Transcript Week12_2
GSM Continued
GSM Burst Format
• Each time slot is 577us. They are (in this order)
1.
2.
3.
4.
5.
6.
7.
8.
Trailing bits (3 bits)
Data (57 bits)
Flag (1 bit)
Training sequence (26 bits)
Data (57 bits)
Flag (1 bit)
Trailing bits (3 bits)
Guard Period (8.25bit)
GSM Bursts
• In addition,
– Frequency Correction Burst
– Synchronization Burst
– Random Access burst
GSM Channels
• Traffic Channels (TCH)
• Control Channels (CCH)
– Common Control Channels (CCCH)
• Paging Channel (PCH): Used by the BTS to inform the MS about an
incoming call. Broadcast channel.
• Random Access Channel (RACH): Used by the MS for call
establishment. Shared by all MS in cell. Slotted-ALOHA random
access.
• Access Grant Channel (AGCH): Used to indicate the slot
assignment.
GSM Channels
• Control Channels (CCH)
– Dedicated Control Channels (DCCH): Used to control individual MS
• Standalone Dedicated Control Channel (SDCCH) : Two-way channel
assigned to each MS for keeping track of movement and call
establishment. Certain slots periodically. About 2Kbps per MS.
• Slow Associated Control Channel (SACCH): Two-way channel
assigned to a TCH or SDCCH. Used to report parameters, such as
signal power, to maintain the link.
• Fast Associated Control Channel (FACCH) : Two-way channel used
to support fast transitions when SACCH is not adequate. FACCH
steals the TCH.
GSM Channels
• Control Channels (CCH)
– Broadcast Channels (BCH). Used to broadcast information to the MSs
in the cell
• Frequency Correction Channel (FCCH) and Synchronization
Channel (SCH): Keep the MS synchronized
• Broadcast Control Channel (BCCH): provides information such as
cell ID, available services, … Can also be used to keep track of
signal strength for handoff
http://elm.eeng.dcu.ie/~kaszubow/Biography/Lecture5.pdf
Management of GSM
•
Mobile System (MS)
– Mobile Equipment (ME)
– Subscriber Identity Module (SIM)
•
Base Station Subsystem
– Base Transceiver Station (BTS)
•
In charge of physical communication in the air. Has 1 to 16 transceivers
– Base Station Controller (BSC)
•
•
Controls hundreds of BTS
Network Switching Subsystem
– Mobile Switching Center (MSC)
•
•
•
•
–
–
–
–
Typical MSC supports up to 100,000 mobiles and 5000 simultaneous calls
MSC are connected with each other.
Gateway MSC connects the GSM system to external networks, e.g. PSTN.
Each MSC controls at least one Base Station System (BSS)
Visitor’s Location Register (VLR)
Home Location Register (HLR).
Authentication Center (AuC). Holds different algorithms for authentication and encryption.
Operations and maintenance center (OMC)
HLR and VLR
• HLR: database of all cellphones permanently registered in the system.
Stores
– The address of the VLR currently associated with the phone
– Encryption keys for data transmission and user authentication
– Service type
– …
• VLR: Each MSC connects to a VLR. The VLR is a data base with the
information about cellphones temporarily located in the area served by
particular MSC.
ME and SIM
• ME, has the IMEI (International Mobile Equipment Identity)
• SIM card, has
– Ki: Subscriber Authentication Key. 128 bit key shared by the subscriber
and the operator. Stored in the SIM card and the HLR
– PIN: to protect the SIM card
– IMSI: International Mobile Subscriber Identity
– TMSI: Temporary Mobile Subscriber Identity. To prevent
eavesdropping, TMSI is used instead of IMSI. IMSI is used as rarely as
possible. TMSI is randomly generated by the VLR.
– MSISDN: Mobile Station International Service Digital Network
– LAI: Location Area Identification
GSM Security
• When a mobile station needs to be authenticated,
1.
2.
3.
4.
5.
The operator generates a random number, RAND (128 bit),
and sends to the MS.
The MS and the operator both runs an algorithm, called the
A3 algorithm, with Ki as the key, to produce SRES (32 bit) from
RAND
The MS sends the SRES to the operator, and if SRES matches
the operator’s SRES, consider passed authentication
RAND is passed to an algorithm called A8 as input with Ki as
the key, to produce Kc (64 bit). Done by both the MS and the
operator
Kc becomes the key for the A5 algorithm. A5 is a stream
cipher for encrypting the data.
GSM Registration (simplified)
•
When an MS needs registration (first turned on, found the current cell has a
different ID)
1. MS sends Channel Request to BSC
2. BSC replies with Activation Response
3. MS sends Activation ACK
4. BSC assigns a channel to process registration
5. MS sends Location Update Request to MSC
6. MSC replies with Authentication Request
7. MS replies with Authentication Response
8. MSC checks the authentication
9. MSC assigns TMSI to MS
10. MS sends ACK for TMSI
11. MSC updates VLR and HLR
12. BSC informs the MS to release the channel for registration
GSM Call Flow (Simplified)
•
When the MS wishes to make a phone call
1.
2.
3.
4.
5.
6.
7.
8.
9.
User enters the phone number and presses the “send” button.
To set up the phone call, the MS needs to send information to the MSC. The MS sends
“Radio Resource Channel Request” to the associated BSS on the Random Access Channel
(RACH) according to ALOHA The phone then waits to hear from the BSS at the Access Grant
Channel (AGCH).
The BSS allocates a Traffic Channel (TCH), including the frequency and time slot, and
broadcast it in the AGCH. It also contains information about time and frequency corrections.
The MS applies the corrections and tune to the assigned TCH.
MSC checks whether the MS is authenticated.
