You are on page 1of 8

Mobile@Home—GSM services over wireless LAN

Martin Bäckström, Andreas Havdrup, Tomas Nylander, Jari Vikberg and Peter Öhman

What do you get when you combine mobile telephony with voice over IP In late 2003, Ericsson helped establish the
(VoIP)? Mobile@Home. The solution is a new access network for mobile Unlicensed Mobile Access (UMA) forum for
core networks that has the same role in the mobile network as this idea. The forum labored for nine months
GSM/EDGE and WCDMA radio access networks (GERAN/UTRAN) but to produce a set of specifications that sup-
ported every major GSM service over unli-
makes use of unlicensed spectrum and IP-based broadband access net-
censed radio. The specifications were re-
works. It is based on the 3GPP Generic Access Network (GAN) specifica-
leased in September 2004.
tion (formerly known as Unlicensed Mobile Access, UMA). Just before the release of the first specifi-
With Mobile@Home, end users can use their GSM terminals at home to cation, UMA was included as a work item
access mobile services over wireless LAN (WiFi or Bluetooth). The solu- in the Third Generation Partnership Project
tion minimizes operator investment by reusing the existing mobile core (3GPP) under the name Generic Access to A
network and other support nodes. and Gb Interface (GAAG). Within 3GPP, the
UMA technology specification is called
Generic Access Network or GAN. The
GAN specifications have since been ap-
proved for inclusion in 3GPP Release 6
(Rel-6). All future work related to unli-
censed mobile access will take place in 3GPP
and will be coordinated with standardiza-
tion and development of the GSM and
UMTS networks.
In 2000, Ericsson began investigating how
Benefits of Mobile@Home
unlicensed radio in a mobile handset could
be used to access mobile network services. Operator benefits
Not long afterward it developed a demo sys- Ericsson’s Mobile@Home solution enables
tem to show that every major GSM service operators to explore new business opportu-
can indeed be supported over Bluetooth nities including improved indoor coverage.
radio and an IP-access network. This is especially interesting in North


3GPP Third Generation Partnership Project GPRS General packet radio service PAN Personal area network
AAA Authentication, authorization and GSM Global system for mobile PLMN Public land mobile network
accounting communications PS Packet switched
AKA Authentication and key agreement GUI Graphical user interface RADIUSRemote authentication dial-in user
AP Access point HBSC Home BSC server/service
AUC Authentication center HLR Home location register SCCP Signaling connection control part
BSC Base station controller HPLMN Home PLMN SEGW Security gateway
BSSAP Base station subsystem application HSN Mobile@Home support node SGSN Serving GPRS support node
part HSS Home subscriber server SIM Subscriber identity module
BSSMAP Base station subsystem IEEE Institute of Electrical and Electronics SMLC Serving mobile location center
management application part Engineers SMS Short message service
CBC Cell broadcast center IETF Internet Engineering Task Force SS Supplementary service
CC Call control IKE IPsec key exchange TCP Transmission control protocol
CDMA Code-division multiple access IMS IP Multimedia Subsystem UMA Unlicensed mobile access
CGI Cell global identity IMSI International mobile subscriber UMTS Universal mobile
CS Circuit switched identity telecommunications system
DHCP Dynamic host configuration protocol IP Internet protocol UNC UMA network controller
DNS Domain name server/service IPsec IP security protocol USIM Universal SIM
DSL Digital subscriber line LAI Location area identity UTRAN UMTS terrestrial radio access
DTAP Direct transfer application part MAC Media access control network
EAP Extensible authentication protocol MAP Mobile application part VoIP Voice over IP
EDGE Enhanced data rates for GSM MM Mobility management VPLMN Visited PLMN
evolution MSC Mobile services switching center WCDMA Wideband CDMA
FQDN Fully qualified domain name MTP Message transfer part WiFi Wireless fidelity (IEEE 802.11
GA-CSR Generic access circuit-switched NAT Network address translation/ wireless networking)
resource translator WLAN Wireless local area network
GAN Generic access network O&M Operation and maintenance (see also WiFi)
GANC GAN controller OSI Open Systems Interconnection Wm An interface developed in 3GPP for
GERAN GSM/EDGE radio access network OSS Operation support system interworking with WLAN

