSM incremental extension ÎHigh speed circuit switched data (HSCSD) ÆCircuit switched data communication ÆUses up to 4 slots (1 slot = 9.6 or 14.4 Kbps) ÎGeneral Packet Radio Service (GPRS) ÆPacket data (use spectrum only when needed!) ÆUp to 115 Kbps (8 slots) ÎEnhanced Data-rates for Global Evolution (EDGE) ÆHigher data rate available on radio interface (3x) » Up to 384 Kbps (8 slots) » Thanks to new modulation scheme (8PSK) » May coexist with old GMSK
Giuseppe Bianchi
4 3rd generation mobile systems
ÎUMTS (Universal Mobile TelecommunicationSystem) ÆITU standard: IMT-2000 (International Mobile Telecommunication – 2000) ÆUMTS forum created in 1996 ÆLater on 3GPP forum (bears most of standardization activities) ÖWideband CDMA radio interface ÆBut several other proposals accepted as “compatible” ÖRadio spectrum: 1885-2025 & 2110-2200 MHz ÖAlready deployed in Japan ÖTime to market in Italy: 2004?
Giuseppe Bianchi
Facts about wireless communication ÎWho has a cellular phone? ÖUSA: Over 50% of US households ÖItaly: from 2001, more wireless lines than wired ÖWorld: from march 2002, 1 billion wireless cellular users ÆMuch faster than projections! ÆAugust 2000: 372 GSM networks, 362M customers ÎRevenues: Öglobal revenue from wireless portals predicted to grow from $700M to $42 billion by 2005 ÖWLAN revenues predicted at $785M by 2004 ÖForecasting a 59 percent growth rate for wireless usage in rural areas between 2000 and 2003
Giuseppe Bianchi
5 PART 3 Introduction to GSM
Lecture 3.1 Architecture and components
Giuseppe Bianchi
GSM Network high-level view MSC = Mobile Switching Center = administrative region PSTNPSTN PublicPublic switched switched telephonetelephone network network MSC MSC
Base Base Station Station
PLMN Public Land Mobile Network
MSC role: telephone switching central with special mobility management capabilities Giuseppe Bianchi
6 GSM system hierarchy
MSC MSC region LOCATION BSC AREA MSC: Mobile Switching Center LA: Location Area BSC: Base Station Controller BTS BTS: Base Transceiver Station
Hierarchy: MSC region Æ n x Location Areas Æ m x BSC Æ k x BTS
Giuseppe Bianchi
GSM essential components
To fixed network OMC (PSTN, ISDN, PDN) GMSC EIR AUC HLR VLR MSC
BSC BTS MS Mobile Station BTS BTS Base Transceiver Station BTS BSC Base Station Controller BTS BSC MSC Mobile Switching Center GMSC Gateway MSC BTS OMC Operation and Maintenance Center MS EIR Equipment Identity Register AUC Authentication Center HLR Home Location Register VLR Visitor Location Register Giuseppe Bianchi
7 Î Two components: GSM Sub-Systems Ö Fixed installed infrastructure Æ The network in the proper sense Ö Mobile subscribers Æ MS: Mobile Station Î Fixed infrastructure divided operator into three sub-systems Ö BSS: Base Station subsystem Æ Manages transmission path from MS to NSS External Ö NSS: Network Switching Subsystem Networks Æ Communication and interconnection with other nets OSS Ö OSS: Operational Subsystem Æ GSM network administration tools
Users NSS BSS MS
A Interface Radio Interface (Um)
Giuseppe Bianchi
PART 3 Introduction to GSM
Lecture 3.2 Mobile Station and addresses
Giuseppe Bianchi
8 Mobile Station (MS) GSM separates user mobility from equipment mobility, by defining two distinct components
ÎMobile Equipment ÆThe cellular telephone itself (or the vehicular telephone) ÖAddress / identifier: ÆIMEI (International Mobile Equipment Identity)
ÎSubscriber Identity Module (SIM) ÆFixed installed chip (plug-in SIM) or Æexchangeable card (SIM card) ÖAddresses / identifiers: ÆIMSI (International Mobile Subscriber Identity) ÆMSISDN (Mobile Subscriber ISDN number) » the telephone number!
