Project Number AC 336 Project Title USECA: UMTS Security Architecture Deliverable Type Report Security Class Defined Projects and Participants

Deliverable Number D12 Title of Deliverable Overview of UMTS architecture Nature of the Deliverable Intermediate deliverable Document reference AC336/ATEA/W23/DS/L/01/1 Contributing WPs WP 2.3 Contractual Date of Delivery June 1998 (Y01M04) Actual Date of Delivery 29 July 1998 Editor Bart Vinck, Siemens Atea

Abstract This report provides a concise overview of the UMTS network architecture as far as it is known and described in the ETSI Technical Reports and Technical Specifications up to now. Also the architecture of the IMT-2000 family of networks that will influence the standardisation of UMTS, and that of GSM Phase 2+ from which the UMTS core network will evolve and with which it will closely interact in a first deployment phase, are treated.

In Chapter 4, the GSM circuit-switched network architecture is presented. In Chapter 5 a number of GSM Phase 2+ extensions (excluding GPRS), including Advanced Speech Call Items (ASCI), High-Speed Circuit Switched Data (HSCSD), Cordless Telephone System (CTS), SIM Appli- cation Toolkit, Mobile Execution Environment (MExE) and Customised Applications for Mobile network Enhanced Logic (CAMEL). In Chapter 6, the General Packet Data Service (GPRS) is presented. This is a data service providing a high-speed packet radio access for GSM MSs with a high ar- chitectural impact on the GSM NSS.

Chapter 7 presents the UMTS network architecture, starting from the do- main-strata model in ETS 23.01, and subsequently treating different net- work domains.

Finally, Chapter 8 presents the network architecture of the IMT-2000 family of networks currently standardized by ITU-T.

Keywords ACTS, USECA, UMTS, GSM, GPRS, IMT-2000, network architecture, security D12 Overview of UMTS architecture 86(&$ Page 2 of 49

Executive Summary

This report provides a concise overview of the UMTS network architecture as far as it is known and de- scribed in the ETSI Technical Reports and Technical Specifications up to now. The report will provide the USECA partners with part of the necessary background material required in the definition, develop- ment and integration of a UMTS security architecture for the UMTS network architecture. The UMTS network architecture however is still far from complete, stable and entirely defined. Therefore the archi- tecture of the IMT-2000 family of networks that will influence the standardisation of UMTS and the GSM Phase 2+ network architecture from which the UMTS core network will evolve are also treated.

In Chapter 4, the GSM circuit-switched network architecture is presented; first the network subsystems are identified and at a later stage the network entities, their functionality and the interfaces that exist between them.

In Chapter 5 a number of GSM Phase 2+ extensions (excluding GPRS) are presented that have an impact on the network architecture or can be seen as the seeds from which the new UMTS services will evolve. The first topics are the so-called Advanced Speech Call Items (ASCI). One is an enhanced multi-level precedence and pre-emption (eMLPP) service that allows handling precedence levels for subscribers within a PLMN including the possibility of pre-emption of ongoing calls. A second is the voice group call service (VGCS) that allows speech conversation of a predefined group within a predefined area. Another is the voice broadcast service (VBS) that allows to set-up a point to multi-point connection for the distri- bution of speech to a predefined group of service subscribers located in a predefined geographical area.

Another network feature is high-speed circuit switched data (HSCSD). It will allow higher transmission rates than the current 9.6 kbit/s, up to 64 kbit/s, through channel combining and enhanced channel coding. An architectural novelty is the cordless telephone system (CTS). The CTS is a radio communications sys- tem based on a GSM-compatible cellular interface between a private radio base station and a mobile sta- tion. The fixed part is connected via a wire-line to the PSTN/ISDN network for which it behaves as a normal telephone terminal.

An overview is given of the GSM Phase 2+ features that provide service differentiation and the creation of a virtual home network, i.e., the provision of an identical user interface independent of the location of the mobile station. A first is the SIM Application Toolkit that provides mechanisms that allow applications on the SIM to interact with the mobile equipment and initiate network actions. The second is the mobile exe- cution environment (MExE) that will provide support for operator-defined services in the mobile equip- ment. The third is the CAMEL feature that enables the use of operator specific services by a subscriber even when roaming outside the Home PLMN and is based on the Intelligent Network (IN) approach.

The General Packet Data Service (GPRS) is presented in Chapter 6. This is a data service providing a high-speed packet radio access for GSM MSs and requiring the introduction of a packet switched routing functionality in GSM infrastructure with new network entities (GPRS support nodes). These GPRS sup- port nodes and the GPRS backbone network or an evolution thereof is likely to play an important role in UMTS.

Chapter 7 presents the UMTS network architecture, starting from the domain-strata model in ETS 23.01, and subsequently treating different network domains. As UMTS Phase 1 will consist out of the introduc- tion of a new UMTS Terrestrial Radio Access Network (UTRAN) to an evolution of the existing GSM/GPRS 2+ core network, work on the access network is more detailed than that on the core networks.

Chapter 8 finally presents the network architecture of the IMT-2000 family of networks currently stan- dardized by ITU-T, of which UMTS will be a member.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 3 of 49

Table of Contents

EXECUTIVE SUMMARY ...... 2

TABLE OF CONTENTS...... 3

1 INTRODUCTION...... 5

1.1 CONTRIBUTORS...... 5 1.2 DOCUMENT HISTORY...... 5 2 REFERENCES...... 6

2.1 GSM SPECIFICATIONS ...... 6 2.2 UMTS SPECIFICATIONS, REPORTS AND TEMPORARY DOCUMENTS ...... 6 2.3 ITU-T RECOMMENDATIONS ...... 7 2.4 INFORMATIVE REFERENCES ...... 7 3 ABBREVIATIONS...... 8

4 GLOBAL SYSTEM FOR MOBILE COMMUNICATION (GSM)...... 9

4.1 OVERALL NETWORK ARCHITECTURE...... 9 4.2 MOBILE STATION (MS)...... 9 4.3 BASE STATION SUBSYSTEM (BSS)...... 10 4.4 NETWORK AND SWITCHING SUBSYSTEM (NSS)...... 11 4.5 OPERATION SUBSYSTEM (OSS) ...... 12 5 GSM PHASE 2+ EXTENSIONS ...... 13

5.1 ADVANCED SPEECH CALL ITEMS (ASCI) ...... 13 5.1.1 Enhanced Multi-Level Precedence and Pre-emption (eMLPP) service...... 13 5.1.2 Voice Group Call Service (VGCS)...... 14 5.1.3 Voice Broadcast Service (VBS)...... 15 5.2 HIGH SPEED CIRCUIT SWITCHED DATA (HSCSD) ...... 17 5.3 CORDLESS TELEPHONE SYSTEM (CTS) ...... 18 5.3.1 Introduction ...... 18 5.3.2 System Overview ...... 18 5.3.3 Service aspects...... 19 5.3.4 Security Aspects ...... 21 5.4 SUPPORT FOR SERVICE DIFFERENTIATION AND VIRTUAL HOME NETWORK...... 24 5.4.1 SIM Application Toolkit...... 24 5.4.2 Mobile Execution Environment (MExE) ...... 24 5.4.3 Customised Applications for Mobile network Enhanced Logic (CAMEL)...... 25 6 GENERAL PACKET RADIO SERVICE (GPRS) ...... 27

6.1 GPRS ARCHITECTURE ...... 27 6.3 PROTOCOLS ...... 28 6.4 GPRS SERVICES ...... 29 6.5 MOBILITY MANAGEMENT ...... 30 6.6 GPRS SECURITY SERVICES ...... 31 7 UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM (UMTS) ...... 32

7.1 PHASED CONCEPT ...... 32 7.2 DOMAIN-STRATA MODEL ...... 32 7.2.1 UMTS network domains...... 32 7.2.2 UMTS strata...... 35 7.3 USIM AND SMARTCARD ...... 38 7.4 MOBILE EQUIPMENT...... 38 7.5 ACCESS NETWORK ...... 39

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 4 of 49

7.5.1 Access stratum ...... 39 7.5.2 UMTS Terrestrial Radio Access Network (UTRAN) ...... 40 7.6 CORE NETWORK EVOLUTION...... 41 7.6.1 Coupling the UTRAN to a GSM NSS ...... 41 7.6.2 Introduction of UMTS CN...... 42 7 IMT-2000 NETWORK ARCHITECTURE...... 44

7.1 OVERALL NETWORK ARCHITECTURE...... 44 7.1.1 Functional subsystems ...... 44 7.1.2 Interfaces and functional communications ...... 45 7.2 ACCESS NETWORK TYPE DIVERSITY ...... 46 APPENDIX A: LIST OF FIGURES...... 48

APPENDIX B: LIST OF TABLES...... 49

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 5 of 49

1 Introduction

This report provides in a concise overview of the UMTS network architecture as far as it is known and described in the ETSI Technical Reports and Technical Specifications up to now. The report will provide the USECA partners to provide part of the necessary background to define, develop and integrate a UMTS security architecture on the UMTS network architecture. The UMTS network architecture however is still far from complete, stable and entirely defined. Therefore also the architecture of the IMT-2000 family of networks that will influence the standardisation of UMTS and the GSM Phase 2+ network ar- chitecture from which the UMTS core network will evolve are treated.

1.1 Contributors

Bart Vinck Siemens Atea Editor Atealaan 34, 2200 Herentals, Belgium. Phone: +32 14 252592 / Fax: + 32 14 253339 E-mail: [email protected] Günther Horn Siemens AG ZT IK 5, 81730 Munich, Germany Phone: +49 89 636 41494 / Fax: + 49 89 636 48000 E-mail: [email protected] Volker Kessler Siemens AG ZT IK 3, 81730 Munich, Germany Phone: +49 89 636 41494 / Fax: + 49 89 636 48000 E-mail: [email protected] Adnan Al-Adnani Panasonic Mobile Communications Development Centre, West Forest Gate, Wellington Road, Wokingham, Berkshire, RG40 2AQ, UK. Phone: +44 118 902 9312 / Fax: +44 118 902 9331 E-mail: [email protected]

1.2 Document History

Version Date Content / Changes

A 12/06/98 Sections on UMTS and IMT-2000

B 15/07/98 New section on GSM, GSM extensions and GPRS

C 23/07/98 New version in response to comments from various partners

1 29/07/98 Final version sent to the Commission

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 6 of 49

2 References

2.1 GSM Specifications [1] GSM 01.04. Digital cellular telecommunications system (Phase 2+); Abbreviations and acronyms. Version 5.0.0. March 1996. [2] GSM 02.04. Digital cellular telecommunications system (Phase 2+); General on supplementary services. Version 5.3.0. July 1996. [3] GSM 02.09. Digital cellular telecommunications system; Security aspects. Version 5.0.1. April 1997. [4] GSM 02.30. Digital cellular telecommunications system (Phase 2+); Man-Machine Interface (MMI) of the Mobile Station. Version 5.3.0. July 1996. [5] GSM 02.34. Digital cellular telecommunications system (Phase 2+); High Speed Circuit Switched Data (HSCSD) – Stage 1. Version 5.1.0. March 1997. [6] GSM 02.56. Digital cellular telecommunications system (Phase 2+); GSM Cordless Telephony System (CTS), Phase 1; Service description – Stage 1. [7] GSM 02.60. Digital cellular telecommunications system (Phase 2+); Genral Packet Radio Service (GPRS); Service description; Stage 1. Version 5.2.0. [8] GSM 02.67. Digital cellular telecommunications system (Phase 2+); enhanced Multi-Level Preceden- ce and Pre-emption service (eMLPP) – Stage 1. Version 5.0.1. July 1996. [9] GSM 02.68. Digital cellular telecommunications system (Phase 2+); Voice Group Call Service (VGCS) – Stage 1. Version 5.1.0. March 1996. [10] GSM 02.69. Digital cellular telecommunications system (Phase 2+); Voice Broadcast Service (VBS) – Stage 1. Version 5.1.0. March 1996. [11] GSM 02.78. Digital cellular telecommunications system (Phase 2+); Customised Applications for Mobile network Enhanced Logic (CAMEL); Service dscription – Stage 1. Version 5.4.0. January 1996. [12] GSM 03.02. Digital cellular telecommunications system (Phase 2+); Network architecture. Version 5.1.0. May 1996. [13] GSM 03.20. Digital cellular telecommunications system (Phase 2+); Security Related Network Functions. Version 5.2.0. February 1998. [14] GSM 03.20 Annex E. Digital cellular telecommunications system (Phase 2+); GSM Cordless Telephony System (CTS), Phase 1; Security Related Network Functions. Version 1.0.1. July 1998. [15] GSM 03.56. Digital cellular telecommunications system (Phase 2+); GSM Cordless Telephony System (CTS), Phase 1; Architecture description – Stage 2. [16] GSM 03.60. Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Service description; Stage 2. Version 6.0.0. March 1998. [17] GSM 03.67. Digital cellular telecommunications system (Phase 2+); enhanced Multi-Level Preceden- ce and Pre-emption service (eMLPP) – Stage 2. Version 5.0.0. January 1996. [18] GSM 03.68. Digital cellular telecommunications system (Phase 2+); Voice Group Call Service (VGCS) – Stage 2. Version 5.1.0. May 1996. [19] GSM 03.69. Digital cellular telecommunications system (Phase 2+); Voice Broadcast Service (VBS) – Stage 2. Version 5.1.0. June 1996. [20] GSM 03.78. Digital cellular telecommunications system (Phase 2+); Customised Applications for Mobile network Enhanced Logic (CAMEL); Stage 2. Version 5.3.2. January 1996.