92 Ericsson Review No. 2, 2005

America where the majority of GSM net-
works operate on the 1900MHz spectrum
and only limited coverage is provided
in many residential areas. Thanks to
Mobile@Home, operators can now deploy
and extend local indoor coverage without af-
fecting end-user behavior or sacrificing
functionality. Indeed, Mobile@Home pro-
vides a seamless user experience between the
operator and home networks.
Operators might also opt to deploy voice
services over broadband access. There are cur-
rently several alternatives for doing so, but
most of them require a personal
computer, which severely limits interoper-
ability, functionality and convenience.
Mobile@Home, by contrast, combines the
broadband network with the infrastructure Figure 1
of the mobile core network while preserving Ericsson Mobile@Home.
the role of the mobile handset. And because
it reuses existing functionality in the mobile
core network, such as charging, authentica-
tion and end-user administration, the impact
of deploying Mobile@Home is limited to
the configuration of the new access network.
End-user benefits GAN overview
Ericsson’s Mobile@Home solution guaran-
tees a consistent end-user experience in Figure 2 shows the GAN architecture. The
WiFi and wide area radio domains. Each Up interface, which is the heart of the stan-
end-user handset has only one number, dard, determines how a handset communi-
which works independently of access cates with the network, represented by the
method and location. generic access network controller (GANC),
Mobile@Home-enabled handsets come formerly the UMA network controller
preconfigured and do not require any more (UNC). The Up interface assumes that the
end-user configuration than an ordinary handset is capable of exchanging IP packets
GSM handset would. End users experience
transparent functionality, seamless mobili-
ty between the two domains and two-way
roaming and handover.
IP Multimedia Subsystem (IMS) services
Figure 2
function equally well in the Mobile@Home Architecture of the generic access network (GAN).
network as in GERAN and UTRAN.
Therefore, new services introduced through
IMS for GERAN and UTRAN will be avail-
able in Mobile@Home with full end-user
transparency and mobility.

The Mobile@Home solution is based on the
3GPP GAN standard, which was developed
through a process that involved handset and
network vendors to minimize the impact on
mobile handsets by drawing on existing im-
plementations. This approach reduces time
to market, ensures interoperability between
a wide range of handsets and networks, and
promotes the commercial availability of
handsets from multiple vendors.

