Professional Documents
Culture Documents
doc
CS domain
Course Objectives:
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 1/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
Contents
1.1 Introduction.............................................................................................................................................1
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 2/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
Key points
1.1 Introduction
As shown in Fig. 1.1 -1, the mobility management sub-layer (MM) is the function
provided by the terminal and network to support user mobility. It belongs to the radio
network application layer, and supports transparent transmission in the radio network
system (RNS).
The MM sub-layer implements the mobility and roaming of UEs in the PLMN, such as
location update, TMSI re-allocation, authentication and security management. In
addition, the MM sub-layer provides connection management service for the upper
connection management (CM) sub-layer, that is, when the CM sub-layer needs to
communicate with its peer entity, the signaling connection set up by the MM sub-layer
is required.
The MM process can be implemented only when the RRC connection between the UE
and the network is established, and the RRC connection shall be initiated by the MM
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 3/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
sub-layer.
In the ZXWN MSCS, mobility management services involve the location update unit,
security management unit, user data management unit and error recovery processing
unit, as shown in Fig. 1.1 -2.
Because of the mobility of mobile users, the locations of mobile users frequently
change. To easily obtain location information about mobile users in processing call
services, SMS and supplementary services and improve radio resource utilization
efficiency, the system registers the location information about mobile users in the
network and reports the activation status of mobile users, that is, to initiate the location
update service.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 4/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
users periodically.
When the roaming location area of a mobile user changes, the MS initiates the
location update operation. If the original location area (LA) and the new LA
belong to the same MSCS/VLR, the data can be modified easily in the VLR. If
they do not belong to the same MSCS/VLR, the new MSCS/VLR requests the
data of the MS from the HLR. The HLR sends the information that the new
MSCS/VLR requests and notifies the original MSCS/VLR to delete the location
information and register the MS in the new MSCS/VLR. When the MS updates
the location to the new MSCS/VLR with the TMSI and PLAI which is not in the
new MSCS/VLR, the new MSCS/VLR can calculate the previous VLR (PVLR)
address according to the TMSI and PLAI, send a discrimination request to the
PVLR, and request the IMSI of the MS and unallocated authentication
parameter set from the PVLR.
The specific process varies with the difference between the location information
reported by the MS and that registered in the VLR and HLR. When the new
location area registered by the MS is not in the original MSCS/VLR, or the
location area information about the MS is undetermined, it is required to initiate
the location update to the HLR. Otherwise, there is no need to initiate the
location update to the HLR. The following describes these two cases.
Fig. 1.1 -3 shows the process without initiating location update to the HLR.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 5/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 6/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
5:(TMSI_Reallocation_CMD)
If the user subscribes the relevant encryption service, the MSCS/VLR initiates
this operation to allocate new TMSI number for the user.
6: (Update_Location_Area_ack)
After the MSCS/VLR finishes processing the location update initiated by the
MS, it returns an acknowledgement message to the MS.
7: (TMSI_Reallocation_COM)
If the new TMSI of the user is set successfully, the result is returned to the
MSCS/VLR.
8: (IU_REL_CMD/IU_REL_COMPLETE)
After receiving the new TMSI setting completion message, the MSCS/VLR
sends a clear command to the user. The MS returns an acknowledgement
message. The processing ends.
Fig. 1.1 -4 shows the process with initiating location update to the HLR.
Update_Location_Area_REQ
Step 1
Update_Location
Step2
Cancel_Location
Step3
Cancel_Location_ack
Step 4
Activate_Trace_Mode
Activate_Trace_Mode_ack Step 5
Insert_Subscriber_Data
Step6
Insert_Subscriber_Data_ack
Step 7
Forward_Check_SS_Indication
Step8
Update_Location_ack
Step 9
Update_Location_Area_ack
Step10
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 7/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
Process description:
1: (Update_Location_Area_REQ)
The MS initiates a location update request to the MSCS/VLR. The MSCS/VLR
receives the location update request sent by the MS, checks the validity of user
data, and judges the location update type to determine the subsequent
operations.
2: (Update_Location)
· The user powers on the mobile phone for the first time.
· The user data is incorrect or inconsistent with that in the HLR due to the VLR
restartup or specific reasons.
3: (Cancel_Location )
The MSCS/VLR receives the location deletion request from the HLR, deletes
the record from user data according to the IMSI in the parameters, and releases
the TMSI of the user.
4: (Cancel_Location_ack)
No matter whether the user registers in the VLR, the MSCS/VLR returns the
location deletion acknowledgement to the HLR, and closes the session.
