Professional Documents
Culture Documents
suppliers to the wireless industry. Its • It is today cheaper to set up a wireless communication system
members provide digital wireless from the scratch, than a wire-line system.
services to more than 777.5 million • Wireless systems have been instrumental for the deregulation
customers (end November 2002) in over of telecom markets: Easy to establish competition between
operators, leading to massive price reductions…
191 countries today – approximately
71% of the total digital wireless market • Speed of innovation (features, size of terminals, prices etc.)
are unprecedented in history. And it continues …
today. (source www.gsmworld.org)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
2 4
1
1.1. Introduction
Communications
– From the subscriber’s point of view, the quality for voice
telephony in the GSM system shall be at least as good as that
achieved by the first generation of 900 MHz analogue systems
(GSM)
over the range of practical operating conditions.
2
1.1. Introduction 1.2.-1 Two dimensional view of a network
• Network aspects Physical grouping
– The identification plan shall be based on the relevant CCITT (machine)
Increasing Distributed
Recommendations. level of functional plane
– The numbering plan shall be based on the relevant CCITT abstraction
Recommendations. (field of co-
– The system design must permit different charging structures and operation)
rates to be used in different networks.
– For the interconnection of the mobile switching centres and
location registers, an internationally standardised signalling
system shall be used.
– No significant modification of the fixed public network must b
required.
– The GSM system shall enable implementation of common Spatial distribution
coverage PLMNs
– Protection of signalling information and network control Physical groupings (machines or entities) are represented by vertical blocks, whereas
information must be provided for in the system. co-operating functions are grouped in horizontal layers, each one corresponding to a
U.A.Hermann: GSM
functional domain U.A.Hermann: GSM
4/2/2003 9 4/2/2003 11
3
1.2.-2. The three axes of description 1.2. Architecture
Static functional view Static equipment view Dynamic view • 1.2.1.2. The borders of GSM (figure 1.2.-3.)
– BSS= Base Station Subsystem,
In charge of providing and managing transmission paths between the mobile
stations and NSS machines (primarily MSC), including management of
radio interface.
– NSS= Network and Switching Subsystem
In charge of managing the communications and connecting the mobile
station to the relevant networks or other mobiles. NSS is only indirectly
via BSS in contact with the mobiles.
– OSS = Operation and maintenance sub-system
In charge of managing the GSM network.
– A interface = Interface between BSS and NSS
GSM functions can be described along several axes, each one from a different
and complementary viewpoint
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
13 15
es
Ex twork
Mo S
NS
bil
Ne
BS
er s
ter
S
nal s
Us
Following logically the three borders of the GSM domain, GSM can be defined
as composed of subsystems which interact between themselves and with the
outside world along with the black border lines shown
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
14 16
4
1.2. Architecture 1.2. Architecture
1.2.-4. Mobile station functional architecture 1.2.-5. BSS components and interfaces
BSS
BTS
BSC OSS
(q3-if)
5
1.2. Architecture 1.2.-6. Internal structure of the NSS
Control flow
1.2.2.3. Network and switching sub-system (NSS, figure 1.2.-6.) User data flow
• Main task= manage communications between GSM users and other telecom SS7
SS7
network users. backbone
backbone
• MSC (Mobile services switching centre)= coordinate setting-up of calls
from and to GSM users. MSC interface to other nets may require a gateway HLR AUC
for adaptation (interworking functions or IWF)
• One MSC controls several BSCs, with a traffic capacity of 1 … 10 Mio
subscribers.
• HLR (Home Location Register)= database containing subscriber data.
GMSC
AUC (Authentication Centre ) is a functional subdivision of the HLR.
• VLR= (visitors location register), linked to one or more MSCs, temporarily PSTN, PSPDN,
ISDN
MSC/VLR
storing subscriber data for mobile currently located in the MSC area
Here the VLR is integrated into the MSC. The fixed network between GMSC and
MSC/VLR as well as the SS7 net may or may not be part of the GSM network
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
21 23
1.2.2.3. Network and switching sub-system (continued) 1.2.2.4. Operation Sub-System (figure 1.2.-7.)
OSS is typically very vendor dependent, as it is equipment dependent.
• GMSC (Gateway MSC)= a call is always first routed to the next GMSC. • Cost sensitivity for operators: remote and automatic control of thousands of
This fetches routing information from the HLR and routes the call to the BTSs plus BSCs and MSCs. (BTSs are processed via BSCs). The better the
visited MSC. GMSC needs not to be a MSC, but could be a general O&M system is, the less and less qualified personnel is needed for
interconnection point . operation!
• SS7 network as “glue” between the MSCs. STPs (Signalling transfer • TMN (Telecommunication Management Network) concept: all OMCs
points” are the connectors between MSC and external SS7 networks. compose a network which as a whole is connected to all traffic handling
• Transit exchanges (TE) may be used in order to route the outgoing calls as machines.
close as possible to the destination • OMC-R= Radio OMC=> functions: CM (configuration management),
FM (fault management), PM (performance management). One OMC-R
is in charge of several BSCs.
• Different OMCs are for NSS, Voice Mail, SMS, transmission network etc.
6
1.2. Architecture 1.3. Functional Planes
Network
Subscription operation and
management maintenance
and charging BSC MSC/VLR HLR GMSC
CM
Communication
Management
SIM
MM
Mobility
Management
Mobile equipment
management RR Radio
Resource Man.
7
1.3. Functional Planes 1.3. Functional Planes
1.3.4. Overview of Mobility Management •MTP: Massage Transfer Part are the protocols used for signalling in SS7.
•TUP, ISUP, …: call related signalling between MSCs and external networks.
Involved machines: •MAP: “Mobile Application Part”, group of non call related signalling of
•SIM inside mobile station different protocols between different entities.
•HLR •TCAP: “Transaction Capabilities Application Part” of SS7.
•MSC/VLR •SCCP: “Signalling Connection Control Part” of SS7
•For security: AuC inside the HLR.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
30 32
8
1.4.-1. Overview of GSM Signalling Architecture 1.5. Transmission
Anchor
MS BTS BSC Relay MSC MSC/VLR HLR 1.5.1. Basic Aspects of Transmission
CM RIL3-CC
MAP/D
MM RIL3-MM •To provide means of transmission between users: “Connecting People”
•This means adaptation to different optimisation schemes on the successive
RR RIL3-RR BSSMAP MAP/E
RSM segments along the transmission way.
•This requires translation functions between different transmission segments which
increases complexity.
TCAP
•GSM is a multi-service network, so it requires interconnection with various kinds
Layer 2 SCCP SCCP SCCP of external networks in order to provide consistent end-to-end services.
LAPDm LAPD MTP MTP MTP
9
1.5.-1. Schematic of Data Transmission Planes 1.5. Transmission
End-to-end
1.5.2.1 The PSTN Case (continued)
communication
Plane 1: end-to-end trans-
mission between •Similar interworking problems as between ISDN and PTSN arose:
terminals
• Difference between the user bit rate (e.g. 9600 bit/sec) and the carrying bit
rate (e.g. 12000 bit/sec.): between a Modem and the TE there are typically not
only 2 wires for data transmission (one in each direction), but also for clock and
modem control. Additionally multiplexing and demultiplexing of these control
GSM signals is needed.
Plane 2: TAF-IWF plane inside
TAF IWF External Network •Asynchronous transmission: but GSM is basically synchronous, so an
GSM
adaptation between the data flows is needed.
•Synchronous transmission: clock adaptation between the different clocking
systems is needed.
Plane 3: generic GSM transmission
plane MSC/VLR
3,1 kHz
Audio Audio line
•Analogue audio MODEM needed on the network side, so only certain types are Audio
Modem Modem
supported by the Standard: Digital/ Analogue Analogue/Digital
10
1.5. Transmission 1.5. Transmission
analogue terminal in a PSTN in order to facilitate the CCITT V.110 specified •The GSM IWF is aware, that it is a PSPDN access, and it interferes with the
capability of an ISDN modem to communicate with a slower analogue modem in transmission protocol, mainly to add the required identification of the PDPDN (not
the PSTN (see next picture) the subscriber).
•X.32 is a modification of X.25 allowing to transport the subscriber identification
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
41 43
1.5.-3. Schematic Interconnection with ISDN 1.5.-4. Schematic Interconnection with PSPDN
GSM User
User PSTN User User PSPDN
ISDN
3,1 kHz 64 kbit/sec
Circuit
Audio Audio line +V.110 Modem Modem PAD
Audio RA RA
Modem analogue Modem
Digital/ Analogue
b) GSM user to ISDN user b) Dedicated direct access to PSPDN from GSM
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
42 44
11
1.5. Transmission 1.5. Transmission
1.5.4. Transmission inside GSM 1.5.4.2. Transcoder Rate Adaptation Unit (TRAU), continued
1.5.4.1. Speech
•Time alignment: in the downlink direction, transmission on the radio path can
•GSM full rate uses a 13 kbit/sec coding scheme by RPE-LTP (= Regular Pulse
start only, when a whole 20 msec block is received from the MSC. So there is an
Excitation – Long Term Prediction) Codec.
optimum time relationship between the moment of the beginning of a block
•Speech is transmitted in groups of 260 bit every 20 msec. transmission on the radio path and the end of the reception of a block on the 16
•Discontinuous Transmission (= DTX) and Voice Activity Detection (= VAD) kbit/sec link. Otherwise an additional 20 msec delay would result.
•DTX aims at increasing the efficiency of the radio interface by decreasing •Speech/Data and Full/Half Rate discrimination: inband information is needed
the cochannel interference, by suppressing transmission in case no in order to control the TRAU.
information is transmitted. •Reception Quality: receiver (demodulator and decoder) in the BTS signals,
•VAD is created by the speech codec and indicates when silence is when the reception was under a quality threshold. “Bad” frames are ignored by
transmitted. the speech transcoder.
•Comfort noise is injected on the receiver site in order to improve the
subjective speech impression. Only one 20 msec frame is transmitted every
480 msec.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
45 47
•This creates some additional overhead for inband signalling between BTS and TRAU
TRAU:
MSC/VLR
BSC
•Synchronisation: the speech encoded data stream does not contain
synchronisation information. This must be gained separately. On the air 16 kbit/sec transmission
interface this is provided by the general synchronisation . On the 2Mbit/sec 16 kbit/sec transmission physical site
terrestrial line this is achieved by additional synchronisation bits.
12
1.5. Transmission 1.5. Transmission
1.5.4.3. Data 1.5.4.3.1. Connection Types (continued)
1.5.4.3.1. Connection Types
•“NT” (Non Transparent Connections):
•Particular problem for radio transmission (as opposed to wire line •additional “Error/Repeat” scheme is used in case of bad reception.
communication):high bit error rates, e.g. over 10-3. •The transmission on the GSM circuit connection is considered as a packet
•GSM (like all transmission systems) had to find a compromise between data flow.
transmission quality, throughput and delay. •The throughput varies with the quality of basic transmission (the higher
•In GSM different compromise solutions had been developed in order to cater for the the BER, the lower the throughput), as well as the delay.
different sorts of applications. •Basic rates are 12000 bit/sec and 6000 bit/sec for 9600 kbit/sec (FR) and
4,8 kbit/sec (HR)
•Two categories: •Bits are grouped in successive frames of 240 bit incl. redundancy bits to
•“T” (Transparent) connections: FEC (Forward Error Correcting Code) allow the receiver to detect errors and start the repeat protocol called RLP
supplied by the radio interface. Derived from ISDN V.110. Path between (Radio Link Protocol)
TAF and IWF is seen as a synchronous circle. User data rates between 600 •RLP is operated between TAF and IWF.
bit/sec and 9600 bit/sec. Better protection for slower data rate.User data •Problem of data rate: if the T mode already leads to a user rate of 9600
rates below 2400 bit/sec are grouped into one category. bit/sec with a 12000 bit/sec connection, where does so the additional bits
for the RLP protocol come from ?
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
49 51
13
1.5. Transmission 1.5. Transmission
1.5.4.3.1. Connection Types (continued) •The RA1 Function (continued):
Name Quality of service Delay (two-way, TAF-IWF) •For this synchronisation is required between multiplexer and demultiplexer.
TCH/F9.6, T Low 330 ms •Bit rates lower than 4800 bit/sec are increased by by repeating each bit so
many times, till the required 4800 bit/sec are achieved.
TCH/F9.6, NT High > 330 ms
•The RA2 Function :
TCH/F4.8, (T) Medium 330 ms
•… rate adapts the intermediate rate to 64 kbit/sec, by simply adding 6 or 7
TCH/F2.4, (T) Medium 200 ms bits to each 1 bit in an octet.
TCH/H4.8, T Low 600 ms
TCH/H4.8, NT High > 600 ms Asynchronous raw rate, synchronous
e.g. 300 or 9600 bit /sec Intermediate rate
TCH/H2.4(T) Medium 600 ms RA1 (8 or 16 kbit/sec)
RA0
TCH/F = “full rate” channel , 23 kbit/sec raw bit rate. RA2
The quality indications are only indicative in a statistical sense, as they depend sampling sync 64 kbit/sec
on the specific radio conditions. fill fill
“plug”
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
53 55
14
1.5. Transmission 1.6. The Radio Interface
RA1’/RA1
sampling
RA1’ sync RA2
64 kbit/sec
“plug” fill •“Traffic Channels”
fill
TAF BTS+TRAU •THC/F (F= Full Rate) for 13 kbit/sec speech and 12, 6 or 3,6 kbit/sec data.
•TCH/H (H= Half Rate) fro 7 kbit/sec speech and 6 or 3,6 kbit/sec data.
Adaptation functions RA0 (for asynchronous data only) and part of RA1
(called RA1’) are performed in the TAF (inside the mobile station), whereas the
Complement of RA1 and RA2 are performed in the BTS/TRAU
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
57 59
15
1.6. The Radio Interface 1.6. The Radio Interface
1.6.1.2. Signalling (continued) 1.6.1.3. Idle Mode (continued)
•Signalling outside a Call is done if a connection between MS and network is Cell Broadcast Messages
established only for signalling purposes, like SMS, location update etc.
•SDCCH= Stand alone Dedicated Control Channel or FCH/8 (eighth of a TCH/F) •CBCH= Cell Broadcast Channel
•Similar characteristic as a TCH, however lower rate. •… has half the capacity of a TCH/8
•TCH/8 also has an SDCCH, so it perfectly looks as a TCH and could •Constraints: it must be possible for a MS to listen to the CBCH in parallel to the
theoretically be used as such for user data … BCCH and PCH.
•Idle Mode as opposed to Dedicated Mode is the phase, when the mobile is switched •CCITT: “a channel is an identified portion of an interface”
on. But no radio communication is ongoing (hence none of the precious radio resource •GSM: confusion is created by using the term channel in two different ways:
is being used. •Sometimes a specific resource , like TCH
•During idle the MS still has to listen to the BTS for “Paging”, measurement of radio •Sometimes a specific usage of a resource, like FACCH
environment in order to choose the most suitable BTS to “camp on”, listen to the Cell
Broadcast (CB) SMS. U.A.Hermann: GSM U.A.Hermann: GSM
4/2/2003 61 4/2/2003 63
•Downlink, unidirectional channels: •Burst= finite duration and major part of energy is in a finite part of the radio
•FCCH = Frequency Correction Channel: transmitted by the BTS for the mobiles spectrum
to synchronize their internal clock frequency. •Slots= the central frequencies of the slots are positioned every 200 kHz
•SCH= Synchronisation Channel transmitted by the BTS for the MS to (FDMA aspect) and they recur every 15/26 msec (TDMA aspect).All slot time
synchronize its internal Clock (time synchronisation) limits are simultaneous in a given cell.
•BCCH= Broadcast Control Channel= transmitted by the BTS to e.g. identify the •Bidirectional channels are separated by a frequency gap (45 MHz for GSM-
network to which a given cell belongs. 900 and 75 MHz for DCS-1800) and a time shift depending on the channel
•PAGCH= Paging and Access Grant Channel= PCH (Paging Channel) and type.
AGCH (Access Grant Channel). The partition between PCH and AGCH varies in
time.
16
1.6. The Radio Interface 1.6. The Radio Interface
1.6.2.1. The Time Axis 1.6.2.1.1. Dedicated Channel (continued)
•Organisation of the time axis is always cyclic, but the length of cycles as well as •Coding follows cycles based on grouping 4 successive bursts. For the TCH/F a
number of slots in a cycle varies according to the type of channel. cycle contains 6 times 4 bursts. However for the SACCH, the full cycle, taking into
•Each time slot has a number ( which is cyclic) account this grouping 4*4, lasts 4* 26* 8= 104* 8 BP= 480 msec.
•120 msec period was chosen as a multiple of 20 msec (GSM Speech frame) and TCH/8
fixed network frame (ISDN) to obtain synchronism. •From the perspective of the time organisation many different kinds of TACH/8
exist:
•So a burst period = 120 msec/ 26* 8 slots = 15/26 msec •Some a grouped by 8 in order to form the equivalent of TACH/F = SDCCH/8
•Others are grouped by 4 and combined with common channels to form
•TACH/F 26 slot cycle includes 24 slots in which TCH/F bursts are sent , 1 slot on together the equivalent of TACH/F= SDCCH/4
which a SACCH burst is sent and one slot with no transmission (See next picture).
•Common properties of all TACH/8:
•In order to spread the arrival of SACCH messages at the base station, the cycles of •All follow a cycle of 102* 8 BPs, where 8 slots are used for TCH/8 and 4 slots
two TACHs using successive slots are separated by 97 BP (= 12* 8 + 1 slot) are used for SACCH
•Period 102 is different from period 104. This is because the Common
7 T T T T T T T T T T T T T T T T T T T T T T T T S Channels follow a period of 51* 8 BPs.
0 T T T T T T T T T T T T S T T T T T T T T T T T T •The TACCH/8 vary in their phase relations between the TCH slots and the
1 T T T T T T T T T T T T T T T T T T T T T T T T S SACCH ones, as well between UL and DL
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
•Considering the measurement reporting period as well, there are 12 different
schedulings for the TACH/8
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
66 68
17
1.6.-1 Time organisation of TACH/8 1.6. The Radio Interface
1.6.2.1.2. Common Channel (continued)
T T T T T T T T T T T T T T T T T T T T T T T T T T T T T T T T S S S S S S S S S S S S S S S S
Grouping by 8 (each TACH/8 is marked with the same colour). During this cycle, BCCH PAGCH
2 blocks of 4 slots are used for the TCH/8 and 1 block of 4 slots for the SACCH
0 2 6 12 22 32 42
T T T T T T T T T T T T T T T T S S S S S S S S
•A BCCH/T (T for third) uses 16 slots per 51* 8 BP, all with the same TN
0 22 26 29 32 36 39 42 46 50
BCCH PAGCH
T T T T T T T T T T T T T T T T S S S S S S S S
51 73 77 80 83 87 90 93 97 101 0 2 6 12
Grouping by 4
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
69 71
18
1.6. The Radio Interface 1.6. The Radio Interface
1.6.2.1.2. Common Channel (continued) 1.6.2.1.2. Common Channel (continued)
•In order to save spectrum, the common channels are always grouped together. •For big capacity sites more capacity for paging and access grant might be used, so
•3 possible combinations are used, depending on traffic capacity of a given cell that additional extension sets of PAGCH/F and RACH/F are used.
