GSM GPRS: Global System For Mobile Communication

GSM
Global System for Mobile communication
GPRS
General Packet Radio Service
Examples of digital wireless systems

(all originally specified by ETSI)
TETRA (TErrestrial Trunked RAdio) is an example of a

Professional/Privat Mobile Radio (PMR) system
limited access (mainly for professional usage)
limited mobility (but other advanced features)
DECT (Digital Enhanced Cordless Telecommunications)
is a cordless system
low mobility (only within isolated islands)
next lecture
GSM (Global System for Mobile communication) is a

cellular mobile system
cellular concept
high mobility (international roaming)
Digital PLMN systems (status 2002)

(PLMN = Public Land Mobile Network)
2nd Generation (2G)
GSM
GSM
IMT-2000
FDD
FDD
GPRS
GPRS
Packet
services
IS-136
IS-136
IS-95
IS-95
USA
3rd Generation (3G)
UMTS:
UMTS:
More radio
capacity
EDGE
EDGE
UTRA
UTRAFDD
FDD
UTRA
UTRATDD
TDD
CDMA
CDMA
2000
2000
4G
Duplexing
(separation of uplink/downlink transmission directions)
FDD (Frequency Division Duplexing)
(GSM/GPRS, TETRA, UTRA FDD)
Uplink
Downlink
duplex separation
frequency
TDD (Time Division Duplexing)

(DECT, UTRA TDD)
...
UL
DL
UL
DL
...
time
FDD vs. TDD

FDD
TDD
Duplex filter is large and

expensive
Large MS-BS separation

=> inefficient => indoor
Different fading in
Same fading in UL/DL
UL/DL
=> effect on power control
Same UL/DL
bandwidth
Flexible UL/DL bandwidth

allocation
asymmetric services
GSM => cellular concept

The GSM network contains a large number of cells with
a base station (BS) at the center of each cell to which
mobile stations (MS) are connected during a call.
BS
BS
MS
BS
BS
If a connected MS
(MS in call phase)
moves between two
cells, the call is not
dropped.
Instead, the network
performs a handover
(US: hand-off).
GSM => mobility concept

The GSM network is divided into location areas (LA),
each containing a certain number of cells.
Location Area 1
Location
Area 2
Location Area 3
As long as an idle MS
(idle = switched on)
moves within a location
area, it can be reached
through paging.
If an idle MS moves between

two location areas, it cannot be
reached before it performs a
location update.
Original GSM system architecture

BSS
NSS
BSC
BSC
ME
ME
SIM
SIM
MS
BTS
BTS
GMSC
GMSC
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
BTS
BTS
= BS
MS
MS
MS
MS
database
GSM: circuit switched connections

BSS
NSS
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
TRAU
TRAU
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Circuit switched
connection
Signaling
Database
GPRS: packet switched connections

BSS
TE
TE
NSS
BSC
BSC
PCU
PCU
ME
ME
SIM
SIM
MS
BTS
BTS
GMSC
GMSC
MSC
MSC
VLR
VLR
SGSN
SGSN
Packet switched
connection
Signaling
Database
IP
backbone
HLR
HLR
AuC
AuC
EIR
EIR
GGSN
GGSN
Upgrading from GSM to GSM/GPRS

BSS
TE
TE
NSS
BSC
BSC
PCU
PCU
ME
ME
SIM
SIM
MS
BTS
BTS
GMSC
GMSC
MSC
MSC
VLR
VLR
SGSN
SGSN
New MS/terminals
Packet Control Unit (PCU)
SGSN and GGSN routers
software updates (BTS, HLR)
IP
backbone
HLR
HLR
AuC
AuC
EIR
EIR
GGSN
GGSN
Task division between MSC and TRAU

(TRAU = Transcoding and Rate Adaptation Unit)
BSS
MS
MS
MS
MS
NSS
BSC
BSC
BSC for
signalling only
BTS
BTS
MSC
MSC
VLR
VLR
TRAU
TRAU
Conventional
64 kbit/s
PCM signal
13 kbit/s encoded speech is

packed into 16 kbit/s frame
Radio interface - multiple access techniques

frequency
Time division
time
code nr.
Frequency division
Code
division
Radio interface - physical channels

