Chap 5

2G: GSM System

Outlines
z
z
z
z
z
z
z

Introduction
GSM Architecture
Air Interface
Location Tracking and Call Setup
HandOff
Security
Summary

Introduction

Introduction
z
z

z
z

Global System for Mobile Communications

(GSM) is a digital wireless network standard.
It was developed by Group Special Mobile of
Conference Europeenne des Postes et
Telecommunications (CEPT) and European
Telecommunications Standards Institute
(ETSI).
GSM Phases 1 and 2 define digital cellular
telecommunications system.
GSM Phase 2+ targets on Speech Codec
and Data Service.

The Basic Requirements of

GSM
Basic Requirements set out by GSM

z
z

z
z
z
z
z

Original text as written by the committee in 1985

Services
Quality of Services and Security
Radio Frequency Utilization
Network
Cost

GSM Architecture

GSM System Structure

AUC

PSTN
PSTN

GMSC

ILR

SS

HLR
EIR

DTI

MSC/
VLR

MS

BSS
RBS

BSC

OMC

GSM Architecture
BTS
BTS
ME

EIR
BSC

HLR VLR

AUC

BTS
Cloud

SIM
MS

Abis interface

Um interface

Cloud

BTS
BTS

GMSC

MSC

BSC

BTS
Base Station
Subsystems (BSS)

A interface

Network
Network and
and Switching
Switching
Subsystem
Subsystem
(NSS)

PSTN

Cloud

Cloud

Mobile Station (MS)

z
z

Also called Mobile Terminal (MT)

The MS consists of two parts:
z
z

Subscriber Identity Module (SIM)

Mobile Equipment (ME)

SIM
z

A SIM contains subscriber-related information

z

z
z

A list of abbreviated and customized short dialing

numbers
Short message
Names of preferred Networks to provide service

Personal Identity Number (PIN) .

SIM
z

SIM contains important information including

z
z
z
z
z
z

IMSI
Ki
TMSI
Access Control Code
Kc
LAI

SIM information can be modified:

z
z

By the subscriber either by keypad or a PC using an

RS232 connection
By sending codes through short messages (network
operators)

Mobile Equipment (ME)

z

ME: non-customer-related hardware and

software specific to the radio interface
ME can not be used if no SIM is on the MS.
z

Except for emergency calls

The SIM-ME design supports portability:

z
z

The MS is the property of the subscriber.

The SIM is the property of the service provider.

Base Station System (BSS)

z

The Base Station System (BSS) connects the

MS and NSS.
BSS contains
z
z

Base transceiver station (BTS)

Base station controller (BSC)

BTS
z

Base Transceiver Station (BTS) contains

z
z
z

Transmitter
Receiver
Signaling equipment specific to the radio
interface in order to contact the MSs.
Transcoder/Rate Adapter Unit (TRAU)
z

GSM-specific speech encoding/decoding and rate

adaptation in data transmission

Omni-directional Antenna
GSM 1800
GSM 900

Lightning
conductor

Directional Antenna
Lightning
conductor
GSM 900

GSM 1800

Directional Antenna

BSC (1/2)
z

Base Station Controller (BSC)

z
z
z
z

Radio channel assignment

Handoff management
Connect to an MSC
Connect to several BTSs
z
z

Maintain cell configuration data of these BTSs.

The BSC communicates with the BTSs via the A-bis.

BSC (2/2)
z

The processor load of a BSC:

z
z

Call activities (around 20-25%)

Paging and short message service (around 1015%)
Mobility management (handoff and location
update, around 20-25%
Hardware checking/network-triggered events
(around 15-20%)

When a BSC is overloaded, it first rejects

location update, next MS originating calls,
then handoff.

NSS (1/2)
z

Network and Switching Subsystem (NSS)

z
z
z

Telephone switching functions

Subscriber profiles
Mobility management

Components in NSS:
z
z

MSC: provide basic switching function

Gateway MSC (GMSC): route an incoming call to
an MSC by interrogating the HLR directory.

NSS (2/2)
z

Components in NSS (continuous):

z

HLR and VLR maintain the current location of the

MS.
Authentication Center (AuC) is used in the
security management.
Equipment Identity Register (EIR) is used for
the registration of MS equipment.