•Downlink channel structure for normal capacity cells: •Each such extension set has an additional BCCH, but no FCH and SCCH, as they
must be unique in a cell.
FCH SCH BCCH PAGCH/F •The extension sets are for TN=2, 4 and 6, due to following reasons:
•All common channels of one cell must use the same frequency.
•Cells of very large radius may allow RACH bursts to overflow into th enext
0 1 2 6 10 12 20 21 30 32 40 42 time slot. This would not be possible, if this slot is allocated.
•The number of possible combinations should be limited in order to simplify
• … and the related uplink channel structure implementation.
RACH CBCH
•CBCH cycle = 8* 51* 8 BP (lasting about 2 sec), where 4* 4 time slots are used.
•Allowed poitions in the 51* 8 BPs cycle and allowed TNs are limited, so that the
MS can listen to BCCH and PAGCH.
•2 different cases can be distinguished:
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
73 75
•For small capacity sites less capacity for paging and access grant might be used, so 1. If the common channel is a small one with a PAGCH/T and a RACH/H, the
that instead TACH/8 for additional signalling is combined: CBCH can use the same TN=0 and frequency as the the common channel.
2. For all common channel configurations: CBCH I son TN=0 (not for beacon
frequency), 1, 2 or 3 . The CBCH must than again be on a specific position in
FCH SCH BCCH PAGCH/T TACH/8 (used for signalling) the 51* 8 BP cycle, which would otherwise belong to a TCH/8. In this case the
MS in idle mode has to listen to the bursts of different TNs. This increases
scheduling complexity and is the only case where an idle MS has to listen to 2
0 1 2 6 10 12 20 21 30 32 40 42
time slots!
• When a CBCH is used, the first block of the PAGCH in the 51* 8 cycle cannot
• … and the related uplink channel structure be used fro paging.
• Inside the 8* 51* 8 BP cycle, the CBCH can be seen as a half downlink TCH/8,
RACH using for out of eight 4-burst blocks.
• The 4 other blocks, i.e. the slots else used by the SACCH, and the uplink
corresponding slots are not used by the CBCH and cannot be used for anything
0 4 14 36 45
else. In case of congestion CBCH can be stopped and used for TACH/8
19
1.6. The Radio Interface 1.6. The Radio Interface
1.6.2.1.3. Channel Organisation in a Cell 1.6.2.1.5. Frames (GSM Standard definitions)
• “TDMA Frame” consists of 8 time slots, FN= TDMA Frame Number
• In a cell one or more TRX (= Transmitter / Receiver) may be combined into • “26 or 51Multiframe“= 26 or 51 TDMA frames”= 26 or 51* 8 BPs
one BTS. • Superframe= 51* 26 TDMA frames = ca. 6,12 sec. This is the shortest period
• The combinations of logical channels on the frequencies is optimised for the for which the organisation of all channels is repeated.
traffic capacity needed in a given cell • “Hyperframe”= 2048* 51* 26* 8 BP = 12533,760 sec.= 3 h, 28 min. 53,760 sec
• … and optimized to use all available time slots. is a multiple of all cycles and the shortest period for freq.hopping and ciphering
• Typical small capacity cell with only 1 TRX:
• TN= FCCH, SCH, BCCH, PAGCH/T, RACH/H, 4 TACH/8
• TN1 …7= 1 TACH/F each. Hyperframe= 2048 superframes= 3 h 28 min 53,760 sec.
• Medium Capacity Cell with e.g. 4 TRX:
• One TN0 group: FCCH, SCH, BCCH, PAGCH/F, RACH/F
• Twice 8 TACH/8 Superframe = 26* 51 multiframes= 6,12 sec
• 29 TACH/F
• Large Capacity Cell with 12 TRX:
• One TN0 group: FCH, SCH, BCCH, PAGCH/F, RACH/F
0 1 2 24 25 0 1 2 3 48 49 50
• TN= 2, 4 and 6 groups: BCCH, PAGCH/F, RACH/F
26 multiframes= 51 multiframes= 235 msec
• 5 times 8 TACH/8 120 msec 0 7
• 87 TACH/F TDMA Frame= 4,615 msec
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
77 79
20
1.6. The Radio Interface 1.6. The Radio Interface
1.6.2.2.3. Hopping Sequences 1.6.2.2.5. The Case of Common Channels
• GSM uses slow FH as opposed to fast FH in e.g. military systems. • Common Channels (FCCH, SCH, BCCH, PAGCH, RACH) never hop, in order to ease
• GSM hopping period = burst period. initial synchronisation.
• Fast FH= quicker than modulation rate. • Extension sets of common channels are as well forbidden to hop.
• Common Channels must always transmit at full power in order to allow MSs the
• FH was introduced due to 2 reasons: “neighbour station monitoring” of field strength. This again is needed by the mobiles in
1. Compensate for Rayleigh fading in case of stationary or slowly moving order to prepare handover, I.e. measure field strength in order to find the best candidate
mobiles: in case of a “fading hole” at a certain place and frequency, there for a potential HO.
• So if no information is to be transmitted, “fill frames” with predefined content are
might not be a such a hole at another, decoupled frequency. Typically
transmitted.
decoupling is achieved at more than 1 MHz frequency difference. FH gain • This is why the BCCH frequency also is called beacon frequency.
is about 6,5 dB. • Interesting case: in small cells (minimum would be only one TRX) still FH might be
2. Interferer diversity: Interference by e.g. a nearby mobile is statistically required by the operator in order to gain on frequency and interferer diversity:
distributed. The system capacity is best for a given C/I, if the spread • But TN= 0 with the common channels must not hop!
around the mean value is as small as possible. • The other time slots should hop at least over 4, better 8 different frequencies in
order to gain the desired effects.
• So the beacon frequency must be filled up with “fill frames” on each TN≠ 0 which
has just “hopped off” to another frequency.
• In GSM 64 different FH sequences are foreseen. They are pseudo random with • The intention of this chapter is not explain channel coding and modulation, as these are
exception of the first sequence (number= 0), which is one frequency after the other. topics covered by other text books and lectures, but rather how these technologies had
• The FH sequences have each a “Hopping Sequence Number” (HSN) = 0… 63. been applied on. (for more on these subjects, see e.g. [Sklar- 1988]
• For a set of n available frequencies in a given cell, GSM allows 64* n different hopping • The operations described here are standard for all transmission systems on the
sequences to be build, depending on which frequency of the given set is defined as the transmitter side (and inversely on the receiver side):
starting frequency for the hopping sequence. • Channel Coding: introduction of redundancy in order to enable error detection and
• MAIO (Mobile Allocation Index Offset)= starting number of frequency in a set. correction. In GSM e.g. a code word for full rate speech is 456 bits long
• Properties: • Interleaving: mixing up bits which are “close” to each other over several code
• 2 channels with identical HSN, but different MAIO never use the same frequency words. Since the error probability of successive bits in the modulated data stream is
on the same burst. highly correlated and channel coding performs better with decorrelated errors,
• 2 channels with identical frequency lists, same TN but different HSNs interfere for interleaving aims at decorrelating errors. After interleafing the block structure is
1/n of the bursts, as if the sequences were random. created: one block for one burst.
• Ciphering: creates data confidentiality by applying a ciphering code, which is only
• Inside one cell, typically identical HSN, but different MAIOs are used in order to avoid known by the BTS and the MS.
interference between mobiles. • Burst Formatting: Adds some binary information (midamble) to the blocks in order
• In distant cells using the same frequency set, different HSNs should be used in order to to help synchronisation and equalisation.
gain from interferer diversity. • Modulation: transforms the binary signal into an analogue signal of the right
frequency.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
82 84
21
1.6.-2. Sequence of operations from Speech to Radio Waves and back 1.6.-3 The Normal Burst
Level (dB)
correlation
+4
+1
-1
-6
Digitizing and Source 16
Source Coding Decoding
-30
Channel Channel 147 bits
Coding Decoding
Interleaving De-Interleaving
-70
or
Burst Formatting Burst Formatting -36
dBm 7056 / 13 T (µsec)
10 10 10 10 -5 5
8 1 burst period (7500/13 µsec.) 8
Ciphering Deciphering
Figure 1.6.-3.a: time mask of a normal burst Figure 1.6.-3b. Autocorrelation
Power level during guard time mustbe below function of a GSM training
Modulation Demodulation
-70 dB or –36 dBm, whichever is higher. sequence
22
1.6.-4 The Access Burst 1.6. The Radio Interface
Level (dB)
+1
+4 Total Delay 1.6.3.2. Interleaving and Channel Coding
-6
-1
1.6.3.2.1 General principles of Interleaving
BTS • Interleaving is meant to decorrelate the relative position of bits respectively in the code
-30 word and in the modulated radio bursts. (better performance of decoding is achieved, if
87 bits
errors are randomised and not appearing burst wise)
MS • b bits of a code word are spread into n bursts. The larger n, the better the transmission
performance but the longer the transmission delay.
• Different compromises were found in GSM, depending on the channel usage.
-70
or
-36
DL delay UL delay time 1.6.3.2.2 General principles of Channel Coding
dBm 4176 / 13 T (µsec)
10 10 10 10 • Channel coding intends to improve transmission quality, so it compensates for different
8 1 burst period (7500/13 µsec.) 8 disturbances (noise at low reception level, interference, multipath propagation, Doppler
shift, …)
Figure 1.6.-4.a: An access burst has the Figure 1.6.-3b. Autocorrelation • In GSM several codes are concatenated:
same ramping specification as a normal burst, function of a GSM training • Block convolution codes: used with likelihood estimation data from demodulator. Good
results for error correction.
but the useful duration is much shorter sequence
• Fire code: used after convolutional decoder in order to cope with “bursty”, residual errors.
• Simple parity code for error detection.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
89 91
23
1.6. The Radio Interface 1.6. The Radio Interface
1.6.3.2.5 Parity Codes 1.6.3.2.7 Example TCH/FS transmission mode (continued)
• Parity codes are linear block codes , derived (like the Fire code) from cyclic codes. • Interleaving:
• 3 different codes are used: • Full rate speech blocks are interleaved on 8 bursts: 456 bits of one block are split in 8
• For speech: a 3-bit redundancy code, enables detection of most important bits groups of 57 bits, each transmitted on a different burst. So each block carries
of speech codec. Only one-error patterns can be detected, two or more errors contributions from 2 successive speech blocks.
can not be detected.
• For RACH: 6-bit redundancy code, used for error detection • So 1 burst contains 116 bits of coded data:
• 57 bits from block B
X6 + X5 + X3 + X2 + X + 1 = (X + 1) (X5 + X2 + 1)
• 1 “stealing” bit indicating whether this half burst is speech or FACCH
• For SCH: 10-bit cyclic redundancy code, used for error detection • 57 bits from block B+1
X10 + X8 + X6 + X5 + X4 + X2 + 1 = (X4 + X3 + X2 + X + 1) (X3 + X + 1) (X3 + X2 + 1)= • 1 “stealing” bit indicating whether this half burst is speech or FACCH
= (X5 + 1) (X7 + 1)
(X +1)(X +1 )
1.6.3.2.6. Decoding
• GSM does (like most modern standards) not describe reception, but just transmission.
• Only minimum performance criteria are given fro receivers. Typically they are fulfilled by
maximum likelihood decoder (Viterbi) using soft decision input from the demodulator.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
93 95
24
1.6. The Radio Interface 1.6. The Radio Interface
1.6.3.4. Modulation 1.6.3.4. Modulation (continued)
• In GSM a GMSK (Gaussian Minimum Shift Key) with BT= 0,3 and a modulation • Properties of GMSK modulation in case the modulating bits di are constant ( all 0
rate of 270 5/6 kbaud is used. or 1): πt
• Demodulation is typically done by a Viterbi or a linear relaxation algorithm.
ϕ (t ) =ϕ 0 + ∑ Φ(t − iT ) =ϕ 0 +
i 2T
• Formula: This is a sine wave of frequency
• Electrical field generated: E(t) = a(t) cos (ω0t + φ(t)) ω0 1
f1 =( + )
a(t) follows a ramping curve in order to avoid spurious emissions due to sharp 2π 4T
changes between emission and silence. Additionally a(t) is subject to power
Control. • Properties of GMSK modulation in case di is alternating ( 0, 1, 0 , 1, 0, …):
ω0 is the respective centre frequency. πt
ϕ (t ) =ϕ 0 − ∑ Φ (t − iT ) =ϕ 0 −
2T
• φ(t) = φ0 + Σ ki Ф(t- iT) with infinite bit stream …, di-1 , di, di+1,… i
This is a sine wave of frequency
ki = 1 if di = di-1,
ki = -1 if di ≠ di-1 ω0 1
Ф(xT)= ½π (G(x + ½) – G(x- ½))
f1 =( − )
2π 4T
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
97 99
25
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.1. Basics (continued)
•Most functions in GSM are involving distant machines, which have to
communicate with each other •Relaying: messages between distant nodes are transported via “relay nodes”
•This chapter describes how these messages (or signalling information) are between distant machines.
transported from one machine to another. •Relay nodes :
•The next chapter will describe, what these messages do, what they trigger etc. • … sometimes adapt messages (format , encoding etc.) to the interface
•Message sending is triggered by an event and message reception triggers again requirements,
other events. •… route messages to the correct output directions,
•A typical message consists of: •But handle the data in a “transparent way”. “Transparent” data or message in
•Message type= indication what reaction the message will trigger this context means: the relay node does not read or interprete the message (“it
•Qualifying information= mandatory or optional parameters. does not need to understand it”)
•Tasks pf transmission protocols (link layer functions):
•Delimitation of bit streams. •Slightly more complex case:
•Error protection… •Intermediate node is triggered by the reception of a messages from node A to
•Organisation of message flows and … transmit a message to node B, containing part of the information carried by the
•… their routing. original message.
•This is called “Protocol Interworking”
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
101 103
26
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.2.1. Structuring in Frames
1.7.2.2. Segmentation and Re-Assembly (continued)
•In signalling the “atomic” unit is the “frame”.
•In MTP2 and LAPD a frame is (like in HDLC, from which both protocols are •The maximum frame length at the air interface is too short (21 or 23 octets).
derived) start and end with a “flag”. •Therefore segmentation and message reassembly is defined for LAPDm.
•“More” bit is signalling that further frames are coming.
Flag
Flag
(frame start)
(frame end) Header and trailer of
Upper layer message each link frame
01111110 Frame Content 01111110
1 Segmentation Fill bits
•To prevent false starts and ends, a mechanism (“0 bit insertion” after 5
1
consecutive 1 is introduced in order to disguise the flag pattern, if it appears inside
1
data. 1 time
•Advantage of flag mechanism: frame content may have different length.
1 1 1 1
•Difference on the air interface: for LAPDm the flag was not needed, as each frame
fits in one physical block of 23 octets length in case of TCH (FCCH signalling). Re-assembly
•In case of SACCH, 21 octets are used, as 2 octets are needed for timing advance Upper layer message
and transmission power control)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
105 107
27
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.2.3. Error Detection and Correction (continued)
1.7.2.3. Error Detection and Correction (continued)
•Window size (see next figure):
•Link Quality monitoring on the GSM radio path: •Size K of a sending window = number of frames which can at any given time be sent and not
•SACCH channel is used for quality monitoring. yet acknowledged.
•A counter is incremented and decremented according to the validity of a block. •Window size K must be high enough to allow a sender to transmit messages without waiting
•Link failure is reported, when the counter reaches Zero. for the acknowledgment delay.
•The initial value of the counter RADIO_LINK_TIMEOUT is set by operator. •The frames of the sending window have to be stored at sender side till they are acknowledged.
•Numbering Cycle
•Frame acknowledge and repetition function: •of LAPD and MTP2 = 128
•LAPD, LAPDm and MTP2 use backward error correction as HDLC: •of LAPDm = 8, in order to reduce the size of the frame header.
•Non-acknowledged mode: frames are transmitted once, whatever the outcome
at the receiver side. •Window size of LAPDm = 1,
•Acknowledged mode, ensuring correction of erroneous frames by repetition. •in order to simplify the protocol.
•The non-acknowledged mode is e.g. more adequate for recurrent measurement •Window size 1 corresponds to a simple send-and-wait protocol.
messages send by mobiles, as a lost message does not harm and a repetition of an •In case of TCH/8 used for signalling, performance does not suffer from this
old measurement value would not render the latest information. simplification, because this channel is of basically alternating nature.
•In case of the other channels, transmission of signalling messages will be additionally
delayed when several frames are send in a row, due to window size = 1
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
109 111
the number of the expected next frame to the sender in the indicator N(R).
4 3 2
•In MTP2 the number of the last frame correctly received is transmitted back to the 6
7 0
2 7 0 Frame 2 has been successful-
Ack.0 6
sender. 5 1 1 ly received, but the time win-
5 dow can not be changed, as
•In any cases the sender repeats non acknowledged frames. 4 3 2 1 4 3 2 frame 1 is still missing.
•The total number of repetitions is limited in order to avoid endless loops.
•Repetition is triggered by the 6 7 0
sender, if 5 1
Sender Receiver When the ack. for frame 2 7 0
•it receives an acknow-
0 is received, the send window 6 4 3 2
ledgement for a frame Supervision 0 acknowledged
is shifted from 1 to 3 5 1 Ack.2
which is not the last timer 1 1 expected
lost
4 3 2
one send or
2
•when it doesn’t receive 0 acknowledged
Timer 1 expected Windows (here red figures) represent a sliding set of contiguous frames, which can be either:
an acknowledgement Expiry (1) 1 •sent and not yet acknowledged (sending window) , or
after a certain time Timer 2
2 acknowledged
Expiry (1)
3 expected •accepted for reception (receiving window) at a given moment
28
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.2.3. Error Detection and Correction (continued)
SABM 1.7.2.4. Multiplexing (continued)
•Acknowledge mode setting procedure:
Initialisation/resetting of context on both UA •The only case on the air interface, where real independent message flows are transmitted
sides of an interface in acknowledged mode. simultaneously with acknowledgment and repetition (see table): TCH/8
SABM = Set Asynchronous Balanced Mode 0 •TCH/F was reserved for speech and data connections, no pre-emption for SMS …
UA = Unnumbered Acknowledge. 1 Numbered frame •In consequence transmission of SMS is slow: 80 octets/sec or 600 bit/sec.
transmission
2
•Multiplexing on Abis interface:
“SAPI” Type of flow
•In LAPD exchange of upper layer information can only start after such an exchange. •Additional to the radio signalling
•In LAPDm : SABM carries a “piggyback” message which is repeated in UA answer. Procedures, the Abis interface also carries 0 Radio signalling
A flow dedicated to the operation and 62 Operation and maintenance
•Acknowledge mode release procedure: Maintenance of the BTS 63 Layer 2 management
•Normal release of a link Numbered frame •… and Layer 2 management flow.