Giuseppe Bianchi
Mobile Equipment structure
TerminalTerminal MobileMobile EquipmentEquipment TerminationTermination Terminal Terminal Mobile Equipment Adaptor Termination
Î Mobile Termination functions Ö tRadio interface (tx, rx, signalling) Mobile Equipment Î Terminal Equipment functions S Um Ö User interface (microphone, keyboard, speakers, etc); TE1 MT Ö Functions specific of services (telephony, fax, messaging, etc), R independent of GSM Î Terminal Adaptor functions TE2 TA MT Ö Interfaces MT with different types of terminals (PCs, Fax, etc.) Giuseppe Bianchi
9 Mobile Equipment Max Power 5 power classes
max power Type of CLASS (watt) terminal
I 20 vehicular
II 8 vehicular
III 5 portable Normally used IV 2 portable
V 0.8 portable
This was for 900 MHz – for 1800 MHz only two classes: 1W, and 0.25 W
Giuseppe Bianchi
IMEI International Mobile Equipment Identity
Î Uniquely identifies the mobile equipment Î 15 digits hierarchical address Î assigned to ME during manifacturing and “type approval” testing Ö Type approval procedure: guarantees that the MS meets a minimum standard, regardless of the manifacturer Î IMEI structure:
TAC – 6 digits FAC – 2 digits SNR – 6 digits SP – 1 digit (Type Approval Code) (Final Assembly Code) (Serial Number) (Spare Digit)
centrally assigned assigned by assigned by Additional upon type approval manufacturer manufacturer digit available Identifies place Unique for given where ME was TAC+FAC assembled or combination manufactured Giuseppe Bianchi
10 IMEI management Î Protection against stolen and malfunctioning terminals Î Equipment Identity Register (EIR): 1 DataBase for each operator; keeps: ÖWHITE LIST: Ævalid IMEIs ÆCorresponding MEs may be used in the GSM network ÖBLACK LIST: ÆIMEIs of all MEs that must be barred from using the GSM network ÆException: emergency calls (to a set of emergency numbers) ÆBlack list periodically exchanged among different operators ÖGRAY LIST: ÆIMEIs that correspond to MEs that can be used, but that, for some reason (malfunctioning, obsolete SW, evaluation terminals, etc), need to be tracked by the operator ÆA call from a “gray” IMEI is reported to the operator personnel
Giuseppe Bianchi
SIM card Subscriber Identity Module Î Uniquely associated to a user Ö Not to an equipment, as in first generation cellular networks Î Stores user addresses Ö IMSI Ö MSISDN Ö Temporary addresses for location, roaming, etc Î authentication and encryption features Ö All security features of GSM are stored in the SIM for maximum protection Æsubscriber’s secret authentication key (Ki) ÆAuthentication algorithm (“secret” algorithm - A3 – not unique) ÆCipher key generation algorithm (A8) Î Personalization Ö SIM stores user profile (subscribed services) Ö RAM available for SMS, short numbers, user’s directory, etc Ö Protection codes ÆPIN (Personal Identification Number, 4-8 digits) ÆPUK (PIN Unblocking Key, 8 digits) Giuseppe Bianchi
11 IMSI International Mobile Subscriber Identity
Î Uniquely identifies the user (SIM card) Î GSM-specific address Ö unlike MSISDN - normal phone number Î 15 digits hierarchical address Î assigned by operator to SIM card upon subscription Î IMSI structure:
MCC – 3 digits MNC – 2 digits MSIN – max 10 digits (Mobile Country Code) (Mobile Network Code) (Mobile Subscriber Identification Number)
Internationally standardized; Identifies operator Uniquely identifies subscriber identifies operator country network (PLMN) in the operator network within country Italy: 222 TIM=01 OMNI=10 WIND=88 BLU=98 Giuseppe Bianchi
MSISDN Mobile Subscriber ISDN Number Î MSISDN: the “usual” telephone number Ö Follows international ISDN numbering plan (ITU-T E.164 recommendations) Ö Structure:
CC – up to 3 digits NDC – 3 digits (for PLMN) SN – max 10 digits (Country Code) (National Destination Code) (Subscriber Number) Î GSM is the first network to distinguish Ö The user identity (i.e. IMSI) Ö From the number to dial (i.e. MSISDN) Î Separation IMSI-MSISDN protects confidentiality Ö IMSI is the real user address: never public! Ö Faking false identity: need signal IMSI to the network; but IMSI hard to obtain! Î Separation IMSI-MSISDN allows Ö Easy modification of numbering and routing plans Î single IMSI may be associated to several MSISDN numbers Ö E.g. different services (fax, voice, data, etc) may be associated with different MSISDN numbers Giuseppe Bianchi
12 Temporary addresses
Î TMSI - Temporary Mobile Î MSRN - Mobile Station Subscriber Identity Roaming Number Ö 32 bits Ö An MSISDN number Ö assigned by VLR within an ÆCC, NDC of the visited network administrative area ÆSN assigned by VLR Æhas significance only in this area Ö Used to route calls to a roaming MS Ö transmitted on the radio interface ÆSubscriber Number (SN) instead of IMSI assigned to provide routing Æ reduces problem of information towards actually “eavesdropping” responsible MSC
Giuseppe Bianchi
PART 3 Introduction to GSM
Lecture 3.3 Fixed Infrastructure
Giuseppe Bianchi
13 Components and interfaces Components
MS MS Mobile Station BTS Base Transceiver Station BSC Base Station Controller Um MSC Mobile Switching Center BTS OMC Operation and Maintenance Center EIR Equipment Identity Register AUC Authentication Center Abis Other HLR Home Location Register BSC MSC E BSS VLR Visitor Location Register A Interfaces Other MSC OMC Networks Um Radio Interface B Abis BTS-BSC C A BSS-MSC F B MSC-VLR EIR HLR VLR CMSC-VLR D D HLR-VLR G E MSC-MSC Other FMSC-EIR AUC G VLR-VLR VLR
Giuseppe Bianchi
Base Station Sub-System Um - Radio Interface OSS BTS BSS
BTS BSC
A BTS A-bis Interface Interface
ÖBase Transceiver Station (BTS) ÆTransmitter and receiver devices, voice coding & decoding, rate adaptation for data ÆProvides signaling channels on the radio interface ÆLimited signal and protocol processing (error protection coding, link layer LAPDm) ÖBase Station Controller (BSC) Æperforms most important radio interface management functions: ÆRadio channels allocation and deallocation; handover management; … Giuseppe Bianchi
14 Base Transceiver Station - BTS
Um Interface (to MS)
Output HF filter Transmitter TRX Digital Signal System Hopping
Input HF freq. Slow Processing
Filter Receiver Transmission Abis InterfaceBSC) (to
Operation and Maintenance Functionality/clock distribution
TRX radio interface functions: - GMSK modulation-demodulation - channel coding In essence, BTS is - encryption/decryption - burst formatting, interleaving a complex modem! - signal strength measurements - interference measurements Giuseppe Bianchi
BTS – maximum power
Î GSM 900 Î DCS 1800 Ö 320 W Ö 20 W Ö 160 W Ö 10 W Ö 80 W Ö 5W Ö 40 W Ö 2.5 W Ö 20 W Ö 1.6 W (micro-BTS) Ö 10 W Ö 0.5 W (micro-BTS) Ö 5W Ö 0.16 W (micro-BTS) Ö 2.5 W Ö 0.25 W (micro-BTS) Ö 0.08 W (micro-BTS) Ö 0.03 W (micro-BTS)
Giuseppe Bianchi
15 Base Station Controller - BSC
DB contains BTS-1 DB - state information for all BSS - BTS software BTS-2
X From/to MSC switch FUNCTIONS: matrix Î switch calls from MSC to correct BTS Ö and conversely BTS-K Î Protocol and coding conversion Ö for traffic (voice) & 1 BSC may control signaling (GSM-specific up to 40 BTS to ISDN-specific) Î Manage MS mobility Î Enforce power control Giuseppe Bianchi
Transcoding and Rate Adaptation
BTS: -collects speech traffic -Deciphers and removes error protection -Result: -13 kbps air-interface GSM speech-coded signal Transcoding and MSC: Rate Adaptation -A modified ISDN switch Unit (TRAU) -Needs to receive ISDN-coded speech needed! -64 kbps PCM format (A-law)
Rationale: re-use existing ISDN switches & protocols
Giuseppe Bianchi
16 TRAU possible placements
13 kbit/s 64 kbit/s 64 kbit/s On BTS BTS TRAU BSC MSC
On BSC 13 kbit/s 16 kbit/s 64 kbit/s BTS BSC TRAU MSC