2.2 UMTS Specifications, Reports and temporary documents [21] UMTS 21.01. Universal Mobile Telecommunications System (UMTS); Requirements for the UMTS Terrestrial Radio Access System (UTRA). Version 3.0.0. June 1997. [22] UMTS 22.01. Universal Mobile Telecommunications System (UMTS); Service aspects; service principles. Version 3.2.1. January 1998. [23] UMTS 22.07. Universal Mobile Telecommunications System (UMTS); Terminal and smartcard concepts. Version 3.0.0. March 1998. [24] UMTS 23.01. Universal Mobile Telecommunications System (UMTS); General UMTS Architecture. Version 0.6.0, April 1998. [25] UMTS 23.20. Universal Mobile Telecommunications System (UMTS); Evolution of the GSM platform towards UMTS. Version 0.5.6. May 1998.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 7 of 49

[26] UMTS 23.05. Universal Mobile Telecommunications System (UMTS); Network Principles. Version 0.10.0. September 1997. [27] UMTS 23.10. Universal Mobile Telecommunications System (UMTS); UMTS Access Stratum – Services and Functions. Version 0.6.0. April 1998. [28] UMTS 30.01. Universal Mobile Telecommunications System (UMTS); Baseline document – Positions on UMTS agreed by SMG. Version 3.0.0. June 1997 [29] UMTS 33.20. Universal Mobile Telecommunications System (UMTS); Security Principles. Version 0.6.1. July 1998.

2.3 ITU-T Recommendations [30] ITU-T Recommendation Q.1701 (previously known as Q.FIN). Framework for IMT-2000 Networks. Version 4.2. May 1998. [31] ITU-T Draft Recommendation Q.1711 (previoulsy known as Q.FNA). Network Functional Model for IMT-2000. Version 12.2. May 1998.

2.4 Informative References [32] Michel MOULY, Marie-Bernadette PAUTET. The GSM System for Mobile Communication. 1992. [33] UTRAN Architecture Description, Stage 2 version 0.0.4, Tdoc SMG2 UMTS-ARC 081/98, June 1998. [34] Logical architecture of Node B. Tdoc SMG2 UMTS-ARC 102/98, July 1998.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 8 of 49

3 Abbreviations

Abbreviations and acronyms are usually written in full at their first occurrence in the text and in titles. For abbreviations and acronyms for GSM we refer to [01.04], other abbreviations are listed below: AN Access Network ASCI Advanced Speech Call Items (GSM Phase 2+) BS Base Station (IMT-2000) BSSAP+ Base Station System Application Part + (GPRS) CLNS Connectionless Network Service (GPRS) CN Core Network (UMTS, IMT-2000) CONS Connection-Oriented Network Service (GPRS) CTS Cordless Telephone System eMLPP Enhanced Multi-Level Precedence and Pre-emption (ASCI) FP Fixed Part (CTS) FT Fixed Terminal (IMT-2000) GGSN Gateway GSN GSN GPRS Support Node GTP GPRS Tunnelling Protocol HN Home Network IE Infrastructure Equipment IFPEI International Fixed Part Equipment Identity (CTS) IMGI International Mobile Group Identity (GPRS) IP Internet Protocol (IP) MAP Mobile Application Part (GPRS) MExE Mobile Execution Environment (GSM Phase 2+) MT Mobile Termination (UMTS) / Mobile Terminal (IMT-2000) NNI Network-to-Network Interface (IMT-2000) PDN Packet Data Network (GPRS) PDP Packet Data Protocol (GPRS) PDU Protocol Data Unit (GPRS) PTM Point-to-Multipoint PTP Point-to-Point RAN Radio Access Network (IMT-2000) RNC Radio Network Controller (UMTS) RNS Radio Network System (UMTS) RP Remote Party PN Private Network SGSN Serving GSN SN Serving Network TCP Transmission Control Protocol (GPRS) TN Transit Network (UMTS) UE User Equipment (UMTS) UDP User Datagram Protocol (GPRS) UIM User Identity Module (IMT-2000) UMTS Universal Mobile Telecommunication Service USIM User Services Identity Module (UMTS) UTRAN UMTS Terrestrial Radio Access Network (UMTS) VBS Voice Broadcast Service (ASCI) VGCS Voice Group Call Service (ASCI)

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 9 of 49

4 Global System for Mobile Communication (GSM)

This chapter describes briefly the GSM network architecture. It is based on specifications GSM 03.02 [12] and the GSM book [32]. The reader is referred to [12] for references to the appropriate specifications on the different network entities and network interfaces.

4.1 Overall network architecture

An overall network architecture of GSM is presented in Figure 1. Circles indicate the roles with which GSM has its most important external interfaces: the user, the operator and external networks. The latter plays an important role since GSM is part of the global telecommunications system and often acts as an access network that allows its mobile subscribers to communicate with subscribers from other (fixed-line or mobile) telecommunications networks.

The subsystems of GSM are represented by rectangles, they are:

- Mobile Station (MS), - Base Station Subsystem (BSS), - Network and Switching Subsystem (NSS), - Operation Subsystem (OSS).

operator

OSS GSM External NSS BSS MS networks user

Figure 1: GSM – Network architecture

4.2 Mobile Station (MS)

The MS consists of the physical equipment used by a Public Land Mobile Network (PLMN) subscriber. It includes the Mobile Equipment (ME) and the Subscriber Identity Module (SIM) (see Figure 2).

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 10 of 49

Mobile Station SIM

Mobile Equipment Um-interface User TE TA MT to BSS

Figure 2: GSM – MS architecture a) Mobile Equipment (ME)

The ME consists of:

- Mobile Termination (MT), carrying out all functions related to transmission on the radio interface. That radio interface is called the Um-interface.

In addition, depending on the application and services, support various combinations of

- Terminal Equipment (TE), carrying out functions specific to the service, without any GSM-specific functions: e.g., a fax machine, a speech terminal. - Terminal Adapter (TA), acting as a gateway between MT and TE functional groups. b) Subscriber Identity Module (SIM)

The SIM is a smart card or a cut-out thereof, containing all subscriber-related information stored on the user’s side of the radio interface. Its functionality includes, among others, the provision of secure identifi- cation of the subscriber identity towards the network (challenge-response authentication) and key settle- ment for subsequent ciphering over the radio interface.

The interface between the SIM and the ME is fully standardized.

4.3 Base Station Subsystem (BSS)

The BSS groups the infrastructure that is specific to the radio cellular aspects of GSM (Figure 3). It acts as an intermediate between the NSS and the MS. Its boundaries are the A-interface (between NSS and BSS) and the radio interface called Um (between BSS and MS).

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 11 of 49

BSS

BTS Abis

Asub BTS BSC TRAU

Um-interface A-interface to MS to NSS BTS

Figure 3: GSM – BSS architecture

It consists out of the following elements:

- Base Transceiver Stations (BTS): comprise radio transmission and reception devices, up to and including antennas and all signal processing specific to the radio interface. A BTS provides for the radio resource in one GSM cell. - Base Station Controller (BSC): The BSC is in charge of all the radio interface management through the remote command of the BTS and the MS, mainly the allocation and release of radio channels and the handover management. A typical BSC can handle tens of BTSs, depending on their traffic capac- ity. - Transcoder/Rate Adapter Unit (TRAU): Although the specifications consider it part of the BTS, it is usually placed between the BSC and the NSS. The device converts the 64 kbit/s speech signal used in the NSS and in external networks to GSM full (13 kbit/s) or half (6.5 kbit/s) bitrate speech. Its re- mote position allows the advantage of more compressed transmission in the BSS.

4.4 Network and Switching Subsystem (NSS)

The NSS includes the main switching functions of GSM, as well as the databases needed for user authen- tication, terminal management and mobility management (Figure 4).

NSS HLR AuC EIR

C VLR F A-interface B to BSS Other E Networks MSC G-MSC

Figure 4: GSM – NSS architecture

The main elements are:

- Mobile services Switching Centre (MSC): The entity that performs all the switching functions for

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 12 of 49

mobile stations, as well as the co-ordination and the setting-up of calls to and from GSM users which are registered in the so-called MSC-area. An MSC typically controls a few BSCs. The visited-MSC is the MSC that controls the MSC-area in which the MS is registered. - Gateway-MSC (G-MSC): This is a sub-class of MSCs that have an external interface to another network such as a PSTN, an ISDN, a PSPDN, a CSPDN or another PLMN. Many of these intercon- nections require adaptations of the data stream, which are performed in units called Interworking Functions (IWFs). These IWF are integrated in the MSC. Currently, the G-MSC function is usually implemented in the same machines as the MSC function itself, i.e., every MSC has the ability to inter- connect to other networks. - Home Location Register (HLR): Subscriber information relevant to the provision of telecommuni- cations services is held on the infrastructure side in the HLR. Two kinds of information are stored: a) subscription information consisting of the International Mobile Subscriber Identity (IMSI), the Mobile Station International ISDN Number (MS-ISDN), service restrictions, supplementary services, … and b) location information enabling the routing of calls towards the visited MSC, when the HLR is interrogated by the G-MSC or another MSC about the location of a user in case of a mobile ter- minating call. - Visitors Location Register (VLR): A database usually integrated with the MSC that stores tempo- rarily subscription information and location information of those GSM users that are registered in the MSC-area controlled by the MSC or VLR-area consisting of several MSC-areas, where a VLR is shared by several MSCs. It has a (logical) G-interface to the HLR, not shown in the figure, to interro- gate the HLR. - Authentication Centre (AuC): The AuC stores the information that is necessary to authenticate the user’s identity and to protect the communication on the radio interface from eavesdropping and ma- nipulation. It contains the subscriber’s secret key as well as the possibly network operator proprietary authentication algorithms A3/A8 for response and cipher key generation which are also implemented on the SIM. - Equipment Identity Register (EIR): This optional entity managed by some network operators con- tains the International Mobile Equipment Identity (IMEI) and maintains a white, a grey and a black list of terminal equipment. It allows the operator to deny access to mobile equipment that has been re- ported stolen or malfunctioning.

4.5 Operation Subsystem (OSS)

GSM specifications are far less detailed on the OSS than on the interfaces in and between NSS, BSS and MS. Therefore the solutions are manufacturer specific and based on similar functionality for the operation of equipment for other networks.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 13 of 49

5 GSM Phase 2+ extensions

5.1 Advanced Speech Call Items (ASCI)

ASCI comprises the following three services:

- Enhanced Multi-Level Precedence and Pre-emption Service (eMLPP): GSM 02.67 [8] and GSM 03.67 [17]. - Voice Group Call Service (VGCS); GSM 02.68 [9] and GSM 03.68 [18]. - Voice Broadcast Service (VBS); GSM 02.69 [10] and GSM 03.69 [19]. These services originate from trunked radio systems and their integration into GSM Phase 2+ was initiated by the Union International des Chemins de fer (UIC).

The user of an ASCI service is understood to be as a GSM subscriber who uses a GSM-MS that is able to handle the ASCI services or a fixed network (ISDN) subscriber who is allowed to use the ASCI services as initiator or participant.