•No piggybacking is allowed transmission
•At any time an unacknowledged frame of info.
may be send. DISC
When no frame is pending: “fill frames” are send
UA
consisting of UI frames (“Unnumbered Information”)
U.A.Hermann: GSM U.A.Hermann: GSM
4/2/2003 0 113 4/2/2003 115
•On LAPD this multiplexing is e.g. used for point-to-multipoint installations. •However in case of resource sharing: the available resources are typically smaller than the
sum of the maximum capacities for each flow.
•LAPDm: on the TACHs this multiplexing is provided as well, even so they are only Point-
to-Point connections: •Flow control has to prevent, that the overall system capacity crashes to 0 due to an overload.
•On the air interface two independent message flows can exist independently:
Transfer of signalling (SAPI= 0) and SMS (SAPI= 1). •So flow control along the transmission line is need:
•Both are distinguished by SAPI (= Service Access Point Identifier), which are the link •“stop-and-go” control using 2 commands
identifiers transmitted in the protocol. •Provided by LAPD, MTP2 , not LAPDm
•Not all channels are suitable for all combinations of the 2 SAPIs:
TCH/F TCH/8 SACCH
Signalling (SAPI0) Ack.mode Ack. mode Non-ack.mode
SMS (SAPI3) - Ack.mode Ack. mode
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
114 116
29
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.2.6. Summary: LAPD and LAPDm Frames 1.7.3. Networking
•Link protocols described before enable exchange between 2 entities, which are directly,
Frame Frame Type Meaning Role
physically connected.
SABM Unnumbered frames Set Asynch.Balanced Mode 1st frame to set-up acknowledged mode •In many cases however application protocols involve entities, which are not directly
DISC Disconnect first frame to release ack. Mode interconnected.
UA Unnumbered Ackn. Ack to e.g. the above 2 frames
DM Disconnect Mode Response indicating disconnected mode •For this purpose different mechanisms are available:
•“Elementary links”: are single links on the route between start and destination of a
UI Unnumbered Information Information frame (non-ack.mode)
message.
I Info. transfer frames Information Information Frame (ack.mode) •An elementary link may be used for a number of different network connections
RR supervisory frames Receive Ready “you may go on” (flow control) between potentially different start and end points.
Also used for acknowledgement
•Routing is done by 2 different mechanisms:
RNR Receive not ready “you should stop” (flow control) •“Datagram”: each message is analysed on its arrival
REJ Reject Negative acknowledgement •“Virtual Circuit”: the route is established by the first message and the following
FRMR FRaMe Reject Error back-reporting messages follow the same route.
RNR and FRMR are not used in LAPDm •Multiple parallel connections between the same entities are generally possible.
•Tags with addresses are used to discriminate between the different message flows
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
117 119
30
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.1.1. The Mobile Station Point of View (continued) 1.7.3.1.2. Abis Interface (continued)
• Discrimination between CC and SS messages of different user communications: •Messages on the Abis interface, for which the BTS acts as a transparent relay, are put into
• Done by TI= Transaction Identifier an “envelope” of additional messages.
• Each transaction belongs to a communication. •These messages are of the following types:
• TI is inserted by the originator (MSC or MS)
• TI is used by receiver to relate a message to the right context. From BSC to BTS From BTS to BSC Use
ESTABLISH REQUEST ESTABLISH INDICATION link establishment
ESTABLISH CONFIRM
1.7.3.1.2. Abis Interface
DATA REQUEST DATA INDICATION acknowledged info. transfer
• In principle the BTS can be considered as a remote radio link entity of the BSC. UNIT DATA REQUEST UNIT DATA INDICATION Non acknowledged
• Many different messages flow over the Abis IF, belonging to information transfer
• BTS – BSC communication, RELEASE REQUEST RELEASE INDICATION Link release
• Communication of MS with BSC, MSC, HLR etc. RELEASE CONFIRM
• Communication with TRXs (Transmitter/Receiver Unit) inside the BTS.
ERROR INDICATION Link error notification
• In order to reach different message destinations, each message on the Abis inteface
carries a “message discriminator” with complementary data. (see next table).
• So there are 4 different message groups transmitted via the Abis interface
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
121 123
Message discriminator + Communication Use •DTAP (Direct Transfer Application Part) = message flow to MSC.
complementary data end nodes •BSSMAP ( BSS Management Part)= message flow to BSC.
•SCCP (Signalling Connection Control Part) is an SS7 protocol, used to route messages to
Radio Link Layer Mngmt. + MS- BSC or Relay of radio path messages particular MS or to BSC.
Channel reference + beyond transparently through the BTS
Radio link reference BSSMAP DTAP
Dedicated Channel Mngmt. + BTS- BSC Interworking for a given TACH
Channel reference
Distribution layer
Common Channel Mngmt. + BTS- BSC Interworking for a given BCCH
Channel reference or PAGCH/RACH SCCP
TRX management BTS- BSC Control of TRX status BSC MSC/VLR
MTP 3
•The “channel reference” determines the MS to be addressed and contains additionally the MTP 2
type of channel (TACH/F, TACH/8, BCCH, etc.) and time slot number.
MTP 1
•“radio link reference” indicates the LAPDm link on which the message is to be send or
received. It discriminates between SAPI 0 and 3 and between TCH and SACCH .
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
122 124
31
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.1.3. A Interface between BSC and MSC (continued) 1.7.3.1.4. Networking on MAP/E (continued)
MTP3 features/aspects: •The information fields of these messages contain the information exchanged between MS and
•Management of SS7 network ( traffic, channels and routers) anchor MSC:
•Routing of messages in an SS7 network. In GSM it is only used to route between BSC – MSC •same information as on A interface when transported by a DTAP message or
•Redundancy: a “linkset” of redundant lines may be established for safety reasons. •…on Abis when transported as a Radio Link Layer message or
•“Load sharing”: between different lines of a linkset. •… on the radio interface
SCCP features/aspects:
In GSM only 2 out of several classes of services are used:
PROCESS ACCESS
SIGNALLING
Message
•Basic connectionless mode (class 0): (message from MS) From MS
•Related to system management tasks, like reset or overload indication Anchor Relay
BSS
•Connection oriented mode (class 2): MSC MSC
•Enables separate independent connections to be set up. This is used on A interface to
FORWARD ACCESS
SIGNALLING
Message
distinguish transactions with different MS. (message to MS) To MS
•Connection are only set up when needed and released when not needed any longer, e.g.
for handover, call set-up or location update. •As the MAP protocol is used, the relay MSC has to use TCAP in order to address the different
•BSC and MSC have to store a context per connection in order to be able to map MS. Therefore the relay MSC has to maintain a context for each connection with a MS in order
•messages from/to BTS and the right radio channel to translate between SCCP references (towards BSC) and TCAP references (to anchor MSC)
•from/to MSC using a certain SCCP connection.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
125 127
32
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.1.5. Summary: Connections in the BSS (continued) 1.7.3.2. Networking in the NSS
•SS7 standards are used .
• The next picture shows the hierarchical organisation of message flows from MS to MSC: •Routing and addressing schemes are important, as roaming leads to messages exchanged
•Different links, transactions, connections, … between
•Their identifiers, discriminators, addresses, references, … • different networks,
• operated by different companies,
• The hierarchies are shown as nested boxes. • in different countries.
• 4 different MS are having ongoing calls in parellel in this example. 1.7.3.2.1 The SS7 Network Protocols
•2 network levels in SS7:
•For MSa all levels of detail are shown for •Lower level to build national networks: based on MTP3
• the 2 different calls in progress: TI= and b on PD= CC, on SAPI=0 •Higher level for interconnecting all national nets to a global net: SCCP
•… and 1 SMS transaction (TI= a on SAPI=3) Reason: it is much easier to manage routing tables covering one network (addressing of
entities owned by one company), than many foreign networks.
•MSa and MSb use the same TRX, but different SCCP connections on the A interface •2 levels of addressing correspond to these 2 network levels:
•SPC (= Signalling Point Code) is used in MTP on national level: each message contains
•2 different TRXs are used in the BTS for the different calls. the SPC of the destination.
•“Global Title”= higher addressing scheme for identifying any SS7 point worldwide.
In GSM it is used in SCCP for addressing of MAP messages between NSS entities.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
129 131
33
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.2.1 The SS7 Network Protocols (continued) 1.7.3.2.2. TCAP (continued)
•In GSM the SCCP address (whether global title or an SPC) includes a sub-address (= sub- •Many cases in MAP where important data are only sent once in a dialogue:
system number), which identifies the type of target entity (= HLR, VLR, MSC, or EIR) •This information is than implicit for the rest of the dialogue.
•The context is than created by
•Gateway function : to establish the interworking between the two levels. •TCAP primitive: TC-Begin
•Gateway is part of the national network and the global SS7 network. •TC-Continue
•SCCP function in gateway node receives a message bound for an international destination •TC-End
⇒SCCP function determines from the global title the appropriate international node &
⇒ … forwards message to this node, using international SPC as the MTP address •Correlation of individual commands and responses in a dialogue is managed in “Component”
•This scenario is repeated each time a gateway is passed, till the destination is reached. sub-layer:
•Correlation between a request and answer issued by a MAP entity is not managed by
•SCCP is a “datagram networking protocol”: each message contains an SCCP address. MAP, but by TCAP.
•Consequence: MAP often does not specify a message name as an answer to a request.
•SPC addresses consist of : •This answer is simply contained in the “Return Result” or “Return Error” messages
•Geographical zone indicator linked by TCAP to the “Invoke” component containing the initial message.
•Network indicator within the zone •This linking is done by the transaction indicator contained in each message.
•Point indicator within the network. •E.g.: “Radio Channel Acknowledgement” is an answer to “PerformHandover” message.
•In NSS the capability of SCCP to manage independent connections (as on A interface) is not “Radio Channel Acknowledgement” is carried in the “Return Result” component of the
used TCAP “PerformHandover” operation.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
133 135
•On top of SCCP: MAP uses TCAP (= Transaction Capabilities Application Part”) •Grouping in TCAP:
•TCAP is considered as an application protocol not transmission protocol. •Several operations belonging to the same dialogue can be grouped inside a TCAP
•TCAP provides means to distinguish different message flows. message.
•TCAP in GSM can be modelled in 2 sublayers: invoke •E.g.result of one operation (e.g. acknowledgment of a subscriber authentication) while
•“Transaction” sublayer return result invoking another one (e.g. start of ciphering)
•“Component” sublayer on top component return error
sub-layer reject •TCAP syntax is ASN.1 (“Abstract Syntax Notation 1”)
•Transaction sublayer manages transactions (= dialogues)
end-to-end. transaction
This is an example for virtual machine approach to sub-layer
distinguish several independent flows in parallel on the Begin, continue,end
Abort, unit-data
same transmission means:
•TCAP adds a transaction indicator to each message
•This indicator relates all messages to their contexts.
•So MAP does not need to consider how to link different exchanges concerning the same
context (e.g.. handover). This is done by TCAP.
34
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.3. Networking for Supplementary Services (= SS) Management 1.7.3.4. Networking for Point-To-Point SMS
•SS messages are transferred between MS and HLR. •For SMS GSM may interwork with external networks
•The management of SS is performed by HLR, even though the service is normally fulfilled by •SMS are transported between MS and SM-SC (=Short Message - Service Centre)
MSC/VLR HLR was chosen as the single point of control to ensure consistency of data
throughout the network. •SM-SC:
•Not specified in GAM standard,
•SS communication between MS and HLR consists of two “legs” •Possibly even outside a given GSM network.
•BSS (carried as stand alone messages or as part of Call Control) •SM-SC is connected to one or several MSCs, which act as gateways between GSM and
•NSS using MTP, SCCP, TCAP SM-SC, called
•MSC/VLR acts as a relay between MS and HLR: e.g. analysing whether messages from •SMS-GMSC: in case of mobile terminating SMS
HLR must be transmitted to the MS or not. •SMS-IWMSC (InterWorking MSC) : in case of mobile originating SMS.
•MAP/I (see next picture ) is the application protocol between MS and HLR: •Transportation specification:
•Between MS and MSC : its messages are carried encapsulated either inside CC messages •Gateway to SM-SC : complete stack is not part of GSM standard.
or inside messages using SS protocol discriminator. •MS to Gateway is part part of the GSM standard.
•Between MSC and HLR: SS7 stack is used (messages are distinguished from other •SM-TP (“Short Message transport Protocol”) between MS and SM-SC is an end-to-end
messages by message type). protocol incl. features of an application protocol (see next picture)
35
1.7. Signalling Transfer 1.7. Signalling Transfer
1.7.3.4.1 BSS leg 1.7.3.4.2 NSS leg
•The lower layers for message transfer have been described in chapter about linking: •Between MSC and GMSC the short messages are transported like signalling messages:
•Radio path: acknowledged-mode SAPI 3 on TCH/8 or SACCH •Using SS7 stack supporting MAP (MTP, SCCP, TCAP)
•Relay protocol on Abis interface between BSC and MSC •On top of this the MAP/H: providing the same functions as SM-RP in the BSS leg.
•DTAP on A interface •The three messages of MAP/H can be directly mapped on SM-RP (see picture).
•SM-CP (= Short Message Control Protocol) is a very small and simple protocol:
•Command/answer procedure with 3 message types.
MSC VLR SMS-gateway
•No reference to correlate messages, as operation is “send and wait”.
•CP-Data message contains higher level information, like SMS itself, upper layer RP-Data Forward Short Message
acknowledgment or error report. message ref (TCAP component reference)
Originator sm-RP-OA
TP-message sm-RP-UI
36
1.8. Radio Resource Management 1.8. Radio Resource Management
37
1.8. Radio Resource Management
1.8. Radio Resource Management
1.8.1.2. Initialisation (continued)
1.8.1.1. Concept of RR Sessions (continued) 1.8.1.2.2 . Paging and Discontinuous Reception
38
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.3. Transmission Management 1.8.1.3. Transmission Management
1.8.1.3.1. Transmission Mode Management (continued) 1.8.1.3.2. Terrestrial Channel Management
•“Signalling only” mode used for e.g.: •BSC: is setting up and controlling terrestrial circuit from BTS to BSC.
•At the beginning of a call, •Relay-MSC: is allocating terrestrial circuit from BSC or TRAU to Relay-MSC. MSC
•SMS signals the channel choice to BSC, so that BSC can set the right connection in its switching
•Location updating matrix.
•Anchor-MSC to Relay-MSC: initiated by Anchor-MSC using ISDN procedures for call
•Setting up of transmission mode: establishment.
•… mode is chosen by MSC depending on end-to-end service. •TRAU: if the TRAU is on the MSC side of the BSC:
•First the RR-session is established as a “signalling only” connection. The channel of 1. MSC chooses a circuit towards TRAU
this connection is chosen by the BSC, typically an TACH/8 2. Signalling between BSC and MSC
•… than after the transmission needs are clear, the MSC intervenes and changes the 3. BSC BSC controls set up of circuits between BTS and TRAU.
channel type and transmission mode according to user requirements.
•Procedure for transmission mode management: •Ciphering criteria are determined by the operator (and by export regulations different
•Typically the initial TACH/8 channel for signalling has to be changed to the user ciphering are used in different countries)
required channel (to TACH/F or TACH/H).
•This is “subsequent assignment”: to change a radio channel used by an RR-session •Ciphering is independent from type of transported data.
without changing the cell.
•“mode modification” procedure: if the type of channel is OK, but not the transmission •RR-session is always “clear text”= unciphered, as the network does not yet know the user
mode. identity.
•Handover: above changes may happen in the context of an handover.
•Sometimes subsequent assignment is confusingly called intra-cell handover. GSM •Transition from clear text to ciphered mode
convention however is to use the phrase handover in the context of actions due to •MSC is deciding:
quality or load requirements (why is it done?) •Provides ciphering parameters (mode and user ciphering key Kc)
•Commands change of mode from un-ciphered to ciphered.
•BSC coordinates the change:
•Synchronisation is important: if one entity would e.g. still send un-ciphered and
the other one expects ciphered data, an unrecoverable loss of connection happens,
•BTS and MS are impacted.
39
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.3. Transmission Management 1.8.1.4. Handover Preparation
1.8.1.3.4. Discontinuous Transmission (=DTX)
•Handover has 3 phases:
•During DTX radio communication is reduced to a minimum in order to reduce radio •Preparation: important/complex process with heavy impact on QoS & spectral efficiency
interference in the network. •Decision:
•DTX is optional, so it must be managed. •Execution.
•DTX is independently applied for both directions DL and UL.
•DTX only in some transmission modes: 1.8.1.4.1. Handover Purposes
•Speech and non-transparent data: •“Rescue Handover”:
•Not for transparent data: impossible to assess when a user doesn’t need radio connection. •Definition: Call would be lost, if cell is not changed.
•DTX is commanded by the MSC and managed/configured by the BSC. •So QoS is determining element
•Operator can/must optimize DTX behaviour by parameters (e.g. not for MS to MS calls due to •Call reestablishment: extreme form of rescue handover, where communication is lost and
“double clipping” effect). MS attempts to recover with the serving cell.
•BTS derives its behaviour dynamically: •Confinement HO”:
•From MS (UL) •Definition: a HO with the objective to minimize the global interference.
•From TRAU or MSC/IWF in DL. •From interference point of view there is a “best” cell, particularly, if power control is used
•Change of DTX: •“Traffic HO”:
•In UL the MSC can at any moment force MS to use or stop DTX. •Definition: a HO with the objective to unload an overloaded cell.
•In DL changes only possible, when transmission mode changes. •Used e.g. in case of a local “hot spot” cell, e.g. serving a football stadium.
•Traffic HO increases interference and contradicts confinement HO!
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
157 159
Figure 1.8.-1 Procedure for setting of DTX 1.8. Radio Resource Management
Downlink DTX 1.8.1.4. Handover Preparation
BSC 1.8.1.4.2. Handover Criteria
DTX
decision
•Criteria for rescue HO:
•Measurements from BTS and MS.
BTS MSC VLR •Transmission quality : Bit error Rate (= BER)
MS
DTX settings •Signal level: RxLev.