Ericsson Review No. 2, 2005 93

with the GANC as described in other stan- between the handset and the Provisioning
dards – for example, the Bluetooth standard GANC, which is the initial point of contact
for personal area networks (PAN), the WiFi in the GAN. The handset is either given the
standard (IEEE 802.11), and a variety of address of the Provisioning GANC or can
broadband access standards (cable, xDSL, derive the address from information in the
and so on). In other words, one may use a SIM or USIM. The main tasks of the Provi-
standard WiFi access point. sioning GANC are to allow access to the
Figure 2 also shows that the GANC em- GAN and to allocate a Default GANC to
ploys standard A and Gb interfaces to the each handset. Allocation is based on sub-
mobile core network. As a consequence, the scription information in the Provisioning
core network is not aware that the GANC GANC and information provided by the
represents a different type of access network. handset during the discovery procedure.
It treats the GANC as an ordinary GSM ac- The best default GANC, for example, might
cess network, permitting all major GSM ser- be one that is close to the end user’s resi-
vices including IMS packet-based services. dence.
An IPsec tunnel between the handset and The Default GANC is the handset’s main
the security gateway (SEGW) in the gener- point of contact in the GAN. Any time the
ic access network protects information sent handset tries to access the GAN from a new
over the Up interface. All traffic over the Up location, it must initiate registration with
interface is sent inside this tunnel and the Default GANC, providing information
switched or routed between the SEGW and on the current GERAN or UTRAN cell.
GANC. The SEGW makes use of the Wm The Default GANC then determines which
interface to an authentication, authorization GANC can best serve the handset at its pre-
and accounting (AAA) server. A subset of sent location. If the Default GANC redirects
the Wm interface is used to authenticate the handset to a different Serving GANC,
users when the IPsec tunnel is being estab- the handset will have to initiate registration
lished. The GAN standard defines the func- with that GANC.
tions and procedures needed in the Up in- The Default GANC might also accept the
terface registration and become the Serving
• to support seamless mobility (handover GANC. Indeed, assuming the correct De-
and roaming) between GAN and GSM fault GANC has been allocated, this will be
and between GAN and WCDMA; and the regular outcome. Once the registration
• to provide access to services in the mobile has been accepted, the Serving GANC re-
core network. turns relevant GAN system information to
the handset over the established connection.
Security This information is thus not broadcasted in
GAN security is based on the security mech- the GAN. The GANC stores information
anisms defined for the Interworking WLAN about the handset for mobile terminating
IP Access scenario (3GPP). The IPsec tunnel procedures, such as paging.
Figure 3 protects all control signaling and user plane Ordinarily, the Serving GANC has a con-
The handset displays a symbol to indicate traffic over the Up interface between the nection to the mobile services switching
that it is being served by the GAN.
handset and the network. Therefore an IPsec center (MSC), which controls the macro cell
tunnel must be established before the hand- in which the user resides. This makes it eas-
set can communicate with the GANC. ier to support handover between the GAN
Using SIM or USIM credentials (similar to and macro network. The Serving GANC ac-
GERAN/UTRAN) the system authenti- cepts all service requests from the handset.
cates the handset when the tunnel is being The handset stores the address of the GANC
established. IETF specifications define the and information on the current cell. The
protocols for this procedure. They include next time the handset connects to the GAN
IKEv2, EAP-SIM and EAP-AKA. in this macro cell, it sends its request di-
rectly to the Serving GANC. If the GANC
Allocation of the correct GANC reports a new location area, the handset
The access network between the handset and sends a location update message via the
the GANC is based on internet protocols. GAN. The handset may then display a sym-
In principle, this means the handset has ac- bol to indicate that it is being served by the
cess to different GANC nodes in the GAN. GAN (Figure 3). When this symbol is dis-
Discovery and registration procedures are played, end users know that all originating
used to allocate the best GANC for the hand- and terminating traffic is being routed via
set in its current location. Discovery is used the GAN.

94 Ericsson Review No. 2, 2005

Figure 4
Rove-in example (see also Box B).

Rove-in and rove-out Transparent access to services in the

The GAN standard uses the term roving to mobile core network
describe roaming between WiFi coverage The protocols in the Up interface provide
and GERAN/UTRAN coverage. Rove-in transparent support for services in the mo-
means the handset has begun communicat- bile core network. All upper-layer messages
ing actively using the protocols in the Up are tunneled over the Up interface and inter-
interface to serve the upper OSI layers in the worked with existing mechanisms in the A
handset (Box B). These upper layers include and Gb interfaces.
mobility management and support for SMS,
call control and supplementary services. GPRS support in GAN
Rove-out means the handset has stopped The Up interface also transports GPRS con-
communicating via the protocols in the Up trol signaling and user-plane traffic. Specif-
interface; instead, relevant GERAN/ ic procedures and design principles for
UTRAN protocols are used to serve the GPRS support in GAN allow the network
upper layers in the handset. to support a very large number of handsets,