Typically used for signaling
TS0
TS1
Carrier00
Carrier
Carrier11
Carrier
TT
TS2
Physical channel = time slot TS2
Carrier22
Carrier
Carrier33
Carrier
Frame of length 8 time slots
Time Slot
Radio interface - logical channels (GSM)

Traffic
Trafficchannels
channels
TCH/F
TCH/F
TCH/H
TCH/H
bidirectional
downlink
uplink
Control
Controlchannels
channels(for
(forsignaling)
signaling)
Broadcast
Broadcast
Common
Commoncontrol
control
Dedicated
Dedicated
SCH
SCH
PCH
PCH
AGCH
AGCH
SDCCH
SDCCH
RACH
RACH
FACCH
FACCH
FCCH
FCCH
BCCH
BCCH
SACCH
SACCH
GSM burst structure

GSM normal burst: 156.25 bits (0.577 ms)
33
57
57encrypted
encryptedbits
bits
11
26
26training
trainingbits
bits
11
57
57encrypted
encryptedbits
bits
33 8.25
8.25
traffic or signaling info in burst?
TDMA frame (4.615 ms):

TS7
TS7 TS0
TS0 TS1
TS1 TS2
TS2 TS3
TS3 TS4
TS4 TS5
TS5 TS6
TS6 TS7
TS7 TS0
TS0 TS1
TS1
TDMA multiframe:
11
22
33
44
55
SACCH
66
77
88
99 10
10 11
11 12
12 13
13 14
14 15
15
= 26 TDMA frames (in case of TCH)
Idle
23
23 24
24 25
25 26
26
GSM speech encoding

Voice coding: 260 bits in 20 ms blocks (13 kbit/s) MS - TRAU
260
260bits
bits
260
260bits
bits
Channel coding: 456 coded bits (22.8 kbit/s) MS - BTS
456
456bits
bits
Interleaving: 8 x 57 bits (22.8 kbit/s)
57
57bits
bits
57
57bits
bits
57
57bits
bits
bits 4, 12, 20, 28,

36, 44, etc. from
the 456 bit frame
GSM signaling message encoding

Signaling message is segmented into blocks of 184 bits:
184
184bits
bits
Each block is coded into 456 bits (22.8 kbit/s)
456
456bits
bits
Interleaving: 8 x 57 bits (22.8 kbit/s)
57
57bits
bits
57
57bits
bits
57
57bits
bits
bits 4, 12, 20, 28,

36, 44, etc. from
the 456 bit frame
Task Management in GSM/GPRS

Radio Resource Management (RM)
1 Random access and channel reservation
Handover management
3 Ciphering (encryption) over radio interface
Number
refers to the
remaining
slides
Mobility Management (MM)

4
IMSI/GPRS Attach (switch on) and Detach (switch off)

Location updating (MS moves to other Location/Routing Area)
2 Authentication
Call Control (CC) in GSM

Session Management (SM) in GPRS
MOC, MTC
PDP Context
5
6
Who is involved in what?

MS
MS
BTS
BTS
BSC
BSC
RR
MM
CM / SM
MSC/VLR
MSC/VLR
SGSN
SGSN
Random access in GSM/GPRS (1)
Communication between MS and network is not possible

before going through a procedure called random access.
Random access must consequently be used in
network originated activity
paging, e.g. for a mobile terminated call in GSM
MS originated activity
IMSI attach, IMSI detatch
GPRS attach, GPRS detach
location updating in GSM or GPRS
mobile originated call in GSM
SMS (short message service) message transfer
Random access in GSM/GPRS (2)
1. MS sends a short access burst over the Random

Access CHannel (RACH) in uplink using Slotted Aloha
(collision possibility retransmission)
2. After detecting the access burst, the network (BSC)
returns an immediate assignment message which
includes the following information:
- allocated physical channel (frequency, time slot) in
which the assigned signalling channel is located
- timing advance (for correct time slot alignment)
3. The MS now sends a message on the dedicated
signalling channel assigned by the network, indicating
the reason for performing random access.
Four security measures in GSM

1) PIN code (authentication of SIM = local security
measure, network is not involved)
2) User authentication (performed by network)
3) Ciphering of information sent over air interface
4) Usage of TMSI (instead of IMSI) over air interface
IMSI = International Mobile Subscriber Identity
(globally unique identity)
TMSI = Temporary Mobile Subscriber Identity
(local and temporary identity)
Basic principle of user authentication

