GSM-mob-mgmt

Document Sample
GSM-mob-mgmt Powered By Docstoc
					            GSM Mobility Management

    • GSM architecture overview
         – Network layout
         – Protocols
         – Addresses & identifiers
    • Location management
         – Call delivery + location update
         – Security
    • Handover management
Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York
                                                                                   1
           GSM network layout


                    PLMN: Public Land Mobile Network
GSM Network         MSC: Mobile Switching Center

(PLMN)              BTS: Base Transceiver Station
                    BSC: Base Station Controller

  MSC region                                        MSC region

   Location area                 Location
                    BSC          area
    BSC
    BTS       BTS                                   MSC region


                                                                 2
GSM network layout

                                                     PSTN
                                                     ISDN
                   OMC

         BSC
                                 MSC                  GMSC
                                               E
           Abis
BTS               BSC        A     B,C

                                         HLR
                                  EIR
   BTS                                         VLR
                                         AUC
                  BTS   Um
                                                            3
        GSM MAP protocol

• GSM MAP similar to IS41 MAP
• MAP uses Transactions Capabilities
  Part (TCAP) of the SS7 stack
• MAP functions:
  – Updating of location information in VLRs
  – Storing routing information in HLRs
  – Updating and supplementing user profiles
    in HLRs
  – Handoff of connections between MSCs

                                           4
  What is a location area (LA)?

• A powered-on mobile is informed of an incoming
  call by a paging message sent over the PAGCH
  channel of a cell
• One extreme is to page every cell in the network
  for each call - a waste of radio bandwidth
• Other extreme is to have a mobile send location
  updates at the cell level. Paging cut to 1 cell, but
  large number of location updating messages.
• Hence, in GSM, cells are grouped into Location
  Areas – updates sent only when LA is changed;
  paging message sent to all cells in last known LA

                                                         5
        Addresses and Identifiers
  • International Mobile Station Equipment Identity (IMEI)
      – It is similar to a serial number. It is allocated by equipment
        manufacturer, registered by network, and stored in EIR
  • International Mobile Subscriber Identity (IMSI)


     MCC               MNC               MSIN
MCC: Country Code
MNC: Mobile Network Code
MSIN: Mobile Subscriber Identification Number


  When subscribing for service with a network, subscriber receives (IMSI)
       and stores it in the SIM (Subscriber Identity Module) card.
         The HLR can be identified by a VLR/MSC from the IMSI.
                                                                         6
     Addresses and Identifiers

• Mobile Subscriber ISDN (MSISDN)
    – The “real telephone number”: assigned to
      the SIM
    – The SIM can have several MSISDN
      numbers for selection of different
      services like voice, data, fax
      CC             NDC            SN

NDC: National Destination Code (NDC identifies operator);
SN: Subscriber Number; CC: Country Code;
Digits following NDC identifies the HLR
                                                            7
   Addresses and Identifiers

• Mobile Station Roaming Number
  (MSRN)
  – It is temporary location dependent
    ISDN number
  – It is assigned by local VLR to each MS in
    its area.

      CC         NDC         SN



                                                8
    Addresses and identifiers

• Temporary Mobile Subscriber
  Identity (TMSI)
  – It is an alias of the IMSI and is used in its place for
    privacy.
  – It is used to avoid sending IMSI on the radio path.
  – It is an temporary identity that is allocated to an MS by
    the VLR at inter-VLR registration, and can be changed by
    the VLR
  – TMSI is stored in MS SIM card and in VLR.




                                                            9
     TMSI, IMSI, MSRN and MSISDN

• Unlike MSISDN, IMSI is not known to the GSM user. The
  CC of MSISDN translates to an MCC of IMSI as follows,
  e.g, Denmark CC: 45 MCC: 238
• TMSI is used instead of IMSI during location update to
  protect privacy. As user moves, TMSI is used to send
  location update. Thus a third party snooping on the wireless
  link cannot track a user as he/she moves.
• MSRN is the routing number that identifies the current
  location of the called MS.
    – MSRN is temporary network identity assigned to a mobile
      subscriber.
    – MSRN identifies the serving MSC/VLR.
    – MSRN is used for call delivery (calls incoming to an MS).
• MSISDN is the dialed number to reach a GSM user

                                                             10
   Addresses and Identifiers

• Location Area ID (LAI)
  – CC: Country Code, MNC:Mobile Network
    Code, LAC: Location Area Code
  – LAI is broadcast regularly by Base
    Station on BCCH
  – Each cell is identified uniquely as
    belonging to an LA by its LAI

    CC         MNC       LAC


                                           11
       Location management

• Set of procedures to:
  – track a mobile user
  – find the mobile user to deliver it calls
• Current location of MS maintained by
  2-level hierarchical strategy with
  HLRs and VLRs.