Figure 4 shows an example of GAN rove-in; interface to the AAA server. The SEGW also handset in its current location and stores all
that is, of a handset that registers to a Default allocates an IP address to the handset from necessary information.
or Serving GANC. The handset in this example the DHCP server. • Step 7
is in idle mode. At the outset it is attached to • Step 3 The GANC informs the handset that it has
the network via GPRS and camped on a Step 3 is dependent on the GANC address accepted the registration and transmits GAN
GERAN cell. information contained in the handset. If the system information.
• Step 1 handset has the FQDN of the GANC (for • Step 8
The handset joins an access point (AP) to instance, it performs a The handset opts for rove-in; the relevant
gain IP connectivity. DNS query via the IPsec tunnel in the private part of the system information is passed to
• Step 2 DNS to retrieve the IP address of the GANC. its upper layers. In this example, the location
Step 2 is dependent on SEGW address • Step 4 area identity (LAI) indicated by the GANC
information contained in the handset. If the The handset establishes the TCP connec- differs from that of the last registered LAI.
handset has the fully qualified domain name tion to the GANC. • Step 9
(FQDN) of the SEGW (for instance, ganc- • Step 5 The upper layers in the handset initiate loca- it performs a DNS The handset initiates registration with the tion area update in the MSC (same proce-
query in the public DNS to retrieve the IP GANC. Among other things, the handset dure as for GERAN/UTRAN).
address of the SEGW (not pictured). It then provides its international mobile subscriber • Step 10
establishes the IPsec tunnel to the SEGW. identity (IMSI) and the GERAN cell identifier. The upper layers in the handset initiate a
As part of this procedure, the SEGW • Step 6 routing area update in the SGSN (same pro-
authenticates the handset using the Wm The GANC accepts registration from the cedure as for GERAN/UTRAN).

Ericsson Review No. 2, 2005 95

particularly as the GAN does not need to over GERAN/UTRAN and existing
keep specific data on idle handsets in the location-determination services are used.
GPRS part of the GANC. The GAN also Otherwise, emergency calls are placed over
supports flexible load distribution. the GAN. Location-determination mecha-
nisms in the GAN are used to guide the core
Location services network in routing to the correct emergency
Several methods may be employed to deter- center, and when requested to do so, to de-
mine the location of a handset registered to liver more exact location information to the
the GAN. These methods use information mobile core network.
configured in the GAN and information re-
ceived from the handset during registration. GAN protocol architecture
The handset informs the GANC where (that Figure 5 describes the protocol architecture
is, on which GERAN or UTRAN cell) it is of the GAN circuit-switched (CS) domain
camped. It also identifies the current WiFi control plane. The new protocols defined in
or Bluetooth access point. The GANC can the GAN standard (generic access circuit-
use an external database to map this data to switched resources, GA-CSR, and below)
the exact geographical location of the access serve mobility management and other upper
point. The handset might also report the ge- OSI layers (in place of the GERAN and
ographic location to the GANC. In addi- UTRAN radio resource-management pro-
tion, the security gateway sees the public IP tocols).
address of the handset. In some situations, A TCP connection between the handset
this information can be used to determine and GANC transports the protocols for the
the geographic location of the handset and CS control plane using the IPsec tunnel be-
to check that the access point has not been tween the handset and the SEGW.
moved. The handset might also include a The protocol layers above GA-CSR –
street address in its registration request to mobility management (MM), call control
the GANC; this information can be mapped (CC), supplementary services (SS), and
to a geographic location using external data- SMS – are unmodified and transported
bases. transparently between the handset and the
MSC. The protocols are tunneled in the GA-
Emergency services CSR protocol over the U p interface and
Operators can stipulate whether emergency transported using standard mechanisms
calls will be directed from handsets through over the A interface, which is the interface
GERAN/UTRAN or GAN. If the GANC between the MSC and GANC. Signaling
indicates GERAN/UTRAN, and this cov- over the A interface complies with the base
erage is available, emergency calls are placed station system application part (BSSAP)

Figure 5
Circuit-switched control plane over the
Up interface.

