um interface lesson
TRANSCRIPT
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 1/12
Um Interface
From Wikipedia, the free encyclopedia
The Um Interface is the air interface for the GSM mobile telephone standard. It is the interface between the
mobile station (MS) and the Base transceiver station (BTS). It is called Um because it is the mobile analog tothe U interface of ISDN. Um is defined in the GSM 04.xx and 05.xx series of specifications. Um can also
support GPRS packet-oriented communication.
Contents
1 Um layers
1.1 Physical Layer (L1)
1.1.1 Radiomodem
1.1.2 Multiplexing and timing
1.1.3 Coding
1.2 Data Link Layer (L2)
1.3 Network Layer (L3)
2 Um logical channels
2.1 Traffic channels (TCH)
2.1.1 Full-rate channels (TCH/F)
2.1.2 Half-rate channels (TCH/H)
2.2 Dedicated Control Channels (DCCHs)
2.2.1 Standalone Dedicated Control Channel (SDCCH)2.2.2 Fast Associated Control Channel (FACCH)
2.2.3 Slow Associated Control Channel (SACCH)
2.3 Non-Dedicated Control Channels (NDCCHs)
2.3.1 Broadcast Control Channel (BCCH)
2.3.2 Synchronization Channel (SCH)
2.3.3 Frequency Correction Channel (FCCH)
2.3.4 Common Control Channel (CCCH)
2.3.5 Random Access Channel (RACH)
2.4 Allowed channel combinations
3 Fundamental Um Transactions
3.1 Radio Channel Establishment
3.2 Location updating
3.3 Mobile-Originating Call (MOC) establishment
3.4 Mobile-Terminating Call (MTC) establishment
3.5 Call clearing
4 SMS Transfer on Um
4.1 Mobile-Originated SMS (MO-SMS)
4.2 Mobile-Terminated SMS (MT-SMS)
5 Um Security Features5.1 Authentication of Subscribers
5.2 Um Encryption
5.3 Anonymization of Subscribers
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 2/12
6 See also
7 Further reading
8 External links
Um layers
The layers of GSM are initially defined in GSM 04.01 Section 7 and roughly follow the OSI model. Um is
defined in the lower three layers of the model.
Physical Layer (L1)
Main article: Physical Layer
The Um physical layer is defined in the GSM 05.xx series of specifications, with the introduction and
overview in GSM 05.01. For most channels, Um L1 transmits and receives 184-bit control frames or 260-bit
vocoder frames over the radio interface in 148-bit bursts with one burst per timeslot. There are three
sublayers:
Radiomodem. This is the actual radio transceiver, defined in largely in GSM 05.04 and 05.05.1.
Multiplexing and Timing. GSM uses TDMA to subdivide each radio channel into as many as 16 traffic
channels or as many as 64 control channels. The multiplexing patterns are defined in GSM 05.02.
2.
Coding. This sublayer is defined on GSM 05.03.3.
Radiomodem
GSM uses GMSK or EDGE modulation with a 13/48 MHz (270.833 kHz) symbol rate and a channel spacing
of 200 kHz. Since adjacent channels overlap, the standard does not allow adjacent channels to be used in thesame cell. The standard defines several bands ranging from 400 MHz to 1990 MHz. Uplink and downlink
bands are generally separated by 45 or 50 MHz. Uplink/downlink channel pairs are identified by an index
called the ARFCN. Within the BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0
designated as a Beacon Channel and always operated at constant power.
The channel is time-multiplexed into 8 timeslots, each with a duration of 156.25 symbol periods. These 8
timeslots form a frame of 1,250 symbol periods. The capacity associated with a single timeslot on a single
ARFCN is called a physical channel (PCH) and referred to as "CnTm" where n is a carrier index and m is a
timeslot index (0-7).
Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble
(or training sequence). The lengths of these fields vary with the burst type but the total burst length is 156.25
symbol periods. The most commonly used burst is the Normal Burst (NB). The fields of the NB are:
8.25 3 57 1 26 1 57 3
Guard
period
Tail
bitsPayload
Stealing
bitMidamble
Stealing
bitPayload
Tail
bits
Guard period8.25-symbols at the start of the burst
Midamble
26-bits for equalizer training at the center of the burst
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 3/12
"Stealing bits"
each side of the midamble, used to distinguish control and traffic payloads
Payload
two 57-bit fields, symmetric about the burst
Tail bits
3-bit field, at each end of the burst
There are several other burst formats, though. Bursts that require higher processing gain for signal
acquisition have longer midambles. The random access burst (RACH) has an extended guard period to allow
it to be transmitted with incomplete timing acquisition. Burst formats are described in GSM 05.02 Section
5.2.
Multiplexing and timing
Each physical channel is time-multiplexed into multiple logical channels according to the rules of GSM
05.02. Traffic channel multiplexing follows a 26-frame (0.12 second) cycle called a "multiframe". Control
channels follow a 51-frame multiframe cycle. The C0T0 physical channel carries the SCH, which encodes
the timing state of the BTS to facilitate synchronization to the TDMA pattern.
GSM timing is driven by the serving BTS through the SCH and FCCH. All clocks in the handset, including
the symbol clock and local oscillator, are slaved to signals received from the BTS, as described in GSM
05.10. BTSs in the GSM network can be asynchronous and all timing requirements in the GSM standard can
be derived from a stratum-3 OCXO.
Coding
The coding sublayer provides forward error correction. As a general rule, each GSM channel uses a block
parity code (usually a Fire code), a rate-1/2, 4th-order convolutional code and a 4-burst or 8-burst
interleaver. Notable exceptions are the synchronization channel (SCH) and random access channel (RACH)that use single-burst transmissions and thus have no interleavers. For speech channels, vocoder bits are
sorted into importance classes with different degrees of encoding protection applied to each class (GSM
05.03).
Both 260-bit vocoder frames and 184-bit L2 control frames are coded into 456 bit L1 frames. On channels
with 4-burst interleaving (BCCH, CCCH, SDCCH, SACCH), these 456 bits are interleaved in to 4 radio
bursts with 114 payload bits per burst. On channels with 8-burst interleaving (TCH, FACCH), these 456 bits
are interleaved over 8 radio bursts so that each radio burst carries 57 bits from the current L1 frame and 57
bits from the previous L1 frame. Interleaving algorithms for the most common traffic and control channels
are described in GSM 05.03 Sections 3.1.3, 3.2.3 and 4.1.4.
Data Link Layer (L2)
Main article: Data Link Layer
The Um data link layer is defined in GSM 04.05 and 04.06. It is called LAPDm and is the mobile analog to
LAPD. Like LAPD, LAPDm is derived from HDLC, but with these simplifications:
LAPDm frames are always 184 bits, with segmentation for larger messages.
LAPDm allows no more than one outstanding unacknowledged I-frame (GSM 04.06 Sections 5.8.4
and 6).LAPDm does not support extended header formats (GSM 04.06 Section 3).
LAPDm supports only the SABM, DISC, DM, UI and UA U-Frames (GSM 04.06 Sections 3.4, 3.8.1).
LAPDm supports the RR and REJ S-Frames (GSM 04.06 3.4, 3.8.1), but not RNR (GSM 04.06
Sections 3.8.7 and 6).
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 4/12
LAPDm has just one internal timer, T200 (GSM 04.06 5.8).
LAPDm supports only one terminal endpoint, whose TEI is implied.
The BTS is always able to enter asynchronous balanced mode when requested.
LAPDm can never be in a recevier-not-ready condition (GSM 04.06 Section 3.8.7).
LAPDm supports only two SAPs: SAP3 for SMS and SAP0 for everything else (GSM 04.06 Sections
3.3.3 and 6).
In SAP0, asynchronous balanced mode is always initiated by the MS (GSM 04.06 Sections 5.4.1.1 and
6).