SIM
(in terminal)
Air
Interface
Challenge
algorithm
algorithm
Authentication key
Ki
RAND
Response
SRES
Network
Random number
algorithm
algorithm
Authentication key
Ki
The
The same?
same? IfIf yes,
yes,
authentication
authentication isis successful
successful
Ciphering in GSM
3
MS
MS
Time info
Data
Cipher command
(time info...)
Kc
Ciphering key
algorithm
algorithm
algorithm
algorithm
BTS
BTS
Time info
Ciphered data
Kc
Ciphering key
algorithm
algorithm
algorithm
algorithm
Data
For each call, a new ciphering key (Kc) is generated

during authentication both in MS and MSC (in same way
as authentication response).
Three security algorithms in GSM

(in UMTS many more )
Mobile Station (MS)

Ki
A3
A3
Network
RAND (from network)

SRES (to network)
A8
A8
Time info (from network)
Kc
Data
A5
A5
Ciphered data
Three security algorithms in GSM

at the network side ...
MS
Serving MSC
Ki
SRES
AuC
RAND
RAND
?
Time
info
Ciphered data
SRES
SRES
A3
A3
Kc
Kc
A5
A5
Data
A8
A8
Ki
Authentication
vector
Algorithm considerations
Using output and one or more inputs, it is in practice not

possible to calculate backwards other input(s)
brute force approach, extensive search
Key length in bits (N) is important (in case of brute
force approach 2N calculation attempts may be needed)
Strength of algorithm is that it is secret => bad idea!
security through obscurity
Better: open algorithm can be tested by engineering
community (security through strong algorithm)
Usage of TMSI in GSM
3
MS
MS
Random access
TMSI
Network
Network
Authentication
Start ciphering
CM or MM transaction
IMSI detach
New TMSI stored in SIM
IMSI is never
sent over air
interface if
not absolutely
necessary!
New TMSI
allocated by
network
Connectivity states in GSM/GPRS

GSM
Disconnected
Idle
Connected
MS is switched off (circuit mode)

location updates on LA basis
handovers, not location updates
GPRS
Idle
Standby
Ready
MS is switched off (packet mode)

location updates on RA basis
location updates on cell basis
GPRS connectivity state model

No location management,
MS not reachable
Idle
GPRS attach
Standby
timer
expired
GPRS detach
Ready
Timer expired
Location update when MS

changes cell
Transmission of packet
Standby
Location update when MS

changes routing area
MM areas in GSM/GPRS
Cell
Location updating in GPRS

(ready state)
Location Area (LA)

Routing Area (RA)
Location updating in GPRS
(standby state)
Location
updating
in GSM
Trade-off when choosing LA/RA size

If LA/RA size is very large (e.g. whole mobile network)
+ location updates not needed very often
paging load is very heavy
Affects capacity
If LA/RA size is very small (e.g. single cell)

+ small paging load
location updates must be done very often
Affects signalling load
Example: GSM location update (1)

(most generic scenario)
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
LAI 1
(in broadcast messages)
MSC
MSC
VLR
VLR22
MSC
MSC
VLR
VLR11
IMSI
TMSI
HLR
HLR
IMSI
LAI 1
Most recently allocated TMSI and last visited LAI (Location

Area ID) are stored in SIM even after switch-off.
After switch-on, MS monitors LAI. If stored and monitored
LAI values are the same, no location updating is needed.
GSM location update (2)
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
(in broadcast
messages)
LAI 2
MSC
MSC
VLR
VLR22
MSC
MSC
VLR
VLR11
IMSI
TMSI
HLR
HLR
IMSI
LAI 1
Different LAI values => location update required !
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
LAI 1, TMSI
MSC
MSC
VLR
VLR22
MSC
MSC
VLR
VLR11
IMSI
TMSI
HLR
HLR
No TMSI - IMSI
context
IMSI
LAI 1
SIM sends old LAI and TMSI to VLR 2.