64 kbit/s (4x16 sub-mux) On MSC 13 kbit/s 16 kbit/s BTS BSC TRAU MSC Why 16 kbps instead of 13? Inband signalling needed for BTS control of TRAU (TRAU needs to receive synchro & decoding information from BTS) Giuseppe Bianchi
Network Switching Sub-System
ÎElements: ÖMobile Switching Center (MSC) / Gateway MSC (GMSC) ÖHome Location Register (HLR ) / Authentication Center (AuC) ÖVisitor Location Register (VLR) ÖEquipment Identity Register (EIR) ÎFunctions: ÖCall control ÖUser management ÎInter-component communication ÖVia SS7 signalling network ÖWith suitable extensions (e.g. MAP – Mobile Application Part)
Giuseppe Bianchi
17 Mobile Switching Center - MSC
Î An ISDN switch (64 kbps channels) Î Performs all the switching and routing functions of a fixed network switching node Î PLUS specific mobility-related functions: Ö Allocation and administration of radio resources Ö Management of mobile users Æregistration, authentication Æhandover execution and control Æpaging
Î A PLMN (operator network) has, in general, many MSC Ö Each MSC is responsible of a set of BSS Æ(note: a BSS refers to just 1 MSC, not many)
Giuseppe Bianchi
Home Location Register - HLR Î 1 database per operator (PLMN) Ö In principle; in practice may be ÆN-plicated for reliability reasons ÆIn large operator networks, there may be 2+ HLR with distinct information, although MSISDN-HLR association needs to be introduced (e.g. first two digits of the Subscriber Number) Î HLR entries: Ö Every user / MSISDN that has subscribed to the operator Î Stores: Î Permanent information associated Î Temporary information associated to the user to the user Ö IMSI, MSISDN Ö Link to current location of the user: Ö Services subscribed ÆCurrent VLR address (if avail) Ö Service restrictions (e.g. roaming ÆCurrent MSC address (if avail) restrictions) ÆMSRN (if user outside PLMN) Ö Parameters for additional services Ö info about user equipment (IMEI) Ö Authentication data
Giuseppe Bianchi
18 Authentication Center - AUC
ÎAssociated to HLR ÖEventually integrated with HLR ÎSearch key: IMSI ÎResponsible of storing security-relevant subscriber data ÖSubscriber’s secret key Ki (for authentication) ÖEncryption key user on the radio channel (Kc) ÖAlgorithms to compute volatile keys used during authentication process
Giuseppe Bianchi
Needed, as fixed network switches are not mobile Gateway MSC – GMSC capable!!
X X GMSC task: query HLR for current MS location
(if fixed network switches X X X were able to query HLR, direct connection with localMSC wouldbeavailable) GMSC MSC MSC MSC HLR PLMN Public Land Mobile Network
Giuseppe Bianchi
19 Visitor Location Register - VLR Î At most 1 database per MSC Ö Generally, joint MSC-VLR implementation ÆNo need to carry heavy MSC-VRL signalling load on network links Ö but 1 VLR may serve many MSCs Î VLR entries: Ö Every user / MSISDN actually staying in the administrative area of the associated MSC ÆEntry created when an MS enters the MSC area (registration) Ö NOTE: may store data for roaming users (subscribed to different operators) Î Stores: Î Subscriber and subscription data Î Tracking and routing information Ö IMSI, MSISDN Ö Mobile Station Roaming Number Ö Parameters for additional services (MSRN) Ö info about user equipment (IMEI) Ö Temporary Mobile Station Identity Ö Authentication data (TMSI) Ö Location Area Identity (LAI) where MS has registered ÆUsed for paging and call setup Giuseppe Bianchi
Operation & Maintenance Sub-system (OSS) ÎNetwork measurement and control functions ÎMonitored and initiated from the OMC (Operation and Maintenance Center) ÎBasic functions ÖNetwork Administration Æconfiguration, operation, performance management, statistics collection and analysis, network maintenance ÖCommercial operation & charging ÆAccounting & billing ÖSecurity Management ÆE.g. Equipment Identity Register (EIR) management O&M functions based on ITU-T TMN standards (Telecommunication Network Management) – complex topic out of the scopes of this course Giuseppe Bianchi
20