Another important difference between LAPDm and LAPD is the establishment resolution procedure of
GSM 04.06 Section 5.4.1.4, wherein the MS sends an L3 message in the information field of the SABM
frame which is then echoed back by the BTS in the corresponding UA frame.
Network Layer (L3)
Main article: Network Layer
Um L3 is defined in GSM 04.07 and 04.08 and has three sublayers. A subscriber terminal must establish a
connection in each sublayer before accessing the next higher sublayer.
Radio Resource (RR). This sublayer manages the assignment and release of logical channels on the
radio link. It is normally terminated in the BSC.
1.
Mobility Management (MM). This sublayer authenticates users and tracks their movements from cell
to cell. It is normally terminated in the VLR or HLR.
2.
Call Control (CC). This sublayer connects telephone calls and is taken directly from ITU-T Q.931.
GSM 04.08 Annex E provides a table of corresponding paragraphs in GSM 04.08 and ITU-T Q.931
along with a summary of differences between the two. The CC sublayer is terminated in the MSC.
3.
The access order is RR, MM, CC. The release order is the reverse of that. Note that none of these sublayers
terminate in the BTS itself. The standard GSM BTS operates only in layers 1 and 2.
Um logical channels
Um logical channel types are outlined in GSM 04.03. Broadly speaking, non-GRPS Um logical channels fall
into three categories: traffic channels, dedicated control channels and non-dedicated control channels.
Traffic channels (TCH)
These point-to-point channels correspond to the ISDN B channel and are referred to as Bm channels.
Traffic channels use 8-burst diagonal interleaving with a new block starting on every fourth burst and any
given burst containing bits from two different traffic frames. This interleaving pattern makes the TCH robust
against single-burst fades since the loss of a single burst destroys only 1/8 of the frame's channel bits. The
coding of a traffic channel is dependent on the traffic or vocoder type employed, with most coders capable
of overcoming single-burst losses. All traffic channels use a 26-multiframe TDMA structure.
Full-rate channels (TCH/F)
A GSM full rate channel uses 24 frames out of a 26-multiframe. The channel bit rate of a full-rate GSM
channel is 22.7 kbit/s, although the actual payload data rate is 9.6-14 kbit/s, depending on the channel
coding. This channel is normally used with the GSM 06.10 Full Rate, GSM 06.60 Enhanced Full Rate or GSM 06.90 Adaptive Multi-Rate speech codec. It can also be used for fax and Circuit Switched Data.
Half-rate channels (TCH/H)
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 5/12
A GSM half rate channel uses 12 frames out of a 26-multiframe. The channel bit rate of a half-rate GSM
channel is 11.4 kbit/s, although the actual data capacity is 4.8-7 kbit/s, depending on the channel coding.
This channel is normally used with the GSM 06.20 Half Rate or GSM 06.90 Adaptive Multi-Rate speech
codec.
Dedicated Control Channels (DCCHs)
These point-to-point channels correspond to the ISDN D channel and are referred to as Dm channels.
Standalone Dedicated Control Channel (SDCCH)
The SDCCH is used for most short transactions, including initial call setup step, registration and SMS
transfer. It has a payload data rate of 0.8 kbit/s. Up to eight SDCCHs can be time-multiplexed onto a single
physical channel. The SDCCH uses 4-burst block interleaving in a 51-multiframe.
Fast Associated Control Channel (FACCH)
The FACCH is always paired with a traffic channel. The FACCH is a blank-and-burst channel that operates by stealing bursts from its associated traffic channel. Bursts that carry FACCH data are distinguished from
traffic bursts by stealing bits at each end of the midamble. The FACCH is used for in-call signaling,
including call disconnect, handover and the later stages of call setup. It has a payload data rate of 9.2 kbit/s
when paired with a full-rate channel (FACCH/F) and 4.6 kbit/s when paired with a half-rate channel
(FACCH/H). The FACCH uses the same interleaving and multiframe structure as its host TCH.