GSM Interfaces
BTS
BTS
ME

EIR
BSC

HLR VLR

AUC

BTS
MAP interface

SIM
MS

Abis interface

Um interface

Cloud

BTS
BTS

GMSC

MSC

BSC

BTS
Base Station
Subsystems (BSS)

A interface

Network
Network and
and Switching
Switching
Subsystem
Subsystem
(NSS)

Cloud

PSTN

Cloud

Cloud

Air Interface

Radio InterfaceUm (1/3)

z

The GSM radio link uses TDMA/FDD

technology.
z
z
z
z
z
z

890-915 MHz (uplink)

935-960 MHz (downlink)
124 pairs 200 KHz
8 time slots (bursts) per carrier
A frame consists 8 timeslots (each 0.577 msec for
a time slot).
The length of GSM frame in a frequency carrier is
4.615 msec.

Radio InterfaceUm (2/3)

Downlink
FDMA
C0
C1

TS0 TS1 TS2 TS3 TS4

TS0 TS1 TS2 TS3 TS4

TS5 TS6 TS7

TS5 TS6 TS7

Frame
MS
Control channel
Traffic channel

TS0 TS1 TS2

TS0 TS1 TS2

TS3 TS4
TS3 TS4

Frame (TDMA)

892.2 MHz
892.4 MHz

GSM Normal Burst

Tailing
3

Data
57 bits

Flag Training Flag

1

26 bits

Data
57 bits

Tailing Guard
3

8.25 bits

Burst (148 bits/0.564 msec)

Time Slot (156.25 bits or 0.577 msec)

z
z

Begin with 3 head bits, and end with 3 bits.

Two groups are separated by an equalizer
training sequence of 26 bits.
The flags indicates whether the information
carried is for speech/data, or signaling.

Logical Channels

Traffic Channel (TCH)

z

TCHs are intended to carry user information

(speech or data).
z

Full-rate TCH (TCH/F)

z
z
z

Transmission speed: 13 Kbps for speech

Transmission speed: 9.6, 4.8 or 2.4 Kbps for data
Enhanced full-rate (EFR) speech coders for improving
the speech quality

Half-rate TCH (TCH/H)

z
z

Transmission speed: 6.5 Kbps speech

Transmission speed: 4.8 or 2.4 Kbps of data.

Control Channels (CCH)

z
z

CCHs: to carry signaling information

Three types of CCHs :
z
z
z

Broadcast channel (BCH)

Common control channel (CCCH)
Dedicated control channel (DCCH)

Broadcast Channels (BCHs)

z

BTS broadcasts system information to the

MSs through BCHs.
Two types in BCH:
z

Frequency Correction Channel (FCCH) and

Synchronization Channel (SCH)
z

The information allows the MS to acquire and stay

synchronized with the BSS.

Broadcast Control Channel (BCCH) (downlink)

z
z

Access information for the selected cell

Information related to the surrounding cells to support
cell selection
Location registration procedures in an MS

Common Control Channel (CCCH)

z

Three types in CCCH:

z

Random Access Channel (RACH) (uplink)

z
z
z

Access Grant Channel (AGCH) (downlink)

z

Used by the MSs for initial access to the network

Collision may occurs.
Slotted Aloha protocol is used to resolve access
collision.
Used by the network to indicate radio link allocation
upon prime access of an MS

Paging Channel (PCH) (downlink)

z

Used by the network to page the destination MS in

call termination

Dedicated Control Channel (DCCH) (1/2)

z
z

DCCH is for dedicated use by a specific MS.

Four types in DCCH:
z

Standalone Dedicated Control Channel (SDCCH)

(down/uplink)
z

used only for signaling and for short message

Slow Associated Control Channel (SACCH)

(down/uplink)
z
z
z

Associated with either a TCH or an SDCCH

For non-urgent procedures
Power and time alignment control information
(downlink)
Measurement reports from the MS (uplink)

Dedicated Control Channel

(DCCH) (2/2)
z

Four types in DCCH (continuous):

z

Fast Associated Control Channel (FACCH)

(down/uplink)
z

z
z

Used for time-critical signaling, such as callestablishing progress, authentication of subscriber, or

handoff.
FACCH use TCH during a call.
May cause user data loss.

Cell Broadcast Channel (CBCH) (downlink)

z

Carries only the short message service cell broadcast

messages, which use the same time slot as the
SDCCH.