5: (Activate_Trace_Mode/Activate_Trace_Mode_ack)
The MSCS/VLR receives the Activate_Trace_Mode request from the HLR, and
returns the Activate_Trace_Mode acknowledgement to the HLR directly. The
MSCS sets user tracing flag in the related data area and traces the user.
6: (Insert_Subscriber_Data )
The MSCS/VLR sends a location update request to the HLR which initiates the
user data insertion operation, and sends the user data stored in the HLR to the
VLR.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 8/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
The MSCS/VLR verifies that all the user data sent by the HLR is correct, and
returns the acknowledgement primitive to the HLR.
8: (Forward_Check_SS_Indication)
9: (Update_Location_ack)
10: (Update_Location_Area_ack)
The MSCS/VLR finishes processing the location update initiated by the MSCS,
and then returns the acknowledgement message to the MS.
If the Gs interface is connected, the SGSN notifies the VLR to initiate the
location update after the GPRS location update ends. This is combined location
update, as shown in Fig. 1.1 -5.
MAP_UPDATE_GPRS_LOCATION_REQ
Step1
MAP_INSERT_SUB._DATA_REQ
Step2
MAP_INSERT_SUB._DATA_ACK
Step3
MAP_UPDATE_GPRS_LOCATION_ACK
Step4
Gs_GPRS_LOCATION_UPDATING_REQ
Step5
MAP_UPDATE_LOCATION_REQ
Step6
MAP_INSERT_SUB._DATA_REQ
Step7
MAP_INSERT_SUB._DATA_ACK
Step8
MAP_UPDATE_LOCATION_ACK
Step9
Gs_GPRS_LOCATION_UPDATING_ACK
Step10
This location update service process is the same as the common location update service
process.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 9/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
When an MS is switched off, the MSCS cannot obtain this state due to poor radio
quality or other reasons, but considers that the MS is in “attach” state. When an MS is
switched on but it roams beyond the coverage, namely in the dead zone, the MSCS
cannot know the actual state of the MS, and it considers that the MS is still in “attach”
state. In these two cases, if the user is called, the system constantly sends paging
messages. This wastes radio resources.
To solve the above problem, the MSCS takes the compulsory register measure. The MS
shall register at a regular interval. This is periodical location update.
If the user does not perform any operation for a long time (The system administrator
can set the time flexibly. In general, it is 24 hours), the system administrator requires
that the invalid user record in the VLR shall be deleted through the OMC. The VLR
deletes the user data and notifies that to the HLR.
The periodical location update process is the same as the common location update
process.
When an MS is switched off (or the SIM card is taken off), the MS cannot set up any
connection. If the MSCS still implements normal paging, the resources are wasted. To
introduce the IMSI attach/detach procedure is to avoid resource waste.
The user will initiate the location update operation when switching on the MS. The
current location area will be registered in the MSCS/VLR where the user is located. If
the current MSCS/VLR has no user record, it requests user data from the HLR
according to the IMSI of the user. The HLR records the current location of the user
(records the current MSCS/VLR number), and transmits the user data to the
MSCS/VLR. The MSCS/VLR sets the user state to “attach”.
If the MSCS/VLR has user data, it does not need to request data from the HLR. The
system initiates the location update operation in the MSCS/VLR, and then sets the user
state to “attach”.
When the MS is being switched off, the MS sends a message to the MSCS/VLR. The
network considers that the MS is switched off after receiving the message, and sets the
user state to “detach”.
The IMSI attach process is the same as the location update process. The location
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 10/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
update type parameters in different location update request are different. The location
update type parameters include these values: Normal location update, periodical
location update and IMSI attach. For the location update procedure, the location update
type parameter value is “Normal location update” or “Periodical location update”. For
the IMSI attach procedure, the location update type parameter value is “IMSI attach”.
1.1.3.1 Overview
From the perspective of technologies, the radio transmission is unsafer than the fixed
line transmission. The ZXWN MSCS ensures the security of the system in the
following ways:
2. Protecting the privacy of users. This is implemented through the encryption and
integrity protection.
3. Preventing the fraud of user IMSI. This is implemented through the TMSI
allocation.
The authentication is to protect legal users and void intrusion of illegal users.
The authentication of the UMTS is implemented through the authentication and key
agreement (AKA) procedure. During the AKA procedure, the bidirectional
authentication is adopted. Not only the network can authenticate users, but also users
can authenticate the network. This prevents unauthorized illegal users from access to
the network, and prevents unauthorized illegal network from providing services for
users. Compared with the GSM authentication, the UMTS authentication has these
advantages:
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 11/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
· The RAND, Ki, AMF and SQNhe generate the authentication code MAC-A
through the f1 algorithm.