TRAU
•Propagation delay: timing advance
40
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.4. Handover Preparation 1.8.1.4. Handover Preparation
1.8.1.4.2. Handover Criteria (continued) 1.8.1.4.3. Measurements (continued)
41
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.4. Handover Preparation
1.8.1.4. Handover Preparation 1.8.1.4.3. Measurements (continued)
1.8.1.4.3. Measurements (continued)
•“PLMN permitted” indication in the BCCH: a screening indicator telling the MS, for
•TACH/8 case: which cells to report measurement results. It is an 8 bit indicator with one bit for each of
•Problem: TACH/8 and FCCH have both 51 * 8 BP cycle time the 8 patterns of NCCs. By this reporting on the cells of a neighbour PLMN can be
•Phasing between TACH/8 and FACCH can be anything. blocked.
•Solution: due to the structure of TACH/8, there are big gaps between the reception of
TACH/8 bursts, which may be used by the MS to listen to neighbour stations, so regardless •The measurement period:
of the phasing, there will always be moments, when 1 of the FCCH bursts can be listened
to. •Measurements are averaged over a measurement period, as single measurements are of
little value due to noise: raw BER are averaged and logarithm of reception levels.
•BSIC (=Base Station Identity Code):
•Measurement period = period of message transmission on SACCH.
•Problem : it might happen, that a MS receives more than one beacon channel using a
given frequency (e.g. in boundary areas to neighbour countries or in case cell planning is •Uplink and downlink periods are simultaneous.
done with very few frequencies.
•Solution: BSIC is transmitted in the SCH as
a “colour code” (like the colouring of maps), 1 23 1 2 •Measurement results of MS may be delayed up to half a second due to transmission delay.
3 In order to report UL and DL measurements synchronously to BSC, BTS buffers its own
so that BTS with same beacon frequency use 2
13 12 measurements.
different BSICs. 3
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
165 167
•BSIC is used for many cases, when distinction between cells is required: •Interaction with DTX:
•MS gets from the BTS a list of beacon frequencies to be monitored. •Under DTX, only a minimum of speech blocks are send in order to minimize interference.
In measurement report MS reports BSIC of the monitored cells.
•Screening: network may indicate a subset of BSICs for which no reporting shall be •In order to have some blocks to perform measurements on, it is required, that 12 bursts are
done, because the cells are blocked for handover. send in each reporting period:
•Prevention of spurious reception of RACH bursts by the BTS: it might happen, •4 SACCH bursts (forming a coding block)
that 2 cells receive the RACH burst of the MS. To prevent this , the RACH burst is •8 bursts of TCH containing the SID (= SIlence Descriptor) frame in order to refresh
“exclusive-ored” with the BSIC, so only the right cell decodes the burst comfort noise.
successfully. •(on TCH/8 only 8 bursts per measurement period are send Î DTX is not applicable )
•In idle mode the MS reads the BSIC to make sure, that it is still monitoring the same
cell. •2 sets of measurements are done by MS and BTS on TACH/F:
•Full set of all 100 bursts (better due to longer averaging).
•Between operators inside a given country there are no problems of undue overlapping of •Subset of 12 bursts (available in case of DTX ).
beacon frequencies, as they have per definition disjoint frequency allocations. •For each measurement MS and BTS report whether DTX was used, so that the BSC
can discard the full measurement in this case.
•Between operators of different countries with common borders, a NCC (= National
Colour Code or “PLMN colour code”) is proposed, which are the first 3 bits of the BSIC
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
166 168
42
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.4. Handover Preparation 1.8.1.5. Power Control and Timing Advance
1.8.1.4.3. Measurements (continued) 1.8.1.5.1. Power Control (continued)
43
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.5. Power Control and Timing Advance 1.8.1.5. Power Control and Timing Advance
1.8.1.5.2. Timing Advance (= TA) 1.8.1.5.2. Timing Advance (= TA) (continued)
•The Problem: • Arrival time offset at MS = transmission time offset between the two BTS -
•TDMA scheme of GSM does have very small guard bands between subsequent bursts ( propagation time 1 – propagation time 2 ) (see green area in picture before)
received by BTS. • Transmission time offset between 2 BTS = 0 by definition for synchronised BTSs
•Far away MS would therefore transmit into the subsequent reception time slot. • So MS can compute the new TA2 = TA1 – 2( prop1 – prop2)
• BTS cannot do this calculation: it does not know (prop1 – prop2) .
•Solution: MS advances its transmission time (which at the first instance was derived from its • … so MS starts transmitting with TA= 0 before switching to normal transmission
reception of bursts), by a time as commanded by BSS. with TA2. This enables BTS to assess the propagation times.
•After dedicated connection has been established: BTS measures time offset of received bursts 3. Neither MS nor BSS can calculate TA beforehand:
and feeds TA via SACCH back to MS. • Happens at HO or initial assignment (= IA) between 2 non-synchronised cells.
• So in both cases ( HO & IA) MS is not allowed to send normal bursts
•TA varies from 0 to 233 µs, corresponding to max. 35 km cell radius, coding 0 … 63 immediately as in synchronised case. MS must first go through random access
•Guard time for access bursts limits delay to 220 µs. sequence in order to allow BTS to calculate and signal TA.
•Guard time between Tx and Rx for implementation of MS with only 1 synthesizer is limited… • So MS sends RACH burst with TA=0. BSS measures ∆T (= 2 * prop.time)
• Disadvantage: this procedure lengthens the HO process and the communication
•Extended Cells (coastal areas)= more than 580 µs guard time by only using channels with even interruption.
TN. TN= 0 must be used for BCCH !
44
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.6. Radio Channel Management 1.8.1.6. Radio Channel Management
1.8.1.6.1. Cell Channel Configuration (continued) 1.8.1.6.1. Cell Channel Configuration (continued)
• The MSs are distributed CCCH Number of RACH burst PAGCH message • Frequencies allocated to a cell may change dynamically in time Î frequency redefinition
on the up to 4 different capacity MS groups Rate (bursts per rate procedure
carriers in 4 different (equiv. in TACH/F) second) (messages per second) • Changes in frequency allocation are even possible for FH. Specific mechanisms have been
(other half only for
groups depending on 1/2 4 TACH/8 usable 1 114.7 12.7 developed:
the channel structure • Precisely synchronised change of frequency parameters to MS and BTS for all
(see column 2). 1 1 216.7 38.2 connections
2 2 433.4 76.5 • Precisely timed channel assignment: initial assignment or subsequent assignment for
• MS finds this info on 3 3 650 114.7 HO.
the BCCH • MS view of frequency change: just a normal channel change.
4 4 866.7 152.9 • BSS view: several MS and BTS have to be closely synchronised:
• This access channel structure may change in time, problem : MSs listening to a given 1. OSS informs BSC about required modification of frequency organisation.
channel 2. BSC determines time for transition instant and makes sure all affected MS have time
to receive the related command.
In case of allocation of channels before the actual transition: MS are informed to
perform transition at the commanded time.
Organisation of PAGCH • Infrastructure chooses a given radio channel out of a pool of idle channels in 3 different
cases:
• PAGCH is organised in 2 parts on a CCCH: • Initial assignment: MS is in idle mode and e.g. user wants a call or location update
• Several paging sub-channels, each one allocated to a certain sub-population of MS. happens.
Initial Assignment messages can be send as well on these sub-channels. • Subsequent assignment: when a different channel is required due to change of
• Possible sub-channel reserved exclusively for assignment messages. communication needs, e.g. from TACH/8 to TACH/F.
• Handover.
• PAGCH configuration is broadcast on BCCH to MS. So they know where to listen for calls.
Allocation Strategies
• PAGCH config. May change dynamically, without MS to loose calls.
• MS view is simple: channel assignments are just orders to start transmission & reception.
Traffic Channel configuration • BSS view: first choice of channel by BSC, than transition.
• Optimised algorithms for allocation:
• Set of traffic channels may be changed dynamically in order to meet traffic demand. • E.g. whilst the telephone is ringing, a TACH/8 is sufficient, TACH/F can be allocated
• E.g. one TACH/F may be changed to 8 TACH/8. when call is put through. So several strategies are possible…
• This is controlled by O&M or under BSC control. • Very early assignment (VEA): allocate TACH/F at initial assignment, if usage of this
• Choice is open for manufacturer or/and operator channel is probable.
45
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.1.6. Radio Channel Management
1.8.1.6.2. Dedicated Channel Allocation 1.8.1.6. Radio Channel Management
1.8.1.6.2. Dedicated Channel Allocation (continued)
• Early assignment (EA): allocate TACH/8 first, than TACH/F as soon as need for this
channel is clear.
Interference based channel allocation
• Off Air Call Set Up (OACSU): TACH/8, till called party answers call, than switch to
TACH/F. Disadvantage: lower user comfort as time without contact is noticeable.
• BTS measures UL interference of idle channels Î noise level is known by BSS
• Î BSS selects best channels first for allocation in order to minimise interference.
• Trade offs:
TACH/F • Congestion due to interference:
• VEA is fastest due to
TACH/8 • Problem: traffic in one cell is interference in neighbour cell.
highest bandwidth TACH/F
• Î In case all channels in one cell are occupied, many channels in neighbour cell
• OACSU is most economic TACH/8
TACH/F might be unusable due to interference
spectrum utilisation. Time
• So BSC must not take additional channels into usage, when allowed interference level
• VEA is “overkill” for Access Full Call Called party is reached.
location update. request information answers • This mechanism is used as “dynamic channel allocation”: one cell has more channels
than meaningful in terms of frequency planning, so that high interference with
• Measures in case of overload:
neighbour cells is possible. That means in case of overload, that this cell is “stealing”
• Queuing (user gets voice message from operator)
frequencies from neighbour cells.
• Rejection (occupied tone).
• Queuing strategies are left open to manufacturer and operator. GSM standard just provides • For frequency hopping the BSS needs to tell the MS which hopping sequence to use.
means (e.g. indications to be exchanged between entities). • Problem: with 124 frequencies in GSM and 374 in DCS, there are almost an infinite
• Queuing depends on the conditions in which its is applied: number of possible frequency combinations. Encoding of all these possible frequencies
• At initial assignment (IA) : queuing is not applicable, as there is a repetition algorithm would consume too many bits on the air interface.
in IA, so a not answered request would be repeated. • Solution:
• Subsequent assignment: • MAIO (= Mobile Allocation Index Offset) describes the starting point for the hopping
• Disadvantage: user perceives delay in call set up. recurring function.
• Advantage: user would otherwise be rejected. • HSN (= Hopping sequence Number), 64 bit, describes which of a predefined set of
• Handover: complicated strategy, as in case of e.g. rescue HO, queuing might lead to a hopping frequencies to use.
connection break down. • Cell allocation: two step mechanism:
• Forceful termination of calls: pre-emption • 16 octets in GSM 900 transmitted on BCCH indicate which frequencies are used
in the respective cell.
• When BSC send a channel allocation message to a MS, only a subset of these
frequencies is allocated for FH (coded with 64 bit for 64 frequencies)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
182 184
46
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.2. Architecture and Protocols (continued) 1.8.2. Architecture and Protocols (continued)
Special aspects of handover: •Functional split inside the BSS. Two basic concepts:
•Central processing of all handover relevant data in the BSC:
•Information needed for handover decision come from: •Advantage: Speed of HO decision, single point of control
•BTS: measurement values (as reported from MS and own measurements). •Disadvantage: High processing load in BSC, high signalling load on Abis.
•BSC: frequency planning and cell layout data. •Pre-processing in the BTS:
•BSC and MSC: traffic information •Advantage: distribution of processing load, lower signalling load on Abis.
•Disadvantage: complex, distributed algorithms for HO control
•Basic split of tasks for HO decision: •Solution: BTS/BSC split of HO architecture is not specified by GSM, but up to
•BSS is managing radio resources and deciding to perform handover on a given the manufacturers. The GSM standard just foresees the mechanisms for both
RR session. solutions.
•MSC may however intervene on this HO decision based on radio criteria, if
there are traffic criteria. •Protocols (see next picture):
•BSC-BTS protocol: BSC configures the transmission path and BTS reports
measurements to the BSC. (specified in GSM Rec. 08.58 and therefore called
08.58 protocol or RSM (Radio Subsystem Management)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
186 188
47
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.2. Architecture and Protocols (continued) 1.8.3. RR Procedures
•Protocol from BSC to Relay-MSC:
•Is called BSSMAP (= BSS Management Application Part) 1.8.3.1. Initial Procedures: Access and initial assignment
•Used to carry requests for initial connection establishment and …
•… any change in connection attributes as commanded by higher layers. •Purpose of initial Procedures: transition of MS from idle to dedicated mode.
•HO handling between Relay-MSC and BSC
•Protocol between 2 adjacent MSCs: is part of MAP and called MAP/E •Initial assignment is always triggered by request from MS for 1 out of 3 reasons:
•Location updating
Relay-MSC Anchor-MSC •Answering of paging
•Reaction on user request (e.g. outgoing call, SS or SMS)
MS BTS BSC MSC VLR MSC VLR •Access procedure is always the same:
•MS -> BSS: RIL3-RR “channel request” message send on RACH
•BSS -> MS: RIL3-RR “immediate assignment (extended)” message on PAGCH with
RIL3-RR MAP/E the channel allocated to the MS.
RSM BSSMAP
•MS -> BSS: MS establishes the link layer for the signalling transfer on the newly
TCAP allocated channel. MS sends initial message with subscribers identity and reason
SCCP SCCP connection request.
LAPDm LAPD MTP MTP
•In this chapter temporal procedures and the dynamic processes between the different tasks •Problem : Access of MSs can not be scheduled Î random collisions of access bursts happen.
needed for RR management are described.
•In case of collisions only some or none of the random access bursts might be possible to be
•Following procedures will be analysed: decoded correctly by BSS.
•Creating an RR session. •Collisions increase with traffic .
•Paging procedure •GSM uses “slotted Aloha”.
•RR session, e.g. changing channel characteristics (type of channel, ciphering mode)
•Handover execution, incl. call reestablishment. •Access repetition in case of collisions is random and managed by BSS (transmitted on BCCH)
•Release procedure. •“Tx-integer: random scheduling of each attempt over 3 to 50 slots.
•Handling of signal measurements, •Max retrans: up to 1, 2, 4 0r 7 repetitions are allowed
•Timing advance, •Trade of between resistance to overload and QoS! This method is only for short peaks.
•Power control
•Frequency redefinition. •Overload control: all resources must fit to each other, e.g. RACH, PAGCH,TACH capacity.
•Broadcast on BCCH Overload should cut traffic at the source, e.g. prevent RACH in case all TACHs are loaded.
• RIL3-RR “immediate assignment reject” message prevents MS from access attempts
•“Abnormal cases”, like e.g. failures and collisions of events can not be dealt with here, even so •Blocking access for a “class” of MS: by mobile operators, the SIM cards distributed to
they typically consumed a large portion of the R&D effort. “normal” subscribers contain randomly chosen a class (1 out of ten). In case of overload
complete classes are rotating blocked for a certain time (controlled by BSC).
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
190 192
48
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.1.3 The initial channel assignment
1.8.3.1.1 Random Access (continued)
MS Channel Request
Channel Required
BTS frame number BSC
•Additionally the following “VIP” classes are defined:
delay
•The corresponding users belong to one of the “special” Subscriber category
classes 1…10 additionally and may access access class Channel Activation
if one of their classes is allowed. 11 Left open to PLMN operator Immediate Assignment
12 Security services (or immediate assignment extended)
•Emergency calls are treated separately, so that frame number
they pass, even if the class is barred. 13 Public utilities ? delay
14 Emergency services
•“Channel required” message: contains estimation of of transmission delay (for timing advance)
•Neighbouring Cells: in case a MS is rejected in 15 PLMN staff •Timing advance is based on the delay estimation, the BSC indicates back to BTS (BTS can not
one cell it may retry in the next (second best )
correlate the assignment of the BSC with the original request of the mobile).
cell. Disadvantage: increase of interference.
•Immediate assignment to MS via PAGCH contains:
•Description of allocated channel.
•The BSS may as well forbid MS to retry in neighbour cells. •Initial timing advance to be used by MS.
•Initial maximum transmission power of MS.
•In case MS has repeated its “channel request”, BSS can not recognise this repetition, so •Reference, so that MS can see whether the response of the BSS is the answer to its request:
multiple channels are allocated to the MS. MS will take the first allocation, the other ones •Exact content of original channel request message + TDMA frame number
remain idle for some seconds, till they are cleared by the BSS. •In order to get this message, MS must continuously decode all PAGCH messages in real time!
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
193 195
49
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.1.4 The initial message (continued) 1.8.3.1.5 The Mobile Station Classmark
•There are 4 “initial messages” depending on the reason why the access was triggered: •RF power capability:
•All contain the MS classmark: indicating key features of the MS, like max.transm,power. •Also called transmission power class: max. transmit power of MS.
•GSM: Class 1 was probably never developed, class 4 is for most handhelds.
•After “initial message” has been exchanged between BTS and MS (see previous picture): •RIL3-RR classmarrk change message: allows to change classmark during a RR session, e.g.
•BSC is informed in an “RSM establish indication” message. vehicle mounted MS with antenna amplifier is dismounted during a call.
•MS classmark is stored in the BSS
•BSC sets SCCP connection towards MSC: “SCCP connection request”
•The initial message to MSC is carried in a “BSSMAP complete layer 3 information “
message, allowing MSC to trigger all necessary steps in upper layers.
•With the establishment of the SCCP connection the MSC takes control …
50
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.2. Paging Procedures 1.8.3.3. Procedures for transmission mode + cipher mode management
•Paging sequence: •The amount of different transmission modes expands as the GSM standard is enhanced with
•Incoming call from the network side to the GMSC. new features (see table in 1.8.1.3.1.)
•GMSC routes call to the MSC controlling a given location area (= LA) where the •Another property of the transmission chain is the cipher mode.
subscriber is expected to be.
•An LA may consist of 1 or more cells distributed between 1 or more BSC. •At initial assignment the BSC selects the the transmission mode (TACH/8 or TACH/F) for
•MSC sends BSSMAP Paging message to all BSCs of the respective LA. signalling.
•Message contains:
•Temporary IMSI (= International Mobil Subscriber Identity) or •Afterwards the transmission mode is changed according to the communication needs. This can
•IMSI (need for paging sub-channel in case of discontinuous reception). change during a communication as e.g. additional data channels are opened.
•List of cells for paging.
•BSC sends Paging Command to the BTSs. This contains the paging sub-channel. •Transmission mode is changed by the “assignment “ procedure.
•MSC/VLR Î BSC: “BSSMAP assignment request” message containg the transmission
•Paging repetition: characteristics as commanded by MSC.