GSM Burst Structure

Tailing
3

Data

Flag Training Flag

57 bits

26 bits

Data

Tailing Guard

57 bits

8.25 bits

Normal Burst
Tailing

Fixed Bits

Tailing Guard

142 bits

8.25 bits

Frequency Correction Burst

Tailing
3

Data

Training

39 bits

64 bits

Data

Tailing Guard

39 bits

Synchronization Burst
Tailing
3

Synch. Seq.
41 bits

Data
36 bits

Access Burst

Tailing
3

Guard
68.25 bits

8.25 bits

Example of Channel Usage

(GSM Call Origination)

Example of Channel Usage

(GSM Call Termination)

Mobility Databases

Mobility Databases
z

The hierarchical databases used in GSM.

z

The home location register (HLR) is a database

used for MS information management.
The visitor location register (VLR) is the database
of the service area visited by an MS.
HLR
VLR 1
MSC 1

MSC 2

VLR 2

Key Terms
z

GSM uses some identifiers

z
z
z
z
z

z
z

Mobile system ISDN (MSISDN)

Mobile Station Roaming Number (MSRN)
International Mobile Subscriber Identity (IMSI)
Temporary Mobile Subscriber Identity (TMSI)
International Mobile station Equipment Identity
(IMEI)
Location Area Identity (LAI)
Cell Global Identity (CAI)

MSISDN
z

Mobile System ISDN

z

MSISDN uses the same format as the ISDN

address (based on ITU-T Recommendation
E.164).
HLR uses MSISDN to provide routing instructions
to other components in order to reach the
subscriber.
Total up to 15 digits

Country code
(CC)

National destination
code (NDC)

Subscriber
number (SN)

MSRN
z
z

Mobile Station Roaming Number

The routing address to route the call to the
MS through the visited MSC.
z

MSRN=CC+NDC+SN

IMSI
z

International Mobile Subscriber Identity

z

Each mobile unit is identified uniquely with an

IMSI.
IMSI includes the country, mobile network, mobile
subscriber.
Total up to 15 digits
3 digits

1- 2 digits

Up to 10 digits

Mobile country Mobile network Mobile subscriber

code (MCC)
code (MNC)
identification code (MSIC)

TMSI
z

Temporary Mobile Subscriber Identify

z
z

TMSI is an alias used in place of the IMSI.

This value is sent over the air interface in place of
the IMSI for purposes of security.

IMEI
z

International Mobile Station Equipment

Identity
z
z

IMEI is assigned to the GSM at the factory.

When a GSM component passes conformance
and interoperability tests, it is given a TAC.
Up to 15 digits
3 digits

2 digits

Up to 10 digits

Type approval Final assembly

Serial number (MSIC)
code (FAC)
code (FAC)
Spare 1 digit

LAI
z

Location Area Identity

z
z

LAI identifies a location area (LA).

When an MS roams into another cell, if it is in the
same LAI, no information is exchanged.
Total up to 15 digits

3 digits

1-2 digits

Up to 10 digits

Mobile country Mobile network Location area code (LAC)

code (MCC)
code (MNC)

CGI
z
z

Cell Global Identity

CGI = LAI + CI
= MCC + MNC + LAC + CI
z

CI : Cell Identity

Home Location Register (HLR)

z

An HLR record consists of 3 types of

information:
z

Mobile station information

z
z

Location information
z
z

IMSI (used by the MS to access the network)

MSISDN (the ISDN numberPhone Number of the
MS)
ISDN number of the VLR (where the MS resides)
ISDN number of the MSC (where the MS resides)

Service information
z
z
z

service subscription
service restrictions
supplementary services

Visitor Location Register (VLR)

z

The VLR information consists of three parts:

z

Mobile Station Information

z
z
z

Location Information
z
z

IMSI
MSISDN
TMSI
MSC Number
Location Area ID (LAI)

Service Information
z

A subset of the service Information stored in HLR

Identifiers and Components

MSISDN

HLR VLR/MSC BSC

BTS

MS
9

MSRN

TMSI

LAI

IMSI

9
9

CGI
MSC

Location Tracking
(Mobility Management)

Location Update

BS 1

BS 2

BS 3

Two-level Hierarchical
Strategy
z

The current location of an MS is maintained

by a two-level hierarchical strategy with the
HLR and the VLRs.
HLR
VLR 1
MSC 1

MSC 2

VLR 2

Location Area
z

Location area (LA) is the basic unit for

location tracking.

MSC

MSC

MSC

LA 2
LA 3
LA 1

GSM Location Area Hierarchy

HLR

VLR1

MSC1

MSC2

LA2

LA1
MS

VLR2

HLR : HOME Location Register

VLR : VISITOR Location Register
MSC : Mobile Switching Center
LA : Location Area
MS : Mobile Station

Location Update Concept

z

Registration: the location update procedure

initiated by the MS:
z

Step 1. BS periodically broadcasts the LA

address.
Step 2. When an MS finds the LA of BS different
from the one stored in it memory, it sends a
registration message to the network.
Step 3. The location information is update.