· The RAND and Ki generate the response number XRES through the f2
algorithm of the AUC.
· The RAND and Ki generate the encryption key CK through the f3 algorithm of
the AUC.
· The RAND and Ki generate the integrity key IK through the f4 algorithm of the
AUC.
· The RAND and Ki generate the anonymity key AK through the f5 algorithm of
the AUC.
If the SQN is to be protected, use the AK to encrypt the SQN ( XOR ), and link
the SQN, AMF and MAC-A to form an authentication token AUTN. In this way,
the RAND, XRES, CK, IK and AUTN form an authentication quintuple. The
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 12/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
RAND
K K K
AMF
The generation process of the XMAC-A, RES, CK and IK in the USIM is shown
in the figure below.
RAND
SQN ⊕ AK
K K K
AMF
11
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 13/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
MS VLR/SGSN HLR/AUC
Step1:
Step1: Step1: Generate
Calculate according Transmit authentication
to Ki and AUTN to AuthReq RAND and SendAuthInfoReq vector according
check to the parameters
XMAC_A=XMAC_ AUTN to the
such as Ki, SQN
A? Check whether MS and AMF
the SQN is within
the correct range? (RAND, AUTN,
RES, CK, IK).
invokes the AUC interface function to obtain the authentication parameter set.
The UMTS user applies for the quintuple, and the GSM user applies for the
triplet. The number of applied sets is up to 5.
· The AUC searches the parameters such as Ki, SQN and AMF in the database
table according to the IMSI of the user, generates several sets of RANDs, and
computes the corresponding XRES, CK, IK and AUTN.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 14/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
· The MS obtains the RES through the same f2 algorithm according to the Ki and
RAND, obtains the CK through the same f3 algorithm, obtains the IK through
the same f4 algorithm, and sends the calculated RES to the VLR/SGSN.
· In the VLR/SGSN, compare the RES calculated by the MS with that calculated
by the AUC. If they are the same, it indicates that the user is a legal user. The
network finishes authenticating the user.
3. Re-synchronization procedure
When the MS fails to authenticate the SQN, it indicates that the SQN is not
within a correct range. A re-synchronization procedure shall be initiated to re-
synchronize the sequence number of the MS and that in the HLR/AUC.
1. Encryption service
The user data and some signaling information elements are considered sensitive,
and shall be encrypted and protected. To ensure the confidentiality of the
identity, the TMSI of a temporary user must be transmitted in the protected
format during the allocation and other signaling process. This service is
implemented by using the encryption algorithm on the private channel between
the ME and the RNS.
· Encryption method
The figure below describes how to use the encryption algorithm f8 to obtain the
13
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 15/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
cipher text. The cipher text is obtained in the case of the key stream exclusive or
the plain text. The plain text is obtained in the case of the cipher text exclusive
or the key.
CK f8 CK f8
KEYSTREAM KEYSTREAM
BLOCK BLOCK
Sender Receiver
UE or RNC RNC or UE
COUNT-C: 32 bits. Each logical RLC AM channel and each RLC UM channel
have a COUNT-C value, and the logical channel using the transparent RLC
mode (and mapping to DCH) has a COUNT-C value. The COUNT-C value
consists of two parts: “short” sequence number and “long” sequence number.
CK: 128 bits. The CK is saved in the USIM, and backed up in the ME. Once the
request of the ME is received, the CK is sent to the ME from the USIM.
BEARER: 5 bits. Each user has only one parameter BEARER that is
multiplexed on a separate 10 ms physical layer frame. It is used to avoid using
the same input parameter for different key streams.
DIRECTION: 1 bit. It is used to prevent the integrity algorithm from using the
same input parameter in calculating message authentication code for the uplink
14
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 16/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
and downlink. The DIRECTION of the message from the UE to the RNS is set
to 0, and that of the message from the RNS to the UE is set to 1.
LENGTH: 16 bits. The length indicator indicates the length of the required key
stream.
2. Integrity protection
Fig. 1.1 -10 shows the process of using the integrity protection algorithm f9 to
validate the data integrity of the signaling message.
IK f9 IK f9
MAC -I XMAC -I
Sender Receiver
UE or RNC UE or RNC
The algorithm input parameters include integrity key (IK), integrity sequence
number (COUNT-I), network generated random value (FRESH), direction
(DIRECTION) and signaling data MESSAGE. Based on these input parameters,
the user uses the integrity algorithm f9 to compute the data integrity message
authentication code MAC-I. The MAC-I is transmitted with the message at the
radio access link. The receiver computes the XMAX-I of the message, and
compares it with the MAC-I sent by the transmitter to check the integrity of the
received data.