VLR 2 does not recognize TMSI since there is no TMSIIMSI context. Who is this user?
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
MSC
MSC
VLR
VLR11
IMSI
MSC
MSC
VLR
VLR22
IMSI
TMSI
IMSI
TMSI
address:
LAI 1
HLR
HLR
IMSI
LAI 1
However, VLR 2 can contact VLR 1 (address: LAI 1) and

request IMSI.
IMSI is sent to VLR 2.
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
MSC
MSC
VLR
VLR11
MSC
MSC
VLR
VLR22
IMSI
TMSI
IMSI
TMSI
HLR
HLR
LAI 2
IMSI
LAI 1
LAI 2
Important: HLR must be updated (new LAI). If this is not

done, incoming calls can not be routed to new MSC/VLR.
HLR also requests VLR 1 to remove old user data.
ME
ME
SIM
SIM
LAI 1
IMSI
TMSI
LAI 2
TMSI
MSC
MSC
VLR
VLR11
LAI 2
TMSI
MSC
MSC
VLR
VLR22
HLR
HLR
IMSI
TMSI
TMSI
IMSI
LAI 2
VLR 2 generates new TMSI and sends this to user. User

stores new LAI and TMSI safely in SIM.
Location update successful !
GSM identifiers (1)

IMSI
IMSI
MCC = Mobile Country Code (3 digits)

MNC = Mobile Network Code (2 digits)
MSIN = Mobile Subscriber Identity Number (10 digits)
Globally
unique
LAI
LAI
Globally
unique
GSM internal
information
MSIN
MSIN
LAC
LAC
CI
CI
MCC = Mobile Country Code (3 digits)

MNC = Mobile Network Code (2 digits)
LAC = Location Area Code (10 digits)
LAI + CI
= CGI
Cell Global
Identity
GSM identifiers (2)

for routing to GMSC
MSISDN
MSISDN
CC
CC
subscriber database in HLR

SN
SN
CC = Country Code (1-3 digits)

NDC = National Destination Code (1-3 digits)
SN = Subscriber Number
Globally
unique
for routing to MSC/VLR

MRSN
MRSN
Temporary
allocation
E.164 numbering
format
CC
CC
TN
TN
temporary subscriber ID
E.164 numbering
format
CC = Country Code (1-3 digits)

NDC = National Destination Code (1-3 digits)
TN = Temporary Number
GSM mobile terminated call (1)
Mobile terminated call = MTC
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Circuit switched connection

(64 kb/s PCM, 16 kb/s between TRAU and BTS,
13 kb/s encoded speech over air interface)
Signaling (ISUP, MAP)
Database
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Call is routed to GMSC using MSISDN number of called

user (e.g. 040 1234567).
MSISDN number in fact points to database in HLR.
HLR is contacted. Under which MSC/VLR is user?
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
HLR knows location of Serving MSC/VLR (when user

moves to another VLR, this is always recorded in HLR).
HLR requests MSRN (roaming number) from VLR.
MSRN is forwarded to GMSC.
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Call can now be routed to Serving MSC/VLR using ISUP

(may involve several intermediate switching centers).
MSC/VLR starts paging within Location Area (LA) in
which user is located, using TMSI for identification.
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Only the mobile user with the corresponding TMSI

responds to the paging.
Using random access procedure, user requests a
channel, e.g. SDCCH, for call control signaling.
ME
ME
SIM
SIM
MS
GMSC
GMSC
BSC
BSC
BTS
BTS
MSC
MSC
VLR
VLR
HLR
HLR
AuC
AuC
EIR
EIR
Signaling channel is set up. After authentication and

ciphering procedures, call control signaling continues.
Finally, the circuit switched connection is established up
to mobile user.
GPRS attach / PDP session

GPRS attach
Separate or combined GSM/GPRS attach
MS registers with an SGSN (authentication...)
Location update possible
PDP context is created
MS is assigned PDP (IP) address
Packet transmission can take place
GPRS detach
PDP context terminated
Allocated IP address released
In case of
dynamic
address
allocation
DHCP
RADIUS
PDP context
PDP context describes characteristics of GPRS session

(session = always on connection)
PDP context information is stored in MS, SGSN and GGSN
MS
123.12.223.9
:::
:::
One user may have several PDP

sessions active
PDP type (e.g. IPv4)
123.12.223.0
SGSN
GGSN
:::
:::
:::
:::
PDP address = IP address of MS

(e.g. 123.12.223.9)
Requested QoS (priority, delay )
Access Point Name (GGSN address
as seen from MS)
PDP context activation
MS
SGSN
GGSN
Activate PDP context request