96 Ericsson Review No. 2, 2005

Figure 6
Mobile@Home network architecture.

protocol, which uses the message transfer over the Up interface. It is based on a stan-
part (MTP) and signaling connection con- dard Ericsson base station controller (BSC)
trol part (SCCP). BSSAP messages can be di- with the addition of IP connectivity for Up
vided into two categories: interface support. Therefore, the HBSC has
• transparent direct transfer application inherited support for virtually every core
part (DTAP) messages sent between the network interface and signaling standard. In
handset and MSC; and short, Ericsson designed and built the HBSC
• non-transparent base station subsystem to have the carrier-class performance of its
management application part (BSSMAP) other radio access solutions.
messages sent between the GANC and The Mobile@Home solution can be de-
MSC. ployed in several ways:
The GANC performs the necessary inter- • Few centralized stand-alone HBSC nodes.
working between the BSSMAP and GA- • Distributed stand-alone HBSC nodes.
CSR protocols. • Integrated HBSC functionality in all or
Control signaling and user-plane data for some (Ericsson) BSC nodes.
GPRS are interworked toward the SGSN in The latter approach has several obvious ben-
a similar way using standard Gb interface efits: operators, for instance, do not need ad-
protocols and procedures. ditional floor space or sites, because the nec-
essary hardware and infrastructure (power,
Ericsson’s Mobile@Home cooling, transmission, OSS connection, and
so on) are already in place. In addition, when
solution connected to the HBSC the handset uses ex-
Mobile@Home – Ericsson’s solution for the isting BSC resources, such as transcoders.
GANC – is 100% compatible with UMA Because each handset uses either the GAN
specifications and the GAN standard, and or GERAN there is no need for extra
also offers some security enhancements. Fig- transcoders. The handsets can be redirected
ure 6 shows the main components, or nodes, to the combined HBSC/BSC, which serves
of this solution: the HBSC, SEGW and the macro network. This minimizes net-
HSN. work signaling and the operation and main-
tenance (O&M) needed for handovers, be-
HBSC cause the handovers take place inside the
The home base station controller (HBSC), same piece of hardware (the combined
the main node in the Mobile@Home solu- HBSC/BSC).
tion, implements the three logical roles A stand-alone HBSC can be deployed
(Provisioning, Default and Serving) of the without transcoders, reusing the transcoder
GANC and interworks with the handset pool from an existing BSC/TRC. Each

Ericsson Review No. 2, 2005 97

HBSC can be connected to several MSCs. network’s cell position and comparing it
Initially, one may thus deploy the with the stored position of the access point.
Mobile@Home solution using only a few If a discrepancy is detected the subscriber or
HBSC nodes. operator is informed.

The Mobile@Home support node (HSN) is The security gateway (SEGW), the termi-
an optional part of the Mobile@Home so- nation point for the security part of the Up
lution. It introduces a layered architecture interface on the network side, terminates
that improves the management of informa- the IPsec tunnel from the handset and for-
tion in large networks. Ordinarily, this node wards the IP packets of the unencrypted Up
is placed in a central location where it interface to the HBSC. In the downlink, it
is available to every HBSC in the receives unencrypted IP packets from the
Mobile@Home network. The HSN is used HBSC and routes and encrypts them in the
to centrally configure data for extended reg- IPsec tunnel specified by the destination IP
istration checks, triggering functions and address. The SEGW interworks with AAA
location services. servers via the RADIUS protocol to help au-
thenticate IPsec tunnel establishment. In
Extended registration check addition, by interworking with DHCP
An extended registration check is used to servers, it allocates IP addresses to the hand-
control access to the GAN, for instance, by set during IPsec tunnel establishment. The
checking to see whether or not an access SEGW provides the security functions spec-
point or IP network has been blacklisted. It ified in the GAN standard. These include
may also be used to enhance charging func- IKEv2, EAP-SIM, EAP-AKA and NAT
tions for the core network, so that specific traversal.
cell rates solely apply to specific access SEGWs may run in high-availability (hot
points. The check can also trigger an infor- standby) mode or N+1 redundancy. This
mation message to an external service node way, if one SEGW fails there is always spare
(for example, a presence server). capacity in the remaining SEGWs. Load on
the SEGW is balanced by means of a sepa-
Location service functions rate load balancer or DNS round-robin
Location service functions maintain posi- functionality. In addition, Ericsson has de-
tioning information. If the handset is able veloped enhanced functionality for security
to report its geographic location, this infor- and for controlling and regulating load on
mation can be provided to the HSN auto- the SEGWs.
matically during registration. Location in-
formation can also be provided per access Support and other nodes
point, or in some cases, per IP address. The
address used for a subscription can be auto- AAA server
matically translated into longitude and lat- The Mobile@Home solution reuses the
itude. This information can be verified, for Ericsson AAA server that supports the same
example, by using the serving mobile loca- trusted security mechanism used in stan-
tion center (SMLC) to retrieve the macro dard GSM systems – the EAP-SIM-based