Periodically Registration
z

z
z

The MS periodically send registration

messages to the network.
The period is 6 minutes to 24 hours.
Periodic registration is useful for faulttolerance purposes.

GSM Basic Location Update

Procedure
z

In GSM, registration or location update

occurs when an MS moves from one LA to
another.
Three cases of location update:
z
z
z

Case 1. Inter-LA Movement

Case 2. Inter-MSC Movement
Case 3. Inter-VLR Movement

Inter-LA Registration

Inter-LA Movement (1/2)

z
z

Two LAs belong to the same MSC.

Four major steps:
z

Step 1. MS sends a location update request

message (MSBTSMSC) .
z

Parameters included: TMSI, Previous LA, target LA,

previous MSC and previous VLR.
IMSI (International Mobile Subscriber Identity) is used
to identify MS.
However, the MS identifies itself by the Temporary
Mobile Subscriber Identity (TMSI).
TMSI is used to avoid sending the IMSI on the radio
path.
TMSI is temporary identity is allocated to an MS by
the VLR at inter-VLR registration.

Inter-LA Movement (2/2)

z

The Process continues:

z

Step 2. The MSC forwards the location update

request to the VLR by a TCAP message,
MAP_UPDATE_LOCATION_AREA.
z

Parameter includes: Address of the MSC, TMSI,

previous Location Area Identification (LAI), target LAI,
Other related information

Steps 3 and 4.
z

z
z

Part I. The VLR find that both LA1 and LA2 belong to
the same MSC.
Part II. The VLR updates the LAI field of the MS.
Part III. The VLR replies an ACK to the MS through
the MSC.

Inter-MSC Registration

Inter-MSC Movement (1/2)

z

The two LAs belong to different MSCs of the

same VLR.
The process is:
z

Steps 1 and 2. MS sends a location update

request message (MSBTSMSC) .
Step 3.
z

z
z

Part I. VLR1 finds that the LA1 and LA2 belong to

MSC1 and MSC2, respectively. Two MSCs are
connected to VLR1.
Part II. VLR1 updates the LAI and MSC fields of MS.
Part III. The VLR1 derives the HLR address of the MS
from the MSs IMSI.

Inter-MSC Movement (2/2)

z

The process continues:

z

Step 3.
z

Part IV. The VLR1 sends the

MAP_UPDATE_LOCATION to the HLR.
Parameter includes: IMSI, previous MSC Address,
target MSC Address, VLR Address, other related
information

Step 4. HLR updates the MSC number field of

the MS. An acknowledgement is sent to VLR1.
Steps 5 and 6. The acknowledgement is
forwarded to the MS.

Inter-VLR Registration
Message Flow
f
5

HLR

VLR2

VLR1

8
3

h
c

1
2

MSC2

MSC1

6
1

LA2

LA1

MS

MSC2

VLR2

HLR

VLR2

1. MAP_UPDATE_LOCATION_AREA
2. MAP_SEND_IDENTIFICATION
3. MAP_SEND_IDENTIFICATION_ack
4. MAP_UPDATE_LOCATION
5. MAP_UPDATE_LOCATION_ack
6. MAP_UPDATE_LOCATION_AREA_ack

7. MAP_CANCEL_LOCATION
8. MAP_CANCEL_LOCATION_ack

MS Registration Process (2/2)

HLR

deregistration
VLR
5

Old
VLR

HLR
3 location update

TMSI

New
VLR

MSs IMSI
1

TMSI

new TMSI

Inter-VLR Movement (1/2)

z

Two LAs belong to MSCs connected to

different VLRs.
The process is:
z

Step 1. MS sends a location update request.

MSC2 sends MAP_UPDATE_LOCATION_AREA
to VLR 2 with MSs TMSI.
Steps 2 and 3.
z
z

VLR2 does not have the record of MS.

VLR2 identifies the address the VLR1 and sends
MAP_SEND_IDENTIFICATION (with TMSI) to VLR1.
VLR1 sends IMSI to VLR2.

Inter-VLR Movement (2/2)

z

The process continues:

z

Steps 4 and 5.
z
z
z
z

Step 6.
z

VLR2 creates a VLR record for the MS.