5.1.1 Enhanced Multi-Level Precedence and Pre-emption (eMLPP) service The eMLPP service is an enhancement for GSM networks of the ISDN MLPP service to meet the UIC requirements [8]. The service is applicable within one PLMN. In case of inter-PLMN calls a mapping function has to be established.

The eMLPP service specifies how to handle precedence levels for subscribers within a PLMN including the possibility of pre-emption of ongoing calls and how to handle the subscribers who do not subscribe to this service. eMLPP defines set-up classes which specify the set-up time and the pre-emption capability. eMLPP is applicable to tele- and bearer services. eMLPP service consists of two parts: precedence and pre-emption.

- Precedence involves assigning a priority level to a call in combination with fast call set-up. - Pre-emption involves the seizing of resources that are in use by a call of a lower precedence by higher-level precedence call. This can also involve the disconnection of an on-going call of lower precedence to accept an incoming call of higher precedence. eMLPP provides different levels of precedence for call set-up and for call continuity in case of handover. There are at maximum seven priority levels (see Table 1).

Table 1: ASCI – Priority levels A (highest) for network internal use B for network internal use 0 for subscription 1 for subscription 2 for subscription 3 for subscription 4 (lowest) for subscription

The two highest levels A and B are reserved for network internal use, e.g. for emergency calls or network related service configurations like voice group call services. They can only be used locally, i.e., within the domain of a MSC. The other five levels (0-4) are offered for subscription and can be applied globally if supported by all related network elements.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 14 of 49

Usually, the priority depends on the calling subscriber who can select the priority level at set-up. If the subscriber has no eMLPP subscription (or no MLPP subscription in case of a call from the fixed network) a default priority level is given.

The call set-up time is defined as the time from pressing the send-button to the point at which the called party, or at least one called party in the case of a multi-party call, can receive information. There are three classes of set-up time performances and examples of the call set-up times are:

Table 2 : ASCI –Set-up time according to priority class Class Description Set-up time 1 Fast set-up 1–2 s 2 Normal set-up < 5 s 3 Slow set-up < 10 s For precedence calls, the network shall have the possibility to pre-empt ongoing calls with lower priority, in ascending order of priority. Pre-emption is possible at call set-up or at handover.

Table 3: ASCI – Example on eMLPP service composition Priority level Set-up time Pre-emption Examples A class 1 Yes VBS/VGCS emergency application B class 2 Yes Operators calls 0 class 2 Yes TS 12 Emergency calls 1 class 3 Yes Premium rate calls 2 class 3 No Standard rate calls 3 class 3 No Default for no eMLPP subscription 4 class 3 No Low tariff calls

Note that a call with a high priority requiring a class 1 set-up may not require authentication at call set-up nor confidentiality on the radio link.

5.1.2 Voice Group Call Service (VGCS)

General

The VGCS allows speech conversation of a predefined group within a predefined area (the Group Call Area) [9]. The initiator of a group call may be a service subscriber or a user of a fixed network. The speaker may change during the ongoing call.

Applications for group call services typically involve multiple group members in a small service area.

The calling subscriber may be any service subscriber who has subscribed to the related group ID or any dispatcher who is entitled to it and registered by the network. Destination subscribers are all service sub- scribers which belong to a group identified by the group ID which have their present location in the serv- ice area and pre-registered dispatchers. Destination service subscribers shall be paged with the group ID, dispatchers shall be called individually with their identity.

It shall be possible for a service subscriber to activate or deactivate the group call reception for different group ID’s. The selection list is stored on the SIM corresponding the subscribed group ID’s.

Establishment of a voice group call

The group call shall be established in a service area that is comprised of one or a cluster of cells. Service areas shall be predefined at registration. In case of a service subscriber initiating a VGCS, the service area is uniquely identified by the actual cell in which the service subscriber resides at the moment of VGCS call initialisation and by the group ID they issue. A dispatcher initiating a VGCS call will be connected to a related predefined service area. Since a dispatcher may be registered to more than one service area and group ID an indication of the wanted service area and group ID has to be given in form of a dedicated address called by the dispatcher.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 15 of 49

A number of group calls may exist simultaneously intended for different groups of destination users in the same group call area.

Different levels of priority and pre-emption shall be applied to group calls, see eMLPP.

Ongoing call

The service shall permit only one talking service subscriber at any moment; additionally up to five dis- patchers can be talking simultaneously at one time. Dispatchers should hear all combinations of voices other than their own. Listening service subscribers shall hear the combination of all voices. The talking service subscriber shall gain some audible indication if any dispatchers are talking simultaneously.

Dispatchers shall be able to talk at any moment without any need to signal the wish to talk. They shall only be able to become talking subscribers if there is no other talking service subscriber. Service subscrib- ers who wish to talk shall indicate this. The right to be a talking service subscriber is allocated on a ‘first come first served’-basis without queuing. For an established group call the up-link assignment to a service subscriber who wishes to talk shall be performed in <300ms after a request to talk is made. The service subscriber wishing to talk shall be given an audible indication that he can speak.

Release of a group call

A group call shall be released on demand of the calling subscriber or by a dispatcher or by the network. It is acceptable that the release by the calling subscriber is only possible if the up-link is assigned to the calling subscriber. Automatic release of a group call after a selectable time of no voice activity by any service subscriber is required.

Acknowledgements

The calling subscriber shall be informed by the network with a suitable indication about the successful establishment of the group call so that he can start to speak. A successful establishment means that all group call downlink channels are allocated, whether somebody is listening or not, and the related dis- patchers are alerted. An acknowledgement of receipt of a group call can be required as a network option from all or from nominated destination subscribers (nomination is recorded on the SIM). The acknow- ledgement itself shall be performed after the group call is released, that means, the acknowledgement is not part of the group call.

Optional requirements

As a network option the mobile station of the talking service subscriber can be requested to send its IMSI to the network in order so that the talker’s IMSI be stored in the event records.

- Authentication of calling subscribers at VGCS invocation is optional. - Authentication of the talking service subscriber is optional. - Confidentiality on the radio path for the talker is optional.

5.1.3 Voice Broadcast Service (VBS) The VBS allows to set-up a point to multi-point connection for the distribution of speech [10]. The call is initiated by a service subscriber or a fixed destination (dispatcher) into a predefined geographical area (Broadcast Area or service area) to a predefined group of service subscribers located in this area and ad- ditionally up to eight (including the initiator) fixed destinations.

Definitions

The calling subscriber may be any service subscriber which has subscribed to the related group ID and is entitled to establish a broadcast call by his subscription or any dispatcher who is entitled for it and regis- tered in the network.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 16 of 49

The destination subscriber may be any service subscriber which has subscribed to the related group ad- dress or any dispatcher who is entitled for it and registered in the network.

Destination subscribers are all service subscribers or a group of service subscribers identified by the called group ID which have their present location in the broadcast area, and pre-registered dispatchers. Destina- tion service subscribers shall be paged with the group ID. Dispatchers shall be called individually with their identity.

The broadcast call shall be established in a broadcast area that is comprised of one or a cluster of cells. Broadcast areas shall be predefined at registration.

It shall be possible for a service subscriber to activate or deactivate the broadcast reception for different group ID’s. The selection list is stored on the SIM corresponding to the subscribed group ID’s.

Establishment of a voice broadcast call

In case of a service subscriber initiating a VBS call, the broadcast area is uniquely identified by the actual cell in which the service subscriber resides at the moment of VBS call initialisation and by the called group ID. A dispatcher initiating a VBS call will be connected to a related predefined broadcast area. Since a dispatcher may be registered to more than one broadcast area and group ID an indication of the wanted broadcast area and group ID has to be given in form of a dedicated address called by the dis- patcher.

Different levels of priority and pre-emption shall be applied to group calls, see eMLPP.

Ongoing call

A number of broadcast calls may exist simultaneously intended for different groups of destination sub- scribers in the same broadcast area. Parallel broadcast calls are possible to the same group of destination subscribers in different broadcast areas.

Release of a broadcast call

Service subscribers who leave the broadcast area during an on going VBS call cease to be destination sub- scribers. Service subscribers which enter the broadcast area during an on going VBS call shall become destination subscribers within 500ms after reception of the first paging message related to the VBS call.

The calling subscriber shall remain within the broadcast call until he terminates the call, loses contact with the network or leaves the broadcast area.

Acknowledgements

The calling subscriber shall be informed by the network with a suitable indication about the successful establishment of the broadcast call so that he can start to speak. A successful establishment means that all broadcast downlink channels are allocated, whether somebody is listening or not, and the related dispatch- ers are alerted.

An acknowledgement of receipt of a broadcast call can be required as a network option from all or from nominated destination subscribers (the nomination is recorded on the SIM). The acknowledgement itself shall be performed after the broadcast call is released, that means, the acknowledgement is not part of the broadcast call.

Optional requirements

- Authentication of the destination subscribers is not required. - Authentication of the calling subscriber is optional. - Confidentiality on the radio path is optional.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 17 of 49

5.2 High Speed Circuit Switched Data (HSCSD)

With HSCSD higher transmission rates than the current 9.6 kbit/s can be achieved, see GSM 02.34 [5]. The GSM HSCSD feature is capable of supporting up to 64 kbit/s user rate. This is achieved by two mechanisms:

- Channel combining: Combining up to 8 channels within the same call. - Channel coding: A-channel coding of 14.4 kbit/s instead of 9.6 kbit/s is introduced. HSCSD is a circuit switched service targeted at applications which require higher bandwidth and continu- ous data streams, making it an ideal solution for applications which require a constant delay (e.g. video). It is only applicable for Point to Point communication. For bursty and bulky data transmission the General Packet Radio Service (GPRS) was designed. The following figure shows the different target applications of these services. Covered Applications

Video Group Communication Conferencing Group Cooperation / CSCW

bi-directional Group Call Point to Multipoint Video Multicast Broadcast Broadcast unidirectional Traffic Telematics Internet Surfing Video Phone Dialog Messaging interactive Route Guidance

bi-directional Multimedia 2-way-Paging COMMUNICATION SERVICE Fleet Management Point of Sale Point to Multimedia Database Access Point Video File Transfer Mobile Office Paging

unidirectional FAX e- mail Telemetry continuously bursty GPRS TYPE OF DATA TRANSMISSION HSCSD

Figure 5: GSM 2+ Data services and their applications

HSCSD Characteristics are:

- Channel combining: On the air interface Um up to eight time slots can be combined. These are coded with 14.8 kbit/s. On the Abis-interface n × 16 bit channels can be combined. On the A-interface, there is a maximum of one circuit of 64 kbit/s available, which is thus an overall limitation of capacity. - Efficient and flexible use of higher bandwidth possible (due to the introduction of the General Bearer Service). - Basis for new services and applications (new real time higher bandwidth data service can be offered). - Supporting transparent and non-transparent transmission mode. - Data compression in non-transparent case (in order to increase further the available bandwidth and at the same time reducing the radio resource consumption). - Supplementary services available. Authentication and ciphering are applicable to HSCSD calls with no or minimal reduction in the security of the air interface.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 18 of 49

HSCSD / 14.4 kbps /Channel Combining system impacts

n full rate channels or 1 circuit, PSTN n time slots per TRX n 16 kbit channel maximum 64 kbit/s

ISDN HLR

MSC Internet MT BTS BSC IWF Intranet

Um Abis A

PSPDN

new frame coding & channel combining PLMN

Figure 6: HSCSD – System impact

5.3 Cordless Telephone System (CTS)

5.3.1 Introduction Today, there exists a clear distinction between the public mobile telephone systems for wide area coverage on the one hand, and private cordless telephone systems for local area coverage on the other hand. Re- cently, attempts have been made to integrate the wide area cellular and the local area cordless function into one ME. However, because of the incompatibility between the existing cellular and cordless stan- dards, this results in ME implementations with rather low cost-efficiency.

The intention of the GSM CTS is therefore to provide cordless functionality to a standard GSM MS with minimum impact on the MS.

In a first phase, CTS aims primarily at an application supporting the speech tele-service (including Dual Tone Multiple Frequency (DTMF) support) in a residential single cell environment. The focus is on the requirements necessary to elaborate the radio interface and the security aspects for such an application.

Later phases may include other services and functions.

References

This section is largely based on Stage 1 description GSM 02.56 [6] and GSM 03.20 [13] Annex A. In addition GSM 03.56 [15] may become relevant.