Slow Associated Control Channel (SACCH)
Every SDCCH or FACCH also has an associated SACCH. Its normal function is to carry system information
messages 5 and 6 on the downlink, carry receiver measurement reports on the uplink and to performclosed-loop power and timing control. Closed loop timing and power control are performed with a physical
header at the start of each L1 frame. This 16-bit physical header carries actual power and timing advance
settings in the uplink and ordered power and timing values in the downlink. The SACCH can also be used for
in-call delivery of SMS. It has a payload data rate of 0.2-0.4 kbit/s, depending on the channel with which it is
associated. The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or
SDCCH.
Non-Dedicated Control Channels (NDCCHs)
These are unicast and broadcast channels that do not have analogs in ISDN. These channels are used almost
exclusively for radio resource management. The CCCH and RACH together form the medium access
mechanism for Um.
Broadcast Control Channel (BCCH)
The BCCH carries a repeating pattern of system information messages that describe the identity,
configuration and available features of the BTS. BCCH brings the measurement reports it bring the
information about LAI And CGI BCCH frequency are fixed in BTS
Synchronization Channel (SCH)
The SCH transmits a Base station identity code and the current value of the TDMA clock.
Frequency Correction Channel (FCCH)
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 6/12
The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local
oscillator.
Common Control Channel (CCCH)
The CCCH is a downlink unicast channel that carries paging requests and channel assignment messages
(specifically, immediate assignment messages). The CCCH is subdivided into the paging channel (PCH) and
access grant channel (AGCH). A mobile station that is camped to a BTS monitors the PCH for servicenotifications from the network. The CCCH is the GSM predecessor to the Common Control Physical
Channel in UMTS.
Random Access Channel (RACH)
The RACH is the uplink counterpart to the CCCH. The RACH is a shared channel on which the mobile
stations transmit random access bursts to request channel assignments from the BTS.
Allowed channel combinations
The multiplexing rules of GSM 05.02 allow only certain combinations of logical channels to share a physical
channel. The allowed combinations for single-slot systems are listed in GSM 05.02 Section 6.4.1.
Additionally, only certain of these combinations are allowed on certain timeslots or carriers and only certain
sets of combinations can coexist in a given BTS. These restrictions are intended to exclude non-sensical BTS
configurations and are described in GSM 05.02 Section 6.5.
The most common combinations are:
Combination I: TCH/F + FACCH/F + SACCH. This combination is used for full rate traffic. It can be
used anywhere but C0T0.
Combination II: TCH/H + FACCH/H + SACCH. This combination is used for half rate traffic whenonly one channel is needed. It can be used anywhere but C0T0.
Combination III: 2 TCH/H + 2 FACCH/H + 2 SACCH. This combination is used for half rate traffic.
It can be used anywhere but C0T0.
Combination IV: FCCH + SCH + BCCH + CCCH. This is the standard C0T0 combination for
medium and large cells. It can be used only on C0T0.
Combination V: FCCH + SCH + BCCH + CCCH + 4 SDCCH + 4 SACCH. This is the typical C0T0
combination for small cells, which allows the BTS to trade unnecessary CCCH capacity for a pool of 4
SDCCHs. It can be used only on C0T0.
Combination VI: BCCH + CCCH. This combination is used to provide additional CCCH capacity in
large cells. It can be used on C0T2, C0T4 or C0T6.
Combination VII: 8 SDCCH + 8 SACCH. This combination is used to provide additional SDCCH
capacity in medium and large cells. It can be used anywhere but C0T0.
Fundamental Um Transactions
Basic speech service in GSM requires five transactions: radio channel establishment, location update,
mobile-originating call establishment, mobile-terminating call establishment and call clearing. All of these
transactions are described in GSM 04.08 Sections 3-7.