VLR2 sends a registration message to HLR.
HLR updates the record of the MS.
HLR sends an acknowledge back to VLR2.
VLR2 generates a new TMSI and sends it to the MS.

Steps 7 and 8.
z

The obsolete record of the MS in VLR1 is deleted.

Call Origination and

Termination

Call Origination Operation

VLR V2

u1
2
3

PC
ST
loN
ud
C lo u d

VLR

M SC

T e r m in a tin g
S w itc h
2 . M A P _ S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L
3 . M A P _ S E N D _ IN F O _ F O R _ O U T G O IN G _ C A L L _ a c k
4 . IA M

M SC

GSM Basic Call Origination

z

The process is
z

Step 1. MS sends the call origination request to

MSC.
Step 2. MSC forwards the request to VLR with
message
MAP_SEND_INFO_FOR_OUTGOING_CALL.
Step 3. VLR checks MSs profile and sends
MAP_SEND_INFO_FOR_OUTGOING_CALL_ac
k to MSC to grant the call request.
Step 4. MSC sets up the trunk according to the
standard PSTN call setup procedure.

Call Termination Message Flow

Call Termination (1/2)

z
z

Routing information for call termination can

be obtained form the serving VLR.
The basic call termination process:
z

Step 1. A MSs ISDN (MSISDN) number is

dialed by a PSTN user. The call is routed to a
gateway MSC by an SS7 ISUP IAM message.
Step 2. GMSC sends
MAP_SEND_ROUTING_INFORMATION with
the MSISDN to HLR.

Call Termination (2/2)

z

The process continues:

z

Step 3. HLR sends a

MAP_PROVIDE_ROAMING_NUMBER to VLR.
z

Steps 4 and 5. VLR creates Mobile Subscriber

Roaming Number (MSRN) by using the MSC
number stored in the VLR record.
z
z

Parameter included: IMSI of the MS, the MSC number.

MSRN is sent back to the gateway MSC through HLR.

MSRN provides the address of the target MSC where
the MS resides.

Step 6. An SS7 ISUP IAM message is directed

from the gateway MSC to the target MSC to setup
the voice trunk.

The Mobile Call Termination

(Delivery) Procedure
IMSI
MSISDN

1
1

MSISDN

IMSI

GMSC

HLR

MSRN

Cloud
Other
Cloud
Cloud
Switches

VLR

MSRN

PSTN

Cloud
Other
Cloud
Cloud
Switches

MSC

Handoff (Handover)

Handoff

Two Aspects of Mobility in a

PCS Network
z

Handoff
z
z

Link transfer, or Handover

A mobile user moves from one coverage area of
an old BS to the coverage area of a new BS
during the conversation.
The radio link to the old BS is disconnected and
a radio link to the new BS should be established
to continue the conversation.

Roaming
z

When a mobile user moves from one system to

another, the user location should tell the PCS
system.

BS Coverage Area
z
z

BS coverage areairregular.
In the cell boundary
z
z

Signal from a neighboring BS u

Signal from the serving BS v

Otherwise: Forced termination

Handoff Cost
z
z
z

Handoffs are expensive.

Special for the system with small cell sizes
Small cell size for
z
z

To increase the capacity of the systems

To reduce power requirements of MSs.

Issues for Handoff

Management
z

Handoff detection
z

z
z

Who and how

Channel assignment
Radio link transfer

Handoff Detection

Strategies for Handoff

Detection
z
z

Who makes a decision for handoff

Three handoff detection schemes:
z
z
z
z

Mobile-Controlled Handoff (MCHO)

Network-Controlled Handoff (NCHO)
Mobile-Assisted Handoff (MAHO)
Others

Mobile-Controlled Handoff
(MCHO)
z
z

MCHO is used in DECT and PACS.

Part I. The MS continuously monitors the
signals of the surrounding BSs.
Part II. The MS initiates the handoff process
when some handoff criteria are met.

Network-Controlled Handoff
(NCHO)
z
z

Used in CT-2+ and AMPS

Part I. The surrounding BSs measure the
signal from the MS.
Part II. The network initiates the handoff
process when some handoff criteria are met.
MSC controls the handoff.

Mobile-Assisted Handoff
(MAHO)
z
z

Used in GSM, IS-136 and IS-95

Part I. The network asks the MS to measure
the signal from the surrounding BSs.
Part II. The network makes the handoff
decision based on the reports from the MS.