•Paging repetition algorithm is up to manufacturer and operator. •BSC Î MSC/VLR: “ BSSMAP assignment complete” message acknowledgment after
•Problem: BTS and BSC are best suited for managing repetitions as they manage the successful change or in negative case “BSSMAP assignment failure” or “BSSMAP queuing
physical resources (I.e. the PAGCH), but they cannot relate an answer of a MS to a paging. indication” in case BSC can not immediately follow the command.
The MSC can do this.
•Solution: Stepwise repetition: BTS repeats e.g. 3 times automatically, than MSC
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
201 203
51
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.3.1. The Mode Modify Procedure 1.8.3.3.2. The Subsequent Assignment Procedure
• Mode modify procedure consists of 2 parts: • Subsequent assignment is necessary, if additionally to the ”mode modify” another radio
1. Configuration of the transmission devices on infrastructure side (BTS, TRAU, BSC) channel is required (see figure 1.8.-2).
2. Configuration of MS. • The whole operation is centrally controlled by BSC and similar to a HO. (note: the radio
• No synchronisation means between these 2 parts are available Î short period of transmission devices inside a BTS are independent and do not need to communicate!)
inconsistent configuration. • 1st step of channel transfer: setting a new path in the infrastructure consist of
• BSC triggers reconfiguration of BTS and TRAU by “RSM mode modify request” to BTS: • Allocation of new radio channel.
• BTS modifies its coding and decoding • Activation of corresponding BTS device.
• BTS changes in-band information in the BTS-TRAU frames • Allocation of TRAU if needed.
• TRAU reacts by modifying its data processing. • Switching to connect all terrestrial segments.
• If new mode is speech, than synchronisation between TRAU and BTS is needed. • Activation of BTS is started by BSC with “RSM channel activation” message, containing:
• When chain is ready BTS answers the BSC by sending “RSM mode modify • Specification of the required transmission mode,
acknowledge” • required cipher mode,
• BSC triggers in parallel MS by “RIL3-RR channel mode modify” message: • downlink DTX mode,
• Containing the new mode to be applied. • uplink DTX mode.
• MS executes change and responds “RIL3-RR channel mode modify acknowledge” to • After reception of this message BTS starts:
BSC via BTS • in-band signalling with TRAU, to set basic transmission mode and DTX mode,
• BSC alters the circuits between BTS and MSC, if needed. Additionally the connection to • so synchronisation between BTS and TRAU starts.
different circuits in the TRAU is switched if necessary.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
205 207
1.8.-1 The “mode modify” procedure 1.8.-2 Activation of a new channel in the BTS
TRAU TRAU
BSC BSC
MS BTS MS BTS
m1 > m2 change of configuration from mode 1 to mode 2 in-band control Ch. Configuration of the equipment for the new channel in-band control
BSC is in charge of configuring BTS / TRAU and MS. Order of configuration steps is up After activation handshake on Abis, BSC orders MS to change channel by “RIL3-RR assignment
to manufacturer. TRAU is configured through in-band signalling from BTS command” message, which is is acknowledged by the MS on the new channel
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
206 208
52
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.3.2. The Subsequent Assignment Procedure (continued) 1.8.3.3.3. The Change of Cipher Mode
• After BTS/TRAU are activated (i.e. BSC has received “RSM channel activation ackn.”) Î • During an RR-session the cipher mode may change on the air interface.
BSC orders MS to perform transfer of channel by “RIL3-RR assignment command”. • Problem: ciphering is applied to all transmitted information: signalling and data !
• Previous path is not yet released, so MS can “fall back” in case of problems by using Î Change of ciphering is a signalling break with the possibility of message loss.
link establishment procedure on the old channel. So all old contexts would be reset.
• MS after reception of RIL3-RR assignment command : • Solution: it would have been to complicated to require the BTS to decode with and without
• In case of “timed assignment” MS stays on the old channel till instant of change as ciphering at the same time. So a stepwise mechanism was developed:
indicated by infrastructure, • Step 1: BTS transmits according to old mode and receives according to new mode.
• else MS transfers immediately to new channel after RIL3-RR assignment command • Step 2: MS is fully in new mode (Rx and Tx)
even without acknowledging the corresponding frame on layer 2 on the old channel. • Step 3: BTS is fully in new mode (Rx and Tx)
• BTS, due to this lack of acknowledgment :
• Repeats message on old channel, till it decides that a link failure has happened, • Critical period with loss for message loss is split in 2, however in no case a single message
• than BTS informs BSC about this, but BSC does not react, because it knows reason. loss can jeopardise the whole connection (see next picture):
• From step 1 to 2: BTS to MS transmission works correctly: so a DL message
• Problem: in both cases (successful or return to old channel) the interruption of the link- triggering step 2 can be repeated by infrastructure if necessary.
layer may result in leaving a message sent by MS in non-acknowledged state: • From step 2 to 3 : MS to BTS transmission is correct: so MS can retransmit the UL
• Solution: after the new link is established, MS sends an “RIL3-RR assignment acknowledgement message required after step 2 (is required for step 3).
complete” message to BSC before any other message (or RIL3-RR assignment failure in
case of return to old channel). Than all messages waiting for transmission can be sent • “Cipher mode change” relies on link layer mechanism: repetition of messages after a given
(non-acknowledged ones and the ones arisen under the procedure) time out period, if no acknowledgment from the other side was received.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
209 211
1.8. Radio Resource Management 1.8.-3 Cipher mode change: the 3 steps
1.8.3.3.2. The Subsequent Assignment Procedure (continued)
• Problem of message duplication:
• Message sent by MS before link interruption cannot be lost but may be duplicated. BTS
• In case of upper layer messages (MM or CC) duplication might be harmful. MS
• So suppression of duplicated messages is done in the anchor MSC, 1
(Non ciphered)
• using the 1 bit sequence number (called N(SD) in the GSM Standard).
• When 2 successive messages are received, the second one is discarded (done on RR (Non ciphered, repeated) BTS deciphers
level). 2 (ciphered) the received flow
• This is performed in anchor MSC, as this is the only one stable during the but sends in clear
transmission. (ciphered, repeated)
MS deciphers the 3
received flow and (ciphered)
ciphers for sending BTS deciphers the
(ciphered, repeated)
received flow and
ciphers for sending
Short interruption of signalling link
In order to avoid a break down of the signalling link due to a message loss during the critical
phase of ”cipher mode change”, the procedure is cut in 3 steps
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
210 212
53
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.3.3. The Change of Cipher Mode (continued) 1.8.3.4. Handover Execution
• Command sequence fro cipher mode setting (see picture below): • Handover= network commanded transfer of a MS in dedicated mode from one cell to
• MSC decides on ciphering, than another.
• BSC transmits an order to BTS, than
• BTS manages this procedure, • HO procedure is very similar to the subsequent assignment procedure. Differences:
because it is doing the ciphering and because the correct sequence is crucial. • Fundamental difference is the change of cell.
• Additionally timing advance is applied for HO,
• some additional data specific to new cell are transmitted and
• some limitations are valid …
MS BTS BSC MSC VLR
1 • Another variant of HO is “directed retry”:
RIL3-RR ciphering BSSMAP cipher mode command
mode command RSM Encryption command • When a connection is initially established, the cell is chosen by MS,
2
• however while in connected mode, the cell is determined by the network.
3
• As the 2 selection algorithms are different, the resulting cell may be different as well.
(data indication)
Cipher mode complete • When this happens and the initial channel is TACH/8, a HO directly to the TACH/F
RIL3-RR Ciphering
mode complete
in the right cell is faster than “subsequent assignment” to TACH/F in the old cell and
HO to the new cell.
• This is called directed retry.
• After reception of RIL3-RR ciphering mode complete the BTS fully switches to the
new mode
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
213 215
54
1.8. Radio Resource Management 1.8.-4 HO requirement from the serving BSC to the switching point
1.8.3.4.1 The Set-Up of the New Path Switching
BSC-old BSC-new
MS BSC-old
Switching point
point BSC-new
Decision
phase 1
MS
The MS has accessed new cell
Release of path the new cell
• Purpose of this exchange: transmission of information, that a HO is needed and towards • Purpose of this step:
which cell • Establish signalling path between switching point and BSC-new.
• Different cases depending on the switching point: • Establish circuit if needed.
1. BSC-old is switching point = BSC-new: internal step, no problem • Supply required information to all machines on the signal path.
2. MSC-old is switching point (BSC-old ≠ BSC-new):
• BSC-old sends BSSMAP handover required message to MSC-old, containing • Three different cases, depending on the switching point:
identities of target cell(s) and of the origin cell. A. BSC-new = BSC-old = switching point:
3. Anchor-MSC is switching point (and different from MSC-old): Internal handling in BSC. BSC holds all required information.
• BSC-old does same procedure as under 2. above. B. MSC-new= MSC-old = switching point (BSC-new ≠ BSC-old):
• MSC-old translates the message into MAP/E perform subsequent handover • After reception of indication that HO is required: MSC-new establishes SCCP connection
message toward anchor MSC. to BSC-new
• MSC-new transmits “BSSMAP handover request” message to BSC-new incl. information:
• On both cells (origin and target cell),
• Transmission mode (may be differ from the old connection)
• Cipher mode (must remain unchanged)
• Classmark
• Reference to terrestrial channel between MSC-new and BSC-new if needed
55
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.4.1 The Set-Up of the New Path (continued) 1.8.3.4.1 The Set-Up of the New Path (continued)
From switching point to BSC-new (see next picture 1.8.-5) From to BSC-new back to the switching point (see next picture 1.8.-6)
C. Anchor MSC is switching point and different from MSC-new. • Now BSC-new must allocate the radio channel: positive or negative answer is possible.
• More complex case Î several steps, as the new communication path may transit • No queuing, because other machines wait for answer. Timers are running.
through PSTN or ISDN. • BSC exchanges “RSM channel activation” & “RSM channel activation acknowledge” with BTS
• Î standard inter switch procedures are used (e.g. TUP or ISUP). These • BSC-new builds and transmits “RIL3-RR handover command” to MS via switching point and
old resource, containing:
protocols can not convey GSM specific info Î they are just used for circuit set
• Decision, whether synchronous or asynchronous HO is used,
up. • Chooses HO reference
• Than MAP/E procedures are used for HO signalling. • Sets initial MS transmission power.
• Anchor MSC provides the required info to MSC-new through “MAP/E perform • So BSC-new takes over control from this moment!
handover” message.
• After reception: • 3 different cases are distinguished:
• MSC-new establishes SCCP connection with BSC-new a. BSC- new is switching point:
• Allocates A-interface circuit, if needed At this point in time both terrestrial paths to old and new BTS are set up.
• Transmits “BSSMAP handover request” message to BSC-new containing b. MSC-new is switching point:
same information as received in case b above. • BSC-new encapsulates the “RIL3-RR handover command” message in a
“BSSMAP handover request acknowledge” message.
• Nothing else necessary, because the terrestrial path already is completely
established.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
221 223
56
1.8.-6 end of path establishment at handover 1.8. Radio Resource Management
Switching 1.8.3.4.1 The Set-Up of the New Path (continued)
BSC-old BSC-new
point
From the switching point (see next picture 1.8.-7)
HO is required Start of path
establishment • Last step of first phase of handover execution: sending “RIL3-RR handover command” to
MS as shown in next picture.
HO command End of path est. and • The RIL3-RR Handover command message is carried unaltered over different interfaces in
to MS HO command to MS a variety of different envelopes:
Interface between Encapsulating message
• RIL3-RR handover command message identifies the new cell only via beacon frequency
MAP/E perform handover ack BSSMAP handover request ack and BSIC. The full cell identity will be read by the MS on SACCH later on.
C)
57
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.4.1 The Set-Up of the New Path (continued) 1.8.3.4.2 MS access and the conclusion of the HO procedure
• RIL3-RR handover command message to MS:
The not successful alternatives • Before reception of this message: MS did not know anything of the HO preparation.
• This message contains all information for transmission on the new channel.
• The HO as described before may fail, e.g. due to lack of radio or terrestrial resources. • (except cipher mode, because assumption is, that this remains unchanged).
• In the failure case either • Message indicates whether asynchronous or synchronous HO is applied.
• a failure message is carried all the way back from BSC-new to BSC-old or
• a timer at BSC-old expires: • MS reception from now on:
• Due to pre-synchronisation: MS receiver synchronises quickly on new channel
• Speech or data reception is now possible, if switching point uses conference bridge.
Anchor MSC
Subsequent handover failure
No radio resource available • MS transmission from now on:
• For synchronous HO:
• MS first sends some access bursts (RIL3-RR handover access)
Handover required MSC-old MSC-new • Than normal transmission with pre-computed TA.
reject • For asynchronous HO (see next picture):
handover failure • MS sends access bursts till it receives RIL3-RR physical information from BTS-new.
• …this contains the timing advance information. Then normal transmission starts.
• RIL3-RR handover message is the only short access burst on a dedicated channel:
BSC-old BSC-new
containing 8-bit HO reference as a reply to the reference send by BTS in RIL3-RR
handover command message as an additional check, that the right MS is accessing.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
229 231
58
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.4.2 MS access and the conclusion of the HO procedure (continued) 1.8.3.4.2 MS access and the conclusion of the HO procedure (continued)
• Option for manufacturer/ operator: • Return to old channel in case of problems:
• After reception of RIL3-RR handover access burst, BTS may send RSM handover • Solution: Anchor MSC reacts upon timer expiry and non reception of handover complete
detection message to BSC. message from BSC.
• BSC-new passes message on to MSC-new through BSSMAP handover detection • After detection of failure: switching point releases new path.
message. (not possible in case MSC-new is anchor MSC, as this information is not • Then BSC-old has to decide upon further actions.
carried on MAP/E protocol).
• Effect of this mechanism: MSC may switch communication path, before complete • Intra-BSC HO:
protocol • Normally performed autonomously by BSC.
• BSS implementation option not to involve MSC in selecting the best cell( if inside the
• The RIL3-RR physical information message: domain of this BSC).
• = only message send autonomously by BTS • BSSMAP handover performed message from BSC informs relay MSC about this
• Reason: performance. completed HO.
• Message may be send several times (for efficiency reasons), till reception of a normal • This can be relayed to anchor MSC (if it is different from relay MSC) by MAP/E
burst from MS. note internal handover.
• This message may may also be used in case of MSC-internal HO.
• Sending of message depends on “Operation & Maintenance” setting.
• When MS is in transmission mode:
• MS sets link layer to acknowledged mode for signalling: MS sends SABM, answered
by UA frame.
• MS sends RIL3-RR handover complete message to switching point.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
233 235
59
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.5. Call Re-Establishment (continued) 1.8.3.6. RR-Session Release (see figure 1.8.-9.)
• Details of first part: (continued) • When call is over and no RR-connection is needed any more:
• MS must analyse radio criteria of selected cell (required by GSM Standard): • “normal “ release procedure is triggered by anchor MSC..
• Î BCCH must be read • All resources are released and MS goes to “idle” mode.
• Cell must not be barred for call re-establishment (signalled as well in BCCH) • If relay MSC ≠ anchor MSC:
• Then MS sends access request” on RACH, in which • Anchor MSC sends “MAP/E Send End Signal Result” to relay MSC
• Call re-establishment is indicated as cause (so network knows urgency) • … and releases circuit through ISUP release procedure.
• However no required channel (so network might always provide TACH/F).
• Then MS sends“CM Re-Establishment Request”: • Then “BSSMAP Clear Command” from relay MSC to BSC:
• … with minimal information content: subscriber identity and classmark • This message may be “piggybacked” on an “SCCP Release” message, releasing BSC-
• Network has to find out everything else: MSC connection.
• Cell with which connection was lost, • In this case BSC acknowledgement “BSSMAP clear complete” must be piggybacked
• Identity of anchor MSC. on SCCP release complete message.
• Required type and mode of channel. • Clearing action of BSC can be in parallel to this message.
• Then MSC is running the recovery based on the known subscriber identity: • BSC orders MS back to idle with “RIL3-RR Channel Release”
• MS disconnects signalling link.
• Find old context (if not lost due to timer expiry or correspondent who lost patience)
• BTS reports this disconnect by: “RSM Release Indication” message to BSC.
• Then MSC starts assignment procedure & “ciphering start” procedure • This clearing is secured by timers and repetitions against frame loss Î it must be avoided
• Telling BSC the type of required channel, mode etc.
to allocate a channel which is still used to a new MS !
• Allocating BSC-MSC terrestrial path.
• First after BSC is sure MS has left, it deactivates BTS device and adds it to free resources
• Maybe even authentication is started by MSC (additional delay!)
by “RSM RF Channel Release” / “RSM Channel acknowledge” exchange!
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
237 239
RF channel
release ack
60
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.6. RR-Session Release (continued)
1.8.3.7. Load Management Procedures
• “Abnormal” RR-session release:
• In case radio connection with MS was lost, network must release its resources. • Load management procedures = Procedures in RR-plane to allow MSC and BSC to deal
• Mechanism: with overload.
• Both in MS and BTS correctly received SACCH frames are counted. • Procedures are available in 2 areas: RACH / PAGCH load and TCH load.
• (SACCH frames are regularly send twice per second in dedicated mode)
• Counter increments (till max. value) in case of good SACCH frame reception • Load on common channels:
and decrements in case of no or damaged reception (SACCH frame loss). • BTS is in charge to assess the load on RACH and PAGCH.
• At minimum threshold of counter the reception is considered broken. • BTS to BSC message on load situation: “RSM CCCH Load Indication”
• In case of broken connection : • Conditions (thresholds, frequency, …) for this message are set by OSS.
• MS goes to idle mode. • Possible reaction by BSC upon reception of this message:
• BTS sends “RSM Connection Failure” message to BSC. • Change of RACH load control parameters on BCCH
• Change assignment priority rules.
radio link counter
• Load on traffic channels:
4
• BSC knows/manages the dedicated channels .
link assumed • Number of currently allocated TACHs can be signalled to MSC by “BSSMAP
broken SACC frame decoded, resource indication” message.
expected, but not decoded • MSC can ask for this information (due to many reasons) with “BSSMAP Resource
0 Request”
SACCH blocks
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
241 243
61
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.7. Load Management Procedures (continued) 1.8.3.8. SACCH Procedures
1.8.3.8.1. Radio Transmission Control (continued)
• BSC to MSC:
• only traffic on the Abis interface under the control of MSC are MS terminating
• Power control and timing advance:
calls.
• Commands from network are carried in L1-header (= physical layer in radio path
• So MSC could decide to reject calls from the network side and not send paging.
protocol architecture)
• Paging and the overloaded cells are however controlled by BSC …
• Send once per SACCH burst (= 2 times / second)
• UL: similar coding as DL. Contains the two values used by MS at the end of the
• MSC to BSC: if MSC is overloaded, BSC can reduce MS originated traffic.
measurement period (TA should be the same, Power Level might be different due to
the limited variation speed) .