5.3.2 System Overview The GSM CTS is a radio communications system based on a GSM-compatible cellular interface between a private radio base station called CTS Fixed Part (CTS-FP) and a CTS Mobile Station (CTS-MS). The CTS-FP is connected via a wire-line to the PSTN/ISDN network. From the fixed network point of view, the CTS-FP behaves as a normal telephone terminal. There is no direct radio communication between the CTS-FP and a cellular network or between different CTS-FPs. However, this does not preclude indirect communication, e.g. via the fixed network or via the MS.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 19 of 49

GSM PLMN

GSM CTS

GSM BTS CTS Fixed Part

Figure 7: CTS – System Overview

An illustration of the CTS concept is shown in Figure 7. Due to the low transmit power of the CTS-FP, the coverage area is restricted and limited. When the CTS-MS comes in range of the CTS-FP, it may register to the CTS. From then on the user can make and accept calls directly via the PSTN without the interven- tion of the public cellular network. When registered, the MS checks whether it is still in range of the CTS and whether it is paged. As an option, the MS may simultaneously work in both the cellular and the cord- less mode, in a so-called parallel mode, i.e., be registered both in the GSM-PLMN and the CTS. When the MS comes out of range of the CTS-FP it may switch to the cellular mode. This switch shall be indicated to the user.

The radio interface between the CTS-FP and the CTS-MS is a modified GSM interface. The carrier fre- quencies used are the same as assigned for the cellular service. These carrier frequencies can be reserved by the operator for GSM-CTS usage, or can be shared with the cellular system. In every case, however, the GSM operator controls, on an area and time basis, on which frequencies the CTS is allowed to oper- ate. In case of coexistence in the same operating area, a procedure shall be deployed to minimise interfer- ence between GSM-PLMN and CTS users.

Since the MS uses the same frequency spectrum both for the cellular mode and the cordless mode, the ME hardware can be re-used. The intention is that hardware modifications in the radio transceiver of a stan- dard GSM ME should not be necessary.

The PLMN operator can administer all CTS-FPs and the corresponding CTS-MSs from the cellular net- work. When the CTS is initialised, the required operation parameters are downloaded into the CTS. This can either be done via the fixed network or via the GSM radio interface.

5.3.3 Service aspects In the first phase of CTS, an application for residential environment serving one cell is intended. The services and features to be supported relate to this assumption.

The user of the CTS shall be required to perform a simple installation process in order to initialise the CTS operation. Once initialised, CTS operation shall not require any specific action of the user to main- tain the operation as long as the CTS-FP is not de-activated.

To have service granted by the CTS-FP, a CTS-MS shall register, i.e., attach at the CTS-FP. In order to register, a CTS-MS has to be initialised with the CTS-FP, the user has to bring the CTS-MS in range of the CTS-FP and the appropriate operation mode has to be selected.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 20 of 49

The user of the GSM-CTS service shall have a subscription, which includes this particular service, with a GSM operator. The use of a ‘CTS only’ subscription is not precluded. Corresponding information shall however always be stored in the SIM. Each CTS user must have a CTS subscription.

In order to be able to use the CTS service on the fixed network, a subscription to the fixed network is also required. The fixed network and CTS subscriptions are normally not dependent on each other. How- ever, at CTS-FP initialisation the CTS-FP obtains operation data specific to the GSM operator, the user of the CTS service has subscribed to, thus the CTS-FP operation is tied to a specific GSM operator.

The CTS-FP is normally not subscribed to, it is the users’ property. After the CTS service subscription to one operator is cancelled, it shall be possible to use the same CTS-FP for a CTS service subscription to another operator.

If the CTS subscription is withdrawn, the user looses the right to use a GSM operator’s frequency spec- trum for CTS usage and CTS operation is not allowed for that subscription. As the CTS service is not ob- tained directly from the GSM network like other GSM services (e.g. SMS), means of subscription control have to be defined.

The withdrawal of the CTS subscription does not necessarily include the de-activation of the CTS-FP, as several CTS-MSs may be initialised with a CTS-FP.

The concept should allow CTS operation during all GSM coverage scenarios, e.g. the following:

- area with no GSM coverage; - area with GSM coverage of the HPLMN operator; - area with no HPLMN coverage, but coverage of other PLMN operator(s). a) Registration of the same CTS-MS with multiple CTS-FPs A CTS-MS shall be able to register to all CTS-FPs it is initialised with however it may only be regis- tered with only one CTS-FP at a time. b) Registration of multiple CTS-MSs with the same CTS-FP Initialisation and parallel registration of multiple MS on a single CTS-FP shall be possible. However, the CTS-FP controls which MSs are allowed to be initialised and registered. A minimum number of eight CTS-MSs shall be possible to register with the same CTS-FP. c) Tele-services The first phase of CTS shall support the speech tele-service on the CTS radio interface. Emergency calls shall be supported for registered MSs only. The quality of the speech tele-service shall be at least equal to existing GSM speech qualities. d) Supplementary services In order to enable support of supplementary services in the fixed network, DTMF handling on the CTS Radio Interface, during CTS calls, shall be handled in the same way as in GSM. The CTS-FP shall generate the corresponding tones and messages for the fixed network.

Since some fixed networks make use of hook-flash signalling, it shall be possible for the user to send a hook-flash request to the CTS-FP, which shall then perform the hook-flash signalling on the line interface.

As an option (both in the CTS-MS and CTS-FP) the user should be able to have the Calling Line identity and/or Calling Name information presented, provided this information is made available to the CTS-FP.

In the case when more than one CTS-MS are registered to a CTS-FP, internal calls (without billing) be- tween the MSs at this CTS-FP should be possible, as an option (both in the CTS-MS and CTS-FP).

As an option (both in the CTS-MS and CTS-FP) the user should be able to internally transfer a fixed net- work call from one CTS-MS to another if both CTS-MSs are registered to the same CTS-FP.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 21 of 49

As an option (both in the CTS-MS and CTS-FP) the user should be able to put a fixed network call on internal hold, i.e., to release the call on the CTS Radio Interface but keep it active on the fixed network interface. If this option is supported, it shall also be possible to retrieve the call.

As an option, it should be possible to trigger a general procedure that makes all the registered MSs ring on a special way and therefore allows the user to locate them.

As an option (both in the CTS-MS and CTS-FP) the user should be able to have a Mobile Terminated Short Message presented, provided this message is made available to the CTS-FP.

5.3.4 Security Aspects a) Security requirements

The main requirements are (for the complete list, see [6] §3.4):

Initialisation:

- Initialisation of the MS to the FP shall include authentication of the SIM by the PLMN in accordance with the requirements for subscriber identity authentication defined in clause 3 of GSM 02.09 [3]. - Initialisation of the MS to the FP shall include mutual authentication between the CTS-FP and the CTS-MS. - The mutual authentication of MS and FP shall use a CTS specific secret key.

Registration:

- Registration of the MS to the FP shall include mutual authentication between the CTS-FP and the CTS-MS. - The mutual authentication of MS and FP shall use a CTS specific secret key. This key shall not be a key input to the MS via the MS MMI, but shall be a key installed/derived during the initialisation of the MS to the FP. - It shall not be possible for an MS that has not been initialised to a FP to register to that FP.

Protection of communications:

- Local CTS communication (both signalling and user data) shall be protected against unauthorised eavesdropping. - This protection need not be as secure as for the GSM air interface, but it shall employ cryptographic methods and a CTS specific encryption key. - A CTS mobile subscriber shall be identified on the CTS radio path by a local temporary, number, similar to, but not, the TMSI. - Communication across the fixed network of data required for CTS operation shall be protected against unauthorised eavesdropping.

De-activation:

- It shall be possible, within the operator defined time, for the GSM operator to de-activate the CTS service of its subscribers (i.e., de-activate the MS). - It shall be possible, within the operator defined time, for the GSM operator to de-activate a CTS-FP with respect to the use of the operator’s frequencies by that CTS-FP. b) Security related network functions

The CTS security system can be derived as a set of two subsystems, the CTS local security system and the CTS supervising security system.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 22 of 49

The local security system deals with aspects of CTS-MS/CTS-FP pairs. It is related to security aspects of the CTS user. The different CTS local security services, functions and procedures are grouped as follows:

- Subscriber identity confidentiality; - Identity authentication (including the subscriber identity - and the FP identity authentication); - Confidentiality of user and signalling information between CTS-MS and CTS-FP; - Initialisation of a CTS-MS and CTS-FP pair. The supervising security system deals with aspects of PLMN security. It is related to security aspects of the PLMN operator. The different CTS supervising security services, functions and procedures are grouped as follow:

- Subscriber identity confidentiality; - Identity authentication with the PLMN; - Secure operation control; - Subscription Control; - Equipment checking (IMEI, IFPEI). The general mutual authentication procedure is shown in Figure 8:

CTS-MS sharing CTS-FP sharing the the knowledge of knowledge of the the Ka with the Ka with the CTS- CTS Radio Interface CTS-FP MS

Ka CH2 CH1 Ka CH1

CH2

SRES1 XSRES1 B3 = B3

XSRES2 SRES2 B4 = B4 Ka Ka

Yes/No Yes/No

Figure 8: CTS – Mutual authentication procedure

The embedding of the mutual authentication procedure into the initialisation procedure (using the CTS radio interface) is shown in Figure 9. Finally, Figure 10 shows how the local security part of the initialisa- tion using the GSM radio interface is embedded in the CTS supervising security system:

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 23 of 49

CTS-MS CTS Radio Interface CTS-FP

Enter init. Enter init state and state enter CTS-PIN

Derive FPAC from the CTS-PIN

Establish initial connection on the CTS radio interface OK OK

RIMS

RIFP

Compute Compute KINIT =B2(FPAC, RIMS, RIFP) KINIT =B2(FPAC, RIMS, RIFP)

Mutual CTS-MS/CTS-FP authentication using KINIT OK OK

Compute Compute Kcx = B1(KINIT, CH1) and Kcx = B1(KINIT, CH1) and and switch to encryption switch to encryption

ciphered connection

Rk2

Compute Kax =B2(Ki*, RK1, RK2)

Kax, CTS-IMSI, IMEI, RK1

Check if CTS-IMSI is not yet initialised o.k.

Determine CTS-TMSIx IFPEI, CTS-TMSIx

Store on CTS-SIM: Store non volatile: Kax, CTS-TMSIx, IFPEI Kax, CTS-IMSI, CTS-TMSIx, IMEI, RK1, RK2,

Finish initialisation (non security related parts of the procedure)

Figure 9: CTS – Initialisation procedure

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 24 of 49

CTS-SN GSM radio interface CTS-MS CTS Radio Interface CTS-FP

token (operation data)

store token

Local security part of the initialisation ok ok

token (operation data)

Check if token is valid

Figure 10: CTS – Embedding of local security system in supervising security system

5.4 Support for service differentiation and virtual home network

The VHE concept will ensure a uniform appearance, or presentation, of services, features and tools to a service user, or subscriber, in an identical manner independent of serving network or location. Together with a flexible service creation environment, is will enable faster deployment of new services, and service differentiation. VHE capability will be supported from both UMTS and GSM access, subject to the rele- vant limitations of the GSM/GPRS core networks. The provision of a VHE is triggered by the introduction of secure standardized execution environments in the USIM, the ME and the core network. These capa- bilities in UMTS will develop from the GSM Phase 2+ work items SIM Application Toolkit, MExE and CAMEL.

5.4.1 SIM Application Toolkit The SIM Application Toolkit provides mechanisms that allow applications, existing in the SIM, to interact and operate with any ME which supports the specific mechanisms required by the application. Those mechanisms are:

- Profile downloading: a mechanism that allows the ME to tell the SIM what its capabilities are. It is activated when the SIM is initialised in the ME. - Initiate actions by the SIM: display text from the SIM on the ME display, sending of a SMS, set up calls to numbers held in the SIM, etc. - Data download to the SIM - Adaptation of menus on the ME display according to the SIM application in use. - Call control by the SIM, i.e., intercept calls made from the mobile, and block or change the number dialled. - Security functionality (requirements still have to be defined).

5.4.2 Mobile Execution Environment (MExE) MExE provides environmental support for operator-defined services in the MS, with the emphasis on functions in the ME. MExE is still being defined, but it is likely to include standards for:

- A Java execution environment on the MS and mechanisms for downloading Java and other applica- tions;

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 25 of 49

- Control of MMI aspects of the MS in real-time from the network to allow user-friendly control of applications in the network and applications distributed between the MS and the network; - Mobile station clients for common applications such as address books.