Radio Channel Establishment
Unlike ISDN's U channel, Um channels are not hard-wired, so the Um interface requires a mechanism for
establishing and assigning a dedicated channel prior to any other transaction. The Um radio resource
establishment procedure is defined in GSM 04.08 Section 3.3 and this is the basic medium access procedure
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 7/12
for Um. This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared
uplink. In the simplest form, the steps of the transaction are:
Paging. The network sends a RR Raging Request message (GSM 04.08 Sections 9.1.22-9.1.23) over
the PCH, using the subscriber's IMSI or TMSI as an address. GSM does not allow paging by IMEI
(GSM 04.08 Section 10.5.1.4). This paging step occurs only if the transaction initiated by the network.
1.
Random Access. The mobile station sends a burst on the RACH. This burst encodes an 8-bit
transaction tag and the BSIC of the serving BTS. A variable number of most-significant bits in the tag
encode the reason for the access request, with the remaining bits chosen randomly. In L3, this tag is
presented as the RR Channel Request message (GSM 04.08 9.1.8). The mobile also records the
TDMA clock state at the time the RACH burst is transmitted. In cases where the transaction is
initiated by the MS, this is first step.
2.
Assignment. On the AGCH, the network sends the RR Immediate Assignment message (GSM 04.08
Section 9.1.18) for a dedicated channel, usually an SDCCH. This message is addressed to the MS by
inclusion of the 8-bit tag from the corresponding RACH burst and a time-stamp indicating the TMDA
clock state when the RACH burst was received. If no dedicated channel is available for assignment,
the BTS can instead respond with the RR Immediate Assignment Reject message, which is similarly
addressed and contains a hold-off time for the next access attempt. Emergency callers receiving the
reject message are not subject to the hold-off and may retry immediately.
3.
Retry. If the RACH burst of step 2 is not answered with an assignment or assignment reject in step 3
within a given timeout period (usually on the order of 0.5 second), the handset will repeat step 2 after
a small random delay. This cycle may be repeated 6-8 times before the MS aborts the access attempt.
4.
Note that there is a small but non-zero probability that two MSs send identical RACH bursts at the same
time in step 2. If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio
signals will not be demodulable and both MSs will move to step 4. However, if there is a sufficient difference
in power, the BTS will see and answer the more powerful RACH burst. Both MSs will receive and respond
to the resulting channel assignment in step 3. To insure recovery from this condition, Um uses a "contention
resolution procedure" in L2, described in GSM 04.06 5.4.1.4 in which the first L3 message frame from the
MS, which always contains some form of mobile ID, is echoed back to the MS for verification.
Location updating
The location updating procedure is defined in GSM 04.08 Sections 4.4.1 and 7.3.1. This procedure normally
is performed when the MS powers up or enters a new Location area but may also be performed at other
times as described in the specifications. In its minimal form, the steps of the transaction are:
The MS and BTS perform the radio channel establishment procedure.1.
On the newly established dedicated channel, the MS sends the MM Location Updating Request
message containing either an IMSI or TMSI. The message also implies connection establishment in theMM sublayer.
2.
The network verifies the mobile identity in the HLR or VLR and responds with the MM Location
Updating Accept message.
3.
The network closes the Dm channel by sending the RR Channel Release message.4.
There are many possible elaborations on this transaction, including:
authentication
ciphering
TMSI assignment
queries for other identity typeslocation updating reject
Mobile-Originating Call (MOC) establishment
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 8/12
This is the transaction for an outgoing call from the MS, defined in GSM 04.08 Sections 5.2.1 and 7.3.2 but
taken largely from ISDN Q.931. In the its simplest form, the steps of the transaction are:
The MS initiates the radio channel establishment procedure and is assigned to a Dm channel, usually
an SDCCH. This establishes the connection in the L3 RR sublayer.
1.
The first message sent on the new Dm is the MM Connection Mode service Request, sent by the MS.
This message contains a subscriber ID (IMSI or TMSI) and a description of the requested service, in
this case MOC.
2.
The network verifies the subscriber's provisioning in the HLR and responds with the MM Connection
Mode Service Accept message. This establishes the connection in the L3 MM sublayer. (This is a
simplification. In most networks MM establishment is performed with authentication and ciphering
transactions at this point.)
3.
The MS sends the CC Setup message, which contains the called party number.4.