• TA is managed autonomously by BTS.
• Transmission power is controlled by BSC (“RSM MS Power Control” and “RSM BS
Power Control”) messages.
• Measurement results:
• Send UL by MS at least once per second: RIL3-RR Measurement Report.
• BTS generates at every measurement period (twice / sec.) a “RSM Measurement
Result” message to BSC.
• This contains measurements of MS and BS.
• BSC computes data for power control and HO preparation.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
245 247
• Power control and timing advance: • Purpose of DL SACCH general info.: transmission of radio parameters, which are
• Commands from network are carried in L1-header (= physical layer in radio path particularly needed at the beginning of a channel connection. Information are similar to
protocol architecture) information transmitted on BCCH , including:
• Send once per SACCH burst (= 2 times / second) • Parameters to control the monitoring process:
• UL: similar coding as DL. Contains the two values used by MS at the end of the • List of frequencies to be monitored.
measurement period (TA should be the same, Power Level might be different due to • BSIC screening
the limited variation speed) . • BCCH frequency indication
• TA is managed autonomously by BTS. • Parameters for controlling the radio link failure detection (counter and threshold)
• Transmission power is controlled by BSC (“RSM MS Power Control” and “RSM BS • Requirements for application of UL DTX.
Power Control”) messages. • Further information (like full cell identity etc.)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
246 248
62
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.8. SACCH Procedures 1.8.3.10. General Information Broadcasting
6.3.8.2. General Information
• Data broadcast to MS in idle mode is done via BCCH.
• In dedicated mode SACCH is always used in both directions for transmission (even if no
information is transmitted!): the other side must be able to do measurements and detect • BCCH is a low capacity channel:
radio link failure. • 23-octet every 0.235 seconds
• Repetition rate : trade off between usage of BCCH resource and speed of information
• SMS in dedicated mode: are carried by SACCH . for MS.
• Different periods are used for different information.
• Solution:
• Paging subchannel has half the rate of BCCH Î at worst only half the BCCH is
masked.
• Cell selection information is not transmitted on every second message , but in pairs
(e.g. 11 00 11 00 …)
At worst only every 2nd occurrence of cell selection information on BCCH is masked…
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
250 252
63
1.8. Radio Resource Management 1.8. Radio Resource Management
1.8.3.10. General Information Broadcasting 1.8.3.10. General Information Broadcasting
1.8..3.10.2. Information for Idle Mode Functions 1.8..3.10.4. Information for MS in dedicated mode
• Information for idle mode functions = used by MS once it has selected a cell to “camp on “ • Some information on BCCH is first needed after access by MS.
in idle mode.
• Information contained in “Cell Options” parameter:
• Information contained: • Parameter to control reporting on measurements (BSIC screening information
• “Control Channel Description” parameter contains: preventing to measure cells of “forbidden” PLMNs)
• Configuration of common channels: number of the time slots used for common • “Power Control Indicator”
channels. • Parameter controlling UL DTX.
• Parameters enabling MS to calculate its paging subchannel
• Information about which neighbour cells to monitor: beacon frequencies of neighbour
BTSs contained in “Neighbour Cells Description” parameter. 1.8.3.10.5. Cell Identity
• Configuration for cell broadcast messages: “CBCH Channel Description” (and
“CBCH Mobile Allocation”) parameter tells whether CBCH (Cell Broadcast Channel) • “Cell Identity” parameter transmitted on each 4th message (for network testing purposes,
is available and where. no operative usage in GSM).
• Frequency of transmission: once every 4 messages (for all 3 types of parameters)
64
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.1.1. Administrative Aspects
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.1. Factors determining the Service •National roaming: e.g. for DCS-1800 operators without complete national coverage.
•International roaming: if a subscriber is not allowed to roam in a foreign PLMN, the
•In GSM the service observed by a subscriber may differ depending on his/her location, e.g. Location Update will be rejected by the network.
•HSCSD or GPRS may for a given PLMN (Public Land Mobile Network) only be •PLMN selection:
available in major cities. •When entering a new PLMN, the subscriber may choose manually or
•In case of roaming again different operates will offer different services at different automatically (as coded in the SIM) one out of several available visited PLMNs.
prices. •MS in idle mode only monitors neighbour stations as encoded on the frequency
list BCCH regularly. Other frequencies are scanned at greater intervals Î in an
•3 different, basic levels of service: overlap area, there might pass some time, before a roaming MS discovers its home
•Normal service: whatever user has subscribed to PLMN. (note monitoring in idle mode consumes battery power !)
•Limited service: emergency calls only .
•No service: outside coverage area. 1.9.1.1.2. Radio considerations
•Radio aspects govern strongly the service which can be given in a particular cell.
•In GSM a MS typically does initial access (e.g. answering a paging) in the cell on which it
camps (exception: directed retry)
•Î cell selection criteria in idle mode are crucial, they are based on :
•MS reception level (Rx lev and RX qual) of beacon frequency,
•Maximum transmission power of MS
•Several parameters as transmitted by BCCH.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
258 260
65
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.1.3. System Load Control 1.9.1.1.4. Paging and Location Areas (= LA) (continued)
•Traffic overload in a particular cell : redirect traffic to neighbour cells. • Several outcomes of LA are possible:
• Successful registration or
•Barr a cell: “Cell_Bar_Access” flag • Unsuccessful with a meaningful answer of the network (e.g. rejection)
•Completely locks a cell for all mobiles (e.g. during repair or test) except for special test • Unsuccessful with a meaningless or no answer of the network.
mobiles.
• 3 possible meaningful negative outcomes:
•Access class mechanism: 1. Cell belongs to a PLMN not supported by the subscription :
•Some of the 10 standard user classes may be blocked in a rotating way fro a certain • Mechanisms are available: “forbidden PLMNs” list
period. • So cell will not be tried again.
•The MS are however still allowed to camp on this cell Î swap over of barred MS to • MS looks for cells of other PLMNs.
neighbour cells is prevented. 2. Location area not suitable because of regional subscription:
• MS must stay in that cell, but only with limited service.
3. In case of national roaming - cell does not accept national roamers:
• MS will not do further attempts in the cells of this LA,
• … but look for availability of home PLMN.
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.1.4. Paging and Location Areas (= LA) 1.9.1.1.4. Paging and Location Areas (= LA) (continued)
•In order to page a subscriber: infrastructure needs to know MS location. • If reject comes from home PLMN or PLMN connected with home PLMN:
• Subscriber is deregistered in HLR, so he / she can not be called !
•In order to save signalling capacity: Cells are grouped into location areas. Î MS is only • In other cases old HLR state remains and MS considers itself as deregistered
paged in certain location areas. • … because there was no confirmation from the network upon location update .
Î MS must inform infrastructure when it changes location area and infrastructure must store • Generally MS looks for other PLMNs after negative answer.
it: location update procedure.
• If no PLMN can be found: MS goes to limited service state.
•Location areas: must be managed by a single MSC. One MSC may have several LAs.
• There are many “abnormal cases” specified = cases where no reasonable answer can be
•Location updating: received by MS upon location update attempt.
•Must be performed when MS enters new LA. Triggered by MS! • In the first phase MS will try again a couple of times.
•Part of location updating is the registration in the network. • Then MS goes to a “special state” where it assumes no service.
•The status of the registration is stored in the SIM. • From time to time MS will try location update in order to get out of this state
•After successful registration, the MS assumes normal service • In this state MS does not reject a call attempt of the user, but tries a location update .
If this is not answered positively by a network, MS rejects call attempt.
•Status after location updating:
•Several outcomes of LA are possible.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
262 264
66
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2. Cell and PLMN Selection 1.9.1.2.1. PLMN Selection (continued)
1.9.1.2.1. PLMN Selection
• Automatic Mode:
• The GSM Standard details PLMN selection, though it only affects the MS, because: • Selection out of “Found PLMN” list in order as encoded in “Preferred PLMN” list
• Users shall see similar behaviour if ME is exchanged. on SIM.
• PLMN selection shall not be biased by MS… • User may edit this list of preference. Else list is put into SIM by operator.
• User can force automatic PLMN selection at any moment.
• Normal Case: • If no “preferred PLMN” can be found: procedure as defined by ME vendor.
• In normal service mode MS only looks for cells of serving PLMN.
• Change of PLMN only possible, if: • Limited service case:
• User decides so and starts PLMN selection. • Only emergency call is possible.
• Serving PLMN no longer covers area. • Cell selection by MS is independently done from PLMN or LA: by strongest signal.
• PLMN selection is either by • MS keeps on to seek for available PLMNs at certain intervals.
• Automatic mode • Limited service case in home PLMN:
• … or manual mode. • Only possible in case of regional subscription.
• Common aspect for both access modes: • MS will try each new location area of home PLMN,
• Home PLMN: always first try to log on home PLMN after power on, even if • … but no other PLMN, till home PLMN has disappeared (roaming case)
abroad.
• List of forbidden PLMNs (as learned from access attempts) is stored on non • The “No Service Case”: MS regularly scans all 124 GSM carriers (374 DCS carriers).
4/2/2003 volatile section of SIM. U.A.Hermann: GSM 265 4/2/2003 U.A.Hermann: GSM
267
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2.1. PLMN Selection (continued) 1.9.1.2.2. Cell Selection
67
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2.2. Cell Selection (continued) 1.9.1.2.2. Cell Selection (continued)
• Cell selection strategy (for neighbour cells or PLMN): • The cell selection algorithm:
• Only cells with positive C1 are taken into account. • Aim of cell selection: in order to get normal service, the MS must camp on one of
• Between several cells: cell with best C1 is chosen. the cells fulfilling the following conditions:
• Consequence, C1 determines: • A valid SIM must be inserted and the subscriber must b eregistered in the LA
• Coverage limit of each cell in isolation: outside the area with positive C1 the the cell belongs to;
cell does not exist for MS! • Criterion C1 for the cell must be higher than 0;
• The boundary between 2 adjacent cells for selection in idle mode is determined • Cell must not be barred.
a the place where C1= C1’ And if there are several cells fulfilling above criteria:
• Boundary with all adjacent cells determining a second cell limit , usually inside • The chosen cells C1 must be higher than the C1 of any other cell found by the
area delimited by C1= 0. MS in the same LA.
Figure:
• The chosen cells C1 must be higher than the C1 of any other cell found by the
2 cells with there C1= 0 limits and the
MS in different LAs of the same PLMN, corrected by the handicap factor.
(dashed) line with C1A = C1B
B • Note: better cells in PLMNs other than the one the MS is registered in are not taken
• Due to different transmit powers of MS
A into account! PLMN selection is only triggered if MS leaves coverage area or if
classes, different cell limits exist for them.
triggered by user.
• Operator optimises cell boundaries by
adjusting p1 and p2.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
269 271
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2.2. Cell Selection (continued) 1.9.1.2.2. Cell Selection (continued)
68
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2.2. Cell Selection (continued) 1.9.1.3. Architecture for Location and Mobility Management
• If chosen cell belongs to LA as stored in SIM: MS goes directly to normal service,
maybe with “IMSI attach/detach” • HLR: permanently stores subscriber data, e.g. present position (target MSC/VLR) for
• … else MS starts with Location Update. mobile terminating calls.
• If no cell was found in home PLMN, MS looks for other PLMNs.
• VLR: stores temporarily subscriber data for the time a MS is in its area.
• Cell selection at PLMN Change: • VLR is normally part of an MSC: MSC/VLR.
• E.g. if MS has moved out of serving PLMN area and cell selection starts
automatically or if user triggered it. • MSC: routes page to particular LA.
• Similar process as for switch on, but MS has no frequency information Î to analyse
all frequencies: • Consequence: Subscriber data are copied from HLR to VLR each time a MS “registers”
• Search whole GSM/DCS spectrum
• Select 30 strongest beacon frequencies. • Advantage of architecture: signalling load between visited MSC and HLR is limited
• Analyse information on respective BCCHs:
• Which PLMN?
• Barred or not?
• Radio parameters for C1 computation.
• Establish list of acceptable PLMNs (found list)
• Compare with preferred list and access acceptable candidate PLMN.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
273 275
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.2.2. Cell Selection (continued) 1.9.1.3.1. Functions of location management
• Cell selection in limited service mode: • Home Location Register (HLR):
• E.g. subscriber Is not entitled to normal service in any found PLMN. • HLR may be one or several distributed machines
• Normal cell selection is performed , however without location updating. • HLR has no switching functionality.
• Cell with best C1 is camped on (but without bias) • HLR is not a simple database (with “store” and “retrieve”), but actively managing
• MS continues to search whole spectrum for acceptable PLMN. subscriber data, e.g.:
• Tell old VLR to delete subscriber record, if subscriber is registered under a new
VLR.
69
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.3.1. Functions of location management (continued) 1.9.1.4. The Location Updating Procedures
1.9.1.4.1 The Basic Procedures
• Mobile Station (MS) role on mobility management:
• Canonical work split between Mobile Equipment (ME) and SIM: • Normal reason for change of LA: MS moved into another cell belonging to a different LA
• Non-volatile memory of SIM holds all user related data (incl. mobility related), • Process of location information updating:
ME not. • MS identifies need for location update.
• Manufacturers are however free to put user specific data in ME… • (1) MS notifies MSC/VLR, to which the new cell belongs.
• Volatile data (e.g. forbidden location area for national roaming or list of beacon • This MSC/VLR may be the same, if it controls both LAs or a new one.
frequencies) are kept in ME. • If it is a new one: MSC/VLR notifies HLR (2), which notifies previous VLR (3).
• SIM Card role on mobility management :
• SIM is a passive information container for: 4’ HLR
• Update status (= result of last LA updating attempt)
• Location area identity “old” MSC/VLR 3
• Î function: avoid location update after power on, if MS still is registered. 4
• List of beacon frequencies (of home PLMN or last serving PLMN) 2
• Forbidden PLMN list (Ordered list of the last 4 entries). 1
• Preferred PLMN list (Typically supplied by the service provider. User may edit
this list) 5 “new” MSC/VLR
MS
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
277 279
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.3.2. MM Protocols 1.9.1.4. The Location Updating Procedures
1.9.1.4.1 The Basic Procedures (continued)
• For HLR must be able to communicate with all VLR in the world Î MAP/D (part of
SS7) is used. • In case data base update did not work out due to some failures: special procedures are
• SIM – ME interface: limited to simple read, write, delete commands. executed to correct the failed database.
• In order to cover those cases, following elementary procedures are defined:
HLR • Updating of MSC/VLR storage at the request of the MS.
RIL3-MM MAP/D • Updating of HLR storage at request of MSC/VLR.
• Cancellation of a subscriber record in MSC/VLR at request of HLR.
MSC/VLR
MS • MS to MSC Location Updating Procedure:
• Location Update Request is carried by “RIL3-MM Location Updating Request”
SIM-ME message: contains information to identify subscriber.
• MSC/VLR may respond “on its own”, if the user is already registered there.
• MSCVLR may answer with :
SIM • “RIL3-MM Location Updating Accept” or
• “RIL3-MM Location Updating Reject”.
… with a suitable cause
70
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.4. The Location Updating Procedures 1.9.1.4. The Location Updating Procedures
1.9.1.4.1 The Basic Procedures (continued) 1.9.1.4.2 Periodic Updating and Database Failure Recovery (continued)
• MSC to HLR Location Updating Procedure: • No direct attempt is made to restore the inconsistency. Else system overload!
• Procedure is used if, • Than an insecure subscriber record is corrected, when some event happens…
• MS asks for registration under new MSC/VLR • Periodic location updating has been introduced as a means to ensure restoration of
• … or HLR had a failure and asks MSC/VLR for confirmation of subscriber databases:
locations. • periodicity is adjusted by operator and broadcast: trade off between signalling
• Request is send by “MAP/D Update Location” message from MSC/VLR, containing: load and time interval when a MS might not be reachable.
• Subscriber identity, • MS start periodic LA.
• Routing data to send up a mobile terminating call (i.e. SS/ address of
MSC/VLR, not precise location area). MSC/VLR Failure
• If subscriber is entitled to normal service: • After failure MSC/VLR restores all records from backup and marks them as insecure.
• HLR updates its memory and … • Then “MAP/D Reset” is send to all HLRs for which it has subscribers in its memory.
• … triggers a location cancellation in the previous MSC/VLR. • MSC/VLR will notice that an MS is missing in its database, when service is requested for
• HLR sends “MAP/D Update Location result” to MSC/VLR. an unknown MS.
• If subscriber is not entitled: HLR puts “Location unknown” in its memory. • MS does call set-up and MSC/VLR notices missing entry in its database.
• Than MSC/VLR puts subscriber into its database and HLR provides further • ThenMSC/VLR enforces new location update by a call rejection with the failure
subscriber data by “MAP/D Insert Subscriber Data” message. cause “IMSI unknown in VLR”.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
281 283
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.4. The Location Updating Procedures 1.9.1.4. The Location Updating Procedures
1.9.1.4.1 The Basic Procedures (continued) 1.9.1.4.2 Periodic Updating and Database Failure Recovery (continued)
• HLR to MSC/VLR Location Cancellation Procedure: • If MS calls from a different LA than registered in VLRÎ record is simply corrected
• Location cancellation from HLR to MSC/VLR consist of “MAP/D Cancel Location” • In case of MS terminating call: VLR notices problem if service request from HLR
message for a MS which is not in its table:
• And acknowledgment in “MAP/D Cancel Location Result” from MSC/VLR. • VLR enters subscriber into its database and
• … asks HLR for subscriber information: “MAP/D Send Parameters” message .
• After reception of “MAP/D Send Parameters” answer the LA addresses are
1.9.1.4.2 Periodic Updating and Database Failure Recovery still missing.
• So MSC/VLR pages to all cells in all LAs !
• An HLR or MSC/VLR may suffer failure and database damage. Recovery:
• From secure backup. • Problem: If MS is in VLR1 area, but HLR imagines, that it is in VLR2 area:
• But if the backup might no longer up to date, several additional recovery • Error will be corrected in VLR1 and HLR, when MS performs periodic location
mechanisms are foreseen: update
• Marking of insecure information in the database and • Error un VLR2 will be corrected by internal house keeping, if e.g. no periodic
• additionally information to all other databases (which share information). location update appeared after a given time.
• These mark the information as well as insecure
• No direct attempt is made to restore the inconsistency. Else system overload!