Security functions
Create PDP context request
:::
:::
IP address allocated to MS
:::
:::
Create PDP context response
Activate PDP context accept
:::
:::
Packet transmission (1)
MS
(client)
SGSN
Server
(IP, WAP..)
IP
backbone
?
GGSN
Dynamic IP address allocation has one problem:

it is difficult to handle a mobile terminated transaction
(external source does not know IP address of MS)
Fortunately, packet services are of client-server type
=> MS initiates packet transmission
MS
(client)
SGSN
Server
(IP, WAP..)
Packet is tunneled
through IP backbone
GGSN
Packet is sent to SGSN. SGSN sends packet to GGSN
through GTP (GPRS Tunneling Protocol) tunnel.
Tunneling = encapsulation of IP packet in GTP packet
IP address ...
IP address
IP payload
... = APN of GGSN, used for routing through tunnel
MS
(client)
SGSN
Server
(IP, WAP..)
GGSN
Source IP
address:
GGSN
GGSN sends packet through external IP network (i.e.

Internet) to IP/WAP server.
Source IP addr.
GGSN
Dest. IP addr.
Server
IP payload
MS
(client)
SGSN
Server
(IP, WAP..)
Dest. IP address: MS
Dest. tunnel
address: SGSN
GGSN
Dest. IP
address:
GGSN
Server sends return packet via GGSN, GTP tunnel and

SGSN to MS.
Packets from server to MS are always routed via GGSN
(since this node has PDP context information).
Further information on GSM/GPRS

Books:
Many good books available (GSM)
Andersson: GPRS and 3G wireless applications, Wiley, 2001,
Chapter 3 (GPRS)
Web material:
www.comsoc.org/livepubs/surveys/public/4q99issue/
reprint4q.html (GSM system and protocol architecture)
www.comsoc.org/livepubs/surveys/public/3q99issue/
bettstetter.html (GPRS basics)
Part of this source is required course material

GSM GPRS: Global System For Mobile Communication

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

GSM GPRS: Global System For Mobile Communication

Uploaded by

Copyright:

Available Formats

GSM

Global System for Mobile communication

Examples of digital wireless systems

TETRA (TErrestrial Trunked RAdio) is an example of a

GSM (Global System for Mobile communication) is a

Digital PLMN systems (status 2002)

3rd Generation (3G)

TDD (Time Division Duplexing)

FDD vs. TDD

Duplex filter is large and

Large MS-BS separation

Flexible UL/DL bandwidth

GSM => cellular concept

GSM => mobility concept

If an idle MS moves between

Original GSM system architecture

GSM: circuit switched connections

GPRS: packet switched connections

Upgrading from GSM to GSM/GPRS

Task division between MSC and TRAU

13 kbit/s encoded speech is

Radio interface - multiple access techniques

Radio interface - physical channels

Physical channel = time slot TS2

Frame of length 8 time slots

Radio interface - logical channels (GSM)

GSM burst structure

traffic or signaling info in burst?

TDMA frame (4.615 ms):

= 26 TDMA frames (in case of TCH)

GSM speech encoding

Channel coding: 456 coded bits (22.8 kbit/s) MS - BTS

Interleaving: 8 x 57 bits (22.8 kbit/s)

bits 4, 12, 20, 28,

GSM signaling message encoding

Each block is coded into 456 bits (22.8 kbit/s)

Interleaving: 8 x 57 bits (22.8 kbit/s)

bits 4, 12, 20, 28,

Task Management in GSM/GPRS

Mobility Management (MM)

IMSI/GPRS Attach (switch on) and Detach (switch off)

Call Control (CC) in GSM

Who is involved in what?

Random access in GSM/GPRS (1)

Communication between MS and network is not possible

Random access in GSM/GPRS (2)

1. MS sends a short access burst over the Random

Four security measures in GSM

Basic principle of user authentication

For each call, a new ciphering key (Kc) is generated

Three security algorithms in GSM

Mobile Station (MS)

RAND (from network)

Three security algorithms in GSM

Using output and one or more inputs, it is in practice not

Usage of TMSI in GSM

Connectivity states in GSM/GPRS

MS is switched off (circuit mode)

MS is switched off (packet mode)

GPRS connectivity state model

Location update when MS

Location update when MS

Location updating in GPRS