• Mobile@Home is a trademark of
Telefonaktiebolaget LM Ericsson
• UNIX is a registered trademark of the Open
• Windows is a registered trademark of
Microsoft Corporation

98 Ericsson Review No. 2, 2005

authentication mechanism. For handsets without the need for operation and mainte-
with USIM, it also supports authentication nance or cell configuration or planning.
based on the EAP-AKA protocol. The HBSC is based on standard AXE, so
The AAA server supports mobile appli- customers that have an Ericsson OSS need
cation part (MAP) versions 2 and 3 for the only add one further BSC. After that, all
retrieval of GSM, GPRS and UMTS au- alarm-handling, backups, software upgrades,
thentication information. It uses standard and so on work as normal. Customers with-
MAP messages to request authentication out an Ericsson OSS can manage the HBSC
data from the HLR/AUC/HSS. The with an element manager running on Win-
Mobile@Home solution can use any stan- dows or UNIX. Windows-based element
dard AAA server that supports EAP-SIM managers provide some support for handling
and EAP-AKA, and has the necessary func- alarms, collecting statistics and so forth.
tionality for requesting authentication in- Depending on the network scenario, the
formation from the HLR/AUC/HSS. HBSC can be configured to appear (to the
core network) as one or more GSM cells. For
DNS and DHCP servers example, the selection of a cell global iden-
The Mobile@Home solution can use any tity (CGI) for a handset attached to the GAN
standard DNS or DHCP server. For opti- can be matched to the macro location area
mum performance, it can be provided with reported by the handset when it attached to
the Ericsson IPWorks software package, the HBSC. This way, all emergency calls can
which contains DNS and DHCP servers. be routed to the correct city or region.
IPWorks provides the carrier-class charac-
teristics required of telecommunications
systems: high capacity, availability, en-
hanced functionality, a user-friendly and Ericsson’s Mobile@Home solution is not
secure O&M interface, extensive redundan- about new functionality or multimedia ser-
cy functions, statistics, and load balancing. vices. Instead, it is a new access network for
In addition, IPWorks supports dynamic the mobile core network. In short, it turns
DNS and responds to DNS queries with a a mobile handset into a single personal com-
working and available IP address. munication device. When at home, the
handset connects to services through WiFi
Mobile core network and broadband connections but when on the
Mobile@Home can connect to any mobile move it uses GSM and WCDMA networks.
core network node provided the node uses Moreover, it provides seamless transition
standard interfaces. between the access networks.
Mobile@Home also enables operators to
Mobile@Home O&M use existing network infrastructure to
The Mobile@Home solution uses unlicensed launch communication services over IP in
radio frequencies. Therefore, to use it, oper- end users’ homes. And they can reuse their
ators need only configure static equipment, provisioning systems, billing systems and so
such as signaling terminals, A interface cir- on. For operators and end users alike,
cuits, and Gb and IP interfaces. Terminals Mobile@Home is a clear step toward voice
and access points may thus come and go over WiFi through a converged network.


1 3GPP TS 43.318, Generic Access to the

A/Gb Interface; Stage 2
2 3GPP TS 44.318, Generic Access to the
A/Gb Interface; Stage 3

Ericsson Review No. 2, 2005 99