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
282 284
71
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.4. The Location Updating Procedures 1.9.2. Security Management
1.9.1.4.2 Periodic Updating and Database Failure Recovery (continued)
1.9.2.1. The requirements
•2 goals of security on the air interface:
HLR Failure
•Protecting the network against unauthorised access (and users against fraudulent
• Problem: HLR is not necessarily contacted in case of location updates or MS
impersonation)
originated calls.,
•Protecting privacy of users.
• Solution:
•Unauthorised access is prevented by authentication:
• HLR sends “MAP/D Reset” to all VLRs for which it has entries in its back up
•A secure check, whether the subscriber identity provided by the MS corresponds to the
files.
SIM.
• MSC/VLR marks the corresponding records as to be marked with HLR,
•Importance: when subscriber is roaming, the visited network can not check the
• … so the next radio contact with the corresponding MS triggers location
subscribers ability to pay his telephone bill.
updating from MSC/VLR to HLR.
•Privacy is achieved by:
•Ciphering of user data,
•Ciphering of signalling to prevent third party from knowing who is calling/called.
•Preventing eavesdropper from tracing mobiles by using temporary identities.
•Security measures are only used on the air interface. Inside the infrastructure all
communication is clear text !
•All security is handled by the operator. The subscriber has no choice.
•GSM specification leave open many options of applying security (e.g. different ciphering)
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
285 287
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.1.4. The Location Updating Procedures 1.9.2.2. The Functions Ki RAND Ki RAND
1.9.1.4.3 The IMSI Attach and Detach Procedures 1.9.2.2.1. Authentication
A3 A3
• Purpose of this procedure: when a MS is switched off, paging attempts to this MS are in •PIN : is only checked locally versus the PIN stored in
vain, load network resources and are not paid for ! the SIM. No radio transmission, as this would be to
• Solution: when MS is switched off Î MS Detach is performed risky against eavesdropping. SRES SRES
• MS Attach is performed, when the MS is switched on again in the same location area. MS Network
Else a normal location update is performed. •RAND= random figure ( one out of 2128- 1) as
• Detach information is stored in the VLR, so HLR will still try to establish a call till it “question” which is asked by the network.
receives the rejection from the VLR. Equal ?
• So call forwarding can be applied by VLR or HLR as a network option. •SRES = Signed RESponse as an answer to that cryptographic question.
• Support of Attach/Detach is a network option as well.
• AT IMSI Detach MS just sends “RIL3-MM IMSI Detach” and does not wait for an •A3 is secret algorithm. Each operator may use his own:
acknowledge. •A3 is a “trap door” function, i.e. easy to compute SRES out of Ki and RAND, but
• When MS is switched on again in the same LA, it performs IMSI Attach (which is difficult the other way around: to compute Ki out of RAND and SRES.
practically identical to Location Update)
•Ki is the secret authentification of a subscriber stored in a secure area of the SIM. Ki may be of
any format and length .
•A broken authentification key is more critical than a broken communication ciphering !
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
286 288
72
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.2.2. The Functions 1.9.2.2.2. Encryption (continued) Ki RAND Ki RAND
Frame nr Kc
1.9.2.2.2. Encryption Frame number
(22 bits)
Kc
(64 bits) (22 bits) (64 bits)
•A8 algorithm is used to compute Kc.
A8 A8
•Either all (speech/data and signalling) or
A5 A5 •RAND is same as for authentication.
nothing is encrypted – due to simplicity.
S1 S2 S1 S2 Kc Kc
(114 bits) (114 bits) (114 bits) (114 bits) •A8 is again operators choice and not part of GSM
•Ciphering and deciphering = EXOR + + MS Network
ciphering deciphering standard.
between 114 bit of burst and 114 bit generated
by A5 algorithm +
deciphering
+ ciphering
•Kc is limited to max. significant 64 bit. Insignificant
MS BTS bits are filled up with 0.
•Ciphering key Kc is agreed between MS and BTS.
•A3 and A8 are always running together and often implemented as a single algorithm.
•Uplink and downlink use different deciphering sequences S1 and S2.
•Frame number representation is a concatenation of 3 values (T1, T3, T2). The resulting cycle is
the “hyper-frame”, lasting about 3,5 hours (if a call ever lasts that long!).
•Kc is controlled by signalling means and typically changes with each call Î Kc does not need
as strong a protection as Ki, e.g. Kc can be read from SIM.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
289 291
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.2.2.2. Encryption (continued) 1.9.2.2.3. User Identity Protection
•A5 is specified on international level, as it must be implemented in each MS and BTS in order •Encryption can only be initiated after the identity of the subscriber has been signalled on the
to support roaming. radio channel.
•Several A5 algorithms are implemented (depending e.g. on export regulations for different
countries) •This would be a security loop hole, as it would allow to eavesdrop on this initial part of the
•Level of protection (“hardness”) depends on the computing power needed to break Kc based signalling exchange.
on FN and 114 bit ciphering sequence
•TMSI (Temporary Mobile Subscriber Identity) has been introduced as an alias in order to
avoid this clear text identification of IMSI.
Key Management:
•TMSI is agreed beforehand between MS and network during protected (i.e. ciphered)
•Kc is agreed between MS and network prior to encryption Î during authentication process. signalling !
•
•Kc is then stored in non volatile part of the SIM and in MSC/VLR = “dormant key”.
•If authentication happens, while transmission already is ciphered, Î the active key for the
running ciphering is not affected, but the new “dormant” key is stored for use at the next
transmission between clear mode and cipher mode.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
290 292
73
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.2.3. Architecture and Protocols 1.9.2.4. The Signalling Mechanisms
1.9.2.4.1. Authentication and Encryption Key Management
•SIM and AUC (typically part of HLR) store Ki and perform A3 and A8 computation.
•2 different procedures:
•Ki is written during card initialisation into SIM under tight control of operator. •Real time authentication procedure and Key setting procedure between MS and
MSC/VLR.
•Ki is only accessed internally in SIM during Kc and SRES computation. •Procedure for transporting security related data between HLR/AUC and MSC/VLR.
SIM AUC •Security breach: if computation in MSC/VLR, than the Ki would be transmitted via SS7
network to another switch. Additionally 2 or more operators would need to share A3/A8 !!!
MSC/VLR
•Computation in AUC requires transmission of (RAND, Kc, SRES) via SS7. Typically
MSC/VLR stores several such triplets for use after roaming subscriber did first location update.
After each call a new triplet (“use and throw away”) is used …
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
294 296
74
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.2.4.2. User Identity Protection 1.9.3. Miscellaneous MM Functions
•TMSI is allocated on LA basis . TMSI code = TMSI + LA code = TIC. Generic Mobile Originating CM-Transaction Establishment
•If MS does location updating attempt in new LA Î TMSI plus LAI is transmitted ! The new
MSC/VLR than asks the old one via MAP/G for the subscriber records … •Why is this procedure needed:
•TIC = 4 octets length, which is shorter than IMSI (consisting of 15 digits coded in 9 octets), so •The initial message of the MS can only be unciphered, as the decision to cipher is made
radio spectrum is saved. by the network.
•However the MS has to give enough information to the network to make the decision to
•TMSI is allocated to a MS when it registers 1st time in an LA and … cipher or not …
•… released, when MS leaves LA.
•TMSI allocation can either be done by a stand alone procedure or in conjunction with a •Solution:
location updating between MS and MSC/VLR: •MS sends “RIL3-MM CM Service Request” message to the network.
•Based on this message th enetwork may start authentication (“RIL3-MM Authentication
MSC/VLR Request” message) or …
MS: Location Updating request Location Updating request
•… answer with “RIL3-MM CM Service Accept” message or …
Location Updating Accept •… by starting the ciphering mode setting procedure (“RIL3-RR Ciphering Mode
or Location Updating Accept Command” message ) …
TMSI Reallocation Command •… or by a rejection: “RIL3-MM CM Service Reject” message
TMSI Reallocation Complete TMSI Reallocation Complete •An equivalent mobile terminated procedure does not exist, as the network decides to apply
ciphering before starting any upper layer procedure.
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
297 299
1.9. Mobility and Security Management 1.9. Mobility and Security Management
1.9.2.4.2. User Identity Protection (continued) 1.9.3. Miscellaneous MM Functions (continued)
•In the combined procedure: TMSI is part of the “RIL3-MM Location Updating Accept”. Upper Layer Synchronisation:
•TMSI Cancellation is normally implicit in MS •Requirement: No MM or CC procedure may be started during a location updating procedure
•upon allocation of new TMSI or in a location area different from the one in which the MS was previously registered Î till
•upon location updating accept. “RIL3-MM Location Updating Accept” message has been received.
•Explicit cancellation:
•By sending IMSI in “RIL3-MM Location Updating” message. This is understood by MS •Reason: A subscriber must be correctly registered, before accessing any network service.
as a cancellation of previous TMSI.
•TMSI is stored in the subscriber record in the VLR, not in HLR: Infrastructure Activity Monitoring:
•Record is deleted upon location cancellation by HLR
•Problem in case of data base crash: •Problem:
•TMSI might be inconsistent and not allocated to the paged subscriber or (worse) to •Radio channel release is done by the infrastructure.
another subscriber. •But due to a signalling failure the MS might be unaware, that the channel had been
•Solution: Network uses a procedure asking MS for its full IMSI: released.
•“RIL3-MM Identity Request “ and “RIL3-MM Identity Response “ from MS. •Solution:
•Used e.g. if authentication failed or a MS calls with unknown TMSI. •MS goes automatically back to idle mode without sending any message to the network, if
there had been no CM-transaction for a given period (T3240 watchdog timer).
4/2/2003 U.A.Hermann: GSM 4/2/2003 U.A.Hermann: GSM
298 300
75
1.9. Mobility and Security Management 1.10. Communication Management
1.9.3. Miscellaneous MM Functions (continued)
1.10.1. Basics of Communication Management
Re-Establishment
•Definition: “A communication is a temporary relationship between
•Problem: telecommunication users for the purpose of exchanging information.”
•A MS might loose contact to the network whilst some service is ongoing.
•Normally handover should salvage this situation.
•But if HO is too slow (e.g. steep propagation loss) there might be a chance to resume
•A communication makes use of a transmission chain established through networks
contact in the next cell … between users.
76
1.10. Communication Management 1.10. Communication Management
1.10.2.1. Routing of Mobile terminating calls (continued) 1.10.4. Short Messages
•First part (Interrogation phase) of call :
•Routing is done as for any ISDN number : with tables in the switches. •SMS is packet oriented, so no end-to-end connection is required.
•A call from an external network is routed to the next GMSC.
•GMSC runs request-answer procedure with HLR. •SMS may go on in parallel to a call .
•HLR answer contains:
•Identity of subscriber (for billing) •SMS is asymmetric: MT SMS is considered as a different service from MO SMS .
•Information for the next routing: routing number pointing to the called subscriber
in present location (or a third user in case of forwarding). •Short message communication is always between a user and an SM-SC. So the ultimate
•Second part of call (after interrogation) is directly switched from GMSC to MSC/VLR destination of the message is not relevant for the GSM infrastructure, but only for the SM-
SC.
Directory
number HLR
MT Call
Routing
number
Directory
Number GMSC
Routing
number
77
1.11. Network Management 1.11. Network Management
•Subscription = entitlement to obtain services from the network. •Defective MS might disturb the network and other users.
•Certain activities have to be performed to manage subscriptions
•Measures:
•Billing and charging: •Preventive approach: type approval : to prevent badly designed MS to enter service.
•Curative approach: to identify faulty mobiles, inform users, bar services
•CDRs (=Charge Data Records) have to be created and managed in order to
calculate call charges.
•Additional aspect compared to fixed networks: Due to roaming inter-PLMN
billing and accounting has to be done.
•Charging information is exchanged between networks.
78
1.11. Network Management
•Operation & Maintenance has to be done from remote and centralized machines:
Due to cost and efficiency reasons a typical German GSM net is managed from
10- 12 OMCs (Operation and Maintenance Centres) and central 1 NMC (=
Network Management Centre) for e.g. night time concentration.
•TMN is about
•the machines designed for these tasks …
•… and the networks and protocols between the machines
4/2/2003 U.A.Hermann: GSM
313
Bibliography
79
2.1. Introduction (continued)
2. •Advantages:
•“Always on” feature.
•Possibility for charging on traffic volume: user doesn’t pay for idle capacity
General •Variable transmission rates up to 171.2 kbps.
•Sharing of scarce system resources for bursty data traffic between several users
•Target applications with transmission of:
Packet Radio •Frequent transmission of small volumes and
•Infrequent transmission of small to medium data volumes
•Not for big volumes: circuit switched connections are more efficient (HSCSD)
Service • Interface between GPRS service and application protocols is based on
•Point-to-point protocol (PPP) or
•Commonly used drivers ( e.g. NDIS= Network Driver Interface Specification)
1
2.2. –1. Logical architecture for GPRS PLMNs 2.2. GPRS Network Architecture and Protocols (continued)
2.2. GPRS Network Architecture and Protocols (continued) 2.2.-2 Protocol architecture in GPRS transmission plane
Um Gb Gn Gi
– Backbone network connects SGSN and GGSN nodes Applications
• Tunneling of data and signalling messages between GPRS support L3
S X25 IP IP X25
nodes is carried over GPRS backbone network. M
MM
S SNDCP
SNDCP GTP GTP
• Protocol architecture is based on Internet Protocol (= IP)
• TCP/IP is used for network protocols requiring reliable transfer over LLC LLC UDP/TCP UDP/TCP
backbone, RLC RLC BSSGP BSSGP IP IP
• … else the User Datagram Protocol (= UDP) I sused with IP (e.g. for MAC Frame
MAC Frame Relay Relay L2 L2
Internet communication.
• Type of Backbone network that is selected by a roaming agreement,
GSM RF GSM RF L1bis L1bis L1 L1
can be a public Internet or a leased line MS BSS SGSN GGSN
SNDCP= Subnetwork Dependent BSSGP= BSS GPRS Application
– Border gateway handles transfer between GPRS PLMNs
Convergence Protocol Protocol
• Provides security over the backbone network
LLC= Logical Link Control GTP= GPRS Tunneling Protocol
MAC= Media Access Control TCP= Transmission Control Protocol
– Domain server can be used for address translation. RLC= Radio Link Control UDP= User Datagram Protocol
RF= Radio Frequency IP= Internet Protocol
(Physical Layer)
2
2.2. GPRS Network Architecture and Protocols (continued) 2.3.-4. State Model of a GPRS mobile station
Standby
3
2.3. GPRS Mobility Management 2.3. GPRS Mobility Management
2.3.2. Attach Procedure (continued)
2.3.1. Mobility Management States (continued) The SGSN controls the data exchange, that means the SGSN may:
–request authentication of the mobile,
–Ready state must be entered, if the mobile intends to receive or transmit data –initiate ciphering,
(except for PTM-M). –check the IMEI.
–…, because the network needs to know the exact location of the cell , –In case of change of location:
where the mobile camps. –Location information in the HLR is updated.
–The mobile informs the SGSN each time, it switches between cells. –Context in the old SGSN is deleted
–Ready state is guarder by a timer: Times is reset after each reception or –Subscription information in the old SGSN is updated.
transmission of a packet. When timer elapses, the mobiles falls back into
standby state. –Location information is delivered to the new MSC/VLR
–Change from Standby to to Ready may be initiated by the network, using a –Information in old MSC/VLR is deleted.
paging procedure. –During Attach the TLLI may be changed.
–When mobile sends data, it transfers data immediately and changes state –After attach is completed, the mobile may
automatically from Standby to Ready. –Transfer SMS
–Receive PTM-M messages
–Activate PDP context for some packet data protocol
4
2.3.-5. PDP context activation 2.3. GPRS Mobility Management
2.3.4. Location Management (continued)
–When a mobile moves to a new RA, it sends a Routing Area Update Request
SGSN GGSN to its assigned SGSN.
MS
–Intra-SGSN Routing Area Update : SGSN already has user profile and
assigns immediately a new P-TMSI
Activate PDP Context Request –Inter-SGSN Routing Area Update: the new RA is admistered by a new
[PDP Type, PDP Address, SGSN. The new SGSN requests the old SGSN to send the PDP context of
QoS Requested, Access Point, …] the user. Afterwards the new SGSN informs the involved GGSN abouit the
user’s new routing context The HLR (if needed) and the MSC/VLR are
Security Functions informed about the new SGSN number.
Create PDP Context Request –Routing area and location area update may be combined, if the mobile is GPRS
[PDP Type, PDP Address, and IMSI attached (I.e. GPRS and GSM service is used at the same time): the
QoS Negotiated, Access point] message Routing Area Update Request contains a parameter update type to
indicate that an LA (= Location Area ) update is requested as well.
Create PDP Context Response –Summary: 2 levels of mobility management:
[PDP Type, PDP Address, –Micro mobility management keeps track of current RA or cell.
Activate PDP Context Accept QoS Negotiated, Access point] –Macro mobility management keeps track of current SGSN and stores it in
[PDP type, PDP Address, HLR, VLR and GGSN.
QoS Negotiated, …]
5
2.4. GPRS Air Interface 2.4. GPRS Air Interface
2.4.1. Multiple Access and Radio Resource Management (continued) 2.4.2. Logical channels
– A cell supporting GPRS must allocate physical channels for GPRS
traffic. The radio resources of the cell are shared by all mobile stations Group Subgroup Channel Function Direction
(GSM and GPRS) in that cell.
– PDCH (= Packet Data Channel), a physical channel which has been Traffic Channels Packet Data traffic PDTCH Packet data traffic MS <> BSS
allocated for GPRS transmission. Channel
– Capacity on demand principle: the number of PDCHs can be adjusted Signalling Channels Packet broadcast PBCCH Packet broadcast control MS << BSS
according to the current traffic demand. E.g. physical channels control channel
currently not used can be allocated as PDCHs for GPRS in order to Packet common PRACH Packet random access MS >> BSS
increase the quality of GPRS service. Equally PDCHs may be de- control channel
allocated, when there is a resource demand for GSM. (PCCCH) PAGCH Packet access grant MS << BSS
– Dynamic channel allocation: a particular PDCH is only allocated for a PPCH Packet paging MS << BSS
particular MS, when it sends or receives data. So multiple MSs can PNCH Packet notification MS << BSS
share one physical channel. For bursty traffic, this results in a much Packet dedicated PACCH Packet associated Control MS <> BSS
more efficient use of the radio resources. control channels
PTCCH Packet timing advance control MS <> BSS
– Channel allocation is controlled by BSC:
2.4.1. Multiple Access and Radio Resource Management (continued) 2.4.2. Logical channels (continued)
– PDTCH: is for transfer of user data. Assigned to 1 mobile (or in case of PTM to
– Channel allocation is controlled by BSC: multiple mobiles). One mobile can use several PDTCHs simultaneously.