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 17/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
COUNT-I: 32bits. Each logical signaling channel has a COUNT-I. The COUNT-
I consists of two parts: “short” sequence number and “long” sequence number.
IK: 128 bits. The IK is stored in the USIM, and backed up in the ME. After the
request of the ME is received, the IK is sent to the ME from the USIM.
FRESH: The FRESH at the network side is 32 bits. Each user has only one
FRESH parameter that is used to protect the network for being attacked by the
user signaling replay.
DIRECTION: 1 bit. It is used to prevent the integrity algorithm from using the
same input parameter in calculating message authentication code for the uplink
and downlink. The DIRECTION of the message from the UE to the RNS is set
to 0, and that of the message from the RNS to the UE is set to 1.
The TMSI instead of the IMSI is transmitted over the radio channel. This enhances the
secrecy of the user identity. The value of the TMSI is determined in the VLR, so the
TMSI is only valid in the VLR area. The TMSI includes the time information and the
information used for distinguishing the user identity. Once a new TMSI is allocates
successfully, it is transmitted to the MS in encrypted mode.
The VLR can conduct the IMEI check in setting the location update and access request.
In the CheckIMEI response initiated in the VLR, check whether the IMEI is the same
as the expected value. The VLR also can send the ObtainIMEI request.
After the subscription information in the HLR changes, the synchronization message is
initiated to keep the user data in the VLR consistent with that in the HLR. The
synchronization methods are as follows:
16
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 18/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
VLR HLR
MAP_INSERT_SUBSCRIBER_DATA
(a)
MAP_INSERT_SUBSCRIBER_DATA_ack
(b)
Process description:
1) The HLR initiates a request for inserting user data to the VLR (According to the
amount of user data, the data is transmitted through one or multiple packets).
2) After the user data is inserted into the VLR, the VLR returns a response.
In deleting the subscription information about a user, the HLR deletes the user
data. Fig. 1.1 -12 shows the service process.
VLR HLR
MAP_DELETE_SUBSCRIBER_DATA
(a)
MAP_DELETE_SUBSCRIBER_DATA_ack
(b)
Process description:
1) The HLR initiates a request for deleting user data from the VLR.
2) After the VLR deletes the related subscription information, the VLR returns a
response.
17
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 19/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
1. VLR restart
The VLR may stop working due to faults or sudden power off. After restart-up,
the data in the VLR must be restored. The restoration methods are as follows:
1) When triggering the VLR restoration operation during the operation procedures
such calling and SMS, the HLR transmits the user data to the VLR. The
following figure shows the process.
VLR HLR
MAP_RESTORE_DATA
(a)
MAP_ACTIVATE_TRACE_MODE
(b)
MAP_ACTIVATE_TRACE_MODE_ack
(c)
MAP_INSERT_SUBSCRIBER_DATA
(d)
MAP_INSERT_SUBSCRIBER_DATA_ack
(e)
MAP_RESTORE_DATA_ack
(f)
Process description:
a. During the operation procedures such as calling and SMS, the VLR initiates
the data restoration request to the HLR.
b. If the user is to be activated and traced, the HLR sends a request for activating
the user tracing to the VLR.
c. The VLR responds and sets the user to activated state, and sends an
acknowledgement of activating the user tracing to the HLR.
d. The HLR sends a request to the VLR, and inserts the user data (According to
the amount of user data, the data may be inserted through one or multiple
packets).
18
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 20/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
e. The VLR where the user is located currently responds and sends an
acknowledgement of user data insertion to the HLR.
2) The restoration operation of the user due to location update is the same as that of
the above “IMSI attach”.
Note: In the GSM Phase I, the VLR uses the Send Parameters service to request
user data from the HLR.
2. HLR restart
After restart-up, the HLR sends the RESET message to the VLR to which the
user in the HLR roams. After receiving the message, the VLR attaches an
uncertainty flag to the data of the user of the HLR. The VLR implements the
location update in the subsequent incoming call or outgoing call to obtain user
data. The figure below shows the process.
VLR HLR
MAP_RESET
19
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 21/22
7/27/2019 TN_SP019_E1_0 Mobility Management Flow in CS domain-25.doc
http://slidepdf.com/reader/full/tnsp019e10-mobility-management-flow-in-cs-domain-25doc 22/22