The BSS enables ciphering with the phone. At this step the connection has been set up
between the MS and MSC. The BSS just forwards the message.
The MS sends a connection set up request to the MSC with the called phone number. The
MSC connects to the PSTN and allocates the voice communication channel between the
BSS.
Make the conversation.
User presses the “end” button. The MSC releases the voice channel with the BSS. The MSC
informs the PTSN about the call release and the PTSN will inform the call has been released
on its end. MSC informs the MS then releases the TCH.
GSM: indirect routing to mobile
home
network
HLR
2
home MSC consults HLR,
gets roaming number of
mobile in visited network
correspondent
home
Mobile
Switching
Center
1
3
VLR
Mobile
Switching
Center
4
Public switched
telephone
network
home MSC sets up 2nd leg of call
to MSC in visited network
mobile
user
visited
network
14
call routed
to home network
MSC in visited network completes
call through base station to mobile
GSM: handoff with common MSC
• Handoff goal: route call via new
base station (without interruption)
• reasons for handoff:
VLR
Mobile
Switching
Center
old
routing
old BSS
new
routing
new BSS
– stronger signal to/from new BSS
(continuing connectivity, less
battery drain)
– load balance: free up channel in
current BSS
– GSM doesn’t mandate why to
perform handoff (policy), only
how (mechanism)
• handoff initiated by old BSS
15
GSM: handoff with common MSC
VLR
4
1
8
old BSS
16
5
Mobile
Switching
Center 2
7
3
6
new BSS
1. old BSS informs MSC of impending handoff,
provides list of 1+ new BSSs
2. MSC sets up path (allocates resources) to
new BSS
3. new BSS allocates radio channel for use by
mobile
4. new BSS signals MSC, old BSS: ready
5. old BSS tells mobile: perform handoff to
new BSS
6. mobile, new BSS signal to activate new
channel
7. mobile signals via new BSS to MSC: handoff
complete. MSC reroutes call
8 MSC-old-BSS resources released
General Packet Radio Service (GPRS)
• General Packet Radio Service
– Supports data service.
– Use the same physical link between the network and the MS
• An MS maybe assigned with 1 or multiple time slots in a channel
• The number of time slot in uplink and downlink may be different
– Special network infrastructure added to support data traffic
• Serving GRPS Supporting Node (SGSN): a router serves a group of
BSCs. Send and receive packets from the MS.
• Gateway GRPS Supporting Node (GGSN): interface to the Internet.
Maintains routing information related to the MS, such that given
an IP packet, it knows which SGSN to forward to.
GRPS
• Multiple Access
– Users are assigned frequency channels and time
slots.
– Packets are constant length, determined by the
GSM slot.
– Downlink: first come first served
– Uplink: Slotted ALOHA for reserving, dynamic
TDMA for data transmission
Reading
•
•
•
http://liny.csie.nctu.edu.tw/ch09A4.pdf
http://www.hackcanada.com/blackcrawl/cell/gsm/gsm-secur/gsm-secur.html
http://www.eventhelix.com/realtimemantra/Telecom/GSM_Originating_Call_Flow.pdf
3G Overview
• Use CDMA.
• Generally, 3G will have a much better support for
data services. The numbers are different depending
on the versions, but it will be about at least one
order of magnitude higher than GRPS.
• Defines an air interface and maybe combined with
the GSM/GRPS core network
• There are competing standards:
– W-CDMA
– CDMA2000
– …
CDMA Review
• Users assigned different code, also called chip
sequence
• A data bit is multiplied with the chip
sequence, to spread the baseband bandwidth
to a much larger bandwidth
• The codes for different users are orthogonal
Power Control in CDMA Schemes
• The signal received at the base station are
from multiple users at the same frequency
• If one user is transmitting at a high power,
other users signal will be overshadowed
• CDMA schemes has to limit the transmitting
power of the MS
• The BS may measure the signal strength and
send instructions to the MS about increasing
or decreasing the transmitting power.
W-CDMA
• Key features include
– Radio channels 5MHz wide, both uplink and
downlink
– Chip rate 3.84Mcps
– Frame length 10ms
– Adaptive power control updated 1500 times per
second
– Cells not synchronized (synchronized in
CDMA2000)
Orthogonal variable spreading factor
(OVSF)
• W-CDMA uses Orthogonal variable spreading
factor (OVSF) to provide different data rates to
different users
• The idea is that users may be assigned with
codes of different lengths, but still orthogonal
to each other.
• Because code length are different, a user
assigned a shorter code will have a higher
data rate
OVSF
• Generation of OVSF code based on a simple binary tree
– Start with the root node {1}.
– A node has two children. The upper and lower. If the node as code C,
the upper child is assigned code CC, and the lower child is assigned CC’
(C’ means inverting every bit in C).
– Repeat.
• Two codes are orthogonal as long as no one is the prefix of the other
• A major issue is how to assign codes
HSDPA
• Adaptive modulation and coding (AMC)
– Depending on the channel state, send at different
data rates.
– Use lower data rate if channel is weak
– In wireless LAN, the rate adaptation
High-Speed Downlink Packet
Access (HSDPA)
• Hybrid automatic repeat-request (HARQ)
– When a data packet is received and found to be
corrupted, the receiver does not simply discard it,
but saves it and combines it with the
retransmissions
– When a packet is corrupted, the sender does not
send the packet again, it sends some parity
checking bits
– AMC is coarse grained, HARQ is fine grained
HSDPA
• Fast packet scheduling
– Each user transmits to the base station the signal
quality
– The base station determines which user to send to
for the next 2ms
• Send to users with stronger channels
• May send to multiple users simultaneously with the
channelization code
• Must also ensure fairness
Readings
•
http://www.ericsson.com/technology/whitepapers/innovations_in_wcdma.pdf