GSM Mob
GSM network layout
[Figure: GSM network layout showing BTS, BSC, MSC, GMSC, HLR, VLR, EIR, AUC and OMC, the connection to PSTN/ISDN, and the interfaces Um, Abis, A, B, C and E.]
GSM MAP protocol
What is a location area (LA)?
Addresses and Identifiers
International Mobile Station Equipment Identity (IMEI)
It is similar to a serial number. It is allocated by the equipment
manufacturer, registered by the network, and stored in the EIR.
International Mobile Subscriber Identity (IMSI)
CC NDC SN
Addresses and identifiers
TMSI, IMSI, MSRN and MSISDN
Addresses and Identifiers
CC MNC LAC
Location management
Ways to obtain MSRN
1. Obtaining at location update: an MSRN for the MS is assigned at the time of each location update and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
2. Obtaining on a per-call basis: this case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per-call basis, i.e. each call involves a new MSRN assignment.
Routing information: case when MSRN
is selected per call by VLR/MSC
[Figure: call routing in numbered steps 1-8 between ISDN, GMSC, HLR, MSC/VLR, EIR, AUC, BSC, BTS and MS across LA 1 and LA 2; the links are labelled with MSISDN, MSRN and TMSI.]
Messages exchanged: call delivery
[Figure: call delivery between the originating switch (PSTN), GMSC, HLR, target VLR and target MSC, with messages numbered 1-6.]
1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM
Find operation in GSM
The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber and therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network).
The GMSC requests the current routing address (MSRN) from the HLR using MAP.
By way of the MSRN, the call is forwarded to the local MSC.
The local MSC determines the TMSI of the MS (by querying the VLR) and initiates the paging procedure in the relevant LA.
After the MS responds to the page, the connection can be switched through.
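The two ways of obtaining the MSRN and the six call-delivery messages listed above, as an added example that is not part of the original slides. It is a toy HLR/VLR model; the class names, method names and all subscriber numbers are assumptions made for illustration.

```python
import itertools

class VLR:
    """Visited MSC/VLR: maps IMSI -> TMSI and hands out MSRNs from its range."""
    def __init__(self, msrn_prefix):
        self.prefix, self.seq = msrn_prefix, itertools.count(1)
        self.tmsi, self.msrn = {}, {}            # IMSI -> TMSI, MSRN -> IMSI

    def provide_roaming_number(self, imsi):
        msrn = f"{self.prefix}{next(self.seq):04d}"
        self.msrn[msrn] = imsi
        return msrn

    def tmsi_for(self, msrn, release):           # IAM arrived on this MSRN
        imsi = self.msrn.pop(msrn) if release else self.msrn[msrn]
        return self.tmsi[imsi]                   # TMSI to page in the LA

class HLR:
    def __init__(self, per_call):
        self.per_call = per_call
        self.imsi, self.vlr, self.stored = {}, {}, {}  # MSISDN->IMSI, IMSI->VLR, IMSI->MSRN

    def update_location(self, imsi, vlr):
        self.vlr[imsi] = vlr
        if not self.per_call:                    # way 1: MSRN fixed at location update
            self.stored[imsi] = vlr.provide_roaming_number(imsi)

    def send_routing_info(self, msisdn, trace):
        imsi = self.imsi[msisdn]
        if not self.per_call:
            return self.stored[imsi]
        trace += ["3. MAP_PROVIDE_ROAMING_NUMBER", "4. MAP_PROVIDE_ROAMING_NUMBER_ack"]
        return self.vlr[imsi].provide_roaming_number(imsi)   # way 2: new MSRN per call

def deliver_call(msisdn, hlr):
    """GMSC view of call delivery; returns (message trace, MSRN, TMSI paged)."""
    trace = ["1. ISUP IAM", "2. MAP_SEND_ROUTING_INFO"]
    msrn = hlr.send_routing_info(msisdn, trace)
    trace += ["5. MAP_SEND_ROUTING_INFO_ack", "6. ISUP IAM"]
    target = hlr.vlr[hlr.imsi[msisdn]]           # shortcut: the MSRN routes to this MSC
    return trace, msrn, target.tmsi_for(msrn, release=hlr.per_call)

def demo(per_call):
    vlr, hlr = VLR("4917099"), HLR(per_call)     # constructed MSRN range
    vlr.tmsi["262010000000001"] = "a1b2c3d4"     # constructed IMSI and TMSI
    hlr.imsi["491710000001"] = "262010000000001" # constructed MSISDN
    hlr.update_location("262010000000001", vlr)
    return [deliver_call("491710000001", hlr) for _ in range(2)]  # two calls
```

With demo(True) each call gets a fresh MSRN and the trace contains all six messages; with demo(False) both calls reuse the MSRN stored in the HLR and messages 3 and 4 are not sent.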
GSM security
Authentication
What signed response (SRES) are you able to
derive from the input challenge RAND by
applying the A3 algorithm with your personal
key Ki (Ki is per subscriber)?
[Figure: the MS and the network each run the A3 algorithm; the MS sends its SRES to the network, which checks whether the two SRES values are equal.]
GSM security
Encryption
Digital technology makes it easy to encrypt voice data.
A5 derives a ciphering sequence of 114 bits for each burst independently.
The 114 bits of a radio burst are XORed with the 114 bits of a ciphering sequence generated by A5.
[Figure: the MS and the BTS each feed Kc (64 bits) and the frame number (22 bits) into the A5 algorithm, which outputs S1 (114 bits) and S2 (114 bits); one side ciphers with S1 and deciphers with S2, the other deciphers with S1 and ciphers with S2.]
Key management
The ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki).
Each time a mobile station is authenticated, the MS and the network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES.
Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
There is a bootstrap period during which the network does not know who the subscriber is.
Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted).
Protection: use the TMSI instead of the IMSI when possible.
The TMSI should be exchanged during protected (ciphered) signaling procedures.
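An added example, not part of the original slides, that carries the authentication, key management and encryption steps above through in code. A3, A8 and A5 are replaced by labelled stand-ins (HMAC-SHA256 and SHAKE-128), so only the inputs, outputs and bit lengths follow GSM; the 128-bit RAND and Ki, the 32-bit SRES and the use of S1 on the downlink are taken from standard GSM rather than from the slides.

```python
import hashlib
import hmac
import os

# Stand-ins (assumption): A3/A8 are operator-chosen and A5 is a dedicated stream
# cipher; HMAC-SHA256 and SHAKE-128 only reproduce the data flow and bit lengths.
def a3(ki, rand):
    """SRES (32 bits) from the subscriber key Ki and the challenge RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki, rand):
    """Kc (64 bits) from the same inputs Ki and RAND."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc, frame_number):
    """Return (S1, S2): two 114-bit ciphering sequences for one frame."""
    if not 0 <= frame_number < 2 ** 22:
        raise ValueError("frame number is 22 bits")
    raw = hashlib.shake_128(kc + frame_number.to_bytes(3, "big")).digest(29)
    bits = int.from_bytes(raw, "big") >> 4            # keep 228 of 232 bits
    return bits >> 114, bits & ((1 << 114) - 1)

def authenticate(auc_ki, sim_ki, rand=None):
    """Run one challenge-response; return (accepted, Kc at network, Kc at MS)."""
    rand = rand or os.urandom(16)                     # 128-bit RAND
    expected_sres, kc_net = a3(auc_ki, rand), a8(auc_ki, rand)   # AUC side
    sres, kc_ms = a3(sim_ki, rand), a8(sim_ki, rand)             # SIM side
    accepted = hmac.compare_digest(sres, expected_sres)          # "equal?"
    # Ki never crosses the air interface: only RAND and SRES do.
    return accepted, (kc_net if accepted else None), (kc_ms if accepted else None)

def xor_burst(burst_bits, keystream):
    """Cipher or decipher one 114-bit burst (XOR is its own inverse)."""
    return (burst_bits ^ keystream) & ((1 << 114) - 1)

if __name__ == "__main__":
    ki = bytes(range(16))                             # constructed 128-bit Ki
    ok, kc_net, kc_ms = authenticate(ki, ki)
    s1, s2 = a5(kc_net, 0x2A1B3)                      # constructed frame number
    downlink = xor_burst(0x1F00D, s1)                 # BTS ciphers with S1
    print(ok, kc_net == kc_ms, hex(xor_burst(downlink, a5(kc_ms, 0x2A1B3)[0])))
    print(authenticate(ki, bytes(16))[0])             # wrong Ki on the SIM
```

Because the keystream depends on the frame number, two bursts ciphered under the same Kc never share a ciphering sequence as long as the frame number differs.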
Location registration
An MS has to register with the PLMN to get communication services.
Registration is required for a change of PLMN.
The MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
If the MS recognizes by reading the LAI broadcast on the BCCH that it is in a new LA, it performs a Location Update to update the HLR records.
The Location Update procedure could also be performed periodically, independent of the MS movement.
The difference between Location Registration and Location Update is that in a Location Update the MS has already been assigned a TMSI.
Location registration
[Figure: message sequence chart between MS, BSS/MSC, VLR, HLR and AUC. Labels shown: Loc.Upd.Req (IMSI, LAI); Upd Loc.Area (IMSI, LAI); Aut.Par.Req (IMSI); Auth.Info.Req (IMSI); Auth.Info (IMSI, Kc, RAND, SRES); Authenticate (RAND); Authentic. Req (RAND); Auth.Resp (SRES); Update Location (IMSI, MSRN); Generate TMSI. The AUC holds IMSI and Ki; SRES and Kc are computed from Ki and RAND with A3 & A8. Continued on the next slide.]
(contd) Location registration.
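New TMSI is received by MS (TMSI Reallocation) in ciphering mode.
[Figure: continuation of the message sequence chart. A message M is ciphered with A5 under Kc, shown as Kc(M). Labels shown: TMSI Realloc.Cmd.; Authentication; Update Location (IMSI, MSRN); Generate TMSI.]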
(..contd) Location update.
[Figure: continuation of the message sequence chart. Labels shown: Start ciphering; Loc. Upd. Accept (TMSI); Loc. Upd. Accept (IMSI).]
Attributes of radio-link handover
Hard handover
MAHO
Backward
COS selection scheme: static
Cross-over switch: anchor switch
Handover (MAHO)
Handover procedures in GSM
[Figure: connection route through MSC-A, MSC-B and MSC-C with their BSCs and BTS 1, BTS 2 and BTS 3; numbered steps 1-8.]
Inter MSC basic handover
[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels shown: Handover required; Perform Handover; Allocate Handover number; Handover report; Radio chan. Ack; IAM; ACM; HA Indication; HB Indication; HB Confirm; Send End Signal; ANS; RLC; End Signal; Handover report.]
Subsequent handover from MSC-B to MSC-A
[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, MS/BSS 2 and VLR-B. Labels shown: HA Required; Perform subsequent Handover; Subseq. Handover; HB Indication; Acknowledge; HB Confirm; HA Indication; End Signal; Handover report; End of Call; REL; RLC.]
Subsequent handover from MSC-B to MSC-C
[Figure: message sequence chart between MSC-A, MSC-B, MS, MSC-C and VLR-C. Labels shown: Handover; Perform Handover; Allocate Handover Number; IAM; ACM; HB Indication. Continued on the next slide.]
(contd) Subsequent handover from MSC-B to MSC-C
[Figure: continuation of the message sequence chart between MSC-A, MSC-B, MS, MSC-C and VLR-B. Labels shown: Perform subsequent; HA Indication; Acknowledge; HB Confirm; Send End Signal; ANS; End Signal; Handoff Report; REL; RLC.]
Abbreviations
ISC: International switching center
OMC: Operations and maintenance center
GMSC: Gateway switching center
MSC: Mobile switching center
VLR: Visitor location register
HLR: Home Location register
EIR: Equipment Identification register
AUC: Authentication center
BSC: Base station controller
BTS: Base transceiver station
MS: Mobile subscriber
TMSI: Temporary Mobile Subscriber Identity
IMSI: International Mobile Subscriber Identity