5.4.3 Customised Applications for Mobile network Enhanced Logic (CAMEL) The CAMEL network feature enables the use of operator specific services (OSSs) by a subscriber even when roaming outside the Home PLMN (GSM 02.78 [11]). At a service event, the Visited or Interrogat- ing PLMN may suspend the process and make contact with a CAMEL Service Environment (CSE), a new network entity part of the GSM Phase 2+ NSS, to ask instructions or to send a notification. CAMEL is a way to provide GSM Phase 2+ service differentiation and is based on the Intelligent Network (IN) ap- proach that relies on triggers within the supporting network infrastructure to suspend call processing and communicate with a remote computing platform before proceeding to handle the service functions.

Architecture The functional architecture needed for CAMEL support is shown in Figure 11. The two new functional elements are: - GSM Service Control Function (gsmSCF): A functional entity, part of the Home PLMN, which contains the CAMEL service logic to implement OSSs. It is the functional entity contained in the CSE. It interfaces with the gsmSSFs of a G-MSC of an Interrogating PLMN and of a MSC of a Vis- ited PLMN. - GSM Service Switching Function (gsmSSF): A functional entity that interfaces the MSC/G-MSC of Visited or Interrogating PLMN to the gsmSCF of the Home PLMN. The concept is derived from the IN SSF.

Home HLR gsmSCF Network MAP

CAP MAP CAP MAP

gsmSSF VLR gsmSSF

Incoming line G-MSC Roaming leg MSC MS

Interrogating Forwarded leg MO call – Outgoing leg Visited Network (or Forwarding leg) Network

Figure 11: CAMEL – Functional Architecture (GSM 03.78) The functionality of the other functional entities is as follows: - HLR in Home PLMN: stores the Originating/Terminating-Camel Subscriber Information (O/T-CSI) for subscribers requiring CAMEL support. The O-CSI is sent to the serving VLR in case of location update or if the O-CSI is updated. The O/T-CSI is sent to the G-MSC of the Interrogating PLMN in response to a request from there for routing information. - G-MSC in Interrogating PLMN: when incoming calls for subscribers requiring CAMEL support are processed, the G-MSC receives the O/T-CSI from the HLR, indicating it to request instructions from the gsmSSF. The G-MSC then monitors the call states and informs the gsmSSF enabling it to control the execution of the call in the G-MSC.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 26 of 49

- MSC in Visited PLMN: when mobile originated calls requiring CAMEL support are processed, the MSC receives the O-CSI from the VLR, indicating it to request instructions from the gsmSSF. The MSC then monitors the call states and informs the gsmSSF enabling it to control the execution of the call in the MSC. - VLR in Visited PLMN: stores the O-CSI as part of the subscriber data for subscribers roaming in the VLR area.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 27 of 49

6 General Packet Radio Service (GPRS)

6.1 GPRS architecture

GPRS is a data service providing a high-speed packet radio access for GSM MSs and a packet switched routing functionality in GSM infrastructure. GPRS network architecture is built on top of the existing GSM network infrastructure as shown in Figure 12. SMS-GMSC SMS-IWMSC SM-SC

E C Gd

MSC/VLR HLR D Gs A Gc Gr Gb Gi TE MT BSS SGSN GGSN PDN TE Gn R Um Gn Gf Gp EIR

SGSN GGSN

Other PLMN

Signalling Interface Signalling and Data Transfer Interface

Figure 12: GPRS – Network architecture [03.60, Fig. 2] a) GPRS Support Nodes

A GPRS Support Node (GSN) contains the functionality required to support GPRS. In a PLMN, there may be more than one GSN. Two types of GSN exist:

- Gateway GPRS Support Node (GGSN): is the node that is accessed by a PDN (via the Gi reference point) due to evaluation of the PDP address. It contains routing information for attached GPRS users. The routing information is used to tunnel PDUs to the MS’s current point of attachment (the SGSN). The GGSN may request location information from the HLR via the Gc interface.

- Serving GPRS Support Node (SGSN): is the node that is serving the MS (i.e., the Gb interface to the GSM BSS is supported by the SGSN). At GPRS attach, the SGSN establishes a mobility man- agement context containing information pertaining to e.g., mobility and security for the MS. At PDP Context Activation, the SGSN establishes a PDP context, to be used for routing purposes, with the GGSN that the GPRS subscriber will be using. The SGSN and GGSN functionality may be combined in the same physical node, or they may reside in different physical nodes. SGSN and GGSN contain IP routing functionality, and they may be intercon- nected with IP routers. When SGSN and GGSN are in different PLMNs, they are interconnected via the Gp interface. The Gp interface provides the functionality of the Gn interface, and additional security func- tionality required for inter-PLMN communication. The security functionality is based on mutual agree- ments between operators.

The SGSN may send location information to the MSC/VLR via the optional Gs interface. The SGSN may receive paging requests from the MSC/VLR via the Gs interface.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 28 of 49 b) Databases

MSC and VLR are not needed for routing of GPRS data, however they are used and needed for the co- operation between GPRS nodes and MSC nodes. The mobility management data that is in the case of a circuit-switched call stored in the MSC/VLR is now stored in the SGSN.

In addition, the following entities are reused:

- The HLR contains the GPRS subscription and routing information. - The AuC takes care of the generation of authentication as well as ciphering parameters - The EIR is used for authentication of the mobile equipment

6.3 Protocols a) Transmission Plane

Figure 13 shows the protocol stack in the transmission plane between MS and BSS, BSS and SGSN and SGSN and GGSN.

Application IP / X.25 IP / X.25 Relay SNDCP SNDCP GTP GTP

LLC LLC UDP / UDP / Relay TCP TCP RLC RLC BSSGP BSSGP IP IP MAC MAC Network Network L2 L2 Service Service GSM RF GSM RF L1bis L1bis L1 L1 Um Gb Gn Gi MS BSS SGSN GGSN Figure 13: GPRS – Protocol stack in transmission plane [03.60, Fig. 4]

- The Internet Protocol (IP) based backbone network is used for transfer if data and signalling mas- sages between support nodes - Either the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP) will be used with IP - The GPRS Tunnelling Protocol (GTP) will be used on top of TCP or UDP - The protocol architecture between BSS and SGSN is based on the network service that follows the Frame Relay specifications, and a BSS GPRS protocol (BSS-GP) is used on top of the Frame Relay to provide the message formats and procedures for transfer of data and paging messages and mecha- nisms for management of the link a) Signalling plane

Figure 14 shows the protocol stack in the signalling plane between MS and BSS, between BSS and SGSN, between GSN and GSN, and between SGSN and HLR.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 29 of 49

GMM/SMSGSN GMM/SM GTP MAP MAP GTP TCAP TCAP LLC LLC UDP UDP SCCP SCCP

Relay RLC RLC BSSGP BSSGP IP IP MTP3 MTP3 MAC MAC Network Network L2 L2 MTP2 MTP2 Service Service GSM RF GSM RF L1bis L1bis L1 L1 L1 L1

MS Um BSS Gb (S)GSN Gn (S)GSN Gr HLR

Figure 14: GPRS – Protocol stack in signalling plane [03.60, Figs. 5, 6 and 9]

- MS-SGSN: GPRS Mobility Management and Session Management (GMM/SM) - SGSN-HLR: Mobile Application Part (MAP) - SGSN-MSC/VLR: Base Station System Application Part + (BSSAP+) - SGSN-EIR: Mobile Application Part (MAP) - SGSN-SMS-GMSC or SMS-IWMSC: Mobile Application Part (MAP) - GSN-GSN: GPRS Tunnelling Protocol (GTP), User Datagram Protocol (UDP) - GTP and MAP-based GGSN-HLR

6.4 GPRS Services

Two different GPRS services are defined, Point-to-Point (PTP) and Point-to-Multipoint (PTM)

Possible PTP services: (between two users)

- Internet (WWW) - Messaging (user-to-user) - Real-time conversational (bi-directional communication) - Tele-action services (low data volume) Possible PTM services: (user to multiple users with a single request)

- Distribution services (news, weather, …) - Dispatching services (Taxi and public utility) - Conferencing services (Real-time information Transfer between multiple users) a) Point-to-Point (PTP) Services

- PTP Connectionless Network Service (PTP-CLNS): One or more Single Packets are sent from a sin- gle user to a single user. Each packet is independent of the preceding and succeeding packets. Uses IP Internet Protocol) - PTP Connection Oriented network Service (PTP-CONS): Multiple packets are sent between a single user and a single user that is intended to support transactional or interactive applications. Uses the Connection Oriented Network Protocol (CONP) i.e., (X.25 protocol for data terminal equipment) b) Point-to-Multipoint (PTM) Services

PTM-Multicast (PTM-M)

- Messages are transmitted throughout the geographical area(s) as defined by service requester - No knowledge of the receiver group present within the given area at any point in time is required

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 30 of 49

- Message reception is anonymous - Message scheduling available - PTM-M service does not provide ciphering - Unidirectional messaging only

PTM-Group Call (PTM-G)

- Messages are transmitted to a specified geographical area defined by the sender - Messages are addressed to a specified group - Anonymous reception - Knowledge of present participants within the geographical area - Real-time messaging delivery - May be unidirectional, bi-directional or multi-directional - Messages are transmitted or received only by group members which have explicitly joined the call by registering with the network - Data ciphering is performed prior to transmission

IP Multicast (IP-M)

- Messages are transmitted between participants of an IP-M group - IP-M group can be internal to the PLMN or distributed across the Internet - Uses IP c) Identification of subscriber groups in PTM

- A PTM group is identified by the International Mobile Group Identity (IMGI) which shall support two levels of ID, Service Provider Level, and Application Level - It shall be possible to store the IMGI on the SIM and as an option to the ME - The service requester shall be able to route PTM messages to a subset of GPRS subscribers - Adequate protection of the storage on the SIM and for transmission is required - Storage of 50+ IMGIs and the capability to securely modify the IMGI via the SIM-Toolkit is required - The IMSI shall be used for authentication of the individual subscriber

6.5 Mobility Management

The Mobility Management (MM) activities related to a GPRS subscriber are characterised by one of three different MM states (GSM 03.60 [16], subclause 6.1): a) IDLE The subscriber is not attached to the GPRS MM, the GPRS MS is seen as not reachable but can re- ceive PTM-M transmissions. In order to establish a MM context and maybe PDP context, the MS has to successfully perform an attach procedure and change to STANDBY or READY state. b) STANDBY The subscriber is now attached to the MM, which means that the SGSN maintains location infor- mation on the MS, i.e., it keeps track of the Routing Area (RA) in which the MS roams. A RA is the SGSN counterpart for the Location Area (LA) used in the MSC/VLR. However, a RA is smaller (a LA contains one or more RA) and therefore a SGSN keeps track of the location more accurately than a MSC does.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 31 of 49

The MS can receive PTM-M messages like before. In addition, he is now reachable for PTP or PTM-G messages upon reception of which, or on the MS’s own initiative, a PDP context will be established between MS and SGSN, i.e., they change to the READY state. c) READY In the READY state MS and SGSN have established a PDP context. The MS is able to send and receive PTP messages, as well as receive PTM-G and PTM-M messages. To achieve that, MS and SGSN have established a MM context as well, such that the SGSN keeps track of the position of the mobile on cell level. On its own initiative or on the initiative of the SGSN, the MS can change to the IDLE state when it performs a DETACH procedure. At the SGSN the READY state is addi- tionally supervised by a timer, that initiates a transition to the STANDBY state after a certain pe- riod of time.

