
GSM Information

Contents
GSM Related Information .... 1
GSM (Global System for Mobile Communications) .... 4
Technical details .... 4
GSM frequency bands .... 5
Voice codec .... 6
The structure of a GSM network .... 6
Subscriber Identity Module (SIM) .... 7
Phone locking .... 7
GSM service security .... 8
Network structure .... 9
The base station subsystem (BSS) .... 9
Base transceiver station .... 9
Base transceiver station (BTS) .... 10
Sectorisation .... 11
Base station controller .... 11
    Transcoder .... 12
Packet control unit .... 13
BSS interfaces .... 13
Network switching subsystem (NSS) .... 14
Mobile switching center (MSC) .... 14
Mobile switching centre server (MSCS) .... 15
Home location register (HLR) .... 15
    Other GSM core network elements connected to the HLR .... 16
    Procedures implemented .... 16
Authentication centre (AuC) .... 16
    Other GSM core network elements connected to the AuC .... 17
    Procedures implemented .... 17
Visitor location register (VLR) .... 18
    Other GSM core network elements connected to the VLR .... 19
    Procedures implemented .... 19
Equipment identity register (EIR) .... 19
Other support functions .... 19
General support functions .... 20
GPRS core structure .... 20
GPRS tunnelling protocol (GTP) .... 21
GPRS support nodes (GSN) .... 22
    Gateway GPRS Support Node (GGSN) .... 22
    Serving GPRS Support Node (SGSN) .... 23
Access point .... 24
PDP Context .... 24
Operations support system .... 25
A brief history of OSS architecture .... 25
TM Forum (formerly the TeleManagement Forum) .... 26
    NGOSS models .... 26
    NGOSS architectural standards .... 26

GSM (Global System for Mobile Communications)


GSM (Global System for Mobile Communications, originally Groupe Spécial Mobile) is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe technologies for second generation (or "2G") digital cellular networks. Developed as a replacement for first generation analog cellular networks, the GSM standard originally described a digital, circuit-switched network optimized for full duplex voice telephony. The standard was expanded over time to include first circuit-switched data transport, then packet data transport via GPRS. Packet data transmission speeds were later increased via EDGE. The GSM standard is succeeded by the third generation (or "3G") UMTS standard developed by the 3GPP. GSM networks will evolve further as they begin to incorporate fourth generation (or "4G") LTE Advanced standards. "GSM" is a trademark owned by the GSM Association. The GSM Association estimates that technologies defined in the GSM standard serve 80% of the world's population, encompassing more than 5 billion people across more than 212 countries and territories, making GSM the most ubiquitous of the many standards for cellular networks.

Technical details

GSM cell site antennas in the Deutsches Museum, Munich, Germany

GSM is a cellular network, which means that cell phones connect to it by searching for cells in the immediate vicinity. There are five different cell sizes in a GSM network: macro, micro, pico, femto and umbrella cells. The coverage area of each cell varies according to the implementation environment. Macro cells can be regarded as cells where the base station antenna is installed on a mast or a building above average roof top level. Micro cells are cells whose antenna height is under average roof top level; they are typically used in urban areas. Pico cells are small cells whose coverage diameter is a few dozen meters; they are mainly used indoors. Femto cells are cells designed for use in residential or small business environments and connect to the service provider's network via a broadband internet connection. Umbrella cells are used to cover shadowed regions of smaller cells and fill in gaps in coverage between those cells.

Cell horizontal radius varies depending on antenna height, antenna gain and propagation conditions from a couple of hundred meters to several tens of kilometers. The longest distance the GSM specification supports in practical use is 35 kilometers (22 mi). There are also several implementations of the concept of an extended cell, where the cell radius could be double or even more, depending on the antenna system, the type of terrain and the timing advance.

Indoor coverage is also supported by GSM and may be achieved by using an indoor pico cell base station, or an indoor repeater with distributed indoor antennas fed through power splitters, to deliver the radio signals from an antenna outdoors to the separate indoor distributed antenna system. These are typically deployed when a lot of call capacity is needed indoors; for example, in shopping centers or airports. However, this is not a prerequisite, since indoor coverage is also provided by in-building penetration of the radio signals from any nearby cell.

The modulation used in GSM is Gaussian minimum-shift keying (GMSK), a kind of continuous-phase frequency shift keying. In GMSK, the signal to be modulated onto the carrier is first smoothed with a Gaussian low-pass filter prior to being fed to a frequency modulator, which greatly reduces the interference to neighboring channels (adjacent-channel interference).

GSM frequency bands


GSM networks operate in a number of different carrier frequency ranges (separated into GSM frequency ranges for 2G and UMTS frequency bands for 3G), with most 2G GSM networks operating in the 900 MHz or 1800 MHz bands. Where these bands were already allocated, the 850 MHz and 1900 MHz bands were used instead (for example in Canada and the United States). In rare cases the 400 and 450 MHz frequency bands are assigned in some countries because they were previously used for first-generation systems. Most 3G networks in Europe operate in the 2100 MHz frequency band. Regardless of the frequency selected by an operator, it is divided into timeslots for individual phones to use. This allows eight full-rate or sixteen half-rate speech channels per radio frequency. These eight radio timeslots (or eight burst periods) are grouped into a TDMA frame. Half rate channels use alternate frames in the same timeslot. The channel data rate for all 8 channels is 270.833 kbit/s, and the frame duration is 4.615 ms. The transmission power in the handset is limited to a maximum of 2 watts in GSM850/900 and 1 watt in GSM1800/1900.

Voice codec
GSM has used a variety of voice codecs to squeeze 3.1 kHz audio into between 5.6 and 13 kbit/s. Originally, two codecs, named after the types of data channel they were allocated, were used, called Half Rate (6.5 kbit/s) and Full Rate (13 kbit/s). These used a system based upon linear predictive coding (LPC). In addition to being efficient with bitrates, these codecs also made it easier to identify more important parts of the audio, allowing the air interface layer to prioritize and better protect these parts of the signal. GSM was further enhanced in 1997[8] with the Enhanced Full Rate (EFR) codec, a 12.2 kbit/s codec that uses a full rate channel. Finally, with the development of UMTS, EFR was refactored into a variable-rate codec called AMR-Narrowband, which is high quality and robust against interference when used on full rate channels, and less robust but still relatively high quality when used in good radio conditions on half-rate channels.

The structure of a GSM network


The network is structured into a number of discrete sections:

The Base Station Subsystem (the base stations and their controllers).
The Network and Switching Subsystem (the part of the network most similar to a fixed network). This is sometimes also just called the core network.
The GPRS Core Network (the optional part which allows packet based Internet connections).
The Operations support system (OSS) for maintenance of the network.

Subscriber Identity Module (SIM)


One of the key features of GSM is the Subscriber Identity Module, commonly known as a SIM card. The SIM is a detachable smart card containing the user's subscription information and phone book. This allows the user to retain his or her information after switching handsets. Alternatively, the user can also change operators while retaining the handset simply by changing the SIM. Some operators will block this by allowing the phone to use only a single SIM, or only a SIM issued by them; this practice is known as SIM locking.

Phone locking
Sometimes mobile network operators restrict handsets that they sell for use with their own network. This is called locking and is implemented by a software feature of the phone. Because the purchase price of the mobile phone to the consumer may be subsidized with revenue from subscriptions, operators must recoup this investment before a subscriber terminates service. A subscriber may usually contact the provider to remove the lock for a fee, utilize private services to remove the lock, or make use of free or fee-based software and websites to unlock the handset themselves. In some countries (e.g., Lebanon, Bangladesh, Hong Kong, India, Malaysia, Pakistan, Singapore) all phones are sold unlocked. In others (e.g., Finland, Singapore) it is unlawful for operators to offer any form of subsidy on a phone's price.[9]

GSM service security


GSM was designed with a moderate level of service security. The system was designed to authenticate the subscriber using a pre-shared key and challenge-response. Communications between the subscriber and the base station can be encrypted. The development of UMTS introduced an optional Universal Subscriber Identity Module (USIM), which uses a longer authentication key to give greater security and mutually authenticates the network and the user, whereas GSM only authenticates the user to the network (and not vice versa). The security model therefore offers confidentiality and authentication, but limited authorization capabilities, and no non-repudiation.

GSM uses several cryptographic algorithms for security. The A5/1 and A5/2 stream ciphers are used for ensuring over-the-air voice privacy. A5/1 was developed first and is a stronger algorithm used within Europe and the United States; A5/2 is weaker and used in other countries. Serious weaknesses have been found in both algorithms: it is possible to break A5/2 in real time with a ciphertext-only attack, and in January 2007, The Hacker's Choice started the A5/1 cracking project with plans to use FPGAs that allow A5/1 to be broken with a rainbow table attack.[10] The system supports multiple algorithms, so operators may replace that cipher with a stronger one.

On 28 December 2009 German computer engineer Karsten Nohl announced that he had cracked the A5/1 cipher.[11] According to Nohl, he developed a number of rainbow tables (static values which reduce the time needed to carry out an attack) and had found new sources for known-plaintext attacks. He also said that it is possible to build "a full GSM interceptor ... from open source components" but that they had not done so because of legal concerns.[12]

New attacks have been observed that take advantage of poor security implementations, architecture and development for smart phone applications. Some wiretapping and eavesdropping techniques hijack[13] the audio input and output, providing an opportunity for a third party to listen in to the conversation. At present such attacks often come in the form of a Trojan, malware or a virus and might be detected by security software.

GSM uses General Packet Radio Service (GPRS) for data transmissions such as browsing the web. The most commonly deployed GPRS and EDGE ciphers were publicly broken in 2011, and the evidence indicates that they were once again intentionally left weak by the mobile industry designers.[14] The researchers revealed flaws in the commonly used GEA/1 and GEA/2 ciphers and published the open source "gprsdecode" software for sniffing GPRS/EDGE networks. They also noted that some carriers don't encrypt the data at all (i.e. using GEA/0) in order to detect the use of traffic or protocols they don't like, e.g. Skype, leaving their customers unprotected. GEA/3 seems to remain relatively hard to break and is said to be in use on some more modern networks. If used with a USIM to prevent connections to fake base stations and downgrade attacks, users will be protected in the medium term, though migration to 128-bit GEA/4 is still recommended. But since GEA/0, GEA/1 and GEA/2 are widely deployed, applications should use SSL/TLS for sensitive data, as they would on Wi-Fi networks.

Network structure
The base station subsystem (BSS)

The base station subsystem (BSS) is the section of a traditional cellular telephone network which is responsible for handling traffic and signaling between a mobile phone and the network switching subsystem. The BSS carries out transcoding of speech channels, allocation of radio channels to mobile phones, paging, transmission and reception over the air interface and many other tasks related to the radio network.

Base transceiver station

Two GSM base station antennas disguised as trees in Dublin, Ireland.

A solar-powered GSM base station on top of a mountain in the wilderness of Lapland

Base transceiver station (BTS)


The base transceiver station, or BTS, contains the equipment for transmitting and receiving radio signals (transceivers), antennas, and equipment for encrypting and decrypting communications with the base station controller (BSC). Typically a BTS for anything other than a pico cell will have several transceivers (TRXs) which allow it to serve several different frequencies and different sectors of the cell (in the case of sectorized base stations).

A BTS is controlled by a parent BSC via the "base station control function" (BCF). The BCF is implemented as a discrete unit or even incorporated in a TRX in compact base stations. The BCF provides an operations and maintenance (O&M) connection to the network management system (NMS), and manages the operational state of each TRX, as well as software handling and alarm collection.

The functions of a BTS vary depending on the cellular technology used and the cellular telephone provider. There are vendors for which the BTS is a plain transceiver which receives information from the MS (mobile station) through the Um (air interface), converts it to a TDM (PCM) based interface, the Abis interface, and sends it towards the BSC. There are vendors which build their BTSs so that the information is preprocessed, target cell lists are generated and even intracell handover (HO) can be fully handled. The advantage in this case is less load on the expensive Abis interface.

The BTSs are equipped with radios that are able to modulate layer 1 of the Um interface; for GSM 2G+ the modulation type is GMSK, while for EDGE-enabled networks it is GMSK and 8-PSK. Antenna combiners are implemented to use the same antenna for several TRXs (carriers); the more TRXs are combined, the greater the combiner loss will be. Up to 8:1 combiners are found in micro and pico cells only.

Frequency hopping is often used to increase overall BTS performance; this involves the rapid switching of voice traffic between TRXs in a sector. A hopping sequence is followed by the TRXs and handsets using the sector. Several hopping sequences are available, and the sequence in use for a particular cell is continually broadcast by that cell so that it is known to the handsets.

A TRX transmits and receives according to the GSM standards, which specify eight TDMA timeslots per radio frequency. A TRX may lose some of this capacity, as some information is required to be broadcast to handsets in the area that the BTS serves. This information allows the handsets to identify the network and gain access to it. This signalling makes use of a channel known as the Broadcast Control Channel (BCCH).

Sectorisation
By using directional antennae on a base station, each pointing in different directions, it is possible to sectorise the base station so that several different cells are served from the same location. Typically these directional antennas have a beamwidth of 65 to 85 degrees. This increases the traffic capacity of the base station (each frequency can carry eight voice channels) whilst not greatly increasing the interference caused to neighboring cells (in any given direction, only a small number of frequencies are being broadcast). Typically two antennas are used per sector, at a spacing of ten or more wavelengths apart. This allows the operator to overcome the effects of fading due to physical phenomena such as multipath reception. Some amplification of the received signal as it leaves the antenna is often used to preserve the balance between uplink and downlink signal.

Base station controller

GSM transmitter

The base station controller (BSC) provides, classically, the intelligence behind the BTSs. Typically a BSC has tens or even hundreds of BTSs under its control. The BSC handles allocation of radio channels, receives measurements from the mobile phones, and controls handovers from BTS to BTS (except in the case of an inter-BSC handover, in which case control is in part the responsibility of the anchor MSC). A key function of the BSC is to act as a concentrator where many different low-capacity connections to BTSs (with relatively low utilisation) become reduced to a smaller number of connections towards the mobile switching center (MSC) (with a high level of utilisation). Overall, this means that networks are often structured to have many BSCs distributed into regions near their BTSs, which are then connected to large centralised MSC sites.

The BSC is undoubtedly the most robust element in the BSS as it is not only a BTS controller but, for some vendors, a full switching center, as well as an SS7 node with connections to the MSC and serving GPRS support node (SGSN) (when using GPRS). It also provides all the required data to the operation support subsystem (OSS) as well as to the performance measuring centers. A BSC is often based on a distributed computing architecture, with redundancy applied to critical functional units to ensure availability in the event of fault conditions. Redundancy often extends beyond the BSC equipment itself and is commonly used in the power supplies and in the transmission equipment providing the A-ter interface to the PCU.

The databases for all the sites, including information such as carrier frequencies, frequency hopping lists, power reduction levels and receiving levels for cell border calculation, are stored in the BSC. This data is obtained directly from radio planning engineering, which involves modelling of the signal propagation as well as traffic projections.

Transcoder

The transcoder is responsible for transcoding the voice channel coding between the coding used in the mobile network and the coding used by the world's terrestrial circuit-switched network, the Public Switched Telephone Network. Specifically, GSM uses a regular pulse excited-long term prediction (RPE-LTP) coder for voice data between the mobile device and the BSS, but pulse code modulation (A-law or μ-law, standardized in ITU G.711) upstream of the BSS. RPE-LTP coding results in a data rate for voice of 13 kbit/s, where standard PCM coding results in 64 kbit/s. Because of this change in data rate for the same voice call, the transcoder also has a buffering function so that PCM 8-bit words can be recoded to construct GSM 20 ms traffic blocks.

Although transcoding (compressing/decompressing) functionality is defined as a base station function by the relevant standards, there are several vendors which have implemented the solution outside of the BSC. Some vendors have implemented it in a stand-alone rack using a proprietary interface. In Siemens' and Nokia's architecture, the transcoder is an identifiable separate sub-system which will normally be co-located with the MSC. In some of Ericsson's systems it is integrated into the MSC rather than the BSC. The reason for these designs is that if the compression of voice channels is done at the site of the MSC, the number of fixed transmission links between the BSS and MSC can be reduced, decreasing network infrastructure costs. This subsystem is also referred to as the transcoder and rate adaptation unit (TRAU). Some networks use 32 kbit/s ADPCM on the terrestrial side of the network instead of 64 kbit/s PCM, and the TRAU converts accordingly. When the traffic is not voice but data such as fax or email, the TRAU enables its rate adaptation unit function to give compatibility between the BSS and MSC data rates.

Packet control unit

The packet control unit (PCU) is a late addition to the GSM standard. It performs some of the processing tasks of the BSC, but for packet data. The allocation of channels between voice and data is controlled by the base station, but once a channel is allocated to the PCU, the PCU takes full control over that channel. The PCU can be built into the base station, built into the BSC or even, in some proposed architectures, it can be at the SGSN site. In most of the cases, the PCU is a separate node communicating extensively with the BSC on the radio side and the SGSN on the Gb side.

BSS interfaces

Image of the GSM network, showing the BSS interfaces to the MS, NSS and GPRS Core Network

Um: The air interface between the mobile station (MS) and the BTS. This interface uses the LAPDm protocol for signaling, to conduct call control, measurement reporting, handover, power control, authentication, authorization, location update and so on. Traffic and signaling are sent in bursts of 0.577 ms at intervals of 4.615 ms, to form data blocks each 20 ms.

Abis: The interface between the BTS and BSC. Generally carried by a DS-1, ES-1, or E1 TDM circuit. Uses TDM subchannels for traffic (TCH), the LAPD protocol for BTS supervision and telecom signaling, and carries synchronization from the BSC to the BTS and MS.
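As a consistency check on the timing and rate figures quoted above for the radio frequency, the transcoder and the Um interface (this derivation is added here and is not part of the original document):

$$
\text{bits per TDMA frame} = 270.833\ \text{kbit/s} \times 4.615\ \text{ms} \approx 1250\ \text{bits}
$$
$$
\text{bits per burst} = \frac{1250}{8} = 156.25, \qquad T_{\text{burst}} = \frac{4.615\ \text{ms}}{8} \approx 0.577\ \text{ms}
$$
$$
\text{frames per 20 ms traffic block} = \frac{20\ \text{ms}}{4.615\ \text{ms}} \approx 4.33
$$
$$
\text{PCM input per block} = 64\ \text{kbit/s} \times 20\ \text{ms} = 1280\ \text{bits} = 160 \times 8\text{-bit words}
$$
$$
\text{full-rate output per block} = 13\ \text{kbit/s} \times 20\ \text{ms} = 260\ \text{bits}, \qquad \frac{1280}{260} \approx 4.9 : 1
$$

So one carrier yields eight full-rate channels (or sixteen half-rate channels on alternate frames), a full-rate speech block spans a little over four frames of the slot it occupies, and the TRAU must buffer 160 PCM words before it can emit one 260-bit block.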

Network switching subsystem (NSS)


Network switching subsystem (NSS) (or GSM core network) is the component of a GSM system that carries out call switching and mobility management functions for mobile phones roaming on the network of base stations. It is owned and deployed by mobile phone operators and allows mobile devices to communicate with each other and with telephones in the wider Public Switched Telephone Network (PSTN). The architecture contains specific features and functions which are needed because the phones are not fixed in one location. The NSS originally consisted of the circuit-switched core network, used for traditional GSM services such as voice calls, SMS, and circuit-switched data calls. It was extended with an overlay architecture to provide packet-switched data services known as the GPRS core network. This allows mobile phones to have access to services such as WAP, MMS, and the Internet. All mobile phones manufactured today have both circuit and packet based services, so most operators have a GPRS network in addition to the standard GSM core network.

Mobile switching center (MSC)


The mobile switching center (MSC) is the primary service delivery node for GSM/CDMA, responsible for routing voice calls and SMS as well as other services (such as conference calls, FAX and circuit-switched data). The MSC sets up and releases the end-to-end connection, handles mobility and hand-over requirements during the call and takes care of charging and real-time pre-paid account monitoring. In the GSM mobile phone system, in contrast with earlier analogue services, fax and data information is sent directly digitally encoded to the MSC. Only at the MSC is this re-coded into an "analogue" signal (although actually this will almost certainly mean sound encoded digitally as a PCM signal in a 64 kbit/s timeslot, known as a DS0 in America).

There are various different names for MSCs in different contexts, which reflects their complex role in the network; all of these terms, though, could refer to the same MSC doing different things at different times. The Gateway MSC (G-MSC) is the MSC that determines which visited MSC the subscriber who is being called is currently located at. It also interfaces with the PSTN. All mobile-to-mobile calls and PSTN-to-mobile calls are routed through a G-MSC. The term is only valid in the context of one call, since any MSC may provide both the gateway function and the visited MSC function; however, some manufacturers design dedicated high-capacity MSCs which do not have any BSSs connected to them. These MSCs will then be the Gateway MSC for many of the calls they handle. The visited MSC (V-MSC) is the MSC where a customer is currently located. The VLR associated with this MSC will have the subscriber's data in it. The anchor MSC is the MSC from which a handover has been initiated. The target MSC is the MSC toward which a handover should take place. A mobile switching centre server is a part of the redesigned MSC concept starting from 3GPP Release 4.

Mobile switching centre server (MSCS)


The mobile switching centre server is a soft-switch variant of the mobile switching centre, which provides circuit-switched calling, mobility management, and GSM services to the mobile phones roaming within the area that it serves. MSS functionality enables a split between the control plane (signaling) and the user plane (the bearer, in a network element called the media gateway/MGW), which guarantees better placement of network elements within the network. The MSS and the MGW media gateway make it possible to cross-connect circuit-switched calls switched over IP, ATM AAL2 as well as TDM. More information is available in 3GPP TS 23.205.

Home location register (HLR)


The home location register (HLR) is a central database that contains details of each mobile phone subscriber that is authorized to use the GSM core network. There can be several logical, and physical, HLRs per public land mobile network (PLMN), though one international mobile subscriber identity (IMSI)/MSISDN pair can be associated with only one logical HLR (which can span several physical nodes) at a time. The HLRs store details of every SIM card issued by the mobile phone operator. Each SIM has a unique identifier called an IMSI which is the primary key to each HLR record. The next important items of data associated with the SIM are the MSISDNs, which are the telephone numbers used by mobile phones to make and receive calls. The primary MSISDN is the number used for making and receiving voice calls and SMS, but it is possible for a SIM to have other secondary MSISDNs associated with it for fax and data calls. Each MSISDN is also a primary key to the HLR record. The HLR data is stored for as long as a subscriber remains with the mobile phone operator. MSISDN is not a distinguishable parameter in case of ported numbers. Instead, LRN and MSISDN combine to form a unique distinguishable parameter.


Examples of other data stored in the HLR against an IMSI record are:

- GSM services that the subscriber has requested or been given
- GPRS settings to allow the subscriber to access packet services
- Current location of the subscriber (VLR and serving GPRS support node/SGSN)
- Call divert settings applicable for each associated MSISDN

The HLR is a system which directly receives and processes MAP transactions and messages from elements in the GSM network, for example, the location update messages received as mobile phones roam around.

Other GSM core network elements connected to the HLR

The HLR connects to the following elements:

- The G-MSC for handling incoming calls
- The VLR for handling requests from mobile phones to attach to the network
- The SMSC for handling incoming SMSs
- The voice mail system for delivering notifications to the mobile phone that a message is waiting
- The AuC for authentication and ciphering and exchange of data (triplets)

Procedures implemented

The main function of the HLR is to manage the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:

- Manage the mobility of subscribers by means of updating their position in administrative areas called 'location areas', which are identified with a LAC. The action of a user moving from one LA to another is followed by the HLR with a Location area update procedure.
- Send the subscriber data to a VLR or SGSN when a subscriber first roams there.
- Broker between the G-MSC or SMSC and the subscriber's current VLR in order to allow incoming calls or text messages to be delivered.
- Remove subscriber data from the previous VLR when a subscriber has roamed away from it.

Authentication centre (AuC)


The authentication centre (AuC) is a function to authenticate each SIM card that attempts to connect to the GSM core network (typically when the phone is powered on). Once the authentication is successful, the HLR is allowed to manage the SIM and services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network.


If the authentication fails, then no services are possible from that particular combination of SIM card and mobile phone operator. There is an additional form of identification check performed on the serial number of the mobile phone, described in the EIR section below, but this is not relevant to the AuC processing. Proper implementation of security in and around the AuC is a key part of an operator's strategy to avoid SIM cloning. The AuC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AuC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AuC. This Ki is never transmitted between the AuC and the SIM, but is combined with the IMSI to produce a challenge/response for identification purposes and an encryption key called Kc for use in over-the-air communications.

Other GSM core network elements connected to the AuC

The AuC connects to the following elements:

- The MSC, which requests a new batch of triplet data for an IMSI after the previous data have been used. This ensures that the same keys and challenge responses are not used twice for a particular mobile.

Procedures implemented

The AuC stores the following data for each IMSI:

- The Ki
- Algorithm id (the standard algorithms are called A3 and A8, but an operator may choose a proprietary one)

When the MSC asks the AuC for a new set of triplets for a particular IMSI, the AuC first generates a random number known as RAND. This RAND is then combined with the Ki to produce two numbers as follows:

- The Ki and RAND are fed into the A3 algorithm and the signed response (SRES) is calculated.
- The Ki and RAND are fed into the A8 algorithm and a session key called Kc is calculated.

The numbers (RAND, SRES, Kc) form the triplet sent back to the MSC. When a particular IMSI requests access to the GSM core network, the MSC sends the RAND part of the triplet to the SIM. The SIM then feeds this number and the Ki (which is burned onto the SIM) into the A3 algorithm and an SRES is calculated and sent back to the MSC. If this SRES matches the SRES in the triplet (which it should if it is a valid SIM), then the mobile is allowed to attach and proceed with GSM services. After successful authentication, the MSC sends the encryption key Kc to the base station controller (BSC) so that all communications can be encrypted and decrypted. Of course, the mobile phone can generate the Kc itself by feeding the same RAND supplied during authentication and the Ki into the A8 algorithm. The AuC is usually collocated with the HLR, although this is not necessary. Whilst the procedure is secure for most everyday use, it is by no means crack proof. Therefore a new set of security methods was designed for 3G phones. The A3 algorithm is used to secure Global System for Mobile Communications (GSM) cellular communications. In practice, the A3 and A8 algorithms are generally implemented together (known as A3/A8). An A3/A8 algorithm is implemented in Subscriber Identity Module (SIM) cards and in GSM network Authentication Centres. It is used to authenticate the customer and generate a key for encrypting voice and data traffic, as defined in 3GPP TS 43.020 (03.20 before Rel-4). Development of the A3 and A8 algorithms is considered a matter for individual GSM network operators, although example implementations are available.
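The triplet-based challenge/response described above, as an added example that is not part of the original document: a Python model of the AuC, MSC and SIM in which Ki never leaves the AuC or the SIM, the MSC consumes one triplet per attempt and fetches a new batch only when its cache is empty, and Kc is derived independently on both sides. The a3/a8 functions are a hypothetical HMAC-based stand-in for an operator's own algorithms, and the IMSIs and Ki values are constructed.

```python
import hashlib
import hmac
import secrets

# Hypothetical stand-in for an operator's A3/A8 (assumption: the real algorithms
# are operator-specific, see 3GPP TS 43.020). HMAC-SHA256 keyed with Ki is used
# only so the example runs; output sizes match GSM: SRES 32 bits, Kc 64 bits.
def a3(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

class AuC:
    """Holds Ki per IMSI. Ki never leaves; only (RAND, SRES, Kc) triplets do."""

    def __init__(self, subscribers: dict):
        self._ki = dict(subscribers)

    def get_triplets(self, imsi: str, count: int = 5) -> list:
        ki = self._ki[imsi]                  # KeyError for an unknown IMSI
        triplets = []
        for _ in range(count):
            rand = secrets.token_bytes(16)   # fresh 128-bit challenge each time
            triplets.append((rand, a3(ki, rand), a8(ki, rand)))
        return triplets

class SIM:
    """Holds Ki and answers a RAND challenge; Ki is never exported."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        return a3(self._ki, rand), a8(self._ki, rand)

class MSC:
    """Caches triplets per IMSI and consumes one per authentication attempt."""

    def __init__(self, auc: AuC):
        self._auc = auc
        self._cache = {}
        self.used_rands = []                 # recorded so the demo can show no reuse

    def _next_triplet(self, imsi: str) -> tuple:
        batch = self._cache.setdefault(imsi, [])
        if not batch:                        # previous batch used up: ask the AuC again
            batch.extend(self._auc.get_triplets(imsi))
        return batch.pop(0)

    def authenticate(self, sim: SIM) -> tuple:
        """Returns (allowed, Kc). Kc is handed to the BSC only on success."""
        try:
            rand, sres_expected, kc = self._next_triplet(sim.imsi)
        except KeyError:
            return False, None
        self.used_rands.append(rand)
        sres, _ = sim.run_gsm_algorithm(rand)   # only SRES crosses the air interface
        if not hmac.compare_digest(sres, sres_expected):
            return False, None
        return True, kc

def demo() -> tuple:
    """Constructed scenario: one genuine SIM, one clone with a guessed Ki."""
    ki_real = secrets.token_bytes(16)
    auc = AuC({"001010123456789": ki_real})     # constructed test-network IMSI
    msc = MSC(auc)
    genuine = SIM("001010123456789", ki_real)
    clone = SIM("001010123456789", secrets.token_bytes(16))  # same IMSI, wrong Ki
    ok, kc_network = msc.authenticate(genuine)
    # The phone derives Kc itself from the RAND it was sent plus its own Ki
    _, kc_phone = genuine.run_gsm_algorithm(msc.used_rands[-1])
    ok_clone, _ = msc.authenticate(clone)
    ok_unknown, _ = msc.authenticate(SIM("999990000000000", ki_real))
    return ok, kc_network == kc_phone, ok_clone, ok_unknown, len(set(msc.used_rands))
```

The clone fails even though it presents the right IMSI, because SRES depends on Ki, and the two RANDs handed out are distinct, which is the property the triplet cache is meant to guarantee.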

Visitor location register (VLR)


The visitor location register is a database of the subscribers who have roamed into the jurisdiction of the MSC (Mobile Switching Centre) which it serves. Each base station in the network is served by exactly one VLR, hence a subscriber cannot be present in more than one VLR at a time. The data stored in the VLR has either been received from the HLR or collected from the MS (Mobile station). In practice, for performance reasons, most vendors integrate the VLR directly into the V-MSC and, where this is not done, the VLR is very tightly linked with the MSC via a proprietary interface. Whenever an MSC detects a new MS in its network, in addition to creating a new record in the VLR, it also updates the HLR of the mobile subscriber, apprising it of the new location of that MS. If VLR data is corrupted it can lead to serious issues with text messaging and call services. Data stored include:

- IMSI (the subscriber's identity number)
- Authentication data
- MSISDN (the subscriber's phone number)
- GSM services that the subscriber is allowed to access
- Access point (GPRS) subscribed
- The HLR address of the subscriber

Other GSM core network elements connected to the VLR

The VLR connects to the following elements:

- The V-MSC to pass required data for its procedures, e.g., authentication or call setup.
- The HLR to request data for mobile phones attached to its serving area.
- Other VLRs to transfer temporary data concerning the mobile when they roam into new VLR areas, for example, the temporary mobile subscriber identity (TMSI).

Procedures implemented

The primary functions of the VLR are:

- To inform the HLR that a subscriber has arrived in the particular area covered by the VLR.
- To track where the subscriber is within the VLR area (location area) when no call is ongoing.
- To allow or disallow which services the subscriber may use.
- To allocate roaming numbers during the processing of incoming calls.
- To purge the subscriber record if a subscriber becomes inactive whilst in the area of a VLR. The VLR deletes the subscriber's data after a fixed time period of inactivity and informs the HLR (e.g., when the phone has been switched off and left off, or when the subscriber has moved to an area with no coverage for a long time).
- To delete the subscriber record when a subscriber explicitly moves to another VLR, as instructed by the HLR.

Equipment identity register (EIR)


The equipment identity register is often integrated with the HLR. The EIR keeps a list of mobile phones (identified by their IMEI) which are to be banned from the network or monitored. This is designed to allow tracking of stolen mobile phones. In theory all data about all stolen mobile phones should be distributed to all EIRs in the world through a Central EIR. It is clear, however, that there are some countries where this is not in operation. The EIR data does not have to change in real time, which means that this function can be less distributed than the function of the HLR. The EIR is a database that contains information about the identity of the mobile equipment, which prevents calls from stolen, unauthorized or defective mobile stations. Some EIRs also have the capability to log handset access attempts and store them in a log file.

Other support functions


Connected more or less directly to the GSM core network are many other functions.


Billing centre (BC)

The billing centre is responsible for processing the toll tickets generated by the VLRs and HLRs and generating a bill for each subscriber. It is also responsible for generating billing data for roaming subscribers.

Short message service centre (SMSC)

The short message service centre supports the sending and reception of text messages.

Multimedia messaging service centre (MMSC)

The multimedia messaging service centre supports the sending of multimedia messages (e.g., images, audio, video and their combinations) to (or from) MMS-enabled handsets.

Voicemail system (VMS)

The voicemail system records and stores voicemails.

The GPRS core network is the central part of the General Packet Radio Service, which allows 2G, 3G and WCDMA mobile networks to transmit IP packets to external networks such as the Internet. The GPRS system is an integrated part of the GSM network switching subsystem.

GPRS core structure


The GPRS core network provides mobility management, session management and transport for Internet Protocol packet services in GSM and WCDMA networks. The core network also provides support for other additional functions such as billing and lawful interception. It was also proposed, at one stage, to support packet radio services in the US D-AMPS TDMA system; however, in practice, all of these networks have been converted to GSM, so this option has become irrelevant. Like GSM in general, GPRS is an open-standards-driven system. The standardization body is the 3GPP.

GPRS tunnelling protocol (GTP)


GPRS tunnelling protocol is the defining IP-based protocol of the GPRS core network. Primarily it is the protocol which allows end users of a GSM or WCDMA network to move from place to place while continuing to connect to the Internet as if from one location at the Gateway GPRS Support Node (GGSN). It does this by carrying the subscriber's data from the subscriber's current Serving GPRS Support Node (SGSN) to the GGSN which is handling the subscriber's session. Three forms of GTP are used by the GPRS core network:

- GTP-U for transfer of user data in separate tunnels for each Packet Data Protocol (PDP) context
- GTP-C for control purposes, including:
  - setup and deletion of PDP contexts
  - verification of GSN reachability
  - updates, e.g., as subscribers move from one SGSN to another
- GTP' for transfer of charging data from GSNs to the charging function

GGSNs and SGSNs (collectively known as GSNs) listen for GTP-C messages on UDP port 2123 and for GTP-U messages on UDP port 2152. This communication is direct within a single network or, in the case of international roaming, via a GPRS roaming exchange (GRX). The Charging Gateway Function (CGF) listens for GTP' messages sent from the GSNs on TCP or UDP port 3386. The core network sends charging information to the CGF, typically including PDP context activation times and the quantity of data which the end user has transferred. However, this communication, which occurs within one network, is less standardized and may, depending on the vendor and configuration options, use proprietary encoding or even an entirely proprietary system.

GTP version zero supports both signalling and user data under one generic header. It can be used with UDP (User Datagram Protocol) or TCP (Transmission Control Protocol) on the registered port 3386. GTP version one is used only over UDP: the control plane protocol GTP-C (Control) uses registered port 2123 and the user plane protocol GTP-U (User) uses registered port 2152.

GPRS support nodes (GSN)

A GSN is a network node which supports the use of GPRS in the GSM core network. All GSNs should have a Gn interface and support the GPRS tunnelling protocol. There are two key variants of the GSN, namely the Gateway and the Serving GPRS Support Node.

Gateway GPRS Support Node (GGSN)

The Gateway GPRS Support Node (GGSN) is a main component of the GPRS network. The GGSN is responsible for the interworking between the GPRS network and external packet-switched networks, like the Internet and X.25 networks. From an external network's point of view, the GGSN is a router to a sub-network, because the GGSN hides the GPRS infrastructure from the external network. When the GGSN receives data addressed to a specific user, it checks if the user is active. If it is, the GGSN forwards the data to the SGSN serving the mobile user, but if the mobile user is inactive, the data is discarded. In the other direction, mobile-originated packets are routed to the right network by the GGSN. The GGSN is the anchor point that enables the mobility of the user terminal in the GPRS/UMTS networks. In essence, it carries out the role in GPRS equivalent to the Home Agent in Mobile IP. It maintains the routing necessary to tunnel the Protocol Data Units (PDUs) to the SGSN that services a particular MS (Mobile Station). The GGSN converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format (e.g., IP or X.25) and sends them out on the corresponding packet data network. In the other direction, PDP addresses of incoming data packets are converted to the GSM address of the destination user. The readdressed packets are sent to the responsible SGSN. For this purpose, the GGSN stores the current SGSN address of the user and his or her profile in its location register.

The GGSN is responsible for IP address assignment and is the default router for the connected user equipment (UE). The GGSN also performs authentication and charging functions. Other functions include subscriber screening, IP pool management and address mapping, QoS and PDP context enforcement. In the LTE architecture the GGSN functionality moves to the SAE gateway (with the SGSN functionality taken over by the MME).
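The GTP port assignments described above, as an added example that is not part of the original document: a Python GTPv1 header builder and parser plus the kind of check a defender would run on datagrams reaching a GSN's Gn/GRX-facing interface, flagging GTP-C or GTP-U from a peer that is neither one of the operator's own GSNs nor a roaming partner, and control-plane message types arriving on the user-plane port. The header layout and message type values are taken from 3GPP TS 29.060; the peer addresses and datagrams are constructed.

```python
import struct
from typing import Optional

# UDP ports from the text above; message type values from 3GPP TS 29.060.
GTP_PORTS = {2123: "GTP-C", 2152: "GTP-U", 3386: "GTP'"}
G_PDU = 255                                   # the only GTP-U message carrying user data
# Path-management and error messages that legitimately appear on the GTP-U port:
# Echo Request/Response, Error Indication, Supported Ext Hdr Notification, End Marker.
GTP_U_ALLOWED = {1, 2, 26, 31, 254, G_PDU}
CREATE_PDP_CONTEXT_REQUEST = 16


def build_gtpv1(msg_type: int, teid: int, payload: bytes = b"",
                seq: Optional[int] = None) -> bytes:
    """Build a GTPv1 message: version=1, PT=1 (GTP rather than GTP'), optional S flag."""
    flags = (1 << 5) | (1 << 4)
    optional = b""
    if seq is not None:
        flags |= 0x02                         # S bit: sequence number, N-PDU, next-ext follow
        optional = struct.pack("!HBB", seq, 0, 0)
    body = optional + payload
    # The length field counts everything after the mandatory 8-octet header.
    return struct.pack("!BBHI", flags, msg_type, len(body), teid) + body


def parse_gtpv1(data: bytes) -> dict:
    """Decode the mandatory header and the sequence number if any option flag is set."""
    if len(data) < 8:
        raise ValueError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", data[:8])
    if flags >> 5 != 1:
        raise ValueError("not GTPv1 (version %d)" % (flags >> 5))
    if length != len(data) - 8:
        raise ValueError("length field %d does not match datagram" % length)
    seq = None
    if flags & 0x07:                          # any of E, S, PN set: 4 optional octets
        if len(data) < 12:
            raise ValueError("optional header octets missing")
        seq = struct.unpack("!H", data[8:10])[0]
    return {"pt": (flags >> 4) & 1, "type": msg_type, "length": length,
            "teid": teid, "seq": seq}


def inspect_datagram(src_ip: str, dst_port: int, data: bytes,
                     trusted_peers: set) -> list:
    """Findings for one UDP datagram arriving at a GSN's GTP ports (empty = clean)."""
    service = GTP_PORTS.get(dst_port)
    if service is None:
        return []                             # not GTP, out of scope here
    try:
        hdr = parse_gtpv1(data)
    except ValueError as err:
        return ["%s: malformed (%s)" % (service, err)]
    findings = []
    if src_ip not in trusted_peers:           # own GSNs or roaming partners via the GRX
        findings.append("%s from unexpected peer %s" % (service, src_ip))
    if service == "GTP-U" and hdr["type"] not in GTP_U_ALLOWED:
        findings.append("GTP-U: control-plane message type %d on user port" % hdr["type"])
    return findings


def demo() -> dict:
    """Constructed datagrams; 192.0.2.10 is assumed to be the operator's own SGSN."""
    trusted = {"192.0.2.10"}
    create_req = build_gtpv1(CREATE_PDP_CONTEXT_REQUEST, 0, b"\x01" + b"\x00" * 7, seq=1)
    gpdu = build_gtpv1(G_PDU, 0x1234, b"\x45" + b"\x00" * 19)     # dummy IPv4 payload
    return {
        "trusted_c": inspect_datagram("192.0.2.10", 2123, create_req, trusted),
        "untrusted_c": inspect_datagram("198.51.100.7", 2123, create_req, trusted),
        "ctrl_on_u": inspect_datagram("192.0.2.10", 2152, create_req, trusted),
        "ok_u": inspect_datagram("192.0.2.10", 2152, gpdu, trusted),
        "short": inspect_datagram("192.0.2.10", 2152, gpdu[:5], trusted),
    }
```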


Serving GPRS Support Node (SGSN)

A Serving GPRS Support Node (SGSN) is responsible for the delivery of data packets from and to the mobile stations within its geographical service area. Its tasks include packet routing and transfer, mobility management (attach/detach and location management), logical link management, and authentication and charging functions. The location register of the SGSN stores location information (e.g., current cell, current VLR) and user profiles (e.g., IMSI, address(es) used in the packet data network) of all GPRS users registered with this SGSN.

Common SGSN functions

- Detunnel GTP packets from the GGSN (downlink)
- Tunnel IP packets toward the GGSN (uplink)
- Carry out mobility management as a standby-mode mobile moves from one Routing Area to another Routing Area
- Billing of user data

GSM/EDGE specific SGSN functions

Enhanced Data Rates for GSM Evolution (EDGE) specific SGSN functions and characteristics are:

- Maximum data rate of approx. 60 kbit/s (150 kbit/s for EDGE) per subscriber
- Connect via frame relay or IP to the Packet Control Unit using the Gb protocol stack
- Accept uplink data to form IP packets
- Encrypt downlink data, decrypt uplink data
- Carry out mobility management to the level of a cell for connected-mode mobiles

WCDMA specific SGSN functions


- Carry up to about 42 Mbit/s traffic downlink and 5.8 Mbit/s traffic uplink (HSPA+)
- Tunnel/detunnel downlink/uplink packets toward the radio network controller (RNC)
- Carry out mobility management to the level of an RNC for connected-mode mobiles

These differences in functionality have led some manufacturers to create specialist SGSNs for each of WCDMA and GSM which do not support the other networks, whilst other manufacturers have succeeded in creating both together, but with a performance cost due to the compromises required.


Access point

An access point is:

- An IP network to which a mobile can be connected
- A set of settings which are used for that connection
- A particular option in a set of settings in a mobile phone

When a GPRS mobile phone sets up a PDP context, the access point is selected. At this point an access point name (APN) is determined, for example:

- aricenttechnologies.mnc012.mcc345.gprs
- Internet
- mywap

This access point is then used in a DNS query to a private DNS network. This process (called APN resolution) finally gives the IP address of the GGSN which should serve the access point. At this point a PDP context can be activated.

PDP Context

The packet data protocol (PDP; e.g., IP, X.25, Frame Relay) context is a data structure present on both the Serving GPRS Support Node (SGSN) and the Gateway GPRS Support Node (GGSN) which contains the subscriber's session information when the subscriber has an active session. When a mobile wants to use GPRS, it must first attach and then activate a PDP context. This allocates a PDP context data structure in the SGSN that the subscriber is currently visiting and in the GGSN serving the subscriber's access point. The data recorded includes:

- Subscriber's IP address
- Subscriber's IMSI
- Subscriber's
  - Tunnel Endpoint ID (TEID) at the GGSN
  - Tunnel Endpoint ID (TEID) at the SGSN

The Tunnel Endpoint ID (TEID) is a number allocated by the GSN which identifies the tunnelled data related to a particular PDP context. Several PDP contexts may use the same IP address. The Secondary PDP Context Activation procedure may be used to activate a PDP context while reusing the PDP address and other PDP context information from an already active PDP context, but with a different QoS profile.[1] Note that it is the procedure that is called secondary; the resulting PDP contexts have no such relationship with the context whose PDP address they reused. A total of 11 PDP contexts (with any combination of primary and secondary) can co-exist. NSAPIs are used to differentiate the different PDP contexts.

Operations support system


Operations support systems (also called operational support systems or OSS) are computer systems used by telecommunications service providers. The term OSS most frequently describes "network systems" dealing with the telecom network itself, supporting processes such as maintaining network inventory, provisioning services, configuring network components, and managing faults. The complementary term business support systems or BSS is a newer term and typically refers to business systems dealing with customers, supporting processes such as taking orders, processing bills, and collecting payments. The two systems together are often abbreviated OSS/BSS, BSS/OSS or simply B/OSS. Different subdivisions of the BSS/OSS systems are made, depending on whether they follow the TM Forum's diagrams and terminology, industry research institutions or BSS/OSS vendors' own view. Nevertheless, in general an OSS covers at least a common set of application areas.

A brief history of OSS architecture

A lot of the work on OSS has been centred on defining its architecture. Put simply, there are four key elements of OSS:

- Processes: the sequence of events
- Data: the information that is acted upon
- Applications: the components that implement processes to manage data
- Technology: how we implement the applications

During the 1990s, new OSS architecture definitions were done by the ITU-T in its TMN model. This established a 4-layer model of TMN applicable within an OSS:

- Business Management Level (BML)
- Service Management Level (SML)
- Network Management Level (NML)
- Element Management Level (EML)

(Note: a fifth level is mentioned at times, being the elements themselves, though the standards speak of only four levels.) This was a basis for later work. Network management was further defined by the ISO using the FCAPS model: Fault, Configuration, Accounting, Performance and Security. This basis was adopted by the ITU-T TMN standards as the functional model for the technology base of the TMN standards M.3000 - M.3599 series. Although the FCAPS model was originally conceived for, and is applicable to, an IT enterprise network, it was adopted for use in the public networks run by telecommunication service providers adhering to ITU-T TMN standards. A big issue of network and service management is the ability to manage and control the network elements of the access and core networks. Historically, much effort has been spent in standardization fora (ITU-T, 3GPP) in order to define a standard protocol for network management, but without success or practical results. On the other hand, the IETF SNMP protocol (Simple Network Management Protocol) has become the de-facto standard for internet and telco management at the EML-NML communication level. From 2000 onwards, with the growth of the new broadband and VoIP services, the management of home networks has also entered the scope of OSS and network management. The DSL Forum TR-069 specification has defined the CPE WAN Management Protocol (CWMP), suitable for managing home network devices and terminals at the EML-NML interface.

TM Forum (formerly the TeleManagement Forum)

TM Forum is an international membership organization of communications service providers and suppliers to the communications industry. While OSS is generally dominated by proprietary and custom technologies, TM Forum is regarded as the most authoritative source for standards and frameworks in OSS. TM Forum has been active in providing a framework and discussion forum for advancements in OSS and BSS. By 2005, recent developments in OSS architecture were the results of the TM Forum's New Generation Operations Systems and Software (NGOSS) program, which was established in 2000. This established a set of principles that OSS integration should adopt, along with a set of NGOSS models:

- An information model (the Shared Information/Data model, or SID), now more commonly referred to as the Information Framework
- A process model (the enhanced Telecom Operations Map, or eTOM), now more commonly known as the Business Process Framework
- An application model (the Telecom Applications Map), now known as the Application Framework
- An architecture (the Technology Neutral Architecture)
- A lifecycle model

NGOSS architectural standards

The TM Forum describes NGOSS as an architecture that is:

- "loosely coupled"
- distributed
- component based

The components interact through a common communications vehicle (using an information exchange infrastructure; e.g., EAI, Web Services, EJB). The behavior can be controlled through the use of process management and/or policy management to orchestrate the functionality provided by the services offered by the components.