                                               12
         Ways to obtain MSRN
1.   Obtaining at location update – MSRN for the MS
     is assigned at the time of each location update,
     and is stored in the HLR. This way the HLR is in
     a position to immediately supply the routing info
     (MSRN) needed to switch a call through to the
     local MSC.
2.   Obtaining on a per call basis – This case requires
     that the HLR has at least an identification for
     the currently responsible VLR. When routing
     info is requested from the HLR, it first has to
     obtain the MSRN from the VLR. This MSRN is
     assigned on a per call basis, i.e. each call involves
     a new MSRN assignment

                                                        13
    Routing information: case when MSRN
      is selected per call by VLR/MSC

                                    MSISDNIMSI, VLR number
                              HLR



                                        

                                    
        MSISDN
                           MSRN
                  GMSC                 MSC/VLR

•   If MSRN is allocated to each subscriber visiting at an MSC, then
    the number of MSRNs required is large. If instead, an MSRN is
    allocated only when a call is to be established, then the number of
    MSRNs is roughly equal to number of circuits at MSC – a much
    smaller number – hence MSRNs typically allocated per call by
    VLR/MSC                                                             14
                  Call routing to a mobile station:
                  case when HLR returns MSRN
                                                                                 1
                                                                           MSISDN


                                                            GMSC                           ISDN
LA 1                                              4                                    1
                                                 MSRN

                                                                             2
                                                                     3
                                                                           MSISDN
                    BSC                                             MSRN               MSC
  BTS                                                 MSC                        HLR
                                           7
                                          TMSI

                                                                5
                          7
                                                            MSRN
                         TMSI
LA 2
                                BSC
                                                        EIR
            BTS
                   8                  7
                  TMSI            TMSI
                                                                             VLR
                                                                    AUC
                                                            6
       MS                                 BTS
                                                         TMSI                                15
          Messages exchanged: call delivery

                    1        GMSC     5                      4
           PSTN
                                      2        HLR      3         VLR

                                                        6
                                                                  Target
                                                                  MSC


                                                                           Target
                                                            VLR             MSC
                  GMSC          HLR
Originating
        1. ISUP IAM
  Switch            2. MAP_SEND_ROUTING_INFO
                                    3. MAP_PROVIDE_ROAMING_NUMBER

                                  4. MAP_PROVIDE_ROAMING_NUMBER_ack

                  5. MAP_SEND_ROUTING_INFO_ack
                                          6. ISUP IAM
                                                                               16
        Find operation in GSM
• ISDN switch recognizes from the MSISDN that
  the call subscriber is a mobile subscriber.
  Therefore, forward the call to the GMSC of the
  home PLMN (Public Land Mobile Network)
• GMSC requests the current routing address
  (MSRN) from the HLR using MAP
• By way of MSRN the call is forwarded to the local
  MSC
• Local MSC determines the TMSI of the MS (by
  querying VLR) and initiates the paging procedure in
  the relevant LA
• After MS responds to the page the connection can
  be switched through.
                                                   17
                GSM security
• Authentication
   • What signed response (SRES) are you able to
     derive from the input challenge RAND by
     applying the A3 algorithm with your personal
     key Ki (Ki is per subscriber)?