Channel Assignment for

Handoff Calls

Channel Assignment
z

Purposeto achieve a high degree of

spectrum utilization for a given grade of
service
z

ExTo reduce forced terminations

Forced Terminations
z

Blocked callInitial access requests fail

z
z

Forced terminationsHandoff requests fail

z
z

For new call

No available channels on the visited BS
For handoff call
No available channel on the selected BSs

Which one is serious, new call blocking or

force terminating?

Some trade-offs
z
z
z

Service quality
Spectrum utilization
Implementation complexity of the channel
assignment algorithm
Number of database lookups

Flowchart for Non-prioritized

Scheme

New or
handoff
call arrival

Channel
available?

no

Channel
blocked

yes
Channel
assigned

Ongoing
call

Channel
released

Flowchart for Reserved

Channel Scheme
New
call
arrival

Normal
channel
available?

no

Channel
blocked

yes
Channel
assigned

Ongoing
call

yes
Handoff
call
arrival

Normal
channel
available?

Channel
released

yes
no

Reserved
channel
available?

no

Link Transfer

Link Transfer
z

Two operations:
z

The radio link is

transferred from the
old BS to the new BS.
The network bridges
the trunk to the new
BS and drop the trunk
to the old BS.

MSC
Old
BS

New
BS

Five Distinct Link Transfer

Cases (1/3)
1.
2.
3.
4.
5.

Intra-BTS handoff or intra-cell handoff

Inter-BTS handoff or inter-cell handoff
Inter-BSC handoff
Inter-MSC handoff or intersystem handoff
Intersystem handoff between two PCS
networks

Inter-BSC Handoff
(a) Before handoff

(b) After handoff

MSC 1

MSC 1
BSC 1

BSC 1

BSC 2

New
BS

New
BS
Old
BS

BSC 2

Old
BS

Intra-MSC
MS

Serving BSS

MSC

Target BSS

1 STRN_MEAS
2 HAND_REQ
3 HAND_REQ
4 HAND_REQ_ACK
5 HAND_COMM
6 HAND_COMM
7 HAND_ACC
8 CHH_INFO
9 HAND_DET
10 HAND_COMP
11 HAND_COMP
12 REL_RCH
13 REL_RCH_COMP

Inter-MSC Link Transfer

(a) Before handoff

(b) After handoff

PSTN
PSTN

PSTN
PSTN

MSC A

trunk

MSC B

MSC A

BS 2
BS 1

trunk

MSC B

BS 2
BS 1

Inter-MSC (1/2)
MS

Serving
BSS

Serving
MSC

Target
MSC

Target
BSS

1 STRN_MEAS
2 HAND_REQ
3 HAND_PER
4 HAND_NUM
5 HAND_NUM_COMP
6 HAND_REQ
7 HAND_REQ_ACK
8 HAND_PER_ACK
9 NET_SETUP
10 SETUP_COMP
11 HAND_COMM
12 HAND_COMM

Target
VLR

Inter-MSC (2/2)
MS

Serving
BSS

Serving
MSC

Target
MSC

Target
BSS

13 HAND_ACC
14 CHH_INFO
15 HAND_DET
16 HAND_COMP
17 HAND_COMP

18 SEND_ENDING
19 ANSWER
20 REL_RCH
21 REL_RCH_COMP
22 END_SIGNAL
23 NET_REL
24 ERL_HAND_NUM

Target
VLR

Anchor MSC

MSC A
BS 1

MSC B

MSC C

BS 2
BS 3

BS 4

BS 5

4
1

2
3

MSC A is the anchor MSC.

1: inter-BS handoff
2: handoff forward
3: handoff back
4: handoff to the third

Path Minimization
MSCA

MSCB

MSCA

(a) Handoff forwad

(a) Handoff Backwad

MSCB
MSCA

(c) Handoff to the Third

MSCB

MSCB
MSCc

MSCA

(d) Path Minimization

MSCc

Radio Link Transfer

Hard Handoff

Hard Handoff
z
z
z
z

MS connects with only one

BS at a time.
Interruption in the
conversation occurs
Used in TDMA and FDMA
systems
We will study the signaling of
handoff:
z
z
z

MCHO Link Transfer

MAHO/NCHO Link Transfer
Subrating MCHO Link Transfer

MSC
Old
BS

New
BS

Hard Handoff Link Transfer for

MCHO
z

A handoff request message is initiated by the

MS.
z
z

z
z

The network can initiate the handoff.

But always MS chooses the BS.

MS selects a new radio channel.

If a handoff failure occurs, the MS link-quality
maintenance process must decide what to do
next.

