
GSM Concepts

Telecommunications MSc in Software Development

Dr. D H Pesch, CIT, 2000

GSM Handover
Handover is the process of switching a radio connection from one BS to another in order to maintain seamless radio connection during mobile station movement
Handover in GSM is implemented as Mobile Assisted Handover (MAHO) and backward handover signalling
GSM handover is hard handover as the old radio link is released before the new radio link has been fully established due to non-synchronised BTSs

The overall handover process is implemented in the MS, BSS and MSC. Measurement of radio subsystem downlink performance and of signal levels received from surrounding cells is made in the MS. These measurements are signalled to the BSS for assessment. The BSS measures the uplink performance for the MS being served and also assesses the signal level of interference on its idle traffic channels. Initial assessment of the measurements in conjunction with defined thresholds and handover strategy may be performed in the BSS. Assessment requiring measurement results from other BTS or other information resident in the MSC may be performed in the MSC.


Handover Process
The handover process in GSM consists of the following four steps:
1. Measurements
2. Handover request
3. Handover decision
4. Handover execution

In any cellular mobile radio system handover is an essential part of radio link maintenance. In order to maintain a radio link while the mobile station moves, it is essential for the cellular system to be able to switch the radio link from one base station to another when the radio link quality with the existing base station drops below an acceptable level and/or the radio link quality with a target base station is better. The main input data into the handover process are radio link quality measurements taken by the mobile station and/or base station. The handover decision can be made in the mobile station, in the base station or somewhere else in the network. The GSM handover process is divided into four parts as indicated in the slide above. In a normal handover process, the handover request is generated by the BSC, and the handover decision and the actual handover are the responsibility of the MSC. Depending on the type of handover, functions 3 and 4 (see slide) can be implemented in the BSC.


Handover Criteria
Permanent data such as transmitter power of MS, BTS in supplying cell, BTSs in neighbour cells

Results of real-time measurements by MS
  downlink signal quality (gross bit-error-rate) - RXQUAL
  downlink receive signal level of current channel - RXLEV
  downlink receive signal level from neighbour cells (BCCHs)

Results of real-time measurements by BTS
  uplink signal quality (gross bit-error-rate) - RXQUAL
  uplink receive signal level of current channel - RXLEV
  uplink receive signal level from neighbour cells

Traffic-oriented aspects (cell capacity, no. of free channels, no. of new connections waiting for TCH)

Handover is initiated by the network based on radio subsystem criteria (RF level, quality, distance) as well as network directed criteria (e.g. current traffic loading per cell, maintenance requests, etc.). In order to determine if a handover is required, due to RF criteria, the MS shall take radio measurements from neighbouring cells. These measurements are reported to the serving cell on a regular basis. When a network determines a need for a handover the procedures given in GSM 08.08 are followed. Additionally, the handover decision by the network may take into account both the measurement results from the MS and network directed criteria. The same decision process is used to determine when to perform both the Intra-MSC and Inter-MSC handover in all the procedures described in the following.


Measurement Protocol
Measurements on current radio channel
  measurement of signal strength and link quality of slot in every frame (4.615ms measurement interval)
  100 samples per reporting period of 480ms
  reporting of average values once or twice per second (one or two 480ms SACCH blocks)

Measurement of channels in neighbour cells
  up to six neighbour cells are considered
  between UL and DL, MS has about 2.3ms interval for measurement of signal level from neighbour cells and 6.9ms interval to scan for neighbour cells' BCCH frequency
  MS can measure up to 100 signal level samples per 480ms divided between the 6 strongest neighbour cells


Measuring Neighbour Cell Signals


Measurement Parameters
Signal field strength (dBm)    RXLEV
< -110                         0
-110 to -109                   1
-109 to -108                   2
-108 to -107                   3
...                            ...
-51 to -50                     60
-50 to -49                     61
-49 to -48                     62
> -48                          63

Signal quality
Bit error [%]    Average [%]    RXQUAL
< 0.2            0.14           0
0.2 to 0.4       0.28           1
0.4 to 0.8       0.57           2
0.8 to 1.6       1.13           3
1.6 to 3.2       2.26           4
3.2 to 6.4       4.53           5
6.4 to 12.8      9.05           6
> 12.8           18.10          7

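Distance:

$$d_{TA} = \frac{TA \cdot c \cdot t_{bit}}{2} = \frac{TA \cdot 3 \cdot 10^{8}\,\mathrm{m/s} \cdot 3.69 \cdot 10^{-6}\,\mathrm{s}}{2} = TA \cdot 554\,\mathrm{m}$$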


Measurement Reports
Measurement reports transmitted periodically every 480ms interleaved over 4 SACCHs
Measurements
  Signal field strength from -110dBm to -48dBm (RXLEV) with relative accuracy of 1dB and absolute accuracy of 4dB (up to -70dBm) and 6dB
  Average calculated over SACCH multiframe (480ms)
  Measurement of RXLEV on the allocated TCH in every frame and at least one neighbour per TDMA frame
  Signal quality measured in BER before channel decoding (based on training sequence) and mapped onto RXQUAL levels with accuracy of 75% for RXQUAL=1 - 4 and 95% accuracy for RXQUAL=5 - 7
  Distance: absolute distance based on TA value with 0.5 bit accuracy provides about 1km spatial resolution (not too useful)


Measurement Result Message


Handover Decision
Handover decision and selection of target cell made by either BSC or MSC depending on measurements
BSC may decide to initiate handover itself by sending HND_CMD message to BTS or to report to MSC by sending HND_RQD that a handover is required
In case of BSC deciding to handover, MSC is informed with HND_PERF message


Handover Scenarios
Intra-BTS Handover
Intra-BSC Handover
Intra-MSC Handover
Inter-MSC Handover
Subsequent Handover


Transmitter Power Control


The purpose of power control is reduction of interference and increase in MS battery working time
Power control is mandatory for every MS, it is optional for a BTS
Depending on radio link quality, BSC requests adjustment of transmitter power for MS and BTS
Power adjustments are made over the SACCH every 480ms
Maximum power is Pn, BTS adjustments are made relative to Pn in 2dB steps over dynamic range of 30dB
BCCH is always transmitted at Pn
MS power settings are set in absolute values measured in dBm (relative to 1mW)


GSM MS Transmitter Power Levels


Code  GSM 900 (dBm)  GSM 1800 / PCS 1900 (dBm)    Code  GSM 900 (dBm)  GSM 1800 / PCS 1900 (dBm)
0     39             30                           10    11             0
1     39             28                           11    9              0
2     39             26                           12    7              0
3     37             24                           13    5              0
4     35             22                           14    5              0
5     33             20                           15    5              0
6     31             18                           16    5              0
7     29             16                           17    5              0
8     27             14                           18    5              0
9     25             12                           19    5              0
0A    23             10                           1A    5              0
0B    21             8                            1B    5              0
0C    19             6                            1C    5              0
0D    17             4                            1D    5              36
0E    15             2                            1E    5              34
0F    13             0                            1F    5              32


MS and BTS Power Classes


All values in W/dBm

Class       GSM900 MS  GSM900 BTS  GSM1800 MS  GSM1800 BTS  PCS1900 MS  PCS1900 BTS
1           -/-        320/55      1/30        20/43        1/30        20/43
2           8/39       160/52      0.25/24     10/40        0.25/24     10/40
3           5/37       80/49       4/36        5/37         2/33        5/37
4           2/33       40/46       -/-         2.5/34       -/-         2.5/34
5           0.8/29     20/43       -/-         -/-          -/-         -/-
6           -/-        10/40       -/-         -/-          -/-         -/-
7           -/-        5/37        -/-         -/-          -/-         -/-
8           -/-        2.5/34      -/-         -/-          -/-         -/-
Micro (M1)  -/-        0.25/24     -/-         1.6/32       -/-         0.5/27
Micro (M2)  -/-        0.08/19     -/-         0.5/27       -/-         0.16/22
Micro (M3)  -/-        0.03/14     -/-         0.16/22      -/-         0.05/17


Sample Algorithm (GSM 05.08) for Handover and Power Control


Averaging of measured values on UL and DL to reduce short-term fading effect.
Parameters
  HREQAVE: no. of reports averaged
  HREQT: no. of averaged values in HND_RQD message

Calculation of power budget


PBGT(n)=[min(MS_TXPWR_MAX, P) - RXLEV_DL - PWR_C_D] - [min(MS_TXPWR_MAX(n), P) - RXLEV_NCELL(n)]


Power Control Levels


Handover Decision Levels


GSM Handover Threshold Values


BSS Decision Algorithm


When threshold value comparison yields handover required send HND_RQD to MSC indicating conditions:
  RXLEV_NCELL(n) > RXLEV_MIN(n) + max(0, MS_TXPWR_MAX(n) - P)
  PBGT(n) > 0

Conditions must be met by neighbour cell to become target cell
Target cells are sorted by PBGT value and cell with highest PBGT is selected for handover
If handover is considered imperative, the list can also contain neighbour cells with PBGT(n) < 0.
If RXQUAL is low but RXLEV is fine, co-channel interference is high and intra-BTS handover is performed
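The target-cell selection described on this slide, using the PBGT formula from the sample-algorithm slide, as an added example that is not part of the original slides. The class and function names and all sample values are constructed; P is taken as the MS maximum power capability and PWR_C_D as the downlink power-control reduction (meanings from GSM 05.08, not stated on the slides), and ho_margin is a hypothetical parameter whose default of 0 reproduces the slide's PBGT(n) > 0 test.

```python
from dataclasses import dataclass

@dataclass
class Neighbour:
    name: str
    rxlev_ncell: float    # averaged RXLEV_NCELL(n), in dBm
    rxlev_min: float      # RXLEV_MIN(n), in dBm
    ms_txpwr_max: float   # MS_TXPWR_MAX(n), in dBm

@dataclass
class Serving:
    rxlev_dl: float       # averaged RXLEV_DL, in dBm
    ms_txpwr_max: float   # MS_TXPWR_MAX of the serving cell, in dBm
    pwr_c_d: float = 0.0  # PWR_C_D, in dB (assumed meaning, see lead-in)

def pbgt(s, n, p):
    """PBGT(n): power budget of neighbour n relative to the serving cell."""
    return (min(s.ms_txpwr_max, p) - s.rxlev_dl - s.pwr_c_d) - (
        min(n.ms_txpwr_max, p) - n.rxlev_ncell)

def target_cells(s, neighbours, p, imperative=False, ho_margin=0.0):
    """Return [(name, PBGT)] for valid target cells, highest PBGT first."""
    targets = []
    for n in neighbours:
        # Condition 1: level must exceed RXLEV_MIN(n), raised when the cell
        # allows more transmit power than the MS can deliver.
        if n.rxlev_ncell <= n.rxlev_min + max(0, n.ms_txpwr_max - p):
            continue
        budget = pbgt(s, n, p)
        # Condition 2: positive power budget, waived for imperative handover.
        if budget > ho_margin or imperative:
            targets.append((n.name, budget))
    return sorted(targets, key=lambda t: t[1], reverse=True)

# Constructed sample values, not measurements from the slides.
P = 33.0  # dBm, the GSM900 class 4 MS entry in the power class table
SERVING = Serving(rxlev_dl=-95.0, ms_txpwr_max=33.0)
NEIGHBOURS = [
    Neighbour("B", -92.0, -100.0, 33.0),
    Neighbour("A", -85.0, -100.0, 33.0),
    Neighbour("C", -98.0, -100.0, 33.0),  # negative power budget
    Neighbour("D", -97.0, -100.0, 39.0),  # fails the level condition
]

if __name__ == "__main__":
    print(target_cells(SERVING, NEIGHBOURS, P))
    print(target_cells(SERVING, NEIGHBOURS, P, imperative=True))
    print(target_cells(SERVING, NEIGHBOURS, P, ho_margin=5.0))
```

Raising ho_margin shortens the candidate list, which is the trade-off between ping-pong handover and delayed handover.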


GSM Power Budget Handover


MSC Decision Algorithm


MSC evaluates handover request based on criteria:
  Quality
  Signal level
  Distance
  Power budget

There is also provision for giving individual cells priority in order to distribute traffic load
during congestion situations in hierarchical cellular systems for handover between cell layers


Problems of GSM Handover


Ping-pong Effect
  HO_MARGIN = 5-10dB
  Large HO_MARGIN or averaging window to avoid ping-pong handover
  loss of power budget handover or delayed handover

Number of Handovers
  Due to complexity of handover protocol GSM tries to avoid unnecessary handovers
  Due to shadow fading variations, handover points are randomly distributed around the best point, which can cause a large number of handovers


Proposed Improvements
Handover considering evolution of signal strength
Handover utilising level crossing rate of received signals provides estimation of MS speed
MS speed and signal strength evolution can provide more reliable handover decision to avoid ping-pong effect
prediction based handover


Mobile Identifiers
GSM numbering follows the rules of ITU-T Rec. E.164 for ISDN numbering
MS numbers/identifiers
  MSISDN - Mobile Station ISDN Number
  IMSI - International Mobile Subscriber Identity
  MSRN - Mobile Station Roaming Number
  IMEI - International Mobile Equipment Identity
  TMSI - Temporary Mobile Subscriber Identity


Mobile Identifiers
MSISDN = CC + NDC + SN
  CC - Country Code
  NDC - National Destination Code
  SN - Subscriber Number
  14 - 15 digits (7 - 7.5 octets)

IMSI = MCC + MNC + MSIN
  MCC - Mobile Country Code, 3 digits
  MNC - Mobile Network Code, 2 digits
  MSIN - Mobile Subscriber Identification Number, 10 digits or less (5 octets)


Mobile Identifiers
MSRN = VCC + VNDC + SN
  VCC - Visitor Country Code, 3 digits
  VNDC - Visitor National Destination Code, 2 digits
  SN (VMSC + VSN), 10 digits or less (5 octets)
  VMSC = Visitor MSC

TMSI
  4 octets

IMEI = TAC + FAC + SNR + SP
  TAC - Type Approval Code, 6 digits
  FAC - Final Assembly Code, 2 digits
  SNR - Serial Number, 6 digits
  SP - Spare, 1 digit


Network Identifiers
Mobile Network Code (MNC)
Location Area Identity (LAI)
  MCC - Mobile Country Code, e.g. Ireland = 272
  MNC - Mobile Network Code, e.g. Eircell = 01
  LAC - Location Area Code (2 octets fixed code)

Routing Area Identity (RAI) - similar to LAI
Cell Identity (CI), 2 octets fixed length
Global Cell Identity = LAI + CI


Network Identities
Base Station Identity Code (BSIC)
6 bit number consisting of
  Network Colour Code - NCC, 3 bits
  Base Station Colour Code - BCC, 3 bits

allows MS to distinguish between neighbour base stations

Regional Subscription Zone Identifier (RSZI)


consists of CC, MNC, ZC (2 octets fixed size)


SIM Card
Microcontroller based smart card
MS = SIM + ME (mobile equipment)
SIM card personalises the mobile equipment
Two types of SIM
  credit card size - ISO SIM
  plug-in SIM (usually comes as an ISO from which it is popped out)

SIM architecture
  Controller + RAM of 256 - 512 Byte, will grow to 2KB (2000), several OS are in use
  ROM - 16 - 24kB (1997), will grow to 64kB (2000)
  EEPROM - 16kB (1997), will grow to 64KB (2000)
  I/O ports
SIM power and clock supplied by ME


SIM Card Types


SIM Card Data Organisation


SIM card data structured in Master File (MF) and Dedicated Files (DF)
Dedicated files, which are actually directories
  DFGSM - GSM related data
  DFTELECOM - telecommunication services related data

Elementary Files (EF) hold the actual data
  One record EF to hold IMSI for example
  Multiple record EF to hold phone book for example

SIM contains security features to protect data in EF


SIM Card Functions


SIM card holds user and network related data
SIM card is involved in GSM security
  holds the PIN
  computes SRES and Kc based on algorithms A3 and A8, which are stored in the SIM's ROM

SIM card holds data about subscriptions of services in EFSST (service table)
  SMS, Last Number Dialled, AoC, CB Message Identifier, Service provider name, etc

SIM card holds access level information EFACC, which determines access restriction to the network
Stores current location information
Holds account and charge information (for prepaid SIM card)


Example SIM Card Elementary Files


Location Management
GSM is a cellular system and as such divided into location areas to facilitate efficient paging
Location areas are identified by the LAI
LAI is broadcast within SYSTEM-INFO message on BCCH
Size of a location area depends on expected subscriber penetration and PCH capacity
Every time MS detects a change of LAI, that is the LAI temporarily stored in the SIM is different to LAI in SYSTEM_INFO message, location update is performed
Upon power up of the MS, a location registration procedure is performed of which the user is oblivious


GSM Security Management


Four basic security services provided by GSM
  Anonymity: TMSI assignment upon location registration/update
  Authentication
  Signalling data and user information protection through encryption
  SIM module identifying user and IMEI identifying ME independently

GSM algorithms for authentication and encryption are strictly confidential and not publicly available


Authentication
Authentication is required in every mobile radio system
  to establish the authenticity of a user/equipment
  establish whether the user is allowed to access the service

Authentication consists of a challenge and a response
  network provides a challenge in form of a random number RAND
  response SRES is derived based on algorithm A3 from challenge (RAND), authentication key Ki and IMSI
  MS replies to challenge by sending SRES back to network, which then compares MS's SRES with its own SRES


Generation of Authentication Challenge


Authentication Process


Encryption
Protecting analogue information against eavesdropping is not easy but digital transmission allows for excellent level of protection
Encryption is the process where a series of bits are transformed by mathematical or logical functions into another series of bits
GSM cipher algorithm A5/n uses a cipher key Kc that is generated during authentication process and stored in SIM
Kc is generated from RAND by algorithm A8 driven by Ki
Kc is 64 bits in length
Ciphering is periodic based on TDMA frame number (periodic with length of hyper frame)
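The challenge-response exchange from the Authentication slide together with the Kc derivation described on this slide, as an added example that is not part of the original slides. Because the slides state that A3 and A8 are confidential, HMAC-SHA-256 is used as a labelled stand-in; the class names, the sample IMSI and Ki, and the 128-bit RAND/Ki and 32-bit SRES sizes are assumptions not taken from the slides.

```python
import hashlib
import hmac
import secrets

def a3_a8_standin(ki: bytes, rand: bytes):
    """Stand-in for A3/A8 (HMAC-SHA-256), not the real GSM algorithms."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # SRES (32 bits), Kc (64 bits)

class Sim:
    """Holds Ki; only SRES and Kc are ever returned to the mobile equipment."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8_standin(self._ki, rand)

class Network:
    """Network side: finds Ki by IMSI, issues RAND, checks the returned SRES."""
    def __init__(self, subscribers: dict):
        self._ki_by_imsi = dict(subscribers)

    def authenticate(self, sim: Sim, rand: bytes = None):
        ki = self._ki_by_imsi.get(sim.imsi)
        if ki is None:
            return False, None                 # unknown subscriber
        if rand is None:
            rand = secrets.token_bytes(16)     # fresh challenge per attempt
        expected_sres, kc = a3_a8_standin(ki, rand)
        sres, _kc_on_sim = sim.run_gsm_algorithm(rand)  # only SRES is sent back
        if hmac.compare_digest(sres, expected_sres):
            return True, kc                    # Kc then keys A5/n on both sides
        return False, None

# Constructed sample subscriber: MCC 272 and MNC 01 as on the page, made-up MSIN.
IMSI = "272011234567890"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
NETWORK = Network({IMSI: KI})
GENUINE = Sim(IMSI, KI)
CLONE_WRONG_KI = Sim(IMSI, bytes(16))  # right IMSI, but not the real Ki

if __name__ == "__main__":
    print(NETWORK.authenticate(GENUINE))         # (True, <8-byte Kc>)
    print(NETWORK.authenticate(CLONE_WRONG_KI))  # (False, None)
```

Ki never crosses the radio interface in either direction, so knowing a subscriber's IMSI alone does not produce a valid SRES.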


Encryption Process