   Ki          RAND (128bit)   Ki            RAND



    A3 algorithm               A3 algorithm


                   MS               SRES            network
        SRES
                                                        18
                                           equal?
                    GSM security
 • Encryption
    • Digital technology – easy to encrypt voice data
    • A5 derives a ciphering sequence of 114 bits for each
      burst independently
    • XOR 114 bits of a radio burst with 114 bits of a ciphering
      sequence generated by A5
                                                     BTS
MS Kc (64 bits) frame number                 Kc          frame number
                     (22 bits)


      A5 algorithm                              A5 algorithm
      S1(114)        S2(114) ciphering      S1      S2
                                                           deciphering
      deciphering                   ciphering                  19
               Key management
• Ciphering key Kc is generated using algorithm A8 in the same
  manner as SRES (from RAND and Ki)
• Each time a mobile station is authenticated the MS and
  network compute the ciphering key Kc by running algorithm
  A8 with the same inputs RAND and Ki as for SRES
• Ciphering with Kc applies only when the network knows the
  identity of the subscriber it is talking to.
   – Bootstrap period during which network does not know
     who the subscriber is
       • Up to and including the first message carrying the non-
         ambiguous subscriber identity is carried in the clear
         (unencrypted)
   – Protection: use TMSI instead of IMSI when possible –
     TMSI should be exchanged during protected signaling
     (ciphered) procedures

                                                                   20
          Location registration
• MS has to register with the PLMN to get communication
  services
• Registration is required for a change of PLMN
• MS has to report to current PLMN with its IMSI and
  receive new TMSI by executing Location Registration
  process.
• The TMSI is stored in SIM, so that even after power on or
  off, there is only normal Location Update.
• If the MS recognizes by reading the LAI broadcast on
  BCCH that it is in new LA, it performs Location Update to
  update the HLR records.
• Location update procedure could also be performed
  periodically, independent of the MS movement.
• The difference in Location Registration and Location Update
  is that in location update the MS has already been assigned
  a TMSI.
                                                           21
  MS              BSS/MSC                    VLR                    HLR                   AUC
                       Location registration
      IMSI Ki
         Loc.Upd.Req
                             Upd Loc.Area                                 Auth.Info.Req
          (IMSI,LAI)                               Aut.Par.Req
                              (IMSI,LAI)                                     (IMSI)
                                                         (IMSI)
                             Authenticate              Aut. Info.
                                                                           Auth.Info
          Authentic. Req                              (IMSI,Kc,            (IMSI,Kc,
                              (RAND)                 RAND,SRES)
            (RAND)                                                        RAND,SRES)

 Ki      RAND

                                              SRES
A3 & A8
Kc       SRES
                Auth.Resp.    Auth.Resp
                 (SRES)
                                (SRES)                    Update
                                                         Location
                                                        (IMSI,MSRN)
                                            Generate                              Contd...
                                             TMSI                                            22
      (…contd) Location registration.


 MS                   BSS/MSC                    VLR                       HLR              AUC
                                               Generate
                                                TMSI

                                 Start Ciph.              Ins.Subsc.Data
                                    (Kc)                    (IMSI)
                                Forw. New TMSI
                                                          Subs.Dat.Ins.Ack
                                    (TMSI)
          Ciph.Mod.Com.                                   Loc.Upd.Accept
Kc        Message M             Loc.Upd.Accept               (IMSI)
     A5
 Kc(M)         Ciph.Mod.

              Kc(M)    Kc       Kc(M)
                                                                  New TMSI is received by MS
                           A5                                (TMSI Reallocation) in ciphering mode.
                            M
      TMSI Realloc.Cmd.

      Loc.Upd.Accept            can be combined
      TMSI Realloc.Ack
                                 TMSI.Ack
                                                                                                  23
MS            BSS/MSC                   VLR                  HLR          AUC
                      Location update
IMSI, TMSI
Ki, Kc, LAI
     Loc.Upd.Req
                     Update Loc.Area
      (TMSI,LAI)
                       (TMSI,LAI)


              Authentication
                                               Update Location
                                               (IMSI,MSRN)

                                    Generate
                                     TMSI

                      Start ciphering     Insert Subscriber. data
                           (Kc)                   IMSI
                                          Subs. Data Insert Ack
 Start ciphering.                                                   (contd..)

                                                                                24
                               (..contd) Location update.

MS           BSS/MSC                      VLR                 HLR                    AUC

 Start ciphering.

