
GSM

GSM networks are based on digital signals and are more advanced than analogue cellular networks. GSM, CDMA and DCS1800, for example, are digital cellular networks. GSM is one of the main wireless access systems in today's fast-growing communication systems. GSM service started to be developed by Europeans in 1991. In the same year GSM was renamed from Groupe Spécial Mobile to Global System for Mobile Communication. GSM has spread past the boundaries of Europe and is now operational in over 200 countries around the world. In Pakistan, four competitors operate in this industry: Mobilink, Ufone, Paktel and Instafone. GSM is recognized as one of the second-generation wireless networks with worldwide success. GSM is very similar to IS-136, except that it is not tied to the 30 kHz AMPS bands; it uses 200 kHz bands.

KEY FEATURES OF GSM:
1: International roaming
2: Superior speech quality
3: High level of security
4: New services
5: Digital convenience
6: Digital compatibility
7: Universal and inexpensive mobile handsets

FREQUENCY ALLOCATION FOR GSM:
GSM-900: 890-915 MHz (uplink), 933-960 MHz (downlink)
GSM-1800: 1710-1785 MHz (uplink), 1805-1880 MHz (downlink)
GSM-1900: 1850-1910 MHz (uplink), 1930-1990 MHz (downlink)

GSM ARCHITECTURE:
The GSM system architecture can be divided into three main parts: the mobile station, the base station and the network subsystem. Every GSM mobile phone has a Subscriber Identity Module (SIM), which provides the mobile phone with a unique identity.

CONCLUSION:
The GSM standard was digital from the beginning. Now, GSM provides GPRS to its operators and users to support high data rate services. With the advancement of the World Wide Web, the Internet has grown faster than the current wireless technology can support. With the continued globalization of telecommunication standards, GSM is converging with other wireless technologies to better position its network for the evolution of 3G wireless networks.

Overview of the Global System for Mobile Communications

Table of Contents

1. History of GSM
2. Services provided by GSM
3. Architecture of the GSM network
   3.1. Mobile Station
   3.2. Base Station Subsystem
   3.3. Network Subsystem
4. Radio link aspects
   4.1. Multiple access and channel structure
      4.1.1. Traffic channels
      4.1.2. Control channels
      4.1.3. Burst structure
   4.2. Speech coding
   4.3. Channel coding and modulation
   4.4. Multipath equalization
   4.5. Frequency hopping
   4.6. Discontinuous transmission
   4.7. Discontinuous reception
   4.8. Power control
5. Network aspects
   5.1. Radio resources management
      5.1.1. Handover
   5.2. Mobility management
      5.2.1. Location updating
      5.2.2. Authentication and security
   5.3. Communication management
      5.3.1. Call routing
6. Conclusion and comments

History of GSM
During the early 1980s, analog cellular telephone systems were experiencing rapid growth in Europe, particularly in Scandinavia and the United Kingdom, but also in France and Germany. Each country developed its own system, which was incompatible with everyone else's in equipment and operation. This was an undesirable situation, because not only was the mobile equipment limited to operation within national boundaries, which in a unified Europe were increasingly unimportant, but there was also a very limited market for each type of equipment, so economies of scale and the subsequent savings could not be realized. The Europeans realized this early on, and in 1982 the Conference of European Posts and Telegraphs (CEPT) formed a study group called the Groupe Spécial Mobile (GSM) to study and develop a pan-European public land mobile system. The proposed system had to meet certain criteria:

Good subjective speech quality
Low terminal and service cost
Support for international roaming
Ability to support handheld terminals
Support for range of new services and facilities
Spectral efficiency
ISDN compatibility

In 1989, GSM responsibility was transferred to the European Telecommunication Standards Institute (ETSI), and phase I of the GSM specifications was published in 1990. Commercial service was started in mid-1991, and by 1993 there were 36 GSM networks in 22 countries [6].

Although standardized in Europe, GSM is not only a European standard. Over 200 GSM networks (including DCS1800 and PCS1900) are operational in 110 countries around the world. In the beginning of 1994, there were 1.3 million subscribers worldwide [18], which had grown to more than 55 million by October 1997. With North America making a delayed entry into the GSM field with a derivative of GSM called PCS1900, GSM systems exist on every continent, and the acronym GSM now aptly stands for Global System for Mobile communications.

The developers of GSM chose an unproven (at the time) digital system, as opposed to the then-standard analog cellular systems like AMPS in the United States and TACS in the United Kingdom. They had faith that advancements in compression algorithms and digital signal processors would allow the fulfillment of the original criteria and the continual improvement of the system in terms of quality and cost. The over 8000 pages of GSM recommendations try to allow flexibility and competitive innovation among suppliers, but provide enough standardization to guarantee proper interworking between the components of the system. This is done by providing functional and interface descriptions for each of the functional entities defined in the system.

Services provided by GSM


From the beginning, the planners of GSM wanted ISDN compatibility in terms of the services offered and the control signalling used. However, radio transmission limitations, in terms of bandwidth and cost, do not allow the standard ISDN B-channel bit rate of 64 kbps to be practically achieved. Using the ITU-T definitions, telecommunication services can be divided into bearer services, teleservices, and supplementary services. The most basic teleservice supported by GSM is telephony. As with all other communications, speech is digitally encoded and transmitted through the GSM network as a digital stream. There is also an emergency service, where the nearest emergency-service provider is notified by dialing three digits (similar to 911). A variety of data services is offered. GSM users can send and receive data, at rates up to 9600 bps, to users on POTS (Plain Old Telephone Service), ISDN, Packet Switched Public Data Networks, and Circuit Switched Public Data Networks using a variety of access methods and protocols, such as X.25 or X.32. Since GSM is a digital network, a modem is not required between the user and GSM network, although an audio modem is required inside the GSM network to interwork with POTS. Other data services include Group 3 facsimile, as described in ITU-T recommendation T.30, which is supported by use of an appropriate fax adaptor. A unique feature of GSM, not found in older analog systems, is the Short Message Service (SMS). SMS is a bidirectional service for short alphanumeric (up to 160 bytes) messages. Messages are transported in a store-and-forward fashion. For point-to-point SMS, a message can be sent to another subscriber to the service, and an acknowledgement of receipt is provided to the sender. SMS can also be used in a cell-broadcast mode, for sending messages such as traffic updates or news updates. Messages can also be stored in the SIM card for later retrieval [2]. 
Supplementary services are provided on top of teleservices or bearer services. In the current (Phase I) specifications, they include several forms of call forward (such as call forwarding when the mobile subscriber is unreachable by the network), and call barring of outgoing or incoming calls, for example when roaming in another country. Many additional supplementary services will be provided in the Phase 2 specifications, such as caller identification, call waiting, multi-party conversations.

Architecture of the GSM network


A GSM network is composed of several functional entities, whose functions and interfaces are specified. Figure 1 shows the layout of a generic GSM network. The GSM network can be divided into three broad parts. The Mobile Station is carried by the subscriber. The Base Station Subsystem controls the radio link with the Mobile Station. The Network Subsystem, the main part of which is the Mobile services Switching Center (MSC), performs the switching of calls between the mobile users, and between mobile and fixed network users. The MSC also handles the mobility management operations. Not shown is the Operations and Maintenance Center, which oversees the proper operation and setup of the network. The Mobile Station and the Base Station Subsystem communicate across the Um interface, also known as the air interface or radio link. The Base Station Subsystem communicates with the Mobile services Switching Center across the A interface.

Figure 1. General architecture of a GSM network

The GSM system, and its sibling systems operating at 1.8 GHz (called DCS1800) and 1.9 GHz (called GSM1900 or PCS1900, and operating in North America), are a first approach at a true personal communication system. The SIM card is a novel approach that implements personal mobility in addition to terminal mobility. Together with international roaming, and support for a variety of services such as telephony, data transfer, fax, Short Message Service, and supplementary services, GSM comes close to fulfilling the requirements for a personal communication system: close enough that it is being used as a basis for the next generation of mobile communication technology in Europe, the Universal Mobile Telecommunication System (UMTS).

Another point where GSM has shown its commitment to openness, standards and interoperability is the compatibility with the Integrated Services Digital Network (ISDN) that is evolving in most industrialized countries, and Europe in particular (the so-called Euro-ISDN). GSM is also the first system to make extensive use of the Intelligent Networking concept, in which services like 800 numbers are concentrated and handled from a few centralized service centers, instead of being distributed over every switch in the country. This is the concept behind the use of the various registers such as the HLR. In addition, the signalling between these functional entities uses Signalling System Number 7, an international standard already deployed in many countries and specified as the backbone signalling network for ISDN.

GSM is a very complex standard, but that is probably the price that must be paid to achieve the level of integrated service and quality offered while subject to the rather severe restrictions imposed by the radio environment.

The GSM group proposed the following criteria for the new mobile wireless system:

good speech quality
low cost for terminals and service
international roaming
handheld terminals
support for introduction of new services
spectral efficiency
compatibility with Integrated Digital Services Network (ISDN)

GSM uses a combination of both the time division multiple access (TDMA) and frequency division multiple access (FDMA) technologies. With this combination, more channels of communications are available, and all channels are digital. The GSM service is available in four frequency bands:

450-MHz: Upgrade of older analog cellular systems in Scandinavia
900-MHz: Original band used everywhere except North America and most of South America
1800-MHz: New band to increase capacity and competition, used everywhere except North America and most of South America
1900-MHz: Personal communications service band used in North America and much of South America

The higher frequency bands provide additional capacity and higher subscriber densities. One of the unique benefits of GSM service is its capability for international roaming because of the roaming agreements established between the various GSM operators worldwide.

GSM Technology Differentiator

One of the advantages of GSM is that it offers a subscriber identity module (SIM), also known as a smart card. The smart card contains a computer chip and some non-volatile memory and is inserted into a slot in the base of the mobile handset. The memory on the smart card holds information about the subscriber that enables a wireless network to provide subscriber services. The information includes:

The subscriber's identity number
The telephone number
The original network to which the subscriber is subscribed

A smart card can be moved from one handset to another. A handset reads the information off the smart card and transmits it to the network.

GSM Network Elements

A GSM network consists of the following network components:

Mobile station (MS)
Base transceiver station (BTS)
Base station controller (BSC)
Base station subsystem (BSS)
Mobile switching center (MSC)
Authentication center (AuC)
Home location register (HLR)
Visitor location register (VLR)

Base Transceiver Station

When a subscriber uses the MS to make a call in the network, the MS transmits the call request to the base transceiver station (BTS). The BTS includes all the radio equipment (i.e., antennas, signal processing devices, and amplifiers) necessary for radio transmission within a geographical area called a cell. The BTS is responsible for establishing the link to the MS and for modulating and demodulating radio signals between the MS and the BTS.

Base Station Controller

The base station controller (BSC) is the controlling component of the radio network, and it manages the BTSs. The BSC reserves radio frequencies for communications and handles the handoff between BTSs when an MS roams from one cell to another. The BSC is responsible for paging the MS for incoming calls.

Base Station Subsystem

A GSM network is comprised of many base station subsystems (BSSs), each controlled by a BSC. The BSS performs the necessary functions for monitoring radio connections to the MS, coding and decoding voice, and rate adaptation to and from the wireless network. A BSS can contain several BTSs.

Mobile Switching Center

The mobile switching center (MSC) is a digital ISDN switch that sets up connections to other MSCs and to the BSCs. The MSCs form the wired (fixed) backbone of a GSM network and can switch calls to the public switched telecommunications network (PSTN). An MSC can connect to a large number of BSCs.

Equipment Identity Register

The equipment identity register (EIR) is a database that stores the international mobile equipment identities (IMEIs) of all the mobile stations in the network. The IMEI is an equipment identifier assigned by the manufacturer of the mobile station. The EIR provides security features such as blocking calls from handsets that have been stolen.

Home Location Register

The home location register (HLR) is the central database for all users to register to the GSM network. It stores static information about the subscribers such as the international mobile subscriber identity (IMSI), subscribed services, and a key for authenticating the subscriber. The HLR also stores dynamic subscriber information (i.e., the current location of the mobile subscriber).

Visitor Location Register

The visitor location register (VLR) is a distributed database that temporarily stores information about the mobile stations that are active in the geographic area for which the VLR is responsible. A VLR is associated with each MSC in the network. When a new subscriber roams into a location area, the VLR is responsible for copying subscriber information from the HLR to its local database. This relationship between the VLR and HLR avoids frequent HLR database updates and long distance signaling of the user information, allowing faster access to subscriber information.

The HLR, VLR, and AuC comprise the management databases that support roaming (including international roaming) in the GSM network. These databases authenticate calls while GSM subscribers roam between the private network and the public land mobile network (PLMN). The types of information they store include subscriber identities, current location area, and subscription levels.

Network and Switching Subsystem

The network and switching subsystem (NSS) is the heart of the GSM system. It connects the wireless network to the standard wired network. It is responsible for the handoff of calls from one BSS to another and performs services such as charging, accounting, and roaming. Figure 2-1 shows a GSM network and the network elements it contains.
Figure 2-1 GSM Network Elements

GSM Interfaces

The GSM uses various interfaces for communication among its network elements. Figure 2-2 shows these interfaces.

Figure 2-2 GSM Interfaces

Mobile wireless communication occurs over the interfaces between the network elements in a sequential manner. In Figure 2-2, the MS transmits to the BTS, the BTS to the BSC, and the BSC to the MSC. Communications also occur over the interfaces to the management databases (HLR, VLR, AuC, and EIR). Communications might traverse multiple MSCs but ultimately must reach the gateway MSC (GMSC). The GMSC provides the gateway to the public switched telephone network (PSTN). A separate interface exists between each pair of elements, and each interface requires its own set of protocols.

In the BSS block, mobile communication occurs over the air interface to the BTS using the ISDN Link Access Procedure-D mobile (LAP-Dm). This traffic channel carries speech and data. In this example, voice operates at full-rate 13 kbps (supported by LAP-Dm), and data operates at full-rate 9.6 kbps. The BTS communicates to the BSC over the Abis interface using the ISDN LAPD signaling protocol. The BSC communicates to the GMSC via the transcoder rate adapter unit (TRAU), which translates between 16 kbps on the BTS side to 64 kbps on the GMSC side. This interface uses the signaling system 7 (SS7) protocol, which defines call set-up and call services across the interface.

At the NSS, the GMSC is the central node. Link-level traffic and signaling control occur over the interface between the GMSC and MSC and the interface to the external network (PSTN, ISDN or PDN). Different signaling protocols are used on the interfaces. Some NSS interfaces involve only control signaling protocols with no traffic. For example, no traffic is generated on the interfaces between the GMSC, HLR, and VLR. Instead, these interfaces carry only signaling using the Mobile Application Part (MAP) of the SS7 protocol. The MAP is specified in IS-41 and defines the application layer, signaling protocols, and procedures for registering mobile users and handling handoffs between cellular systems. The GMSC establishes call traffic (at 64 kbps) onto the PSTN via the ISDN user part (ISUP), which is an SS7-based protocol. The GMSC and MSC exchange traffic (over LAP-D at 64 kbps) and use SS7 (MAP and ISUP) control.

GSM Data Services

GSM networks handle both voice and data traffic requirements of the mobile communication by providing two modes of operation:

Circuit switched (high-speed circuit switched data)
Packet switched (GPRS)

Circuit switching provides the customer with a dedicated channel all the way to the destination. The customer has exclusive use of the circuit for the duration of the call, and is charged for the duration of the call. With packet switching, the operator assigns one or more dedicated channels specifically for shared use. These channels are up and running 24 hours a day, and when you need to transfer data, you access a channel and transmit your data. Packet switching is more efficient than circuit switching. The standard data rate of a GSM channel is 22.8 kbps.

Traffic channels

A traffic channel (TCH) is used to carry speech and data traffic. Traffic channels are defined using a 26-frame multiframe, or group of 26 TDMA frames. The length of a 26-frame multiframe is 120 ms, which is how the length of a burst period is defined (120 ms divided by 26 frames divided by 8 burst periods per frame). Out of the 26 frames, 24 are used for traffic, 1 is used for the Slow Associated Control Channel (SACCH) and 1 is currently unused (see Figure 2). TCHs for the uplink and downlink are separated in time by 3 burst periods, so that the mobile station does not have to transmit and receive simultaneously, thus simplifying the electronics.

In addition to these full-rate TCHs, there are also half-rate TCHs defined, although they are not yet implemented. Half-rate TCHs will effectively double the capacity of a system once half-rate speech coders are specified (i.e., speech coding at around 7 kbps, instead of 13 kbps). Eighth-rate TCHs are also specified, and are used for signalling. In the recommendations, they are called Stand-alone Dedicated Control Channels (SDCCH).

Figure 2. Organization of bursts, TDMA frames, and multiframes for speech and data

Control channels

Common channels can be accessed both by idle mode and dedicated mode mobiles. The common channels are used by idle mode mobiles to exchange the signalling information required to change to dedicated mode. Mobiles already in dedicated mode monitor the surrounding base stations for handover and other information. The common channels are defined within a 51-frame multiframe, so that dedicated mobiles using the 26-frame multiframe TCH structure can still monitor control channels. The common channels include:

Broadcast Control Channel (BCCH): Continually broadcasts, on the downlink, information including base station identity, frequency allocations, and frequency-hopping sequences.
Frequency Correction Channel (FCCH) and Synchronisation Channel (SCH): Used to synchronise the mobile to the time slot structure of a cell by defining the boundaries of burst periods, and the time slot numbering. Every cell in a GSM network broadcasts exactly one FCCH and one SCH, which are by definition on time slot number 0 (within a TDMA frame).
Random Access Channel (RACH): Slotted Aloha channel used by the mobile to request access to the network.
Paging Channel (PCH): Used to alert the mobile station of an incoming call.
Access Grant Channel (AGCH): Used to allocate an SDCCH to a mobile for signalling (in order to obtain a dedicated channel), following a request on the RACH.

Burst structure

There are four different types of bursts used for transmission in GSM [16]. The normal burst is used to carry data and most signalling. It has a total length of 156.25 bits, made up of two 57 bit information blocks, a 26 bit training sequence used for equalization, 1 stealing bit for each information block (used for FACCH), 3 tail bits at each end, and an 8.25 bit guard sequence, as shown in Figure 2. The 156.25 bits are transmitted in 0.577 ms, giving a gross bit rate of 270.833 kbps. The F burst, used on the FCCH, and the S burst, used on the SCH, have the same length as a normal burst, but a different internal structure, which differentiates them from normal bursts (thus allowing synchronization). The access burst is shorter than the normal burst, and is used only on the RACH.

Speech coding
GSM is a digital system, so speech, which is inherently analog, has to be digitized. The method employed by ISDN, and by current telephone systems for multiplexing voice lines over high speed trunks and optical fiber lines, is Pulse Coded Modulation (PCM). The output stream from PCM is 64 kbps, too high a rate to be feasible over a radio link. The 64 kbps signal, although simple to implement, contains much redundancy. The GSM group studied several speech coding algorithms on the basis of subjective speech quality and complexity (which is related to cost, processing delay, and power consumption once implemented) before arriving at the choice of a Regular Pulse Excited -- Linear Predictive Coder (RPE--LPC) with a Long Term Predictor loop. Basically, information from previous samples, which does not change very quickly, is used to predict the current sample. The coefficients of the linear combination of the previous samples, plus an encoded form of the residual, the difference between the predicted and actual sample, represent the signal. Speech is divided into 20 millisecond samples, each of which is encoded as 260 bits, giving a total bit rate of 13 kbps. This is the so-called Full-Rate speech coding. Recently, an Enhanced Full-Rate (EFR) speech coding algorithm has been implemented by some North American GSM1900 operators. This is said to provide improved speech quality using the existing 13 kbps bit rate.

Channel coding and modulation

Because of natural and man-made electromagnetic interference, the encoded speech or data signal transmitted over the radio interface must be protected from errors. GSM uses convolutional encoding and block interleaving to achieve this protection. The exact algorithms used differ for speech and for different data rates. The method used for speech blocks will be described below. Recall that the speech codec produces a 260 bit block for every 20 ms speech sample. From subjective testing, it was found that some bits of this block were more important for perceived speech quality than others. The bits are thus divided into three classes:

Class Ia: 50 bits - most sensitive to bit errors
Class Ib: 132 bits - moderately sensitive to bit errors
Class II: 78 bits - least sensitive to bit errors

Class Ia bits have a 3 bit Cyclic Redundancy Code added for error detection. If an error is detected, the frame is judged too damaged to be comprehensible and it is discarded. It is replaced by a slightly attenuated version of the previous correctly received frame. These 53 bits, together with the 132 Class Ib bits and a 4 bit tail sequence (a total of 189 bits), are input into a 1/2 rate convolutional encoder of constraint length 4. Each input bit is encoded as two output bits, based on a combination of the previous 4 input bits. The convolutional encoder thus outputs 378 bits, to which are added the 78 remaining Class II bits, which are unprotected. Thus every 20 ms speech sample is encoded as 456 bits, giving a bit rate of 22.8 kbps. To further protect against the burst errors common to the radio interface, each sample is interleaved. The 456 bits output by the convolutional encoder are divided into 8 blocks of 57 bits, and these blocks are transmitted in eight consecutive time-slot bursts. Since each time-slot burst can carry two 57 bit blocks, each burst carries traffic from two different speech samples. Recall that each time-slot burst is transmitted at a gross bit rate of 270.833 kbps. This digital signal is modulated onto the analog carrier frequency using Gaussian-filtered Minimum Shift Keying (GMSK). GMSK was selected over other modulation schemes as a compromise between spectral efficiency, complexity of the transmitter, and limited spurious emissions. The complexity of the transmitter is related to power consumption, which should be minimized for the mobile station. The spurious radio emissions, outside of the allotted bandwidth, must be strictly controlled so as to limit adjacent channel interference, and allow for the co-existence of GSM and the older analog systems (at least for the time being).
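
The bit budget described above for one 20 ms speech frame, worked through as an added example that is not part of the original document. The generator polynomials are the GSM 05.03 full-rate ones rather than anything stated on this page; the bit ordering and interleaving are simplified to the order the text describes, and all function names are illustrative.

```python
# Added example, not from the original document. Generator polynomials are the
# GSM 05.03 full-rate ones; bit order and interleaving are simplified to the
# order the text describes (assumption); function names are illustrative.
import random

CLASS_IA, CLASS_IB, CLASS_II, TAIL = 50, 132, 78, 4
CRC_GEN = (1, 0, 1, 1)  # x^3 + x + 1, most significant coefficient first


def poly_mod(bits, gen=CRC_GEN):
    """Remainder of the GF(2) polynomial `bits` divided by `gen`."""
    work = list(bits)
    n = len(gen) - 1
    for i in range(len(work) - n):
        if work[i]:
            for j, g in enumerate(gen):
                work[i + j] ^= g
    return work[-n:]


def crc3(class_ia):
    """Three parity bits over Class Ia; the inverted remainder is sent."""
    return [b ^ 1 for b in poly_mod(list(class_ia) + [0, 0, 0])]


def crc_ok(class_ia, parity):
    """Receiver check: an undamaged Class Ia + parity word leaves remainder 111."""
    return poly_mod(list(class_ia) + list(parity)) == [1, 1, 1]


def conv_encode(u):
    """Rate 1/2 code over the current and previous 4 input bits.

    G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4; the register starts at zero.
    """
    padded = [0, 0, 0, 0] + list(u)
    out = []
    for k in range(len(u)):
        d4, d3, _d2, d1, cur = padded[k:k + 5]
        out.append(cur ^ d3 ^ d4)
        out.append(cur ^ d1 ^ d3 ^ d4)
    return out


def encode_frame(speech):
    """260 speech bits -> 456 coded bits (Ia + CRC + Ib + tail coded, II raw)."""
    speech = list(speech)
    if len(speech) != CLASS_IA + CLASS_IB + CLASS_II:
        raise ValueError("a full-rate speech frame is 260 bits")
    ia = speech[:CLASS_IA]
    ib = speech[CLASS_IA:CLASS_IA + CLASS_IB]
    ii = speech[CLASS_IA + CLASS_IB:]
    protected = ia + crc3(ia) + ib + [0] * TAIL   # 53 + 132 + 4 = 189 bits
    return conv_encode(protected) + ii            # 378 + 78 = 456 bits


def sub_blocks(coded):
    """Split 456 bits into 8 blocks of 57; block b takes bits b, b+8, b+16, ..."""
    return [coded[b::8] for b in range(8)]


def map_to_bursts(frames):
    """Spread each frame's 8 blocks over 8 consecutive bursts, 2 blocks per burst.

    Burst 4n+j carries block j of frame n and block 4+j of frame n-1, so every
    burst holds bits from two different speech frames. Returns (first_half,
    second_half) tuples; None marks a half that has no data yet.
    """
    bursts = [[None, None] for _ in range(4 * len(frames) + 4)]
    for n, frame in enumerate(frames):
        blocks = sub_blocks(frame)
        for j in range(4):
            bursts[4 * n + j][0] = blocks[j]
            bursts[4 * n + 4 + j][1] = blocks[4 + j]
    return [tuple(b) for b in bursts]


def erased_positions(burst_index, frame_index):
    """Coded-bit positions of one frame that vanish when one burst is lost."""
    block = burst_index - 4 * frame_index
    if not 0 <= block < 8:
        return []
    return list(range(block, 456, 8))


if __name__ == "__main__":
    rng = random.Random(1)                          # constructed sample input
    frame = [rng.randint(0, 1) for _ in range(260)]
    coded = encode_frame(frame)
    print(len(coded), "bits per 20 ms =", len(coded) / 0.020 / 1000, "kbps")
    print("burst 5 lost, frame 1 loses bits", erased_positions(5, 1)[:4], "...")
```

Losing one burst removes every eighth coded bit from two frames instead of 57 adjacent bits from one, which is what lets the convolutional code recover from the burst errors the text mentions.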

Multipath equalization
At the 900 MHz range, radio waves bounce off everything - buildings, hills, cars, airplanes, etc. Thus many reflected signals, each with a different phase, can reach an antenna. Equalization is used to extract the desired signal from the unwanted reflections. It works by finding out how a known transmitted signal is modified by multipath fading, and constructing an inverse filter to extract the rest of the desired signal. This known signal is the 26-bit training sequence transmitted in the middle of every time-slot burst. The actual implementation of the equalizer is not specified in the GSM specifications.

Frequency hopping
The mobile station already has to be frequency agile, meaning it can move between a transmit, receive, and monitor time slot within one TDMA frame, which normally are on different frequencies. GSM makes use of this inherent frequency agility to implement slow frequency hopping, where the mobile and BTS transmit each TDMA frame on a different carrier frequency. The frequency hopping algorithm is broadcast on the Broadcast Control Channel. Since multipath fading is dependent on carrier frequency, slow frequency hopping helps alleviate the problem. In addition, co-channel interference is in effect randomized.

Discontinuous transmission
Minimizing co-channel interference is a goal in any cellular system, since it allows better service for a given cell size, or the use of smaller cells, thus increasing the overall capacity of the system. Discontinuous transmission (DTX) is a method that takes advantage of the fact that a person speaks less than 40 percent of the time in normal conversation [22], by turning the transmitter off during silence periods. An added benefit of DTX is that power is conserved at the mobile unit. The most important component of DTX is, of course, Voice Activity Detection. It must distinguish between voice and noise inputs, a task that is not as trivial as it appears, considering background noise. If a voice signal is misinterpreted as noise, the transmitter is turned off and a very annoying effect called clipping is heard at the receiving end. If, on the other hand, noise is misinterpreted as a voice signal too often, the efficiency of DTX is dramatically decreased. Another factor to consider is that when the transmitter is turned off, there is total silence heard at the receiving end, due to the digital nature of GSM. To assure the receiver that the connection is not dead, comfort noise is created at the receiving end by trying to match the characteristics of the transmitting end's background noise.

Discontinuous reception
Another method used to conserve power at the mobile station is discontinuous reception. The paging channel, used by the base station to signal an incoming call, is structured into sub-channels. Each mobile station needs to listen only to its own sub-channel. In the time between successive paging sub-channels, the mobile can go into sleep mode, when almost no power is used.

Power control

There are five classes of mobile stations defined, according to their peak transmitter power, rated at 20, 8, 5, 2, and 0.8 watts. To minimize co-channel interference and to conserve power, both the mobiles and the Base Transceiver Stations operate at the lowest power level that will maintain an acceptable signal quality. Power levels can be stepped up or down in steps of 2 dB from the peak power for the class down to a minimum of 13 dBm (20 milliwatts). The mobile station measures the signal strength or signal quality (based on the Bit Error Ratio), and passes the information to the Base Station Controller, which ultimately decides if and when the power level should be changed. Power control should be handled carefully, since there is the possibility of instability. This arises from having mobiles in co-channel cells alternately increase their power in response to increased co-channel interference caused by the other mobile increasing its power. This is unlikely to occur in practice, but it is (or was as of 1991) under study.

Network aspects
Ensuring the transmission of voice or data of a given quality over the radio link is only part of the function of a cellular mobile network. A GSM mobile can seamlessly roam nationally and internationally, which requires that registration, authentication, call routing and location updating functions exist and are standardized in GSM networks. In addition, the fact that the geographical area covered by the network is divided into cells necessitates the implementation of a handover mechanism. These functions are performed by the Network Subsystem, mainly using the Mobile Application Part (MAP) built on top of the Signalling System No. 7 protocol.

Figure 3. Signalling protocol structure in GSM

The signalling protocol in GSM is structured into three general layers [1], [19], depending on the interface, as shown in Figure 3. Layer 1 is the physical layer, which uses the channel structures discussed above over the air interface. Layer 2 is the data link layer. Across the Um interface, the data link layer is a modified version of the LAPD protocol used in ISDN, called LAPDm. Across the A interface, the Message Transfer Part layer 2 of Signalling System Number 7 is used. Layer 3 of the GSM signalling protocol is itself divided into 3 sublayers:

Radio Resources Management: Controls the setup, maintenance, and termination of radio and fixed channels, including handovers.
Mobility Management: Manages the location updating and registration procedures, as well as security and authentication.
Connection Management: Handles general call control, similar to CCITT Recommendation Q.931, and manages Supplementary Services and the Short Message Service.

Signalling between the different entities in the fixed part of the network, such as between the HLR and VLR, is accomplished through the Mobile Application Part (MAP). MAP is built on top of the Transaction Capabilities Application Part (TCAP), the top layer of Signalling System Number 7. The specification of the MAP is quite complex, and at over 500 pages, it is one of the longest documents in the GSM recommendations [16].

Radio resources management


The radio resources management (RR) layer oversees the establishment of a link, both radio and fixed, between the mobile station and the MSC. The main functional components involved are the mobile station, and the Base Station Subsystem, as well as the MSC. The RR layer is concerned with the management of an RR-session [16], which is the time that a mobile is in dedicated mode, as well as the configuration of radio channels including the allocation of dedicated channels. An RR-session is always initiated by a mobile station through the access procedure, either for an outgoing call, or in response to a paging message. The details of the access and paging procedures, such as when a dedicated channel is actually assigned to the mobile, and the paging sub-channel structure, are handled in the RR layer. In addition, it handles the management of radio features such as power control, discontinuous transmission and reception, and timing advance.

Handover
In a cellular network, the radio and fixed links required are not permanently allocated for the duration of a call. Handover, or handoff as it is called in North America, is the switching of an on-going call to a different channel or cell. The execution and measurements required for handover form one of the basic functions of the RR layer. There are four different types of handover in the GSM system, which involve transferring a call between:

Channels (time slots) in the same cell,
Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
Cells under the control of different MSCs.

The first two types of handover, called internal handovers, involve only one Base Station Controller (BSC). To save signalling bandwidth, they are managed by the BSC without involving the Mobile services Switching Center (MSC), except to notify it at the completion of the handover. The last two types of handover, called external handovers, are handled by the MSCs involved. An important aspect of GSM is that the original MSC, the anchor MSC, remains responsible for most call-related functions, with the exception of subsequent inter-BSC handovers under the control of the new MSC, called the relay MSC.

Handovers can be initiated by either the mobile or the MSC (as a means of traffic load balancing). During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength. This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

The algorithm for when a handover decision should be taken is not specified in the GSM recommendations. There are two basic algorithms used, both closely tied in with power control. This is because the BSC usually does not know whether the poor signal quality is due to multipath fading or to the mobile having moved to another cell. This is especially true in small urban cells.

The 'minimum acceptable performance' algorithm [3] gives precedence to power control over handover, so that when the signal degrades beyond a certain point, the power level of the mobile is increased. If further power increases do not improve the signal, then a handover is considered. This is the simpler and more common method, but it creates 'smeared' cell boundaries when a mobile transmitting at peak power goes some distance beyond its original cell boundaries into another cell.
The 'power budget' method [3] uses handover to try to maintain or improve a certain level of signal quality at the same or lower power level. It thus gives precedence to handover over power control. It avoids the 'smeared' cell boundary problem and reduces co-channel interference, but it is quite complicated.

Mobility management
The Mobility Management layer (MM) is built on top of the RR layer, and handles the functions that arise from the mobility of the subscriber, as well as the authentication and security aspects. Location management is concerned with the procedures that enable the system to know the current location of a powered-on mobile station so that incoming call routing can be completed.

Location updating
A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell. One extreme would be to page every cell in the network for each call, which is obviously a waste of radio bandwidth. The other extreme would be for the mobile to notify the system, via location updating messages, of its current location at the individual cell level. This would require paging messages to be sent to exactly one cell, but would be very wasteful due to the large number of location updating messages. A compromise solution used in GSM is to group cells into location areas. Updating messages are required when moving between location areas, and mobile stations are paged in the cells of their current location area.

The location updating procedures, and subsequent call routing, use the MSC and two location registers: the Home Location Register (HLR) and the Visitor Location Register (VLR). When a mobile station is switched on in a new location area, or it moves to a new location area or different operator's PLMN, it must register with the network to indicate its current location. In the normal case, a location update message is sent to the new MSC/VLR, which records the location area information, and then sends the location information to the subscriber's HLR. The information sent to the HLR is normally the SS7 address of the new VLR, although it may be a routing number. The reason a routing number is not normally assigned, even though it would reduce signalling, is that there is only a limited number of routing numbers available in the new MSC/VLR and they are allocated on demand for incoming calls. If the subscriber is entitled to service, the HLR sends a subset of the subscriber information, needed for call control, to the new MSC/VLR, and sends a message to the old MSC/VLR to cancel the old registration.

For reliability reasons, GSM also has a periodic location updating procedure. If an HLR or MSC/VLR fails, to have each mobile register simultaneously to bring the database up to date would cause overloading. Therefore, the database is updated as location updating events occur. The enabling of periodic updating, and the time period between periodic updates, is controlled by the operator, and is a trade-off between signalling traffic and speed of recovery. If a mobile does not register after the updating time period, it is deregistered.

A procedure related to location updating is the IMSI attach and detach. A detach lets the network know that the mobile station is unreachable, and avoids having to needlessly allocate channels and send paging messages. An attach is similar to a location update, and informs the system that the mobile is reachable again. The activation of IMSI attach/detach is up to the operator on an individual cell basis.

AUC
The AUC is basically just a database full of confidential subscriber information attached to the back of the HLR. It's located in a "secure place" and the data is stored in "coded" form (sounds like encryption to me). The AUC is responsible for controlling the rights of usage of the network services, i.e. phone calls, data, internet, etc... The AUC allows the Network Operator (Cingular, AT&T) to know "unambiguously" who is on the network for billing purposes. The AUC also protects the user from fraud (somehow ...) and contains the secret information necessary to handle authentication and encryption.

Authentication with the network
Authentication on the network works as follows. First the mobile terminal is asked to perform a computation on a random number supplied by the system using a secret key stored on the SIM card. The system does this calculation internally, and compares the outputs. Both the algorithm and key are stored in secure formats.

More detailed authentication ...
When a terminal connects to the network, a RNG gives it a number N which is encrypted with a secret personal key Kp. The resulting number is encrypted with an algorithm called A3 and transmitted back to the network and compared. The subscriber then generates a session key for encryption using the algorithm A8. The encryption algorithm A5 is used to encrypt each packet. After the subscriber is verified, the encryption of radio packets is handled by a different algorithm, called A5 (A3 is used during subscriber verification). The encryption key is supplied during authentication, using some key agreement scheme and each packet is also encrypted using a changing IV of some variety, which appears to be a packet number. I do not think either of these algorithms are officially public (LINKS?).

Encryption and Security
There are 3 main algorithms used in GSM. Each of these algorithms is a trade secret and only released to people who the GSM committee determines have a need-to-know.

Name | Use | Basics
A3 | Authentication | None
A5 | Encryption/Decryption Algorithm for packet encryption | 3 Sparsely loopedback LFSRs in the original version, lots of variants
A8 | Cipher Key Generator | Basically a one way function

A5 is a stream algorithm and is reset for each packet with the original key plus some key frame number. Ross Anderson in [1] suggests that A5/1 has an equivalent key strength of about 40 bits. Code? No?
#include <stdio.h>

/* The three shift registers: 19, 22 and 23 bits long. */
typedef struct {
    unsigned long r1, r2, r3;
} a5_ctx;

/* Clock control. Looks at the middle bit of each register and returns 0
 * when at least two of them are set, 1 otherwise. */
static int threshold(unsigned long r1, unsigned long r2, unsigned long r3)
{
    int total;

    total = (((r1 >>  9) & 0x1) == 1) +
            (((r2 >> 11) & 0x1) == 1) +
            (((r3 >> 11) & 0x1) == 1);
    if (total > 1)
        return (0);
    else
        return (1);
}

/* Each clock_rN steps its register only when the register's middle bit
 * agrees with the majority reported by threshold(). */
unsigned long clock_r1(int ctl, unsigned long r1)
{
    unsigned long feedback;

    ctl ^= ((r1 >> 9) & 0x1);
    if (ctl) {
        feedback = (r1 >> 18) ^ (r1 >> 17) ^ (r1 >> 16) ^ (r1 >> 13);
        r1 = (r1 << 1) & 0x7ffff;
        if (feedback & 0x01)
            r1 ^= 0x01;
    }
    return (r1);
}

unsigned long clock_r2(int ctl, unsigned long r2)
{
    unsigned long feedback;

    ctl ^= ((r2 >> 11) & 0x1);
    if (ctl) {
        feedback = (r2 >> 21) ^ (r2 >> 20) ^ (r2 >> 16) ^ (r2 >> 12);
        r2 = (r2 << 1) & 0x3fffff;
        if (feedback & 0x01)
            r2 ^= 0x01;
    }
    return (r2);
}

unsigned long clock_r3(int ctl, unsigned long r3)
{
    unsigned long feedback;

    ctl ^= ((r3 >> 11) & 0x1);
    if (ctl) {
        feedback = (r3 >> 22) ^ (r3 >> 21) ^ (r3 >> 18) ^ (r3 >> 17);
        r3 = (r3 << 1) & 0x7fffff;
        if (feedback & 0x01)
            r3 ^= 0x01;
    }
    return (r3);
}

/* Generate both 114-bit key streams for one frame.
 * alice and bob must each point to at least 15 bytes. */
int keystream(unsigned char *key,    /* 64 bit session key */
              unsigned long frame,   /* 22 bit frame sequence number */
              unsigned char *alice,  /* 114 bit Alice to Bob key stream */
              unsigned char *bob)    /* 114 bit Bob to Alice key stream */
{
    unsigned long r1;    /* 19 bit shift register */
    unsigned long r2;    /* 22 bit shift register */
    unsigned long r3;    /* 23 bit shift register */
    int i;               /* counter for loops */
    int clock_ctl;       /* xored with clock enable on each shift register */
    unsigned char *ptr;  /* current position in keystream */
    unsigned char byte;  /* byte of keystream being assembled */
    unsigned int bits;   /* number of bits of keystream in byte */
    unsigned int bit;    /* bit output from keystream generator */

    /* Initialise shift registers from session key */
    r1 = (key[0] | (key[1] << 8) | (key[2] << 16)) & 0x7ffff;
    r2 = ((key[2] >> 3) | (key[3] << 5) | (key[4] << 13) | (key[5] << 21)) & 0x3fffff;
    r3 = ((key[5] >> 1) | (key[6] << 7) | (key[7] << 15)) & 0x7fffff;

    /* Merge frame sequence number into shift register state, by xor'ing it
     * into the feedback path. The clock control is computed over all three
     * registers (r1, r2, r3). */
    for (i = 0; i < 22; i++) {
        clock_ctl = threshold(r1, r2, r3);
        r1 = clock_r1(clock_ctl, r1);
        r2 = clock_r2(clock_ctl, r2);
        r3 = clock_r3(clock_ctl, r3);
        if (frame & 1) {
            r1 ^= 1;
            r2 ^= 1;
            r3 ^= 1;
        }
        frame = frame >> 1;
    }

    /* Run shift registers for 100 clock ticks to allow frame number to
     * be diffused into all the bits of the shift registers */
    for (i = 0; i < 100; i++) {
        clock_ctl = threshold(r1, r2, r3);
        r1 = clock_r1(clock_ctl, r1);
        r2 = clock_r2(clock_ctl, r2);
        r3 = clock_r3(clock_ctl, r3);
    }

    /* Produce 114 bits of Alice->Bob key stream */
    ptr = alice;
    bits = 0;
    byte = 0;
    for (i = 0; i < 114; i++) {
        clock_ctl = threshold(r1, r2, r3);
        r1 = clock_r1(clock_ctl, r1);
        r2 = clock_r2(clock_ctl, r2);
        r3 = clock_r3(clock_ctl, r3);
        bit = ((r1 >> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01;
        byte = (byte << 1) | bit;
        bits++;
        if (bits == 8) {
            *ptr = byte;
            ptr++;
            bits = 0;
            byte = 0;
        }
    }
    if (bits)
        *ptr = byte;

    /* Run shift registers for another 100 bits to hide relationship between
     * Alice->Bob key stream and Bob->Alice key stream. */
    for (i = 0; i < 100; i++) {
        clock_ctl = threshold(r1, r2, r3);
        r1 = clock_r1(clock_ctl, r1);
        r2 = clock_r2(clock_ctl, r2);
        r3 = clock_r3(clock_ctl, r3);
    }

    /* Produce 114 bits of Bob->Alice key stream */
    ptr = bob;
    bits = 0;
    byte = 0;
    for (i = 0; i < 114; i++) {
        clock_ctl = threshold(r1, r2, r3);
        r1 = clock_r1(clock_ctl, r1);
        r2 = clock_r2(clock_ctl, r2);
        r3 = clock_r3(clock_ctl, r3);
        bit = ((r1 >> 18) ^ (r2 >> 21) ^ (r3 >> 22)) & 0x01;
        byte = (byte << 1) | bit;
        bits++;
        if (bits == 8) {
            *ptr = byte;
            ptr++;
            bits = 0;
            byte = 0;
        }
    }
    if (bits)
        *ptr = byte;

    return (0);
}

/* Load the 64 bit key into the three registers, masked to their lengths. */
void a5_key(a5_ctx *c, unsigned char *k)
{
    c->r1 = (k[0]<<11 | k[1]<<3 | k[2]>>5) & 0x7ffff;            /* 19 */
    c->r2 = (k[2]<<17 | k[3]<<9 | k[4]<<1 | k[5]>>7) & 0x3fffff; /* 22 */
    c->r3 = (k[5]<<15 | k[6]<<8 | k[7]) & 0x7fffff;              /* 23 */
}

/* Step one bit in A5, return 0 or 1 as output bit. */
int a5_step(a5_ctx *c)
{
    int control;

    control = threshold(c->r1, c->r2, c->r3);
    c->r1 = clock_r1(control, c->r1);
    c->r2 = clock_r2(control, c->r2);
    c->r3 = clock_r3(control, c->r3);
    return ((c->r1 ^ c->r2 ^ c->r3) & 1);
}

/* Encrypts a buffer of len bytes. */
void a5_encrypt(a5_ctx *c, char *data, int len)
{
    int i, j;
    char t = 0;

    for (i = 0; i < len; i++) {
        for (j = 0; j < 8; j++)
            t = t<<1 | a5_step(c);
        data[i] ^= t;
    }
}

/* Decryption is the same keystream XOR as encryption. */
void a5_decrypt(a5_ctx *c, char *data, int len)
{
    a5_encrypt(c, data, len);
}

int main(void)
{
    a5_ctx c;
    char data[100];
    unsigned char key[] = {1,2,3,4,5,6,7,8};
    int i, flag;

    for (i = 0; i < 100; i++)
        data[i] = i;

    a5_key(&c, key);
    a5_encrypt(&c, data, 100);

    /* Re-key, then decrypt in two calls to show the stream carries over. */
    a5_key(&c, key);
    a5_decrypt(&c, data, 1);
    a5_decrypt(&c, data+1, 99);

    flag = 0;
    for (i = 0; i < 100; i++)
        if (data[i] != i)
            flag = 1;
    if (flag)
        printf("Decrypt failed\n");
    else
        printf("Decrypt succeeded\n");
    return 0;
}

I haven't had time to look at this code yet, but it looks interesting ... maybe it's A5? Who knows. Keep going. A3 is another "secret" algorithm; an algorithm called COMP128 is used for this and A8. COMP128 takes a key and a random number and produces the answer to verify the subscriber during authentication as well as the key to start encrypting the packets with. At the same time! What a deal! The signed response is 32 bits, and the encryption key is 54 (64 with the last 10 bits = 0).
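The challenge-response exchange described above, as an added example that is not part of the original page: HMAC-SHA256 stands in for COMP128, which the page names but does not list, and the class names, the IMSI and the secret keys are constructed for illustration. It keeps the page's figures: a 32-bit signed response and a 64-bit key whose last 10 bits are zero.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

RESPONSE_LEN = 4     # 32-bit signed response, as stated on the page
KEY_LEN = 8          # 64-bit encryption key, as stated on the page
KEY_ZERO_BITS = 10   # the page: the last 10 bits of that key are 0


def a3a8_standin(secret_key: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Return (signed response, session key) from one keyed one-way call.

    Assumption: HMAC-SHA256 stands in for COMP128, which the page names
    but does not list.
    """
    digest = hmac.new(secret_key, rand, hashlib.sha256).digest()
    response = digest[:RESPONSE_LEN]
    key = int.from_bytes(digest[RESPONSE_LEN:RESPONSE_LEN + KEY_LEN], "big")
    key &= ~((1 << KEY_ZERO_BITS) - 1)        # clear the last 10 bits
    return response, key.to_bytes(KEY_LEN, "big")


def effective_key_bits() -> int:
    """Bits of the session key that still vary once 10 are fixed at 0."""
    return KEY_LEN * 8 - KEY_ZERO_BITS


class Sim:
    """Subscriber side: the secret key stays on the card."""
    def __init__(self, imsi: str, secret_key: bytes) -> None:
        self.imsi = imsi
        self._secret_key = secret_key

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3a8_standin(self._secret_key, rand)


class AuthCentre:
    """Network side (AUC): holds each subscriber's key, checks responses."""
    def __init__(self, subscribers: Dict[str, bytes]) -> None:
        self._keys = dict(subscribers)
        self._pending: Dict[str, Tuple[bytes, bytes]] = {}

    def challenge(self, imsi: str) -> bytes:
        rand = secrets.token_bytes(16)        # fresh random number per attempt
        self._pending[imsi] = a3a8_standin(self._keys[imsi], rand)
        return rand

    def verify(self, imsi: str, response: bytes) -> Optional[bytes]:
        """Return the session key if the response matches, else None."""
        expected = self._pending.pop(imsi, None)   # a challenge is single-use
        if expected is None:
            return None
        expected_response, session_key = expected
        ok = hmac.compare_digest(response, expected_response)
        return session_key if ok else None


def run_exchange(auc: AuthCentre, sim: Sim) -> Optional[bytes]:
    """Only the random number and the response cross the radio link."""
    rand = auc.challenge(sim.imsi)                 # network -> mobile
    response, key_on_sim = sim.respond(rand)       # mobile -> network
    key_on_network = auc.verify(sim.imsi, response)
    if key_on_network is not None:
        assert key_on_network == key_on_sim        # both ends hold the same key
    return key_on_network


def demo() -> dict:
    imsi = "001010000000001"                       # constructed test IMSI
    secret_key = bytes(range(16))                  # constructed secret key
    auc = AuthCentre({imsi: secret_key})
    genuine = Sim(imsi, secret_key)
    wrong_key = Sim(imsi, bytes(16))               # same IMSI, different key

    session_key = run_exchange(auc, genuine)

    # A response recorded from an earlier exchange does not answer a new
    # random number, because the network draws a fresh one every time.
    recorded, _ = genuine.respond(auc.challenge(imsi))
    auc.verify(imsi, recorded)                     # earlier exchange completes
    auc.challenge(imsi)                            # new attempt, new number
    replay_accepted = auc.verify(imsi, recorded) is not None

    return {
        "session_key": session_key,
        "low_bits": int.from_bytes(session_key, "big") & 0x3FF,
        "wrong_key_accepted": run_exchange(auc, wrong_key) is not None,
        "replay_accepted": replay_accepted,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```

The zeroed bits are why the page counts the key as 54 rather than 64: `effective_key_bits()` returns the number of bits that still vary.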

Communication management
The Communication Management layer (CM) is responsible for Call Control (CC), supplementary service management, and short message service management. Each of these may be considered as a separate sublayer within the CM layer. Call control attempts to follow the ISDN procedures specified in Q.931, although routing to a roaming mobile subscriber is obviously unique to GSM. Other functions of the CC sublayer include call establishment, selection of the type of service (including alternating between services during a call), and call release.

Call routing

Unlike routing in the fixed network, where a terminal is semi-permanently wired to a central office, a GSM user can roam nationally and even internationally. The directory number dialed to reach a mobile subscriber is called the Mobile Subscriber ISDN (MSISDN), which is defined by the E.164 numbering plan. This number includes a country code and a National Destination Code which identifies the subscriber's operator. The first few digits of the remaining subscriber number may identify the subscriber's HLR within the home PLMN.

An incoming mobile terminating call is directed to the Gateway MSC (GMSC) function. The GMSC is basically a switch which is able to interrogate the subscriber's HLR to obtain routing information, and thus contains a table linking MSISDNs to their corresponding HLR. A simplification is to have a GMSC handle one specific PLMN. It should be noted that the GMSC function is distinct from the MSC function, but is usually implemented in an MSC.

The routing information that is returned to the GMSC is the Mobile Station Roaming Number (MSRN), which is also defined by the E.164 numbering plan. MSRNs are related to the geographical numbering plan, and not assigned to subscribers, nor are they visible to subscribers.

The most general routing procedure begins with the GMSC querying the called subscriber's HLR for an MSRN. The HLR typically stores only the SS7 address of the subscriber's current VLR, and does not have the MSRN (see the location updating section). The HLR must therefore query the subscriber's current VLR, which will temporarily allocate an MSRN from its pool for the call. This MSRN is returned to the HLR and back to the GMSC, which can then route the call to the new MSC. At the new MSC, the IMSI corresponding to the MSRN is looked up, and the mobile is paged in its current location area (see Figure 4).

Figure 4. Call routing for a mobile terminating call
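The location-updating and mobile-terminating call-routing procedures described above, as an added model that is not part of the original paper: the class names, SS7 addresses, MSRN pools and subscriber numbers are constructed for illustration, and the search for the MSC that lent an MSRN stands in for E.164 routing.

```python
from typing import Dict, List, Optional, Tuple


class Hlr:
    """Home register: subscriber data plus the address of the current VLR."""
    def __init__(self, network: Dict[str, "MscVlr"]) -> None:
        self.network = network                  # SS7 address -> MSC/VLR
        self.imsi_of: Dict[str, str] = {}       # MSISDN -> IMSI
        self.entitled: Dict[str, bool] = {}     # IMSI -> may use service
        self.vlr_of: Dict[str, str] = {}        # IMSI -> SS7 address of VLR

    def add_subscriber(self, msisdn: str, imsi: str,
                       entitled: bool = True) -> None:
        self.imsi_of[msisdn] = imsi
        self.entitled[imsi] = entitled

    def update_location(self, imsi: str, new_vlr: str) -> bool:
        if not self.entitled.get(imsi, False):
            return False
        old_vlr = self.vlr_of.get(imsi)
        self.vlr_of[imsi] = new_vlr
        if old_vlr is not None and old_vlr != new_vlr:
            self.network[old_vlr].cancel(imsi)  # cancel the old registration
        return True

    def request_msrn(self, msisdn: str) -> Optional[str]:
        """The HLR stores no MSRN; it asks the current VLR to lend one."""
        imsi = self.imsi_of.get(msisdn)
        vlr = self.vlr_of.get(imsi) if imsi is not None else None
        return self.network[vlr].allocate_msrn(imsi) if vlr is not None else None


class MscVlr:
    """Visited MSC/VLR: location areas of visitors and a small MSRN pool."""
    def __init__(self, address: str, msrn_pool: List[str], network: dict) -> None:
        self.address = address
        self.area_of: Dict[str, str] = {}       # IMSI -> location area
        self.free_msrns = list(msrn_pool)       # limited, lent per call
        self.lent: Dict[str, str] = {}          # MSRN -> IMSI
        network[address] = self

    def location_update(self, imsi: str, area: str, hlr: Hlr) -> bool:
        # The HLR is only told when the subscriber is new to this VLR.
        if imsi not in self.area_of and not hlr.update_location(imsi, self.address):
            return False
        self.area_of[imsi] = area
        return True

    def cancel(self, imsi: str) -> None:
        self.area_of.pop(imsi, None)

    def allocate_msrn(self, imsi: str) -> Optional[str]:
        if imsi not in self.area_of or not self.free_msrns:
            return None
        msrn = self.free_msrns.pop(0)
        self.lent[msrn] = imsi
        return msrn

    def accept_call(self, msrn: str) -> Optional[Tuple[str, str]]:
        """Map the MSRN back to the IMSI, free it, return (IMSI, area paged)."""
        imsi = self.lent.pop(msrn, None)
        if imsi is None:
            return None
        self.free_msrns.append(msrn)
        area = self.area_of.get(imsi)
        return (imsi, area) if area is not None else None


def route_incoming_call(msisdn: str, hlr: Hlr) -> Optional[Tuple[str, str, str]]:
    """GMSC function: returns (serving MSC, IMSI, location area paged)."""
    msrn = hlr.request_msrn(msisdn)
    # Stand-in for E.164 routing on the MSRN: find the MSC that lent it.
    for msc in hlr.network.values():
        if msrn is not None and msrn in msc.lent:
            paged = msc.accept_call(msrn)
            return (msc.address,) + paged if paged else None
    return None


def demo() -> dict:
    network: Dict[str, MscVlr] = {}
    hlr = Hlr(network)
    imsi, msisdn = "001010000000001", "+1-555-0100"     # constructed values
    hlr.add_subscriber(msisdn, imsi)
    msc_a = MscVlr("ss7:msc-a", ["msrn-a-1", "msrn-a-2"], network)
    msc_b = MscVlr("ss7:msc-b", ["msrn-b-1"], network)
    msc_a.location_update(imsi, "LA-7", hlr)
    first = route_incoming_call(msisdn, hlr)
    msc_b.location_update(imsi, "LA-2", hlr)            # roams to MSC B
    second = route_incoming_call(msisdn, hlr)
    return {"first": first, "second": second,
            "still_registered_at_a": imsi in msc_a.area_of,
            "b_pool_after_call": list(msc_b.free_msrns)}


if __name__ == "__main__":
    print(demo())
```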

Conclusion and comments


In this paper I have tried to give an overview of the GSM system. As with any overview, and especially one covering a standard 6000 pages long, there are many details missing. I believe, however, that I gave the general flavor of GSM and the philosophy behind its design. It was a monumental task that the original GSM committee undertook, and one that has proven a success, showing that international cooperation on such projects between academia, industry, and government can succeed. It is a standard that ensures interoperability without stifling competition and innovation among suppliers, to the benefit of the public both in terms of cost and service quality. For example, by using Very Large Scale Integration (VLSI) microprocessor technology, many functions of the mobile station can be built on one chipset, resulting in lighter, more compact, and more energy-efficient terminals.

Telecommunications are evolving towards personal communication networks, whose objective can be stated as the availability of all communication services anytime, anywhere, to anyone, by a single identity number and a pocketable communication terminal [25]. Having a multitude of incompatible systems throughout the world moves us farther away from this ideal. The economies of scale created by a unified system are enough to justify its implementation, not to mention the convenience to people of carrying just one communication terminal anywhere they go, regardless of national boundaries.

General Packet Radio Service
The general packet radio system (GPRS) provides packet radio access for mobile Global System for Mobile Communications (GSM) and time-division multiple access (TDMA) users. In addition to providing new services for today's mobile user, GPRS is important as a migration step toward third-generation (3G) networks.
GPRS allows network operators to implement an IP-based core architecture for data applications, which will continue to be used and expanded for 3G services for integrated voice and data applications. The GPRS specifications are written by the European Telecommunications Standard Institute (ETSI), the European counterpart of the American National Standard Institute (ANSI). GPRS is the first step toward an end-to-end wireless infrastructure and has the following goals:

Open architecture
Consistent IP services
Same infrastructure for different air interfaces
Integrated telephony and Internet infrastructure
Leverage industry investment in IP
Service innovation independent of infrastructure

Benefits of GPRS
The GPRS provides the following benefits:
Overlays on the existing GSM network to provide high-speed data service
Always on, reducing the time spent setting up and taking down connections
Designed to support bursty applications such as e-mail, traffic telematics, telemetry, broadcast services, and web browsing that do not require a dedicated connection.

By implementing Cisco GPRS products and related solutions, mobile service providers can optimize their networks to deploy high quality mobile voice and data services. They can also benefit from new operating efficiencies, peer-to-peer IP-based architecture for scalability, and IP standard interfaces to billing and customer support.

GPRS Applications
GPRS enables a variety of new and unique services to the mobile wireless subscriber. These mobile services have unique characteristics that provide enhanced value to customers. These characteristics include the following:
Mobility: The ability to maintain constant voice and data communications while on the move
Immediacy: Allows subscribers to obtain connectivity when needed, regardless of location and without a lengthy login session
Localization: Allows subscribers to obtain information relevant to their current location

The combination of these characteristics provides a wide spectrum of possible applications that can be offered to mobile subscribers. The core network components offered by Cisco enable seamless access to these applications, whether they reside in the service provider's network or the public Internet. In general, applications can be separated into two high-level categories: corporate and consumer. These include:
Communications: E-mail; fax; unified messaging; intranet/Internet access
Value-added services: Information services; games
E-commerce: Retail; ticket purchasing; banking; financial trading
Location-based applications: Navigation; traffic conditions; airline/rail schedules; location finder
Vertical applications: Freight delivery; fleet management; sales-force automation
Advertising

Communications
Communications applications include those in which it appears to users that they are using the mobile communications network as a pipeline to access messages or information. This differs from those applications in which users believe that they are accessing a service provided or forwarded by the network operator.

Intranet Access
The first stage of enabling users to maintain contact with their offices is through access to e-mail, fax, and voice mail using unified messaging systems. Increasingly, files and data on corporate networks are becoming accessible through corporate intranets. These intranets can be protected through firewalls by enabling secure tunnels or virtual private networks (VPNs).

Internet Access
As a critical mass of users is approached, more and more applications aimed at general consumers are being placed on the Internet. The Internet is becoming an effective tool for accessing corporate data and manipulating product and service information. More recently, companies are using the Internet as an environment for conducting business through e-commerce.

Email and Fax
E-mail on mobile networks may take one of two forms. E-mail can be sent to a mobile user directly or the user can have an e-mail account maintained by the network operator or their Internet service provider (ISP). In the latter case, a notification is forwarded to the mobile terminal and includes the first few lines of the e-mail, details of the sender, the date and time, and the subject. Fax attachments can also accompany e-mails.

Unified Messaging
Unified messaging provides a single mailbox for all messages, including voice mail, faxes, e-mail, short message service (SMS), and pager messages. Unified messaging systems allow for a variety of access methods to recover messages of different types.

Value Added Services

Value-added services refer to the content provided by network operators to increase the value of services to their subscribers. Two terms that are frequently used to describe delivery of data applications are push and pull, as defined below.
Push describes the transmission of data at a predetermined time or under predetermined conditions. It also refers to the unsolicited supply of advertising (for example, delivery of news as it occurs or stock values when they fall below a preset value).
Pull describes the request for data in real time by the user (for example, checking stock quotes or daily news headlines).

To be valuable to subscribers, this content must possess several characteristics:
Personalized information that is tailored to the user (for example, a stock ticker that focusses on key quotes and news or an e-commerce application that knows a user's profile)
Localized content that is based on a user's current location and includes maps, hotel finders, or restaurant reviews
Menu screens that are intuitive and easy to navigate
Security for e-commerce sites for the exchange of financial or other personal information

Several value-added services are outlined in the following sections.

E-commerce
E-commerce is defined as business conducted on the Internet or data service. This includes applications in which a contract is established for the purchase of goods and services and online banking applications. These applications require user authentication and secure transmission of sensitive data over the data connection.

Banking
The banking industry is interested in promoting electronic banking because electronic transactions are less costly to conduct than personal transactions in a bank. Specific banking functions that can be accomplished over a wireless connection include balance checking, money transfers between accounts, bill payment, and overdraft alert.

Financial Trading
The immediacy of transactions over the Internet and the requirement for up-to-the-minute information has made the purchasing of stocks online a popular application. By coupling push services with the ability to make secure transactions from the mobile terminal, a service that is unique to the mobile environment can be provided.

Location-Based Services and Telematics
Location-based services provide the ability to link push or pull information services with a user's location. Examples include hotel and restaurant finders, roadside assistance, and city-specific news and information. This technology also has vertical applications. These allow, for example, tracking vehicles in a fleet or managing the operations of a large workforce.

Vertical Applications
In the mobile environment, vertical applications apply to systems using mobile architectures to support the specific tasks within a company. Examples of vertical applications include:
Sales support: Configuring stock and product information for sales staff, integrating appointment details, and placing orders remotely
Dispatching: Communicating job details such as location and scheduling and permitting information queries to support the job
Fleet management: Controlling a fleet of delivery or service staff and vehicle, monitoring their locations, and scheduling their work
Parcel delivery: Tracking the locations of packages for customers and monitoring the performance of the delivery system

Advertising
Advertising services are offered as a push information service. Advertising may be offered to customers to subsidize the cost of voice or other information services. Advertising may be location sensitive. For example, a user entering a mall can receive advertisements specific to the stores in that mall.

GPRS Architecture
GPRS is a data network that overlays a second-generation GSM network. This data overlay network provides packet data transport at rates from 9.6 to 171 kbps. Additionally, multiple users can share the same air-interface resources simultaneously. GPRS attempts to reuse the existing GSM network elements as much as possible, but to effectively build a packet-based mobile cellular network, some new network elements, interfaces, and protocols for handling packet traffic are required. Therefore, GPRS requires modifications to numerous network elements as summarized in Table 2-1 and shown in Figure 2-3.

Table 2-1 GPRS Network Elements

GSM Network Element | Modification or Upgrade Required for GPRS
Terminal Equipment (TE) | New terminal equipment is required to access GPRS services. These new terminals will be backward compatible with GSM for voice calls.
BTS | A software upgrade is required in the existing base transceiver site.
BSC | The base station controller (BSC) requires a software upgrade and the installation of new hardware called the packet control unit (PCU). The PCU directs the data traffic to the GPRS network and can be a separate hardware element associated with the BSC.
GPRS Support Nodes (GSNs) | The deployment of GPRS requires the installation of new core network elements called the serving GPRS support node (SGSN) and gateway GPRS support node (GGSN).
Databases (HLR, VLR, etc.) | All the databases involved in the network will require software upgrades to handle the new call models and functions introduced by GPRS.

Figure 2-3 GPRS Reference Architecture

GPRS Subscriber Terminals
New terminals are required because existing GSM phones do not handle the enhanced air interface or packet data. A variety of terminals can exist, including a high-speed version of current phones to support high-speed data access, a new PDA device with an embedded GSM phone, and PC cards for laptop computers. These terminals are backward compatible for making voice calls using GSM.

GPRS Base Station Subsystem
Each BSC requires the installation of one or more PCUs and a software upgrade. The PCU provides a physical and logical data interface to the base station subsystem (BSS) for packet data traffic. The BTS can also require a software upgrade but typically does not require hardware enhancements. When either voice or data traffic is originated at the subscriber terminal, it is transported over the air interface to the BTS, and from the BTS to the BSC in the same way as a standard GSM call. However, at the output of the BSC, the traffic is separated; voice is sent to the mobile switching center (MSC) per standard GSM, and data is sent to a new device called the SGSN via the PCU over a Frame Relay interface.

GPRS Support Nodes
In the core network, the existing MSCs are based on circuit-switched central-office technology and cannot handle packet traffic. Two new components, called GPRS support nodes (GSNs), are added:
Serving GPRS support node (SGSN)
Gateway GPRS support node (GGSN)

Serving GPRS Support Node
The SGSN delivers packets to mobile stations (MSs) within its service area. SGSNs send queries to home location registers (HLRs) to obtain profile data of GPRS subscribers. SGSNs detect new GPRS MSs in a given service area, process registration of new mobile subscribers, and keep records of their locations inside a predefined area. The SGSN performs mobility management functions such as handing off a roaming subscriber from the equipment in one cell to the equipment in another. The SGSN is connected to the base station subsystem through a Frame Relay connection to the PCU in the BSC.

Gateway GPRS Support Node
GGSNs are used as interfaces to external IP networks such as the public Internet, other mobile service providers' GPRS services, or enterprise intranets. GGSNs maintain routing information that is necessary to tunnel the protocol data units (PDUs) to the SGSNs that service particular MSs. Other functions include network and subscriber screening and address mapping. One or more GGSNs can be provided to support multiple SGSNs. More detailed descriptions of the SGSN and GGSN are provided in a later section.

GPRS Terminals
The term terminal equipment is generally used to refer to the variety of mobile phones and mobile stations that can be used in a GPRS environment. The equipment is defined by terminal classes and types. Cisco's gateway GPRS serving node (GGSN) and data network components interoperate with GPRS terminals that meet the GPRS standards.

Three classes of GPRS terminals are provided: Class A, Class B, or Class C.

Class A Terminals

Class A terminals support GPRS and other GSM services (such as SMS and voice) simultaneously. This support includes simultaneous attach, activation, monitor, and traffic. Class A terminals can make or receive calls on two services simultaneously. In the presence of circuit-switched services, GPRS virtual circuits are held (i.e., placed on hold) instead of being cleared.

Class B Terminals

Class B terminals can monitor GSM and GPRS channels simultaneously but can support only one of these services at a time. Therefore, a Class B terminal can support simultaneous attach, activation, and monitor, but not simultaneous traffic. As with Class A, the GPRS virtual circuits are not disconnected when circuit-switched traffic is present. Instead, they are switched to busy mode. Users can make or receive calls on either a packet or a switched call type sequentially, but not simultaneously.

Class C Terminals

Class C terminals support only sequential attach. The user must select which service to connect to. Therefore, a Class C terminal can make or receive calls from only the manually selected (or default) service. The service that is not selected is unreachable. The GPRS specifications state that support of SMS is optional for Class C terminals.

GPRS Device Types

In addition to the three terminal classes, each handset has a unique form (housing design). Some of the forms are similar to current mobile wireless devices, while others will evolve to use the enhanced data capabilities of GPRS.

The earliest available type is closely related to the current mobile phone. These are available in the standard form with a numeric keypad and a relatively small display.

PC cards are credit card-sized hardware devices that connect through a serial cable to the bottom of a mobile phone.

Data cards for GPRS phones enable laptops and other devices with PC card slots to be connected to mobile GPRS-capable phones.

Card phones provide functions similar to those offered by PC cards without requiring a separate phone. These devices may require an ear piece and microphone to support voice services.

Smart phones are mobile phones with built-in voice, nonvoice, and Web-browsing services. Smart phones integrate mobile computing and mobile communications into a single terminal. They come in various form factors, which may include a keyboard or an icon-driven screen.

The increase in machine-to-machine communications has led to the adoption of application-specific devices. These black-box devices lack the display, keypad, and voice accessories of a standard phone. Communication is accomplished through a serial cable. Applications such as meter reading utilize such black-box devices.

Personal digital assistants (PDAs), such as the Palm Pilot series or Handspring Visor, and handheld communications devices are data-centric devices that are adding mobile wireless access. These devices can either connect with a GPRS-capable mobile phone via a serial cable or integrate GPRS capability. Access can be gained via a PC card or a serial cable to a GPRS-capable phone.

Data Routing

One of the main requirements in the GPRS network is the routing of data packets to and from a mobile user. The requirement can be divided into two areas: data packet routing and mobility management.

Data Packet Routing

The main functions of the GGSN involve interaction with the external data network. The GGSN updates the location directory using routing information supplied by the SGSNs about the location of an MS. It routes the external data network protocol packet encapsulated over the GPRS backbone to the SGSN currently serving the MS. It also decapsulates and forwards external data network packets to the appropriate data network and collects charging data that is forwarded to a charging gateway (CG).
In Figure 2-4, three routing schemes are illustrated:

- Mobile-originated message (path 1): This path begins at the GPRS mobile and ends at the Host
- Network-initiated message when the MS is in its home network (path 2): This path begins at the Host and ends at the GPRS mobile
- Network-initiated message when the MS roams to another GPRS network (path 3): This path is indicated by the dotted line

In these examples, the operator's GPRS network consists of multiple GSNs (with a gateway and serving functionality) and an intra-operator backbone network.

GPRS operators allow roaming through an inter-operator backbone network. The GPRS operators connect to the inter-operator network through a border gateway (BG), which can provide the necessary interworking and routing protocols (for example, border gateway protocol [BGP]). In the future, GPRS operators might implement quality of service (QoS) mechanisms over the inter-operator network to ensure service-level agreements (SLAs). The main benefits of the architecture are its flexibility, scalability, interoperability, and roaming attributes.
Figure 2-4 Routing of Data Packets between a Fixed Host and a GPRS MS

The GPRS network encapsulates all data network protocols into its own encapsulation protocol called the GPRS tunneling protocol (GTP). The GTP ensures security in the backbone network and simplifies the routing mechanism and the delivery of data over the GPRS network.

Mobility Management

The operation of the GPRS is partly independent of the GSM network. However, some procedures share the network elements with current GSM functions to increase efficiency and to make optimum use of free GSM resources (such as unallocated time slots). An MS has three states in the GPRS system (Figure 2-5):

- Active
- Standby
- Idle

The three-state model is unique to packet radio; GSM uses a two-state model (idle or active).

Figure 2-5 GPRS States in a Mobile Station

Active State

Data is transmitted between an MS and the GPRS network only when the MS is in the active state. In the active state, the SGSN knows the cell location of the MS. Packet transmission to an active MS is initiated by packet paging to notify the MS of an incoming data packet. The data transmission proceeds immediately after packet paging through the channel indicated by the paging message. The purpose of the paging message is to simplify the process of receiving packets. The MS listens to only the paging messages instead of to all the data packets in the downlink channels. This reduces battery usage significantly.

When an MS has a packet to transmit, it must access the uplink channel (i.e., the channel to the packet data network where services reside). The uplink channel is shared by a number of MSs, and its use is allocated by a BSS. The MS requests use of the channel in a random access message. The BSS allocates an unused channel to the MS and sends an access grant message in reply to the random access message. The description of the channel (one or multiple time slots) is included in the access grant message. The data is transmitted on the reserved channels.

Standby State

In the standby state, only the routing area of the MS is known. (The routing area can consist of one or more cells within a GSM location area.) When the SGSN sends a packet to an MS that is in the standby state, the MS must be paged. Because the SGSN knows the routing area of the MS, a packet paging message is sent to the routing area. On receiving the packet paging message, the MS relays its cell location to the SGSN to establish the active state.

The main reason for the standby state is to reduce the load in the GPRS network caused by cell-based routing update messages and to conserve the MS battery. When an MS is in the standby state, the SGSN is informed of only routing area changes. By defining the size of the routing area, the operator can control the number of routing update messages.

Idle State

In the idle state, the MS does not have a logical GPRS context activated or any packet-switched public data network (PSPDN) addresses allocated. In this state, the MS can receive only those multicast messages that can be received by any GPRS MS. Because the GPRS network infrastructure does not know the location of the MS, it is not possible to send messages to the MS from external data networks.

Routing Updates

When an MS that is in an active or a standby state moves from one routing area to another within the service area of one SGSN, it must perform a routing update. The routing area information in the SGSN is updated, and the success of the procedure is indicated in the response message.

A cell-based routing update procedure is invoked when an active MS enters a new cell. The MS sends a short message containing the identity of the MS and its new location through GPRS channels to its current SGSN. This procedure is used only when the MS is in the active state.

The inter-SGSN routing update is the most complicated routing update. The MS changes from one SGSN area to another, and it must establish a new connection to a new SGSN. This means creating a new logical link context between the MS and the new SGSN and informing the GGSN about the new location of the MS.

GPRS Interfaces

The GPRS architecture consists of signaling interfaces with various protocols that control and support the transmission of packets across the networks and to the mobile stations. The interfaces in a GPRS network are:

- Ga: Interface between GSN nodes (GGSN, SGSN) and charging gateway (CG)
- Gb: Interface between SGSN and BSS (PCU); normally uses Frame Relay
- Gc: Interface between GGSN and HLR
- Gi: Interface between GPRS (GGSN) and an external packet data network (PDN)
- Gn: Interface between two GSN nodes, i.e., GGSN and SGSN; this connects into the intra-network backbone, for example, an Ethernet network
- Gp: Interface between two GSN nodes in different PLMNs; this is via border gateways and is an inter-PLMN network backbone
- Gr: Interface between SGSN and HLR
- Gs: Interface between SGSN and the MSC/VLR
- Gf: Interface between SGSN and EIR

Figure 2-6 shows these interfaces.
Figure 2-6 GPRS Interfaces

GPRS Protocol Stacks

Figure 2-7 shows the GPRS protocol stack and end-to-end message flows from the MS to the GGSN. The protocol between the SGSN and GGSN using the Gn interface is GTP. This is a Layer 3 tunneling protocol similar to L2TP.
Figure 2-7 GPRS Network Protocol Stack

Although Figure 2-7 defines the Gn and Gi interface as IP, the underlying protocols are not specified, providing flexibility with the physical medium. The GGSN software runs on a Cisco 7206VXR hardware platform, which provides a wide range of supported physical interfaces and a high port density. The GGSN software uses a virtual template interface, which is a logical interface within the router and does not depend on the physical medium directly. A list of supported physical interfaces for the 7206VXR can be found at this URL: http://www.cisco.com/univercd/cc/td/doc/product/core/7200vx/portadpt/index.htm.

The most common physical interface used with GPRS is Fast Ethernet. This interface provides high bandwidth, low cost, and universal connectivity to other vendor equipment. For the Gi interface, common interfaces are Serial, E1/T1 or Ethernet. Running over the physical WAN interfaces can be a wide range of protocols including Frame Relay, ISDN, and HDLC.

GPRS Tunneling Protocol

The GTP tunneling protocol is a Layer 3 tunneling protocol. The IP header identifies a session flow between the GGSN and SGSN. The UDP header identifies the GTP application protocol (Port 3386). The GTP header identifies the GTP tunnel session. The payload identifies the session flow between the mobile station and the remote host. See Figure 2-8.
Figure 2-8 GPRS Tunneling Protocol

The GTP packet structure, like any other packet, typically has a fixed-size header and other information called payload or information elements. Currently, bits 1-5 of Octet 1 and Octets 7-12 are not in use. TID is the tunnel ID that identifies a tunnel session. The length field of GTP is different from the length field of IP. In IP, the length includes the header; in GTP, length indicates only the GTP payload. See Figure 2-9.
Figure 2-9 GTP Packet Structure
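The header rules above can be checked mechanically at a Gn or Gp border. The following is an added example, not Cisco's code or part of the original page: a strict parser for the GTP header on UDP port 3386 that rejects truncated datagrams and length fields that count the header the way IP does. It assumes the GTP version 0 layout (20-octet header, message type in octet 2, sequence number in octets 5-6, TID in octets 13-20); all function names and sample bytes are constructed for illustration.

```python
import struct
from dataclasses import dataclass

GTP_V0_UDP_PORT = 3386      # UDP port the text gives for GTP
GTP_V0_HEADER_LEN = 20      # assumption: GTP version 0, TID in octets 13-20


class GtpError(ValueError):
    """Raised when a datagram is not a well-formed GTP version 0 message."""


@dataclass(frozen=True)
class GtpV0Message:
    version: int     # bits 6-8 of octet 1
    msg_type: int    # octet 2
    length: int      # octets 3-4: payload octets only, header excluded
    sequence: int    # octets 5-6
    tid: bytes       # octets 13-20: tunnel ID, treated as opaque here
    payload: bytes


def build_gtp_v0(msg_type: int, sequence: int, tid: bytes, payload: bytes) -> bytes:
    """Build a sample message; used only to construct test input."""
    if len(tid) != 8:
        raise GtpError("TID must be 8 octets")
    octet1 = 0x1E                        # version 0 in bits 6-8; bits 1-5 ignored by the parser
    header = struct.pack("!BBHH", octet1, msg_type, len(payload), sequence)
    unused = b"\xff" * 6                 # octets 7-12, not interpreted
    return header + unused + tid + payload


def parse_gtp_v0(datagram: bytes) -> GtpV0Message:
    """Parse one UDP payload, enforcing the header rules described in the text."""
    if len(datagram) < GTP_V0_HEADER_LEN:
        raise GtpError(f"truncated header: {len(datagram)} of {GTP_V0_HEADER_LEN} octets")
    octet1, msg_type, length, sequence = struct.unpack_from("!BBHH", datagram, 0)
    version = octet1 >> 5
    if version != 0:
        raise GtpError(f"unsupported GTP version {version}")
    payload = datagram[GTP_V0_HEADER_LEN:]
    # Unlike the IP total-length field, the GTP length excludes the header.
    if length != len(payload):
        raise GtpError(f"length field {length} != {len(payload)} payload octets")
    return GtpV0Message(version, msg_type, length, sequence, datagram[12:20], payload)


def inspect_udp(dst_port: int, data: bytes) -> str:
    """Verdict a border filter could log: 'not-gtp', 'accept' or 'drop: <reason>'."""
    if dst_port != GTP_V0_UDP_PORT:
        return "not-gtp"
    try:
        parse_gtp_v0(data)
    except GtpError as exc:
        return f"drop: {exc}"
    return "accept"


def rewrite_length(datagram: bytes, new_length: int) -> bytes:
    """Return a copy with octets 3-4 overwritten (to build malformed samples)."""
    return datagram[:2] + struct.pack("!H", new_length) + datagram[4:]


# Constructed sample values, not captured traffic.
SAMPLE_TID = bytes(range(8))
SAMPLE_PAYLOAD = b"constructed inner IP packet"
SAMPLE_MSG_TYPE = 255                    # T-PDU: tunnelled user data

if __name__ == "__main__":
    good = build_gtp_v0(SAMPLE_MSG_TYPE, 7, SAMPLE_TID, SAMPLE_PAYLOAD)
    ip_style = rewrite_length(good, len(good))   # sender wrongly counted the header
    for label, pkt in (("good", good), ("ip-style length", ip_style), ("truncated", good[:10])):
        print(f"{label:16s} -> {inspect_udp(GTP_V0_UDP_PORT, pkt)}")
```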

GPRS Access Modes

The GPRS access modes specify whether or not the GGSN requests user authentication at the access point to a PDN (Public Data Network). The available options are:

- Transparent: No security authorization/authentication is requested by the GGSN
- Non-transparent: GGSN acts as a proxy for authenticating

The GPRS transparent and non-transparent modes relate only to PDP type IPv4.

Transparent Mode

Transparent access pertains to a GPRS PLMN that is not involved in subscriber access authorization and authentication. Access to PDN-related security procedures is transparent to GSNs. In transparent access mode, the MS is given an address belonging to the operator or any other domain's addressing space. The address is given either at subscription as a static address or at PDP context activation as a dynamic address. The dynamic address is allocated from a Dynamic Host Configuration Protocol (DHCP) server in the GPRS network. Any user authentication is done within the GPRS network. No RADIUS authentication is performed; only IMSI-based authentication (from the subscriber identity module in the handset) is done.

Non-transparent Mode

Non-transparent access to an intranet/ISP means that the PLMN plays a role in the intranet/ISP authentication of the MS. Non-transparent access uses the Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) message issued by the mobile terminal and piggy-backed in the GTP PDP context activation message. This message is used to build a RADIUS request toward the RADIUS server associated with the access point name (APN).

GPRS Access Point Name

The GPRS standards define a network identity called an access point name (APN). An APN identifies a PDN that is accessible from a GGSN node in a GPRS network (e.g., www.Cisco.com). To configure an APN, the operator configures three elements on the GSN node:

- Access point: Defines an APN and its associated access characteristics, including security (RADIUS), dynamic address allocation (DHCP), and DNS services
- Access point list: Defines a logical interface that is associated with the virtual template
- Access group: Defines whether access is permitted between the PDN and the MS

The Cisco GGSN is based on the routing technology, Cisco IOS. It integrates GPRS with already deployed IP services, like virtual private data networks (VPDNs) and voice over IP (VoIP). The mobile VPN application is the first service targeted for business subscribers that mobile operators are offering when launching GPRS networks. In GPRS, the selection of the VPN can be based on the same parameters that are used in VPDN applications:

- Dialed number identification service (DNIS), i.e., the called number
- Domain, e.g., user@domain
- Mobile station ISDN (MSISDN) number, i.e., the calling number

In GPRS, only the APN is used to select the target network. The Cisco GGSN supports VPN selection based on the APN.

GPRS Processes

This section describes the following basic processes used in GPRS networks:

- Attach process: Process by which the MS attaches (i.e., connects) to the SGSN in a GPRS network
- Authentication process: Process by which the SGSN authenticates the mobile subscriber
- PDP activation process: Process by which a user session is established between the MS and the destination network
- Detach process: Process by which the MS detaches (i.e., disconnects) from the SGSN in the GPRS network
- Network-initiated PDP request for static IP address: Process by which a call from the packet data network reaches the MS using a static IP address
- Network-initiated PDP request for dynamic IP address: Process by which a call from the packet data network reaches the MS using a dynamic IP address

GPRS Attach Process

When a mobile subscriber turns on their handset, the following actions occur:

1. A handset attach request is sent to the new SGSN.
2. The new SGSN queries the old SGSN for the identity of this handset. The old SGSN responds with the identity of the handset.
3. The new SGSN requests more information from the MS. This information is used to authenticate the MS to the new SGSN.
4. The authentication process continues to the HLR. The HLR acts like a RADIUS server using a handset-level authentication based on IMSI and similar to the CHAP authentication process in PPP.
5. A check of the equipment ID with the EIR is initiated.
6. If the equipment ID is valid, the new SGSN sends a location update to the HLR indicating the change of location to a new SGSN. The HLR notifies the old SGSN to cancel the location process for this MS. The HLR sends an insert subscriber data request and other information associated with this mobile system and notifies the new SGSN that the update location has been performed.
7. The new SGSN initiates a location update request to the VLR. The VLR acts like a proxy RADIUS that queries the home HLR.
8. The new SGSN sends the Attach Accept message to the MS.
9. The MS sends the Attach Complete message to the new SGSN.
10. The new SGSN notifies the new VLR that the relocation process is complete.

Figure 2-10 and Figure 2-11 show the GPRS attach process (the numbers in the figures correspond to the numbered steps above).
Figure 2-10 GPRS Attach Request Procedure

Figure 2-11 GPRS Attach Request Procedure (continued)

GPRS Authentication Process

The GPRS authentication process is very similar to CHAP with a RADIUS server. The authentication process follows these steps:

1. The SGSN sends the authentication information to the HLR. The HLR sends information back to the SGSN based on the user profile that was part of the user's initial setup.
2. The SGSN sends a request for authentication and ciphering (using a random key to encrypt information) to the MS. The MS uses an algorithm to send the user ID and password to the SGSN. Simultaneously, the SGSN uses the same algorithm and compares the result. If a match occurs, the SGSN authenticates the user.

Figure 2-12 describes the GPRS authentication process that the MS uses to gain access to the network (the numbers in the figure correspond to the numbered steps above).
Figure 2-12 GPRS Authentication Procedure
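The two steps above, modeled as the CHAP-style challenge-response the text compares them to. This is an added example, not code from the original page or from any vendor: the HLR and the SIM share a per-subscriber secret (here called Ki), the HLR hands the SGSN a random challenge with the expected response and a ciphering key, and only the challenge and the response cross the air interface. HMAC-SHA256 is a stand-in for the operator's real algorithms, and every class name, the IMSI and the key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


def auth_algorithm_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Return (response, cipher_key). HMAC-SHA256 is an assumption made for
    this example; it replaces the operator-chosen algorithms on the SIM."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]      # 32-bit response, 64-bit ciphering key


class Hlr:
    """Holds each subscriber's secret; it never hands the secret itself out."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def auth_info(self, imsi: str) -> Optional[Tuple[bytes, bytes, bytes]]:
        """Step 1: fresh (challenge, expected response, cipher key) per request."""
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None
        rand = secrets.token_bytes(16)   # new 128-bit challenge every time
        expected, kc = auth_algorithm_stand_in(ki, rand)
        return rand, expected, kc


class MobileStation:
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki                    # stays on the SIM
        self.kc: Optional[bytes] = None

    def answer(self, rand: bytes) -> bytes:
        response, self.kc = auth_algorithm_stand_in(self._ki, rand)
        return response


class Sgsn:
    def __init__(self, hlr: Hlr) -> None:
        self._hlr = hlr
        self.sessions: Dict[str, bytes] = {}   # IMSI -> ciphering key
        self.air_log: List[bytes] = []         # everything sent over the air

    def authenticate(self, ms: MobileStation) -> bool:
        """Step 2: challenge the MS and compare its answer with the HLR's."""
        self.sessions.pop(ms.imsi, None)       # no stale key survives a new attempt
        info = self._hlr.auth_info(ms.imsi)
        if info is None:
            return False                       # unknown subscriber
        rand, expected, kc = info
        response = ms.answer(rand)
        self.air_log += [rand, response]
        if not hmac.compare_digest(response, expected):   # constant-time compare
            return False
        self.sessions[ms.imsi] = kc            # ciphering can start with this key
        return True


# Constructed sample subscriber (test-network style IMSI, made-up key).
SAMPLE_IMSI = "001010123456789"
SAMPLE_KI = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    hlr = Hlr()
    hlr.provision(SAMPLE_IMSI, SAMPLE_KI)
    sgsn = Sgsn(hlr)
    print("genuine SIM:", sgsn.authenticate(MobileStation(SAMPLE_IMSI, SAMPLE_KI)))
    print("wrong key  :", sgsn.authenticate(MobileStation(SAMPLE_IMSI, bytes(16))))
```

Because the challenge is fresh for every attempt, a recorded response is useless against the next challenge, and a failed attempt leaves no ciphering key behind in the SGSN.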

PDP Context Activation Process

The events in the PDP context activation process are described next.

1. The SGSN receives the activation request from the MS; for example, the MS requests access to the APN Cisco.com.
2. Security functions between the MS and SGSN occur.
3. The SGSN initiates a DNS query to learn which GGSN node has access to the Cisco.com APN. The DNS query is sent to the DNS server within the mobile operator's network. The DNS is configured to map to one or more GGSN nodes. Based on the APN, the mapped GGSN can access the requested network.
4. The SGSN sends a Create PDP Context Request to the GGSN. This message contains the PAP information, CHAP information, PDP request, APN, and quality of service information.
5. If operating in the non-transparent mode, the PAP and CHAP information in the PDP request packet is sent to the RADIUS server for authentication.
6. If the RADIUS server is to provide a dynamic IP address to the client, it sends a DHCP address request to the DHCP server. In transparent mode, the RADIUS server is bypassed.
7. If IPSec functionality is required, security functions occur between the GGSN and network access server (NAS).
8. The GGSN sends a Create PDP Context Response message to the SGSN.
9. The SGSN sends an Activate PDP Context Accept message to the MS.

Figure 2-13 shows the PDP context activation procedure. The red arrows indicate the communication between the SGSN and GGSN. The numbers in the figure correspond to the numbered steps above.
Figure 2-13 PDP Context Activation Procedure

Detach Process Initiated by MS

When a mobile subscriber turns off their handset, the detach process initiates. The detach process is described below.

1. The MS sends a Detach Request to the SGSN.
2. The SGSN sends a Delete PDP Context Request message to the serving GGSN.
3. The SGSN sends an IMSI Detach Indication message to the MSC/VLR indicating the MS request to disconnect.
4. The SGSN sends a GPRS Detach Indication message to the MSC/VLR.
5. The SGSN sends the Detach Accept message to the MS.

Note: The GSN nodes must always respond to the detach request with a positive delete response to the MS and accept the detach request requested by the client. The positive delete response is required even if the SGSN does not have a connection pending for that client.

Figure 2-14 describes the detach process initiated by the MS. The numbers in the figure correspond to the numbered steps above.
Figure 2-14 MS Initiate Detach Procedure

Network Initiated PDP Request For A Static IP Address

The PDP protocol data unit (PDU) initiated from the network side is not fully specified by ETSI standards. A connection request generated from the Internet/intranet site specifies only the IP address of the client in the IP packets destined for the MS. The requesting host provides no indication of the mobile device IMSI (i.e., the MAC address of the MS). In mobile communications, all communications are based on the MS MAC address called the IMSI. The IP address must be mapped to an IMSI to identify a valid GTP tunnel. Cisco's GGSN implementation provides a mapping table via command line interface (CLI) that allows the operator to key in the MS IMSI and the associated static IP address.

The following steps describe a PDP request initiated from the network side when the client has been assigned a static IP address.

1. When the GGSN receives a packet, it checks its mapping table for an established GTP tunnel for this packet.
2. When the GGSN locates the IMSI associated with this IP address, it sends a Send Routing Information message to HLR through an intermediate SGSN. The intermediate SGSN notifies the GGSN of the actual SGSN currently serving this client.
3. On locating the appropriate SGSN, the GGSN sends a PDU Notification Request message to the serving SGSN.
4. The SGSN sends a Request PDP Context Activation message to the MS and notifies it of the pending connection request.
5. If the MS agrees to accept the call, it enters the PDP Context Activation procedure with the requesting GGSN.

Figure 2-15 shows a PDP request initiated from the network side when the client has been assigned a static IP address. The numbers in the figure correspond to the numbered steps above.
Figure 2-15 Network Initiate PDP (Static IP Address)

Network Initiated PDP Request For A Dynamic IP Address

The ETSI standards do not fully specify requirements for a network-generated PDP request when the client is dynamically assigned a temporary IP by a DHCP server. The following message sequence is Cisco's implementation for this scenario. This method uses Cisco's Network Registrar (CNR), which includes a DHCP, DNS, and an LDAP server.

1. The host initiates a DNS query to obtain the IP address of the MS from a DNS server. The DNS server resolves the client's name to an IP address previously assigned to the client by the DHCP server.
2. The host sends a request to the GGSN for a connection using this IP address.
3. The GGSN queries the LDAP server to obtain the MS IMSI. The LDAP server stores a record for the MS with the client IMSI, name, and IP address.
4. The GGSN sends a PDU Notification Request message to the serving SGSN.
5. The SGSN sends a Request PDP Context Activation message to the MS and notifies it of the pending connection request.
6. If the MS agrees to accept the call, it enters the PDP Context Activation procedure with the requesting GGSN.

Figure 2-16 describes a PDP request initiated from the network side when the client has been assigned a dynamic IP address. The numbers in the figure correspond to the numbered steps above.
Figure 2-16 Network Initiate PDP (Dynamic IP Address)

Universal Mobile Telecommunication System

The Universal Mobile Telecommunication System (UMTS) is a third generation (3G) mobile communications system that provides a range of broadband services to the world of wireless and mobile communications. The UMTS delivers low-cost, mobile communications at data rates of up to 2 Mbps. It preserves the global roaming capability of second generation GSM/GPRS networks and provides new enhanced capabilities. The UMTS is designed to deliver pictures, graphics, video communications, and other multimedia information, as well as voice and data, to mobile wireless subscribers.

The UMTS takes a phased approach toward an all-IP network by extending second generation (2G) GSM/GPRS networks and using Wide-band Code Division Multiple Access (CDMA) technology. Handover capability between the UMTS and GSM is supported. The GPRS is the convergence point between the 2G technologies and the packet-switched domain of the 3G UMTS.

UMTS Services

The UMTS provides support for both voice and data services. The following data rates are targets for UMTS:

- 144 kbps: Satellite and rural outdoor
- 384 kbps: Urban outdoor
- 2048 kbps: Indoor and low range outdoor

Data services provide different quality-of-service (QoS) parameters for data transfer. UMTS network services accommodate QoS classes for four types of traffic:

- Conversational class: Voice, video telephony, video gaming
- Streaming class: Multimedia, video on demand, webcast
- Interactive class: Web browsing, network gaming, database access
- Background class: E-mail, short message service (SMS), file downloading

The UMTS supports the following service categories and applications:

- Internet access: Messaging, video/music download, voice/video over IP, mobile commerce (e.g., banking, trading), travel and information services
- Intranet/extranet access: Enterprise application such as email/messaging, travel assistance, mobile sales, technical services, corporate database access, fleet/warehouse management, conferencing and video telephony
- Customized information/entertainment: Information (photo/video/music download), travel assistance, distance education, mobile messaging, gaming, voice portal services
- Multimedia messaging: SMS extensions for images, video, and music; unified messaging; document transfer
- Location-based services: Yellow pages, mobile commerce, navigational service, trading

UMTS Architecture

The public land mobile network (PLMN) described in UMTS Rel. '99 incorporates three major categories of network elements:

- GSM phase 1/2 core network elements: Mobile services switching center (MSC), visitor location register (VLR), home location register (HLR), authentication center (AuC), and equipment identity register (EIR)
- GPRS network elements: Serving GPRS support node (SGSN) and gateway GPRS support node (GGSN)
- UMTS-specific network elements: User equipment (UE) and UMTS terrestrial radio access network (UTRAN) elements

The UMTS core network is based on the GSM/GPRS network topology. It provides the switching, routing, transport, and database functions for user traffic. The core network contains circuit-switched elements such as the MSC, VLR, and gateway MSC (GMSC). It also contains the packet-switched elements SGSN and GGSN. The EIR, HLR, and AuC support both circuit- and packet-switched data. The Asynchronous Transfer Mode (ATM) is the data transmission method used within the UMTS core network. ATM Adaptation Layer type 2 (AAL2) handles circuit-switched connections. Packet connection protocol AAL5 is used for data delivery. The UMTS architecture is shown in Figure 2-17.
Figure 2-17 UMTS Architecture

General Packet Radio System

The General Packet Radio System (GPRS) facilitates the transition from phase 1/2 GSM networks to 3G UMTS networks. The GPRS supplements GSM networks by enabling packet switching and allowing direct access to external packet data networks (PDNs). Data transmission rates above the 64 kbps limit of integrated services digital network (ISDN) are a requirement for the enhanced services supported by UMTS networks. The GPRS optimizes the core network for the transition to higher data rates. Therefore, the GPRS is a prerequisite for the introduction of the UMTS.

UMTS Interfaces

The UMTS defines four new open interfaces (see Figure 2-17):

- Uu interface: User equipment to Node B (the UMTS WCDMA air interface)
- Iu interface: RNC to GSM/GPRS (MSC/VLR or SGSN)
  - Iu-CS: Interface for circuit-switched data
  - Iu-PS: Interface for packet-switched data
- Iub interface: RNC to Node B interface
- Iur interface: RNC to RNC interface (no equivalent in GSM)

The Iu, Iub, and Iur interfaces are based on the transmission principles of asynchronous transfer mode (ATM).

UMTS Terrestrial Radio Access Network

The major difference between GSM/GPRS networks and UMTS networks is in the air interface transmission. Time division multiple access (TDMA) and frequency division multiple access (FDMA) are used in GSM/GPRS networks. The air interface access method for UMTS networks is wide-band code division multiple access (WCDMA), which has two basic modes of operation: frequency division duplex (FDD) and time division duplex (TDD). This new air interface access method requires a new radio access network (RAN) called the UMTS terrestrial RAN (UTRAN). The core network requires minor modifications to accommodate the UTRAN.

Two new network elements are introduced in the UTRAN: the radio network controller (RNC) and Node B. The UTRAN contains multiple radio network systems (RNSs), and each RNS is controlled by an RNC. The RNC connects to one or more Node B elements. Each Node B can provide service to multiple cells. The RNC in UMTS networks provides functions equivalent to the base station controller (BSC) functions in GSM/GPRS networks. Node B in UMTS networks is equivalent to the base transceiver station (BTS) in GSM/GPRS networks. In this way, the UMTS extends existing GSM and GPRS networks, protecting the investment of mobile wireless operators. It enables new services over existing interfaces such as A, Gb, and Abis, and new interfaces that include the UTRAN interface between Node B and the RNC (Iub) and the UTRAN interface between two RNCs (Iur). The network elements of the UTRAN are shown in Figure 2-18.
Figure 2-18 UTRAN Architecture

Radio Network Controller

The radio network controller (RNC) performs functions that are equivalent to the base station controller (BSC) functions in GSM/GPRS networks. The RNC provides centralized control of the Node B elements in its covering area. It handles protocol exchanges between UTRAN interfaces (Iu, Iur, and Iub). Because the interfaces are ATM-based, the RNC performs switching of ATM cells between the interfaces. Circuit-switched and packet-switched data from the Iu-CS and Iu-PS interfaces are multiplexed together for transmission over the Iur, Iub, and Uu interfaces to and from the user equipment (UE). The RNC provides centralized operation and maintenance of the radio network system (RNS) including access to an operations support system (OSS).

The RNC uses the Iur interface. There is no equivalent to manage radio resources in GSM/GPRS networks. In GSM/GPRS networks, radio resource management is performed in the core network. In UMTS networks, this function is distributed to the RNC, freeing the core network for other functions. A single serving RNC manages serving control functions such as connection to the UE, congestion control, and handover procedures. The functions of the RNC include:

- Radio resource control
- Admission control
- Channel allocation
- Power control settings
- Handover control
- Macro diversity
- Ciphering
- Segmentation and reassembly
- Broadcast signalling
- Open loop power control

Node B

Node B is the radio transmission/reception unit for communication between radio cells. Each Node B unit can provide service for one or more cells. A Node B unit can be physically located with an existing GSM base transceiver station (BTS) to reduce costs of UMTS implementation. Node B connects to the user equipment (UE) over the Uu radio interface using wide-band code division multiple access (WCDMA). A single Node B unit can support both frequency division duplex (FDD) and time division duplex (TDD) modes. The Iub interface provides the connection between Node B and the RNC using asynchronous transfer mode (ATM). Node B is the ATM termination point.

The main function of Node B is conversion of data on the Uu radio interface. This function includes error correction and rate adaptation on the air interface. Node B monitors the quality and strength of the connection and calculates the frame error rate, transmitting this information to the RNC for processing. The functions of Node B include:

Air interface transmission and reception
Modulation and demodulation
CDMA physical channel coding
Micro diversity
Error handling
Closed loop power control

Node B also enables the UE to adjust its power using a technique called downlink transmission power control. Predefined values for power control are derived from RNC power control parameters.

UMTS User Equipment

The UMTS user equipment (UE) is the combination of the subscriber's mobile equipment and the UMTS subscriber identity module (USIM). Similar to the SIM in GSM/GPRS networks, the USIM is a card that inserts into the mobile equipment and identifies the subscriber to the core network.

The USIM card has the same physical characteristics as the GSM/GPRS SIM card and provides the following functions:

Supports multiple user profiles on the USIM
Updates USIM information over the air
Provides security functions
Provides user authentication
Supports inclusion of payment methods
Supports secure downloading of new applications

The UMTS standard places no restrictions on the functions that the UE can provide. Many of the identity types for UE devices are taken directly from GSM specifications. These identity types include:

International Mobile Subscriber Identity (IMSI)
Temporary Mobile Subscriber Identity (TMSI)
Packet Temporary Mobile Subscriber Identity (P-TMSI)
Temporary Logical Link Identity (TLLI)
Mobile station ISDN (MSISDN)
International Mobile Station Equipment Identity (IMEI)
International Mobile Station Equipment Identity and Software Number (IMEISV)

The UMTS UE can operate in one of three modes of operation:

PS/CS mode: The UE is attached to both the packet-switched (PS) and circuit-switched (CS) domain, and the UE can simultaneously use PS and CS services.
PS mode: The MS is attached to the PS domain and uses only PS services (but allows CS-like services such as voice over IP [VoIP]).
CS mode: The MS is attached to the CS domain and uses only CS services.

Some GSM system parameters are listed in the table below.

Multiple access method: TDMA / FDMA
Uplink frequencies (MHz): 933-960 (basic GSM)
Downlink frequencies (MHz): 890-915 (basic GSM)
Duplexing: FDD
Channel spacing (kHz): 200
Modulation: GMSK
Portable TX power, maximum / average (mW): 1000 / 125
Power control, handset and BSS: Yes
Speech coding and rate (kbps): RPE-LTP / 13
Speech channels per RF channel: 8
Channel rate (kbps): 270.833
Channel coding: Rate 1/2 convolutional
Frame duration (ms): 4.615

Interfaces
The previous figure also shows the GSM interfaces; they are briefly explained below.

Um: The air interface is used for exchanges between a MS and a BSS. LAPDm, a modified version of the ISDN LAPD, is used for signalling.

Abis: This is a BSS internal interface linking the BSC and a BTS, and it has not been standardised. The Abis interface allows control of the radio equipment and radio frequency allocation in the BTS.

A: The A interface is between the BSS and the MSC. The A interface manages the allocation of suitable radio resources to the MSs and mobility management.

B: The B interface between the MSC and the VLR uses the MAP/B protocol. Most MSCs are associated with a VLR, making the B interface "internal". Whenever the MSC needs access to data regarding a MS located in its area, it interrogates the VLR using the MAP/B protocol over the B interface.

C: The C interface is between the HLR and a GMSC or a SMS-G. Each call originating outside of GSM (i.e., a MS terminating call from the PSTN) has to go through a Gateway to obtain the routing information required to complete the call, and the MAP/C protocol over the C interface is used for this purpose. Also, the MSC may optionally forward billing information to the HLR after call clearing.

D: The D interface is between the VLR and HLR, and uses the MAP/D protocol to exchange the data related to the location of the MS and to the management of the subscriber.

E: The E interface interconnects two MSCs. The E interface exchanges data related to handover between the anchor and relay MSCs using the MAP/E protocol.

F: The F interface connects the MSC to the EIR, and uses the MAP/F protocol to verify the status of the IMEI that the MSC has retrieved from the MS.

G: The G interface interconnects two VLRs of different MSCs and uses the MAP/G protocol to transfer subscriber information, e.g. during a location update procedure.

H: The H interface is between the MSC and the SMS-G, and uses the MAP/H protocol to support the transfer of short messages.

I: The I interface (not shown in Figure 1) is the interface between the MSC and the MS. Messages exchanged over the I interface are relayed transparently through the BSS.

Protocols over the A, A-Bis and Um interfaces


Figure 6 below shows the signalling protocols between the MS and BTS, between the BTS and BSC, and between the BSC and the MSC.

The CM, MM and RR layers together correspond to layer three in the ISO OSI protocol suite, and layer two is composed of LAPD and LAPDm. Customarily, the lower three layers terminate in the same node. Not so in GSM, where the functionality is spread over distinct functional entities with standardised interfaces between them. For instance, the RR part of layer three is spread over the MS, BTS, BSC, and MSC.

CM: The Communication Management (CM) layer consists of setting up calls at the users' request. Its functions are divided in three: Call control, which manages the circuit oriented services; Supplementary services management, which allows modifications and checking of the supplementary services configuration; Short Message Services, which provides point-to-point short message services.

MM: The Mobility Management (MM) layer is in charge of maintaining the location data, in addition to the authentication and ciphering procedures.

RR: The Radio Resource (RR) Management layer is in charge of establishing and maintaining a stable uninterrupted communications path between the MSC and MS over which signalling and user data can be conveyed. Handovers are part of the RR layer's responsibility. Most of the functions are controlled by the BSC, BTS, and MS, though some are performed by the MSC (in particular for inter-MSC handovers).

RR': The RR' layer is the part of the RR functionality which is managed by the BTS.

LAPDm: The layer two protocol is provided for by LAPDm over the air-interface. This protocol is a modified version of the LAPD (Link Access Protocol for the ISDN D-channel) protocol. The main modifications are due to the tight synchronisation required in TDMA and bit error protection mechanism required over the air-interface (and in GSM handled by layer 1), making the corresponding functionality of the LAPD protocol redundant (and thus wasteful over the air-interface). The LAPD frame flags are replaced by a length indicator, and the FEC field is removed.

BTSM: The Base Transceiver Station Management (BTSM) is responsible for transferring the RR information (not provided for in the BTS by the RR' protocol) to the BSC.

LAPD: This is the ISDN LAPD protocol (Link Access Protocol for the ISDN D-channel) providing error-free transmission between the BSC and MSC.

BSSAP: The Base Station System Application Part (BSSAP) is split into two parts, the BSSMAP and the DTAP (not shown in the above figure). The message exchanges are handled by SS7. Messages which are not transparent to the BSC are carried by the Base Station System Management Application Part (BSSMAP), which supports all of the procedures between the MSC and the BSS that require interpretation and processing of information related to single calls, and resource management. The messages between the MSC and MS which are transparent to the BSC (MM and CM messages) are catered for by the Direct Transfer Application Part (DTAP).

SCCP: The Signalling Connection Control Part (SCCP) from SS7.

MTP: The Message Transport Part (MTP) of SS7.
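The LAPDm entry above says the LAPD flags are replaced by a length indicator. As an added example (not code from the original page), the sketch below decodes the three header octets of a LAPDm frame that carries address, control and length-indicator fields, and refuses a length indicator that points past the received block. The bit layout follows 3GPP TS 44.006 as understood here; the function name and sample frames are constructed.

```python
# Added example: decode a LAPDm header (address, control, length indicator).
# Field layout assumed from 3GPP TS 44.006; sample frames are constructed.

def parse_lapdm(frame: bytes) -> dict:
    if len(frame) < 3:
        raise ValueError("too short for address, control and length octets")
    addr, ctrl, li = frame[0], frame[1], frame[2]
    if not addr & 0x01:
        raise ValueError("address EA bit clear: extended address not handled")
    if not li & 0x01:
        raise ValueError("length EL bit clear: extended length not handled")

    # The length indicator replaces LAPD's flag delimiters, so it is the only
    # thing that bounds the payload. Check it before slicing.
    length = li >> 2
    if 3 + length > len(frame):
        raise ValueError("length indicator exceeds received block")

    if ctrl & 0x01 == 0:
        kind = "I"          # information frame
    elif ctrl & 0x03 == 0x01:
        kind = "S"          # supervisory frame
    else:
        kind = "U"          # unnumbered frame (UI, SABM, DISC, ...)

    return {
        "lpd": (addr >> 5) & 0x03,
        "sapi": (addr >> 2) & 0x07,     # 0 = signalling, 3 = short messages
        "cr": (addr >> 1) & 0x01,
        "frame_type": kind,
        "poll_final": (ctrl >> 4) & 0x01,
        "more": (li >> 1) & 0x01,       # 1 = layer 3 message is segmented
        "payload": frame[3:3 + length],
    }


def make_frame(sapi: int, ctrl: int, payload: bytes, size: int = 23) -> bytes:
    """Build a constructed test frame padded to `size` octets with 0x2B."""
    head = bytes([(sapi << 2) | 0x01, ctrl, (len(payload) << 2) | 0x01])
    return (head + payload).ljust(size, b"\x2b")


if __name__ == "__main__":
    good = make_frame(0, 0x03, b"\x06\x35\x01\x02\x03")   # UI frame, SAPI 0
    print(parse_lapdm(good))
    bad = bytes([0x01, 0x03, (30 << 2) | 0x01]).ljust(23, b"\x2b")
    try:
        parse_lapdm(bad)
    except ValueError as exc:
        print("rejected:", exc)
```
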

Logical and physical channels


GSM distinguishes between physical channels (the timeslot) and logical channels (the information carried by the physical channels). Several recurring timeslots on a carrier constitute a physical channel, which is used by different logical channels to transfer information - both user data and signalling. The GSM traffic and associated control channels are illustrated in Figure 7 below.

Common channels

The forward common channels are used for broadcasting bulletin board information, paging and response to channel requests. The return common channel is a slotted Aloha type random access channel used by the MS to request channel resources before timing information is conveyed by the BSS, and uses a burst with an extended guard period.

Dedicated point-to-point channels

The dedicated point-to-point channels are divided into two main groups, the dedicated signalling channels and the traffic channels. The dedicated signalling channels are used to set up the connection, and the traffic channel of a variety of rates is used to convey the user information once the session is established. Both channel types have in-band signalling: SACCH for e.g. link monitoring, and FACCH for time-critical signalling during e.g. a handover. The FACCH "steals" the entire traffic burst for signalling.

These logical channels are defined in GSM:

TCHf: Full rate traffic channel.
TCHh: Half rate traffic channel.
BCCH: Broadcast Network information, e.g. for describing the current control channel structure. The BCCH is a point-to-multipoint channel (BSS-to-MS).
SCH: Synchronisation of the MSs.
FCH: MS frequency correction.
AGCH: Acknowledge channel requests from MS and allocate a SDCCH.
PCH: MS terminating call announcement.
RACH: MS access requests, response to call announcement, location update, etc.
FACCHt: For time critical signalling over the TCH (e.g. for handover signalling). Traffic burst is stolen for a full signalling burst.
SACCHt: TCH in-band signalling, e.g. for link monitoring.
SDCCH: For signalling exchanges, e.g. during call setup, registration / location updates.
FACCHs: FACCH for the SDCCH. The SDCCH burst is stolen for a full signalling burst. Function not clear in the present version of GSM (could be used for e.g. handover of an eight-rate channel, i.e. using a "SDCCH-like" channel for other purposes than signalling).
SACCHs: SDCCH in-band signalling, e.g. for link monitoring.

2. Signals and RF Stuff


2.1 Overview
GSM uses Frequency Division Multiplexing AND Time Division Multiplexing. FDMA divides the frequency ranges for GSM, which are 890-915, 935-960 and some others that the book didn't have. Each is divided into 200kHz wide channels. As far as TDMA goes, each time slot is 577 microseconds long, and 8 time slices make a frame, lasting for a grand total of 4.615ms. A multiframe consists of 51 frames, 51 multiframes make up a Superframe, and 2048 Superframes make a Hyperframe, which is 2715648 frames. Wow.

2.2 RF Specifics (stolen right from the book)


Parameter: Value
Downstream Frequencies: 935-960MHz, 1805-1880MHz
Upstream Frequency: 890-915MHz, 1710-1785MHz
Channel Spacing: 200kHz
Duplex Spacing: 45MHz
Radio Power: 13-39dBm, 2dB steps
Data Rise/Fall Time: 28 microseconds
Emissions: < -36dBm
Phase Error: 5 deg RMS
Freq Error: 95Hz
Recv Sensitivity: 104dBm
Co-channel Rejection: 96dBm below signal
Intermodulation Rejection: 100dBm below signal
Signal Blocking Level: 100dBm

2.3 Packets and data


Your phone transmits during a single time slot, and the contents of the time slot are called a packet. Packets are made of bits, and bits are made of magic. A packet can be 4 different things:

random access burst - shorter than the normal burst.
synchronization burst - same length as the normal burst but a different structure.
normal burst - carries speech or data information. Lasts approximately 0.577 ms and has a length of 156.25 bits.
frequency correction burst - same length as the normal burst but a different structure.

3.4 Unique User Identification


Each mobile radio has a couple of security features to keep it from being stolen. Each phone is built with an International Mobile Equipment Identity (IMEI), and this is done in the factory before the phone is even activated. Each time the mobile radio is used, the network checks the IMEI against some list of authorized and banned numbers to verify that the phone is allowed to be on the network.
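The IMEI check described above can be sketched as follows. This is an added example, not code from the original page: it validates the IMEI's Luhn check digit, accepts the 16-digit IMEISV form as well, and looks the device up in authorized and banned lists. The list contents, the 14-digit lookup key and the function names are assumptions made for illustration.

```python
# Added example: IMEI/IMEISV validation and a list lookup of the kind the
# text describes. Lists are constructed; keying on TAC+SNR is an assumption.
from typing import NamedTuple, Optional

AUTHORIZED = {"49015420323751"}   # constructed: 14-digit TAC+SNR keys
BANNED = {"35209900176148"}       # constructed


class EquipmentId(NamedTuple):
    tac: str             # Type Allocation Code, 8 digits
    snr: str             # serial number, 6 digits
    svn: Optional[str]   # software version number, IMEISV only


def luhn_check_digit(digits14: str) -> int:
    """Luhn check digit over the 14-digit TAC+SNR part of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits14)):
        d = int(ch)
        if i % 2 == 0:            # rightmost digit and every second one after
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def parse_equipment_id(raw: str) -> EquipmentId:
    digits = raw.replace("-", "").replace(" ", "")
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("non-digit characters in identity")
    if len(digits) == 15:         # IMEI: TAC + SNR + check digit
        if int(digits[14]) != luhn_check_digit(digits[:14]):
            raise ValueError("IMEI check digit mismatch")
        return EquipmentId(digits[:8], digits[8:14], None)
    if len(digits) == 16:         # IMEISV: TAC + SNR + SVN, no check digit
        return EquipmentId(digits[:8], digits[8:14], digits[14:])
    raise ValueError("expected 15 (IMEI) or 16 (IMEISV) digits")


def eir_status(raw: str) -> str:
    try:
        ident = parse_equipment_id(raw)
    except ValueError:
        return "malformed"
    key = ident.tac + ident.snr   # check digit and SVN are not part of the key
    if key in BANNED:             # a ban wins over any other listing
        return "banned"
    return "authorized" if key in AUTHORIZED else "unknown"


if __name__ == "__main__":
    for sample in ("490154203237518", "490154203237519",
                   "352099001761481", "3520990017614823"):
        print(sample, "->", eir_status(sample))
```

Keying the lookup on TAC+SNR means a banned handset stays banned when it reports a different software version in its IMEISV.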

UUPlus

UUplus was originally designed to help increase the throughput of email data through satellite phones. Some work has been done by UUPlus themselves and MAF is undertaking some trials on this in the near future. If UUPlus performs as well over GSM phones as it does over satellite phones, we can expect a 3-5 times increase in data throughput, which should cut call costs substantially. www.uuplus.com

SMS to/from Email gateways

There are several technologies that allow an SMS originated on a mobile phone to be delivered as an email, and messages originated as emails or on web pages to be delivered as SMS messages. This kind of feature is quite useful at times. Example of free services: www.excell.to (register and all you pay is the cost of the SMS). You can also set up aliases for the email addresses that you use most frequently. You can also set up a signature that will appear with each email sent. The message syntax is then very simple, for example: EMA jd .subject.message. (where jd has been set up as an alias for John Doe's email address in this example). There are also other services which will forward emails as SMS messages to your mobile phone. An example is www.gopherking.com. This is a paid-for service at about $25 a year. A mine of information on how to send SMS from the web and email etc. is at http://www.cellular.co.za/send_sms2.htm .

WAP

The Wireless Application Protocol (WAP) allows interactive access to websites that are written using WAP's special WML protocol rather than the web's HTML. WAP is not widely implemented outside the developed nations.

Bluetooth
Abstract

This poster introduces the wireless technology Bluetooth. I will show what Bluetooth is? The history of Bluetooth, some technical facts about Bluetooth, how two Bluetooth devices can communicate with each other? What is Bluetooth device discovery? How Bluetooth forms a Piconet and what capabilities the technology has? What are Bluetooth profiles? And discuss Bluetooth while in action. All this is just to explain Bluetooth in a summarized brief introduction of Bluetooth.

1 Bluetooth Definition

Bluetooth (http://www.bluetooth.com/) is an evolving short-range networking protocol for connecting different types of devices; for example, connecting a mobile phone with a desktop or notebook computer, accessing the Internet via the phone's mobile data syste