6.6 GPRS Security Services

To protect the GPRS system from misuse of their resources and eavesdropping of information being ex- changed on the radio path (GSM 02.60 [7], subclause 5.4.3), the following security services are provided:

- Subscriber identity authentication: the confirmation of the land-based part of the system that the subscriber identity transferred by the MS is the one claimed (GSM 03.20 [13], Annex D.3). The GPRS subscriber authentication protocol is identical to the GSM subscriber authentication protocol ([13], clause 3). - Access control: the network can restrict access to different GPRS subscribers either by location, screening lists, etc. - Subscriber identity confidentiality: the property that the user identity is not normally made avail- able. The means used to identify a mobile subscriber on the radio path consists of a Temporary Logi- cal Link Identity (TLLI) and a Routing Area Identity [RAI] ([13], Annex D.2), analogously to the Temporary Mobile Subscriber Identity [TMSI] and Location Area Identity [LAI] used in the MSC/VLR ([13], clause 2). The protocol used is further identical, which means that normally the IMSI is not transmitted, but in case that the SGSN cannot retrieve the connection between the TLLI and the IMSI (for instance in case a GPRS subscriber enters a new SGSN-area and the old SGSN is not reachable) the SGSN asks the MS to send the IMSI in clear text. - User information and signalling confidentiality: the property that user information is not made available to intruders eavesdropping on the radio interface. Additionally, GPRS attach shall only be possible by entry of the current GSM PIN if this option is active ([7], subclause 5.4.3). Additionally, GPRS services can be offered to a subscriber using a password to control access to the services, if he desires so. For that purpose, the existing GSM security mechanisms for supplementary services GSM 02.04 [2] and GSM 02.30 [4] will be used if possible.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 32 of 49

7 Universal Mobile Telecommunication System (UMTS)

7.1 Phased concept

UMTS is the third generation mobile telecommunication system currently being standardized by ETSI SMG in close co-operation with the GSM MoU and the UMTS Forum. The main principles are stated in UMTS 30.01 [28]. The introduction and evolution of UMTS is planned to occur as follows:

- UMTS Phase 0: implementation of UMTS services in an evolved GSM network (using the GSM Phase 2+ BSS). It is not clear what these services might be. - UMTS Phase 1: introduction of the UMTS radio access network, interworking with an evolved GSM Phase 2+ NSS. The GSM Core Network used for UMTS Phase 1 might be an extension of GSM Re- lease 99. The commercial launch is planned for 2002. - From 2002 on, UMTS will evolve in annual releases. All documents on the UMTS architecture are therefore applicable on UMTS Phase 1 and onwards.

7.2 Domain-strata model

The general UMTS architecture is defined along the domain-strata model described in UMTS 23.01 [24].

A domain is a grouping of physical nodes. Reference points are defined between domains. The interfaces at these boundaries should be appropriately standardized as to allow interoperability between equipment from different suppliers. The different domains and reference points are described in 7.2.1.

A stratum is defined as the grouping of protocols related to one aspect of the services and is typically provided by some functionality in one or several domains. In less recent documents like UMTS 23.05 [26] the term “plane” is used instead of “stratum”.

7.2.1 UMTS network domains In [24] the UMTS domains and reference points are described (see Figure 15).

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 33 of 49

TE HN Terminal Home Equipment Network Domain Domain

[Zu]

USIM MT AN SN TN

Cu Uu Iu [Yu]

Mobile Serving Transit Termination Network Network Domain Domain Domain

USIM Mobile Access Core Network Domain Domain Equipment Network Domain Domain

User Equipment Domain Infrastructure Equipment Domain

Figure 15: UMTS – Network architecture (based on UMTS 23.01)

The following reference points are identified:

Cu Reference point between USIM and ME Uu Reference point between UE and the IE Iu Reference point between AN and SN [Yu] Reference point between SN and TN [Zu] Reference point between SN and HN Note: It is not explained in the document why Yu and Zu are between square brackets. A basic architectural split is between the User Equipment (UE) domain and the Infrastructure Equip- ment (IE) domain. This first split differentiates between UE that is typically within the premises of end users and the IE typically operated for the benefit of a number of users. In an implementation offering mobility, the boundary between the two domains is the main place where mobility is offered to users.

I. User Equipment (UE) domain

UE is the equipment used by the user to access UMTS services. This domain encompasses a variety of equipment types (mobile, fixed, etc.) with different levels of functionality and may be compatible with one or more existing access interfaces, e.g. dual-mode UMTS-GSM UE.

The UE includes Mobile Equipment (ME) and one or more User Services Identity Modules (USIMs); the UE domain is accordingly subdivided into the ME Domain and the USIM Domain. The reference point between the ME and the USIM is termed the “Cu” reference point.

- USIM domain: contains functionality used for accessing UMTS services of a certain home network. The USIM is an application that may reside on a removable smart card that may contain other appli- cations. It may also be irremovable from the mobile equipment.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 34 of 49

Mobile Equipment (ME) domain

The ME performs both the radio transmission functionality at the user’s side and contains end-to-end ap- plications. Therefore the ME domain is subdivided in two sub-domains that concentrate on each of these functions:

- Terminal Equipment (TE) domain: contains functionality related to the end-to-end applications (e.g., microphone, speaker, and screen of a laptop). - Mobile Termination (MT) domain: contains functionality related to radio transmission.

II. Infrastructure Equipment (IE) domain

The Uu reference point between UE and IE will be realised by a particular access interface. UMTS might provide more than one access interface, however, only a single terrestrial radio interface will be standard- ized and developed: the UMTS Terrestrial Radio Access (UTRA) interface. Other access interfaces might be standardized or agreed upon later, e.g., to provide for access via satellites or via fixed network wires.

The IE domain consists of the physical nodes that perform the various functions required to terminate the radio interface and to support the telecommunication services requirements of the users. The IE domain is a shared resource that provides services to all authorised end users within its coverage area.

The IE domain is further split into the Access Network (AN) domain, which is characterised by being in direct contact with the UE and the Core Network (CN) domain. This split is intended to assist the de- coupling of access related functionality from non-access related functionality and is in line with the modular principle adopted for the UMTS which prescribes that parts of the network should be allowed to develop independently from one another.

The AN domain comprises roughly the functions specific to the access technique, while the functions in the CN domain may potentially be used with information flows using any access technique. This split al- lows for different approaches for the CN, each approach specifying distinct types of CNs connectable to the AN Domain, as well as different access techniques, each type of AN connectable to the CN domain. Another argument for such a spit, this time also arguing for a complete physical split, is the potential in- dependent operation of ANs and CNs. The reference point between AN and CN is termed the “Iu” refer- ence point.

- Access Network (AN) domain: consists of the physical nodes which manage the resources of the ANs and provides the user with a mechanism to access the CN domain. An AN might provide mobil- ity, such as for instance the UTRAN. Other examples of AN are fixed-line networks and satellite net- works.

Core Network (CN) domain

The CN domain consists of the physical nodes that provide support for the network features and telecom- munication services. The support provided includes functionality such as the management of user location information, control of network features and services, the transfer (switching and transmission) mecha- nisms for signalling and for user generated information.

The CN domain is sub-divided into the Serving Network (SN) domain, the Home network domain and the Transit Network (TN) domain. The reference point between the SN and the HN is termed the Zu ref- erence point. The reference point between the SN and the TN is termed the Yu reference point. SN, TN and HN are to be interpreted as roles that certain networks may play in relation to a certain call. Networks may have the capability to play more than one role and for a single call they are not necessarily different.

- Serving Network (SN) domain: The SN is the part of the CN domain to which the AN that provides the user’s access is connected. It represents the CN functions that are local to the user’s access point and thus their location changes when the user moves. The SN is responsible for routing calls and transport of user data/information from source to destination. It has the ability to interact with the HN to cater for user specific data/services and with the TN for non user-specific data/services purposes. - Home network (HN) domain: The HN represents the CN functions that are conducted at a perma-

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 35 of 49

nent location regardless of the location of the user’s access point. The USIM is related by subscription to the HN. The HN therefore contains at least permanently user-specific data and is responsible for management of subscription information. It may also handle HN-specific services, potentially not of- fered by the SN domain. - Transit Network (TN) domain: The TN is the part of the CN domain located on the communication path between the SN (or HN) and the remote party. If, for a given call, the remote party is located in- side the same network as the originating UE, then no particular instance of the TN domain is acti- vated.

Note on terminology

The serving/home network split originated from UMTS 23.01 [24] drafted by SMG 3/SA (later SMG 12) and is reflected in the IMT-2000 network architecture model (Serving CN/ Home CN) (Q.1701 [30]). SMG 1 for a long time had a role model in UMTS 22.01 [22], in which along the infrastructure side the roles were network operator and service provider. The service provider in the role model was almost a synonym for the home network domain in [24]. Recently SMG 1 has replaced the network operator role by serving network, and introduced the term home environment for home network or service provider.

7.2.2 UMTS strata The functionality and protocols in UMTS are by the domain-strata model grouped in four to five strata:

- the Transport Stratum, - with within it the Access Stratum, - the Serving Stratum, - the Home Stratum and - the Application Stratum. Application Stratum

TE - RP

ServingServing Stratum Stratum TE - MT MTMT - SN- SN USIM - MT

Transport Stratum

Access Stratum

MT - AN AN - SN

TE AN TN RP Home Stratum

USIM - MT MT - SN SN - HN

USIM - HN

USIM MT SN HN

USIM Domain Mobile Equipment Domain Access Domain Core Domain

User Equipment Domain Infrastructure Domain

Figure 16: UMTS – domain-strata model (based on UMTS 23.01)

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 36 of 49

Domain interaction in the different strata is shown in Figure 16.

The direct flows between non-contiguous domains (i.e., between domains non directly interconnected) are transparently transported across all the domains and interfaces located on the communication path be- tween these end domains.

The dotted lines indicate that the protocol used is not specific to UMTS. However, to provide easy roam- ing capabilities, it is desirable to agree upon the protocols used. The definition of these protocols is out- side the scope of the UMTS specifications.

The information flows occur along two different paths with different end points:

- USIM – HN: supports Home Stratum information exchange for (amongst others) authentication con- trol and subscriber-specific service control, especially related to the support of VHE. - TE – RP: supports Application Stratum information exchange. The RP represents the remote party (user or machine) and is included in the figure to show the end-to-end character of the communication, the specification of the remote party is outside the scope of the UMTS specifications.

Transport stratum

This stratum supports the transport of user data and network control signalling from other strata through UMTS. The transport stratum includes consideration of the physical transmission format used for trans- mission and also:

- mechanisms for error correction and recovery, - mechanisms to encrypt data over the radio interface and in the IE domain if required, - mechanisms for adaptation of data to use the supported physical format (if required) and - mechanisms to “transcode” data to make efficient use of, e.g., the radio interface (if required). It may also include resource allocation and routing local to the different interfaces.

Currently no transport protocols outside those part of the access stratum are planned to be standardized for UMTS.

Access stratum

The access stratum, which is specific to UMTS, is the part of the transport stratum located between the Iu and the Uu reference points (see Figure 15).

This is the functional groupings consisting of the parts in the IE and in the UE and the protocols between these parts being specific to the access technique (i.e., the way the specific physical media between the UE and the IE is used to carry information). It includes all the layers embedded in the AN (e.g., the UTRAN) and part of the layers in the ME and in an edge-node (i.e., a CN node that is connected to the AN). Its boundary is the frontier between the layers that are independent of the access technique from the ones that are dependent on it. This frontier is located in the ME (mobile boundary) and in an edge-node (fixed boundary).

The access stratum includes the following protocols:

- Mobile Termination – Access Network: This protocol supports transfer of detailed radio-related in- formation to co-ordinate the use of radio resources between the MT and the AN. - Access Network – Serving Network: This protocol supports the access from the serving network to the resources provided by the AN. It is independent of the specific radio structure of the AN.

Serving stratum

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 37 of 49

This stratum consists of protocols and functions to route and transmit data/information, user or network generated, from source to destination. The source and destination may be within the same or different networks. Functions related to telecommunication services and are located in this stratum.

The serving stratum includes the following protocols:

- USIM – Mobile Termination: This protocol supports access to user-specific information for support of functions in the UE domain. - Mobile Termination – Serving Network: This protocol supports access from the MT to the services provided by the serving network domain. - Terminal Equipment – Mobile Termination: This protocol support exchange of control information between the TE and the MT.

Home stratum

This stratum contains the protocols and functions related to the handling and storage of subscription data and possibly home network specific services. It also includes functions to allow domains other than the home network domain to act on behalf of the home network. Functions related to subscription data man- agement, customer care, including billing and charging, mobility management and authentication are lo- cated in this stratum.