Soft Handoff

Soft Handoff
z

z
z
z

MS connects to multiple BSs

simultaneously.
BSs use the same frequency.
BSs must be synchronized.
The network must combine
the signals form the multiple
BSs simultaneously.
Soft handoff is more
complicated than hard
handoff.

MSC
BS 1

BS 2

Mobility Management
z

Mobility management procedures begin

when a system detects the presence of a
visiting terminal.
z

z
z
z

(1) serving base station serving MSC

(inform MSC the terminals action)
(2) MSC records that the terminal is in its
operating area
(3) MSC send this information to its VLR.
(4) VLR notifies the terminals HLR.
(5) HLR notifies the old VLR to erase record.

VLR

HLR

VLR

BS

Power
on

CSS

Visited
MSC

Home
MSC

-------

BS
: Registration notification invoke,

BS

BS

contains MIN, ECN, SID

: Registration notification invoke,
contains MIN, ECN, SID, address
of VLR.

:Registration cancellation invoke

: profile request invoke
: profile request result

Figure 4.4 Registration of a terminal in a visited service area.

Prior
MSC

Prior
VLR

HLR

Serving
VLR

Figure 4.4 Registration of a terminal in a visited service area

Handoff Categories
z

IS-41 specifies three handoff protocols:

z

handoff forward, handoff back, and handoff to

third.

Intersystem handoff requires dedicated

communication links between a pair of
MSCs:
z

voice trunks: for carrying user information in

calls handed from one MSC to another
data links: for carrying control messages
between the two switch.

Handoff forward:

Figure 4.8 The situation after a handoff

forward from system A(anchor system) to
system B(serving system).

The terminal moves into

the service area of system
B causing MSC-A and
MSC-B to perform a
handoff.
MSC-A is the anchor MSC
MSC-A is responsible for
routing the call to the
remote party.
MSC-B is the serving
MSC because it currently
has control of the call.
After handoff, MSC-B is
the target MSC.

Handoff Back:

The terminal can return to

the service area of system
A.
MSC-B recognizes that
the call arrived from
system A and it initiates a
handoff back protocol,
which releases the voice
circuit between MSC-A
and MSC-B.
Without this protocol, the
systems would tie up two
voice trunks
one taking the call
from system A to
system B
the other taking it from
system B to system A.

Handoff forward:

Figure 4.9 Call path after handoff forward to

system C

It is possible that the

terminal will move from
system B to a third system C.
This produces two
possibilities in Figures 4.9
and 4.10.
In Figure 4.9, MSC-B and
MSC-C perform a handoff
forward procedure the one
that moved the call from
system A to system B.
System B provides a path
from MSC-A to MSC-C.
The situation can continue,
adding more and more
MSCs to the chain, up to a
limit established by the
anchor system.

Handoff to third:

Figure 4.10 If there are circuits connecting MSC-A

and MSC-C, the system performs handoff to third.

An alternative occurs when

there is a direct connection
between systems A and C.
IS-41 includes a protocol
referred to as handoff to
third, which establishes a
direct link between MSC-A
and MSC-C and release the
link between A and B.

Handoff Protocols
z

There are two phases to every handoff

procedure.
z

Location phase
the serving MSC collects measurement reports
from cells in the neighborhood of the cell
presently occupied by a terminal.
z When measurements are required from one or
more cells in a system adjacent to the serving
system, the adjacent system becomes a
candidate system.
z The serving MSC and a candidate MSC
exchange handoff measurement request
messages.
z

A HANDOFF MEASUREMENT REQUEST

INVOKE message, transmitted by the serving
MSC includes:

information about the terminal (station class mark,

SCM, indicates the capabilities of the terminal)
information about the serving base station (SAT and
a base station identifier), and
information about the radio channel carrying the call
(channel number).

Based on the identity of the serving base station,

the candidate MSC selects one or more
candidate cells and transmits a HANDOFF
MEASUREMENT REQUEST RESULT message
to the serving MSC.

The HANDOFF MEASUREMENT REQUEST

RESULT message contains identities of candidate
cells and associated signal strength measurements.
z The serving MSC selects a target cell for the handoff.
z If the target cell is served by a candidate MSC, this
MSC becomes the target MSC for the handoff.
z The handoff procedure then moves from the location
phase to the handoff phase.
z

Handoff phase:
z

the serving MSC determines the type of handoff to

initiate (forward, back, or handoff to third).