                       Forward new TMSI

                             (TMSI)
                                            Loc. Upd. Acept
                                                   (IMSI)
                        Loc. Upd. Acept

  TMSI Realloc. Cmd.
                                            Auth. Para. Req
                                                   (IMSI)
  Loc. Upd. Acept
                                                Auth. Info.
                                                                     Auth.Info.Req
                                           (IMSI,Kc, RAND,SRES)
 TMSI Reallocation        TMSI Ack                                      (IMSI)
      Complete                                                         Auth.Info
                                                                  (IMSI,Kc, RAND,SRES)
                                                                                         25
             Types of handover
            (same as “handoff”)

• There are four different types of
  handover in the GSM system. Handover
  involves transferring a call between:
  – Channels (time slots) in the same cell
  – Cells (Base Transceiver Stations) under the
    control of the same Base Station Controller
    (BSC),
  – Cells under the control of different BSCs, but
    belonging to the same Mobile services
    Switching Center (MSC), and
  – Cells under the control of different MSCs.

                                                     26
     Attributes of radio-link handover

•   Hard handover
•   MAHO
•   Backward
•   COS selection scheme: static
    – Cross-over switch: anchor switch




                                         27
          Handover (MAHO)

• Handovers are initiated by the BSS/MSC
  (as a means of traffic load balancing).
• During its idle time slots, the mobile scans
  the Broadcast Control Channel of up to 16
  neighboring cells, and forms a list of the
  six best candidates for possible handover,
  based on the received signal strength.
• This information is passed to the BSC and
  MSC, at least once per second, and is used
  by the handover algorithm.

                                                 28
        Handover procedures in GSM
                                                           8
    Connection route

                                          9
                                MSC-A         MSC-B
                                                                MSC-C
                  1
                                                    6                 8
                      BSC
            4     3

BTS 1                                         BSC
                                                                BSC
                 BTS 2

2
                                  BTS 3
                                                        BTS 3
                            5                   7               29
              Inter MSC basic handover
MS/BSS 1              MSC-A                MSC-B                               VLR-B
     Handover required    Perform Handover          Allocate Handover number


                                                           Handover report
                          Radio chan. Ack
                                IAM                           MS/BSS 2
                                ACM
       HA Indication                               HB Indication

                                               HB Confirm
                          Send End Signal

                                ANS


        End of Call            REL

                               RLC
                              End Signal                Handover report
                                                                                 30
  Subsequent handover from MSC-B to MSC-A
MS/BSS 1             MSC-A                MSC-B          MS/BSS 2

                                               HA Required
                       Perform subsequent
                             Handover

                        Subseq. Handover
      HB Indication
                          Acknowledge


       HB Confirm
                                              HA Indication
                             End Signal                                 VLR-B
                                                      Handover report
       End of Call             REL

                               RLC

                                                                           31
Subsequent handover from MSC-B to MSC-C
MSC-A                                     MSC-B                     MS

                Perform subsequent                     HA Request

                      Handover

                 MSC-C                                 VLR-C

   Perform Handover
                                 Allocate Handover
                                      Number

                                 Send Handover report
   Radio chan. Ack.


        IAM

        ACM
                                       HB Indication
                                                                         (Contd…)
                                                                                32
  (…contd) Subsequent handover from MSC-B to MSC-C

MSC-A                                    MSC-B                     MS

                 Perform subsequent
                                                   HA Indication
                      Acknowledge

                 MSC-C
                                      HB Confirm
    Send End Signal
         ANS

                                        MSC-B                            VLR-B
                  End Signal

                                                        Handoff Report
                        REL

                       RLC


                                                                            33
                  Abbreviations
•   ISC: International switching center
•   OMC: Operations and maintenance center
•   GMSC: Gateway switching center
•   MSC: Mobile switching center
•   VLR: Visitor location register
•   HLR: Home Location register
•   EIR: Equipment Identification register
•   AUC: Authentication center
•   BSC: Base station controller
•   BTS: Base transceiver station
•   MS: Mobile subscriber
•   TMSI: Temporary Mobile Subscriber Identity
•   IMSI: International Mobile Subscriber Identity

                                                     34
             References

• The GSM Sytem for Mobile
  communications by Mouly & Pautet
• Wireless and Mobile Network
  Architectures by Yi-Bing Lin & Imrich
  Chlamtac
• Wireless Personal Communications Systems
  by Dr. Goodman
• GSM Switching, Services and Protocols by
  Jorg Eberspacher and Hans-Jorg Vogel

                                         35

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:15
posted:8/18/2011
language:English
pages:35