The home stratum includes the following protocols:

- USIM – Home network: This protocol supports co-ordination of user-specific information between the USIM and the home network. - USIM – Mobile Termination: This protocol provides the MT with access to user specific data and resources necessary to perform actions on behalf of the USIM. - Mobile Termination – Serving Network: This protocol supports user specific data exchanges between the MT and the Serving Network. - Serving Network – Home network: This protocol provides the serving network with access to home network data and resources necessary to perform its actions on behalf of the home network, e.g., to support the users communications, services and features (including VHE). Note 1: In GSM the SN authenticates the user on behalf of the HN. The SN uses therefore a set of triples it receives from the HN. In order to allow a similar procedure to be followed in UMTS, the home stratum needs a protocol between USIM and SN. Note 2: In order to provide in a VHE, the HN may use service downloading to the Mobile Terminal. Therefore, it appears that also a protocol between MT and HN needs to be added. Note 3: In UMTS 33.20 a requirement is included that says that the AN knows the user’s real iden- tity for legal intercept purposes (this is however not a working assumption in SMG2). An- other requirement reads that the user shall be able to authenticate the access network iden- tity at any time. These requirements suggest that the AN should be involved in the access stratum too. Application stratum

This stratum represents the application process itself, provided to the end-user. It includes end-to-end protocols and functions which make use of services provided by the home, serving and transport strata and interfaces to support services and/or value added services.

The functions and protocols within the application stratum may adhere to GSM/UMTS standards such as MExE or may be outside the scope of the UMTS standards. However, the definition of the services pro- vided by the other strata, and the interfaces to them, is within the scope of the standards.

End-to-end functions are applications that are consumed by users at the edge of or outside the overall net- work. The applications may be accessed by authenticated users who are authorised to access such appli- cations. The users may access the applications by using any of the variety of available UE.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 38 of 49

7.3 USIM and smart card

A smart card is a device that is removable from the mobile equipment and is associated with a given user and as such allows identification of this user regardless of the ME used. The UMTS smart card shall adopt both of the GSM SIM physical formats [22].

The USIM is an application used for accessing UMTS services of a certain HN. The application may re- side on a removable smart card. It may also be irremovable from the mobile equipment. Besides the USIM, the smart card may contain other applications as well (e.g., banking applications) [22].

The USIM contains data and procedures that allow it to be unambiguously and securely identified. It may contain functionality to produce challenges and subsequently verify the identity of other network ele- ments. It may also contain user-specific functionality and information, as well as information on one or more user profiles. User profiles describe the (personalised) services a user is allowed to use. Each user profile has a subscriber identity associated for billing and a dial number (IMUN) for terminating calls. Each USIM shall contain at least one user profile that is associated with at least one user address.

Multiplicity Issues

Mobile equipment may have more than one slot for smart cards; multiple smart cards can be inserted si- multaneously in mobile equipment.

A smart card may contain more than one USIM, even from different HNs. UMTS shall support the simul- taneous use of such USIMs ([22] §11.1.3).

It shall be possible for the USIM to contain a number of user profiles for the same user, which the user can select and activate on a per call basis. It shall be possible for one or more user profiles associated with the same USIM to be active simultaneously and the user may make or receive calls associated with differ- ent profiles simultaneously. Activation of profiles shall be done in a secure manner, for example with the use of a PIN. A profile identity will need to be associated with the call for accounting and billing pur- poses.

It shall be possible to associate a user profile with several unique USIMs so that the same user can register simultaneously via multiple IC cards on different terminals ([22] §11.1.2). Within one USIM, no two user profiles will have identical user addresses. However, identical user addresses may be found on user pro- files on different USIMs. In that case, the user shall nominate particular terminals for particular types of services. This would allow a user to register on one terminal for fax and on another terminal for telephony but have a single address for both services. Registration of the same user profile (the same user address) on multiple terminals for the same type of service shall not be allowed.

Presence of the USIM

For access to UMTS services, provided via a HN, a valid USIM shall be required. If the smart card is re- moved from the ME during a call (except for emergency calls), the call shall be terminated immediately [22]. In UMTS 22.07 [23] however, a discussion is included and arguments are raised for scenarios to access services from terminals without a USIM present.

7.4 Mobile equipment

According to [23], the ME shall have the following mandatory functionality:

- USIM-ME interface; - Network registration and deregistration; - Location update - Originating or receiving connection oriented and connectionless service; - An unalterable terminal identity - Identification of terminal capabilities

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 39 of 49

- Terminals capable for emergency calls should support emergency calls without the USIM present - Support for the execution o algorithms required for authentication and encryption. - The ME might have additional functionality, such as an Application Programming Interface (API) interface and a mechanism to download service related information (also new parameters and func- tions) over the radio interface into the ME to allow service evolution and to support the Virtual Home Network (VHE).

Application Programming Interface (API)

Some ME will support the execution of HN specific services and applications in the ME. An API will be standardized for hiding terminal-specific implementation issues and support for the execution of down- loadable services. In order to support execution of external applications, a script or a description language will have to be identified. UMTS specific script languages should be avoided to maintain compatibility.

7.5 Access network

7.5.1 Access stratum

Architecture

The access stratum provides services related to the transmission of data over the radio interface and the management of the radio interface to the other parts of UMTS.

It provides a direct or “transparent” dialogue between the UE and the edge-node for the Non-Access Stratum layers [27]. These services are accessed at so-called Service Access Points (SAPs), see Figure 17.

User Equipment CN Edge Node Non-AS Non-AS Uu Iu

GC GC GC Access stratum GC GC GC UMTS Radio Access Network

AS-Uu AS-Uu AS-Iu AS-Iu

Figure 17: UMTS – Access stratum and service access points (from UMTS 23.05)

There are three different SAPs:

- General Control (GC) SAPs: These SAPs are used to enable the CN to provide information and to give commands that do not relate to specific users or specific calls. There is typically one GC-SAP per AN/CN connection point. - Notification (Nt) SAPs: These SAPs are used to broadcast data to identified users. The typical use is for initiating paging in the AN. There is typically one Notification SAP per AN/CN connection point. - Dedicated Control (DC) SAPs: These SAPs are used to establish and release connections with spe- cific UE, and to exchange information related to these connections. There are typically a great number of Dedicated Control SAPs per AN/CN connection point. SAPs are identified by a SAP-Identity (SAPI) at the AS boundary. During the lifetime of a connection, the connection can be identified un- ambiguously by the SAPI of the associated SAP, and the SAPI is used as a reference in the exchanges at the AS boundary on the infrastructure side. On the UE side, one might expect that each UE has but a single GC-SAP, a single Nt-SAP and a single DC-SAP.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 40 of 49

Functionality

[23.05] and Table 4 describe which functionality is in the access stratum and which functionality is not.

Table 4 : UMTS – Functions in/outside the Access stratum [23.05] LOCATION \ FUNCTION Outside the Access Stratum Inside the Access Stratum Call set up/release YesNo (Connection) Bearer CN bearer Radio Bearer Set-up Release Supplementary Services YesNo UE Tracking Yes (IWF/CN related)yes (Radio related) Attach/ Detach Yes FFS Resource Management Yes (for NAS resource) yes (for AS resource incl. ra- dio) Handover Yes*Yes Macrodiversity Yes*Yes Encryption Yes Yes** Authentication YesNo Compression (non source YesYes dependent) Source dependent cod- Yes***, FFSYes***, FFS ing*** Radio channel coding NoYes*** (could be many) (could be many) UE positioning may be supported Yes Charging YesNo NOTE *: Optionally execution. In some CNs, it may not be present but not full service will be supported (e.g. limited to RLL type of service). NOTE **: Contributions expected to clarify the role between encryption and subscriber data. NOTE ***: The relation between source dependent coding and radio channel coding is FFS. As regards to some issues:

- Attach/ Detach: Attach/detach procedures supported in a IWF/CN use IWF/CN specific identifiers unknown to the AN to mark the user attached/detached. Whether attach/detach may be performed in the URAN using the URAN unique identifiers is not clear. - Handover: there are different kinds of handovers (see [27]). Only the most common type, an intra- URAN handover, is pure access stratum functionality. It is performed entirely within the access net- work and all radio specific details are hid to the IWF/CN. All other types, whether changing URAN, URAN and URAN-type, or CN, include some IWF/CN functionality. - Encryption: is seen as a URAN functionality to prevent eavesdropping on the radio-interface. Also IWF/CN may support encryption, possibly on higher protocol layers. - Authentication of user: user data is stored in IWF/CN and therefore authentication should be con- sidered IWF/CN functionality. That data is not stored in URAN, and user authentication can therefore not be URAN functionality.

7.5.2 UMTS Terrestrial Radio Access Network (UTRAN) The UTRAN consists of a set of Radio Network Subsystems (RNSs). Each is controlled by the Radio Network Controller (RNC). RNCs may be connected to CN edge nodes via the Iu interface (see Fig. 15). Not all RNSs need be connected to the CN. The relationship RNC : (CN edge node) is N : 1 [33]. This means that a CN edge node may be connected to one or more RNCs. However, it is not clear whether a RNC can only be connected to a single edge node of one type, or whether it can be connected to more CN edge nodes, each of a different type. The RNCs are interconnected via the Iur interface (see Figure 18).

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 41 of 49

The Iur interface is but a logical interface and not necessarily a physical one. It can be conveyed over a physical direct connection between RNCs or via any suitable transport network.

CoreCore Network Network

Edge node

(S)-RNS Iu (S)-RNS Iu

Iur RNC RNC

Iur

Node B Node B Node B Node B

Figure 18: UMTS – UTRAN Architecture [UTRAN Arc]

Each RNC is responsible for the radio and network resource management for a geographic area divided in a number of radio cells. A number of cells are controlled by what currently is referred to as a Node B. Node B and RNC are connected over the Iub interface. Functions and internal structure of Node B is for further studies. Where it is already decided that the Iu and Iur interfaces will be fully standardized that is not yet decided for Iub interface and standardization is only starting (see [34]).

For each connection, the Serving RNS (S-RNS) is the RNS that is in charge of the radio connection be- tween UE and UMTS network, i.e., the RNS that ends the Iu interface towards the CN. Therefore, it needs to be a RNS that is connected to the CN. A RNS that for a specific connection is not the S-RNS but pro- vides radio resources for a connection, is called a Drift RNS (D-RNS). This might occur for instance when a user enters a new cell belonging to a different RNS than the S-RNS where the call was established first. The connection between the different RNSs is then established via the Iur interface. If the D-RNS has an Iu interface to the CN, the D-RNS may later become the S-RNS. This is called relocation or streamlining and a new connection via a new Iu interface is established between the CN and the new S-RNS and the con- nection via the old S-RNS is removed.

7.6 Core network evolution

As UMTS Phase 1 is dominated by the introduction of a revolutionary new access network, the core net- work of UMTS Phase 1 will most likely be an evolution of the existing GSM Phase 2+ NSS. In [23.20] a number of scenarios are presented for the evolution of the core network.

7.6.1 Coupling the UTRAN to a GSM NSS The starting point for the introduction of the UTRAN is set in 2002. The initial deployment of UTRAN will most likely cover isolated islands (e.g. city centres, business areas, industrial plants, etc.) while the overall (international) coverage will be provided by the GSM Phase 2+ infrastructure. The use of the UTRAN enables access to the broadband UMTS radio interface and offers a step towards network support of the full UMTS variable bit rate, asymmetric, multimedia capability. This implies that data as well as speech services will be available in both the GSM BSS as the UTRAN and both are connected to the same core network, with the circuit-switched transport handled by the MSC architecture and the packet- switched transport handled by the SGSN architecture.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 42 of 49

The approaches depicted in Figure 19 show the use of GSM and GPRS specific IWUs used to connect the UTRAN to the GSM Phase 2+ NSS. UMTS users have broadband radio access to the IP-world for both the Internet and intranets via the GPRS nodes.

CSE

HLR CAP MAP

A ISUP ISUP MSC G-MSC N-ISDN

GSM BSS Gb IP IP SGSN GGSN IP networks

Gbu X.25 IWU1A IWU1Gb X.25

IWU1Gbu

Scenario 1 UTRAN Scenario 2 Iu

Figure 19: UMTS – Interconnection of the UTRAN and GSM BSS via IWUs to GSM NSS

In the first scenario (see Figure 19) an interworking unit is placed between the Gb-interface (GPRS inter- face between SGSN and MSC) and the Iu-interface. In the second scenario, a new Gbu-interface is intro- duced in the SGSN. The latter might be beneficial since the Gb-interface is tailored to efficiently transport IP datagrams in to a GSM BSS and subsequently to a GSM ME making a particular use of the GSM Abis and Um interfaces. It is possible that the UTRAN, which needs to support packet oriented services in an efficient way, cannot easily be adapted to the Gb-interface. It is likely that the UTRAN could include IP routing functionality, being able to use directly the networking capabilities offered by the IP protocol (or its evolution) in order to perform packet routing inside the UTRAN. For these reasons, it could be reason- able to consider an alternative approach, i.e., opening a new interface (a Gbu interface using IP as network layer) in the SGSN in order to allow an IP-based dialogue with the UTRAN.