Handoff Forward Protocol:

The serving MSC sends a FACILITIES DIRECTIVE
INVOKE message to the target MSC.
z This message contains:
z

information about the terminal (SCM, MIN, ESN)

information about the call:
billing ID (established by the anchor MSC at the beginning
of the call);
inter-MSC circuit (voice trunk that will carry the call from
the serving MSC to the target MSC);
inter-switch count (the total number of MSCs through which
the call will pass after the handoff);
information about the call status (serving cell, serving channel);
and
target cell identifier (based on measurement reports from the
get MSC).

If the target MSC accepts the handoff, it selects a channel

to handle the call in the new cell and then sends a
FACILITIES DIRECTIVE RESULT message to the serving
MSC.
z This message contains information about the new channel:
z

channel number, SAT, and transmit power level (VMAC).

On receiving this message, the serving MSC sends an

AMPS HANDOFF message to the terminal through the
serving cell.
z When the target base station detects the SAT, it sends a
message to the target MSC which completes the handoff
forward operation by sending a MOBILE ON CHANNEL
INVOKE message to the prior serving MSC.
z

Figure 4.11 Message sequence and system operations for handoff forward.

Figure 4.11 Message sequence and system operations for handoff forward.

Handoff Back Protocol:

If the location phase results in a determination by the
serving MSC(MSC-B) that the call would best be handled
in the system(system A) previously occupied by the
terminal, the serving MSC initiates a handoff back
procedure.
z It (MSC-B) sends a HANDOFF BACK INVOKE message
to the previous MSC (MSC-A), which is now the target
MSC of the handoff protocol.
z The message plays the same role as the FACILITIES
DIRECTIVE INVOKE message.
z The target MSC (MSC-A) sends HANDOFF BACK
RESULT message to the serving MSC (MSC-B).
z This message contains the same information as the
FACILITIES DIRECTIVE RESULT message.
z

When the target MSC(MSC-A) learns that the terminal has

arrived on the assigned channel at the target base station,
it sends a FACILITIES RELEASE INVOKE message to the
serving MSC (MSC-B).
z This message identifies the voice trunk that carries the call
between the two MSCs.
z On receiving this message, the serving MSC (MSC-B)
releases the voice trunk and sends a FACILITIES
RELEASE RESULT message to the target MSC.
z Any two MSCs in a chain can perform the handoff back
protocol.
z

Handoff to third Protocol:

z

Handoff to third protocol is an example of path

minimization procedure, in which the system reduces the
number of voice trunks carrying a call through three or
more systems.

Security

Security
z

GSM security is addressed in two aspects:

authentication and encryption.
z

Authentication avoids fraudulent access by a

cloned MS.
Encryption avoids unauthorized listening.

Parameters
z

Parameters:
z

Ki is used to achieve authentication.

z
z

RAND
z

z
z
z

Ki is stored in the AuC and SIM.

Ki is not known to the subscriber.
A 128-bit random number generated by the home
system.

SRES is generated by algorithm A3.

Kc is generated by algorithm A8 for the encryption.
Frame Number
z

A TDMA frame number encoded in the data bits.

Algorithms
z

Authentication Algorithms:
z

A3.
z
z

Authentication function.
In AuC and SIM

Encryption Algorithms:
z

A8.
z
z

To generate the encryption Key

In AuC and SIM

A5.
z

An algorithm stored in the MS (handset hardware) and

the visited system.
Used for the data ciphering and deciphering

Authentication and Encryption

Mobile Station

Home System
RAND

Ki
A8

Ki
A3

reject

A3

A8

No

SRES

Equal
?

SRES
Kc

Yes

authentication
encryption

accept
Visited
System

Kc

Data

A5

Ciphered Data

Frame
Number
A5

Data

Authentication by Triplet
z

Triplet: RAND, SRES, Kc

z

AuCHLRVLR in advance

Example: Authentication in registration

z
z
z

New VLR uses LAI to find old VLR.

Old VLR sends triplets to new VLR.
New VLR challenges MS by using RAND and
SRES.

Encryption
Mobile Station

Home System
RAND

Ki
A8

Ki
A3

reject

A3

A8

No

SRES

Equal
?

SRES
Kc

Yes

authentication
encryption

accept
Visited
System

Kc

Data

A5

Ciphered Data

Frame
Number
A5

Data

Summary
z

GSM Architecture
z
z

z
z
z
z

MS, BSS, NSS

Radio Interface

GSM Radio and Channels

Location Tracking
Hand Off
Security