– The allocation of PDCHs to a mobile depends on its multislot class – PBCCH: unidirectional, point-to-multipoint signalling channel. For BSS to
and the QoS of the session. broadcast information about the organisation of the GPRS radio network to all
– Collision prevention: network indicates in the downlink, which mobiles of a cell. For GSM/GPRS mobiles as well information about circuit
channels are currently available. An Uplink State Flag (= USF) in the switched channels is transmitted, so that the mobiles do not need to listen to
header of downlink packets shows which MS is allowed to use this BCCH (= Broadcast Control Channel).
channel in uplink. – PCCCH: transports signalling information for functions of the network access
management, I.e. allocation of radio channels, medium access control, paging.
Sub-channels:
– PRACH: used by mobile to request one or more PDTCH.
– PAGCH: used to allocate one or more PDTCH to a mobile.
– PPCH: used by the BSS to find the location of a mobile station prior to downlink
packet transmission.
– PNCH: used to inform mobile stations of incoming messages.
6
2.4. GPRS Air Interface 2.4.-2 Paging (mobile terminated packet transfer)
2.4.2. Logical channels (continued)
– Packet Dedicated Control Channel: bi-directional point-to-point signalling
channel containing: MS BSS
– PACCH always allocated in combination with one or more PDTCH. It transports
signalling information related to one specific mobile station (e.g. power control) Packet Paging
– PTCCH: used for adaptive frame synchronisation. Mobile sends over the uplink Request PPCH or PCH
part of the PTCCH (= PTCCH/U) access bursts to the BTS. From the delay of
these bursts, the correct value for Timing Advance (= TA) is derived. This value Packet Channel
is than transmitted in the downlink part (= PTCCH/D) to the mobile.
PRACH or RACH Request
– Figure 2.4.-1. Shows the principle of uplink channel allocation:
– Once the Packet Channel Request is successful, a so-called “Temporary Block
Flow” (= TBF) is established.
– With that TBF, resources (e.g. PDTCH and buffers ) are allocated for the mobile Packet Immediate
station, and data transmission can start. Assignment PAGCH or AGCH
– In the optional case of a 2 phase access, the packet channel request leads to the
reservation of a packet associated control channel (PACCH) The packet resource
request of the mobile will than contain all the details of the requested service
Packet Paging
PACCH Response
– Figure 2.4.-2. Shows the paging procedure of a mobile. Paging may be subject to
discontinuous transmission in order to save battery power
2.4.-1 Uplink channel allocation (mobile originated packet 2.4. GPRS Air Interface
transfer)
7
2.4. GPRS Air Interface 2.4. GPRS Air Interface
– Data link layer is subdivided into 2 sublayers: – Figure 2.4.- 3. Illustrates the data flow between the protocol layers in the mobile
– Logical Link Control (LLC) between MS and SGSN station.
– Radio Link Control / Medium Access Control (RLC/MAC) between MS and – Packets of the network layer (e.g. IP packets) are passed down to the SNDCP
BSS. layer, where they are segmented to LLC frames.
– After adding header information and a Frame Check Sequence (= FCS) for
– LLC provides a reliable logical link between mobile and its assigned SGSN error protection, these frames are segmented into one or several RLC data
including: blocks.
– In-order delivery – Those are then passed down to the MAC layer
– Flow control – One RLC/MAC block contains a MAC and RLC header, the RLC payload
– Error functions ( “information bits”) and a Block Check Sequence (= BCS) at the end..
– Support of variable frame length and – This user data is than mapped on the PDTCH..
– … different QoS classes
– Point-to-multipoint and point-to-point.
2.4. GPRS Air Interface 2.4.-3. Data Flow and segmentation between the protocol
layers in the MS GPRS Air Interface
8
2.5. Summary: example of GPRS data transfer 2. Bibliography
•When the IP datagram arrives at the GGSN: the IP address of the receiver is
extracted and mapped to the current location of the mobile station.
•The IP datagram is tunneled through the backbone network to the SGSN that is
currently serving the mobile station.
•The SGSSN removes the tunneling and the original datagram is encapsulated
into the SNDC protocol data unit.
•This is send to the mobile over the air interface using LLC, RLC/MAC and the
physical protocols
9
3.1. Introducing the Wireless Application Protocol
Wireless Access •
–
Requirement of bearer independence:
GSM, D-AMPS, CDMA, GPRS, PDC,
Protocol
– Even non voice: Mobitex, paging systems
• The WAP Forum Ltd.
– Founded in Dec. 1997 by the four parties (Nokia, Ericsson, Motorola,
(WAP)
Phone.Com)
– WAP 1.0 standard in April 1998
– May 1999: first commercial version WAP 1.1.
– May 2000: more than 200 members
3.1. Introducing the Wireless Application Protocol [Heijden, Taylor - 2000] 3.2. Executive Summary of WAP [Heijden, Taylor - 2000]
3.1.1. Introduction
• WAP= global Standard, independent of underlying bearer.
• First introduction of data-oriented mass services.
• Started 1997 by Ericsson, Nokia, Motorola, Phone.Com 3.2.1. Optimised for wireless communications
• Wireless restrictions:
3.1.2. Why was it done – Display size,
• Fragmentation of market into different, mutually incompatible, – Number of keys
proprietary protocols – CPU capacity
– Phone.Com: HDML (= handheld device markup language) for Internet – Power consumption
access over CDPD (= cellular digital packet data) networks. – Limited bandwidth etc.
– Nokia: TTML (= tagged text markup language), similar focus as Lead to differences compared to Internet
HDML, but designed for GSM
• Over-the-air interface communication = binary coded
– Ericsson: ITTP (= intelligent terminal transfer protocol) for telecom-
related services and messaging inside GSM networks. • Message headers and frequently send plaintext messages =
– Plus lots of others …
represented as bytes
• Market did not take off due to fragmentation. • Original Content is restored in the receiver (WAP browser)
• Need for a worldwide, open, generic standard.
1
3.2. Executive Summary of WAP 3.2. Executive Summary of WAP
2
3.2.-2 simplified WAP network architecture 3.2. Executive Summary of WAP
3.2. Executive Summary of WAP 3.2.-3. Advanced Payment Architecture [Kocsis – 1999]:
3
3.3Wireless Application Environment (= WAE) for 3.3.-1. HTML “page” concept compared to WML “deck
Creating WAP Services and Applications of cards” concept
3.3.1. Introduction
• Advantages of Internet vs. Mobile Networks:
– Internet: rich and comfortable user interface, high data rates.
– Mobility (wherever you are)
• WAE = for application developers 2 1
• WAE consists of
– WML (= wireless markup language) 2 1
– WML Script (= wireless markup language script)
1 3
– WTAI (= wireless telephony application interface)
• WAP communication protocol layers deal with:
– Low bandwidth
3
– Long delays
– Unreliable connection of the air interface
• WAP developer: may achieve data compression by encoding in
binary format HTML “page” concept WML deck of cards concept
3.3Wireless Application Environment (= WAE) for 3.3Wireless Application Environment (= WAE) for
Creating WAP Services and Applications Creating WAP Services and Applications
3.3.2. Wireless markup language 3.3.3. Deck of cards
• WML is described using the extensible markup language (= XML) • The markup part of WML consists of tags (the markup) with attributes
• WML document type definition (DTD) describes the format of a specific XML conveying additional information.
document • Tags may have 2 standard optional attributes:
• Documents that are marked up following the format of XML Spec.= “well – Id = uniquely references a particular element within a deck
formed”, … – Class = for use by the server side
• when also complying with DTD = “valid” • WML file must be enclosed within: <wml> and </wml> tags.
• Internet= “page” metaphor, WML = “deck of cards” metaphor. • Within this pair cards are created by <card> and </card> tags.
– Reduction of required screen area and graphical capabilities • Standard attributes (id and class) and card elements can have a title attribute:
– Reduction of network transactions. can be used by UA (= user agent) to render WML content.
– See figure 3.3.-1 • Id attribute for cards can be used to reference the card directly from an URL.
• Contrast to web browsers: how a UA renders WML depends on device type: • “Shadowing”: template for all cards within a deck, in which certain WML event
– Text only mobile phone, or bindings can be predefined, so they need not be repeated in every card:
– PDA or – Opening tag : <template>, closing tag: </template>
– Smart phone with big graphical display • Head element: specifies information relevant to the entire deck of cards.
• WML endures readability and usability of content regardless of handset type Provides a mechanism for including various types of meta-information related
(problem e.g. how to display an image map… ?!) to the deck, such as access control information, details of character set, …
• WML deck consists of text, with structure provided by elements (= tags) .
• Each element may have attributes (often used to instruct the browser how to
render the content)
4
3.3Wireless Application Environment (= WAE) for 3.3Wireless Application Environment (= WAE) for
Creating WAP Services and Applications Creating WAP Services and Applications
3.3.4. User Input 3.3.6. WML Script
• Input elements are similar to HTML, but detail of implementation is similar: • Scripting language based on JavaScrip,
– however WMLScript code is not embedded within the WML deck,
information is not just send to the remote server, but stored on the UA as
– but compiled into binary files, called compilation units.
“browser variables”. – Compilation units are send to the user agent, rather than textual files.
• input element for numeric or alphanumeric input data. • WMLScript = “dynamically typed language”,
• format, e.g. YYYY-MM-DD, or length of input, empty input etc. – All variables within the language have a type internally, but
– Variables are not explicitly typed: any variable can contain a value of any type !
• select element : presents to the user a set of options from which to choose.
• 4 Datatypes: integer (32 bit signed), boolean (true or false), floating point numbers
• Considering the wide range of possible WAP devices: (IEEEE single precision), strings (any length)
– Intelligent use of attributes • Java operators supported: normal arithmetic, bit-wise, comparison, logical,
– Tuning interface constructs conditional.
• WMLScript standard libraries:
– Intelligent use of options
– String: operations – also promitives useful for array operations
For improving usability – Dialogs: to alert and prompt the user.
– URL: functions for parsing URLs, esacaping and unescaping, and downloading content
directly into WMLScript variables.
– WMLBrowser: interaction with the user agent – refreshing, getting and setting variables,
changing the displayed URL, …
3.3Wireless Application Environment (= WAE) for 3.3Wireless Application Environment (= WAE) for
Creating WAP Services and Applications Creating WAP Services and Applications
3.3.5. Task invocation
• Control for user interaction: 3.3.7. Wireless telephony application interface (WTAI)
– HTML: either hyperlinked text or images, which when activated send the
browser to a different URL
– WML: generalized concept of “task” – additionally different potential tasks upon
• Provides means to access telephony functions (far beyond HTML
the browser. Sending to a new URL is done by go task in WML. URL is given capabilities) of the running WAP applications, e.g.
by the href attribute of go. – An application might make a voice call on behalf of the user
– pref sends the browser to the last task. – Send a text message
– refresh forces browser to redraw the display. – Access the phone book etc.
– noop: does nothing (no operation). • WTAI functions are collected in WTAI libraries:
• Task invocation by: – Public: universally available high-level operations for all WAP applications.
– Events – Network specific functions: specific for the given network (e.g. GSM)
– Selection on a select element – Network common functions: rather low level, not relevant for developers
– As the result of a script action
– On timer expiration
5
3.3Wireless Application Environment (= WAE) for 3.4.-1 High level WAP architecture and its relationship
Creating WAP Services and Applications to the mobile network
Mobile operator’s domain
3.3.8. User Agent capabilities
• Multitude of available channels for providers causes need to minimize development WAP gateway
and maintenance cost and to maintain flexibility for future technologies: WAP enabled handset
– XML [Bray - 1998]: generic presentation of the content. HTTP
– Presentation of data is separated from data themselves. Bearer I/f
– Information is stored in a format portable across platforms, applications and display e.g. SMS)
methods.
• WAP developing is more complex than Web developing - WAP devices vary
Radio I/f WAP server
enormously in their capabilities: different screen resolutions, different methods of HTTP
user interaction, different sets of optional features, etc.
• WAP development requires knowledge of WAP devices;
– User agent can identify itself by means of protocol headers while communicating with Mobile operators
gateway network
– Initiation of connection between client and the gateway includes the negotiation of a set of
mutually acceptable capabilities Wireless telephony
Application server
3.4. Integrating WAP gateways into wireless Networks 3.4. Integrating WAP gateways into wireless Networks
3.4.1. Positioning of WAP functionality in a mobile network (figure 3.4.-1) 3.4.2. Functional Requirements of a WAP gateway
• WAP Gateway provides: • Standardised functionality specified by the WAP Forum (Figure 3.4.-2)
– a link between the mobile network and the Internet – WAP protocol stack is required on both the handset and the WAP gateway, so
– Efficient bandwidth usage by encoding the WML or compiling the WMLScript that peer-to-peer protocol connections can be performed.
into compact binary form, and forwarding the resulting data to the mobile device
– Wireless datagram protocol (= WDP) layer
• WAP enabled mobile devices • Performs adaptation to different bearers as: SMS, Circuit Switched Data (CSD),
• WAP origin server unstructured supplementary service data (USSD), cell broadcast (CB), GPRS
– Provides content in WML or WMLScript (rather than HTML) • Like breaking up data into fragments of an appropriate size for the bearer,
• Wireless telephony application (=WTA) server • Interfacing to the bearer network to transport the data,
– Delivers custom-developed WAP services in order to differentiate from • So that the higher layers of the stack do not need to know about the bearer.
competitor (e.g. advanced telephony or messaging services). • Wireless transaction layer security (= WTLS, optional)
– WTA contains repository management applications, allowing the operator to – Provides security: privacy, data integrity, authentication between communicating
alter WAP handset content.
applications.
– Typically a WTA service reacts to a network event (e.g. incoming call)
– Compressing/decompressing and encrypting/decrypting data
6
3.4.-2 High-level architecture of WAP gateway and interfaces
3.4. Integrating WAP gateways into wireless Networks
3.4. Integrating WAP gateways into wireless Networks 3.4. Integrating WAP gateways into wireless Networks
3.4.2. Functional Requirements of a WAP gateway (continued) 3.4.3. Functions required for a real network implementation of a
• Wireless transaction protocol layer (= WTP) WAP gateway
– Provides retransmission and acknowledgment services. “Gateway intelligence”
– Together with WDP, it forms the transport layer. According OSI model. – The standard specifies “what must be done”, but no implementation.
• Wireless session protocol layer (= WSP) This is up to the industry and manufacturers.
– Provides session service to the WAP application laxer – Therefore additional functions are needed in order to build a WAP
– Allowing to exchange information within a session. gateway.
– Connection oriented service: consists of proprietary gateway management properties and functions like:
• Allows session to be reliable by using acknowledgment and retransmission. – Scalability, flexibility and distribution:
of WTP layer. • Scalability: ability to grow in size, I.e. traffic volume
• Mobile device and WAP gateway can negotiate mutually acceptable set of • Flexibility: ability to introduce new functions and features
capabilities • Distribution: distribute the WAP gateway over more than one geographical
• Suspend and resume session on another bearer if required. region and/or distribute the different layers over different servers.
7
3.4. Integrating WAP gateways into wireless Networks 3. Bibliography
– Subscriber data:
• Provide basic authentication as to whether the subscriber has access to WAP
• … or to a specific URL
• … or to a specific service / application (e.g. based on MSISDN)
• Determine the bearers to which the mobile is subscribed (SMS, GPRS, …)
• Blacklisting-, spamming- service management.
– Caching, in order to reduce processing and response times for the mobile
device
8
4.1. Introduction
Universal – Computer data with Internet access, electronic mail, real time image
transfer, multimedia document transfer, mobile computing;
– Telecommunications with mobility, video conferencing, GSM –based
Telecommunications •
infotainment, electronic newspaper, tele-shopping, value-added Internet
services, TV and radio contribution
Assumption of parallel operation of GSM and UMTS for a long
1
4.1. Introduction 4.2. UTRA Transport Control Function
4.1.2. Basic architectural considerations, evolution from 2nd to 4.2.1. Motivation and basics
3rd generation systems (continued)
• UMTS introduction will start in “hot spots”, islands as business areas, • Unique for UMTS transport control as compared to GSM : ability to
where more capacity and advanced services are needed. seamlessly combine an arbitrary number of different variable-rate data
• For this hot spot introduction of UMTS an evolved GSM core network sources (circuit switched or packet switched) with a flexible set of
comprising MSC, HLR, VLR, SGSN and GGSN is needed transport characteristics.
• The RANs are linked to the related fixed networks: • Approach for UMTS was not bit-exact description of coding for a given
– Via the A interface and the MSC for circuit switched calls, radio bearer service, but definition of concepts that can support ranges
– Via the Gb interface, the serving GPRS support node (SGSN), and the of parameter values.
gateway GPRS support node (GGSN) for packet-oriented services. • This results in many alternative ways to map a set of traffic and QoS
• Mobility Management is based on MAP (mobile application part) by parameters for radio transmission.
reusing the HLR and VLR databases. • Definitions of service capabilities will restrict these limits for given
• The Iu Interface between RNC (radio network controller) and the types of terminals, but still maintain the flexibility to provide different
MSC/SGSN is completely standardised. kinds of network implementations and operator parameterisation without
• Different regions will have different evolution paths. violating the compatibility of equipment conforming the standard.
4.1.-1. Second generation scenario: introduction of 3rd 4.2. UTRA Transport Control Function
generation mobile radio systems
Multiservice Broadband
4.2.1. Motivation and basics (continued)
Corporate Network Network Best
Besteffort
effort
Ethernet, PABX, TDM, ATM, voice, FR, IP, … IP
IPnetwork
network
FR, ATM, best effort IP
ATM • Central aspect of UTRA (= UMTS terrestrial radio access) transport
ATM
Multiservice Global control: multirate support provided by the physical layer - execute a
Backbone
N-ISDN Network FR Internet change of data rate combinations at maximum once per radio frame (10
Internet Access FR msec.)
Broadband Node IN PSTN/ISDN
IN • Task for MAC (Media access control): selects the channel combinations
to be applied based on offered load from the set of logical channel
inputs.
Residential
Residential
SOHO
Direct
DirectInternet
Internet • RLC (radio link control): segmentation and retransmission services for
SOHO MSC/VLR Access
Access both user and control data.
A Gb HLR, AC, • RRC (radio resource control) (RRC): handles all configuration
RAN
RAN
22ndndGen.
IN / Camel operations with peer-to-peer control signalling between network and
Gen.
GSM
GSM IWU IA
terminal. Configuring the operation of all lower radio layers.
2
4.2. UTRA Transport Control Function 4.2. UTRA Transport Control Function
4.2.2. Simplified Radio interface protocol architecture (See figure 4.2.2. Simplified Radio interface protocol architecture (continued)
4.2.-1.)
• Logical channels are defined to be bidirectional where applicable (broadcast
• Blocks represent instances of the respective protocols control and paging control only exist in downlink).