7.6.2 Introduction of UMTS CN In order to provide real multimedia opportunities for the UMTS customers, the UMTS CN will be de- ployed (see Fig. 17). It will provide the separation of transport (e.g. transmission and switching) and services (e.g. mobility, service intelligence). Additionally it will offer advanced and integrated service control and management by service intelligence which will then be available in both the telecommunica- tion (e.g. using developments of MAP, INAP, ISUP) and the information technology world (e.g. using developments of CORBA, TINA).

However, the UTRAN remains connected to the GSM NSS via IWUs. These IWUs do not serve as inter- connection units between the GSM BSS and the UMTS CN. This means that traffic can be routed from the GSM NSS to the UTRAN but traffic originating in the UMTS CN and destined for the GSM BSS must be routed via the GSM NSS and not via the IWUs.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 43 of 49

The URAN and the UMTS core network will provide a number of bearers that differ in flexibility and offer different capabilities. The bearers provided by UMTS core network will be independent of the radio environments, the radio interface technology and fixed wire transmission systems. Further, UMTS core networks shall be capable of providing a specified core set of service capabilities.

It is seen sufficient to rely on the mobility services already provided by GSM Phase 2+ and to expand them as necessary. This will give customers easy access to the world-wide mobility offered by GSM’s roaming mechanisms and exploit fully the capabilities of UMTS services based on the same mobility management.

CSE CAP HLR

MAP

ISUP A ISUP MSC G-MSC N-ISDN

GSM BSS Gb IP SGSN GGSN IP networks IP Gbu X.25 IWU1A IWU1Gb X.25

IWU1Gbu

UMTS CN UTRAN

Iu

Figure 20: UMTS – Introduction of the UMTS core network

Around the organisation of the core network a great number of open questions remain unanswered at this time, such as whether a dual network structure with separate network nodes for circuit switched and packet switched traffic will emerge or, on the contrary, a single core network will be introduced. Another issue is the possible introduction of ATM in the UMTS core network.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 44 of 49

7 IMT-2000 Network Architecture

ITU-T standardises a family concept for IMT-2000 Networks (previously known as “Future Public Land Mobile Telecommunication Networks (FPLMTS)”). The ITU-T Recommendation Q.1701 “Framework for IMT-2000 Networks” [30] sets out the family of systems concept and sketches the overall network architecture by listing the functional subsystems, lists the network capability set 1 for IMT-2000 Systems and lists the interfaces to be standardized.

The IMT-2000 family is characterised by the ability of its member systems to provide service to the sub- scribers of other family members in a roaming service offering. However, individual family members may have different intra-system specifications (e.g., functionality in physical entities, signalling protocols, etc.)

7.1 Overall network architecture

7.1.1 Functional subsystems At the highest level, an IMT-2000 System can be described by a set of functional subsystems which per- form actions and interact among themselves to support IMT-2000 wireless users. An IMT-2000 System consists of the following functional subsystems:

- User Identity Module (UIM): The UIM functions support user security and services. The functions may reside in either a removable physical card for a MT or it may be integrated into the physical mo- bile terminal. The UIM may be physically removable from the MT or it may be integrated into the MT (non-removable.) A non-removable UIM is functionally equivalent to a removable UIM. Some UIM functionality may be downloadable. - Mobile Terminal (MT): The MT functions provide the ability to communicate with the UIM and radio access network and support user services and mobility. - Radio Access Network (RAN): The RAN functions provide the ability to communicate with the MT and core network. The functions in the RAN act as a bridge, router and gateway as necessary for ex- changing information between the core network and mobile terminal. - Core Network (CN): The CN functions provide the ability to communicate with the RAN and other CNs as well as the functions necessary to support user services and user mobility.

UIM MT RAN CN Functions Functions Functions Functions

CN Functions

Figure 21: IMT-2000 – Functional Subsystems (Q.1701)

These functional subsystems are presented for modelling purposes and may be implemented as one or more physical platforms in a number of arrangements. The functional subsystems are further decomposed in more granular functional elements that are described in [31].

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 45 of 49

7.1.2 Interfaces and functional communications Two complementary figures appear in [30]: Figure 22 shows the physical interfaces between adjacent functional subsystems, Fig. 20 shows the different functional communications between functional subsys- tems that not necessarily are adjacent. If not, then the communication is carried transparently through the intermediate subsystems.

UIM MT RAN CN CN

UIM - MT MT - RAN RAN - CN NNI Interface Interface Interface

Core networks of other IMT-2000 Family members

Figure 22: IMT-2000 – Physical interfaces (Q.1701)

CN to CN Interface (NNI):

This interface is realised by an ITU-T specified Network-to-Network Interface (NNI) protocol and is in- tended for communication between CNs that belong to different IMT-2000 systems. There may be intra- family member communication that performs similar functionality according to system-specific protocols, however that falls outside the scope of ITU-T. The CN-CN inter-working can also be realised by specify- ing an inter-working function (IWF) for protocol (and billing) information conversion between different family members. However, the detailed specification of this inter-working function is outside the scope of ITU.

For a given user in a roaming situation, and for a typical call, Figure 22 shows two CNs: the CN on the left is the Serving CN, the CN on the right represents both the Home CN and the Transit CN. These how- ever need not be the same. Like in UMTS the need is felt to distinguish between different information flows (referred to as “functional communication”) on the CN-CN interface:

- Serving CN to Home CN functional communication: supports information exchange between the serving and the home core network of a subscriber for authentication control and subscriber-specific service control, especially related to the support of the virtual home network, as well as provision of location information. - Serving CN to Transit CN functional communication: supports information exchange between the (originating) serving core network and the terminating home core network to enable establishment of mobile-terminated calls in case of a roaming user. Information exchange between an originating and terminating serving core network for call and service control purposes (incl. call set-up, negotiation of service capabilities, etc.). - Originating Serving CN to Home Serving CN functional communication: supports functional communication between the originating serving core network and the home serving core network for the purpose of service control, in conjunction with the VHE requirements. - CN-CN functional communication for Packet Data: information exchange between serving and home CN for mobility management data and possible delivery of bearer packet data and information exchange between the serving or home and a transit CN for possible delivery of bearer packet data.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 46 of 49

Core networks of other IMT-2000 Family members

UIM MT RAN CN CN

UIM-MT MT - RAN RAN - CN CN - CN

MT - CN

UIM - CN (visited) UIM - CN (home) Figure 23: IMT-2000 –Functional communications (Q.1701)

MT to RAN interface:

The MT-RAN interface is the radio interface between the MT and RAN. This interface supports func- tional communication between the MT-RAN and MT-CN.

- MT to RAN functional communication: supports data protection and resource management. An IMT-2000 network may support multiple dissimilar access techniques (e.g., fixed radio, cellular, cordless, satellite, wireline, etc.) In addition, for the radio cellular access using the IMT-2000 cellular bandwidth, the set of specifications may be different among family members. - MT-CN functional communication: supports amongst others call control and mobility management, and is carried transparently through the RAN.

UIM to MT interface:

This is the physical interface between UIM and MT and is a single, clearly defined interface. In case of a removable UIM, the definition of this interface includes a secure physical (ISO compliant) specification (e.g., size, contacts, electrical specification, voltage, basic information exchange protocols.). Standards for UIM physical interconnection to the MT do not apply to a non-removable UIM. Over the UIM-MT inter- face both UIM-MT and UIM-CN functional communication will be established, exchanging information on

- UIM access control (e.g., PIN transfer to authenticate the user to the UIM), - identity management (e.g., transfer of internationally unique subscriber or user identity), - authentication control (e.g., transfer of challenges and responses for authentication), - service control (e.g., transfer of user service profiles or user service logic) and - man-machine interface control (e.g., transfer of user-specific MMI configuration). The UIM-MT functional communication will allow for the establishment of family-specific information exchange between the UIM and the MT.

RAN to CN interface:

Initial aspects of Stage 2 specification for the RAN-CN interface (identification of FEs and relationships, including preliminary allocation of FEs to RAN and CN functional subsystems) will be addressed as part of ITU-T IMT-2000 CS-1, and the full Stage 2 (IFs, IEs and SDL diagrams) and Stage 3 (protocols) may be addressed as part of later IMT-2000 Capability Sets.

7.2 Access network type diversity

The support of personal mobility, and terminal mobility between the cordless and cellular accesses, as well as fixed-mobile convergence is required. In the case of the public residential environment, it is as- sumed that personal mobility is also supported on the Fixed Terminal (FT).

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 47 of 49

Note: All Interfaces shown are functional and may be carried transparently over lower layer physical intinterfaces

Key: BS: Base Station FT: Fixed Terminal PN: Priviate Network (R)NC: (Radio) Network Controller Equals ISDN-NT Access Network Concentrator for Fixed Terminations FT - (R)NC FT - CN

FT Scenario where the Priviate Network Supports the Core Networks Capabilities of an IMT-2000 Family member. A user of one IMT-2000 Core Network roams UIM - CN (visited) into an IMT-2000 Priviate Network attached to another IMT-2000 Core Network. MT - CN CN - CN

RAN - CN PN UIM (R)NC

MT - RAN Core networks of other IMT- UIM-F/MT BS 2000 Family members MT

RAN CN CN

RAN - CN CN - CN

MT - CN UIM - CN (visited)

UIM - CN (home)

Figure 24: IMT-2000 – Composite functional communication and interface model (Q.1701)

This introduces two new functional communications:

• FT-CN functional communication: the interface from a FT to the CN supporting Call Control func- tionality, extended with Mobility Management procedures to support Personal Mobility via UIM functionality; • FT-NC functional communication: may support the attachment of an IMT-2000 Mobile Terminal to interconnect with the network via a fixed line interface. The NC may support an IMT-2000 Radio Interface for cordless or small cell sites including the Radio functionality. Without the Radio func- tionality it may be used to interconnect with ports to provide fixed line access.

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 48 of 49

Appendix A: List of figures Figure 1: GSM – Network architecture...... 9 Figure 2: GSM – MS architecture...... 10 Figure 3: GSM – BSS architecture ...... 11 Figure 4: GSM – NSS architecture ...... 11 Figure 5: GSM 2+ Data services and their applications...... 17 Figure 6: HSCSD – System impact...... 18 Figure 7: CTS – System Overview...... 19 Figure 8: CTS – Mutual authentication procedure...... 22 Figure 9: CTS – Initialisation procedure...... 23 Figure 10: CTS – Embedding of local security system in supervising security system...... 24 Figure 11: GPRS – Network architecture [03.60, Fig. 2]...... 27 Figure 12: GPRS – Protocol stack in transmission plane [03.60, Fig. 4]...... 28 Figure 13: GPRS – Protocol stack in signalling plane [03.60, Figs. 5, 6 and 9]...... 29 Figure 14: UMTS – Network architecture (based on UMTS 23.01)...... 33 Figure 15: UMTS – domain-strata model (based on UMTS 23.01) ...... 35 Figure 16: UMTS – Access stratum and service access points (from UMTS 23.05)...... 39 Figure 17: UMTS – UTRAN Architecture [UTRAN Arc] ...... 41 Figure 18: UMTS – Interconnection of the UTRAN and GSM BSS via IWUs to GSM NSS...... 42 Figure 19: UMTS – Introduction of the UMTS core network ...... 43 Figure 20: IMT-2000 – Functional Subsystems (Q.1701) ...... 44 Figure 21: IMT-2000 – Physical interfaces (Q.1701)...... 45 Figure 22: IMT-2000 –Functional communications (Q.1701)...... 46 Figure 23: IMT-2000 – Composite functional communication and interface model (Q.1701)...... 47

USECA/DOC/ATEA/011/WP23/C D12 Overview of UMTS architecture 86(&$ Page 49 of 49

Appendix B: List of tables Table 1: ASCI – Priority levels...... 13 Table 2 : ASCI –Set-up time according to priority class...... 14 Table 3: ASCI – Example on eMLPP service composition ...... 14 Table 4 : UMTS – Functions in/outside the Access stratum [23.05] ...... 40

USECA/DOC/ATEA/011/WP23/C