Assuming the called party number is valid, network response with the CC Call Proceeding message.5.
The network sends an RR Assignment message to move the transaction off of the SDCCH and onto a
TCH+FACCH.
6.
Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the
RR Assignment Complete message. From this point on, all control transactions are on the FACCH.
7.
When alerting is verified at the called destination, the network sends the CC Alerting message.8.When the called party answers, the network sends the CC Connect message.9.
The MS response with the CC Connect Acknowledge message. At this point, the call is active.10.
The TCH+FACCH assignment can occur at any time during the transaction, depending on the configuration
of the network. There are three common approaches:
Early Assignment. The network assigns the TCH+FACCH after sending CC Call Proceeding and
completes call setup on the FACCH. This allows the use of in-band patterns (like the ringing or busy
patterns) generated by the network. This is the example shown.
Late Assignment. The network does not assign the TCH+FACCH until after alerting has started. This
forces the MS itself to generate the patterns locally since the TCH does not yet exist to carry thesound.
Very Early Assignment. The network makes an immediate assignment to the TCH+FACCH in the
initial RR establishment and performs the entire transaction on the FACCH. The SDCCH is not used.
Because immediate assignment starts the FACCH in a signaling-only mode, the network must send the
RR Channel Mode Modify message at some point to enable the TCH part of the channel.
Mobile-Terminating Call (MTC) establishment
This is the transaction for an incoming call to the MS, defined in GSM 04.08 Sections 5.2.2 and 7.3.3, but
taken largely from ISDN Q.931.
The network initiates the radio channel establishment procedure and assigns the MS to a Dm channel,
usually an SDCCH. This establishes the connection in the L3 RR sublayer.
1.
The MS sends the first message on the new Dm, which is the RR Paging Response message. This
message contains a mobile identity (IMSI or TMSI) and also implies a connection attempt in the MM
sublayer.
2.
The network verifies the subscriber in the HLR and verifies that the MS was indeed paged for service.
The network can initiate authentication and ciphering at this point, but in the simplest case the
network can just send the CC Setup message to initiate Q.931-style call control.
3.
The MS responds with CC Call Confirmed.4.
The network sends an RR Assignment message to move the transaction off of the SDCCH and onto aTCH+FACCH.
5.
Once the MS has acquired the timing on the TCH+FACCH, it responds on the new FACCH with the
RR Assignment Complete message. From this point on, all control transactions are on the FACCH.
6.
The MS starts alerting (ringing, etc.) and sends the CC Alerting message to the network.7.
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 9/12
When the subscriber answers, the MS sends the CC Connect message to the network.8.
The network response with the CC Connect Acknowledge message. At this point, the call is active.9.
As in the MOC, the TCH+FACCH assignment can happen at any time, with the three common techniques
being early, late and very early assignment.
Call clearing
The transaction for clearing a call is defined in GSM 04.08 Sections 5.4 and 7.3.4. This transaction is the
same whether initiated by the MS or the network, the only difference being a reversal of roles. This
transaction is taken from Q.931.
Party A sends the CC Disconnect message.1.
Party B responds with the CC Release message.2.
Party A responds with the CC Release Complete message.3.
The network releases the RR connection with the RR Channel Release message. This always comes
from the network, regardless of which party initiated the clearing procedure.
4.
SMS Transfer on Um
GSM 04.11 and 03.40 define SMS in five layers:
L1 is taken from the Dm channel type used, either SDCCH or SACCH. This layer terminates in the
BSC.
1.
L2 is normally LAPDm, although GPRS-attached devices may use Logical link control (LLC, GSM
04.64). In LAPDm SMS uses SAP3. This layer terminates in the BSC.
2.
L3, the connection layer, defined in GSM 04.11 Section 5. This layer terminates in the MSC.3.
L4, the relay layer, defined in GSM 04.11 Section 6. This layer terminates in the MSC.4.
L5, the transfer layer, defined in GSM 03.40. This layer terminates in the SMSC.5.
As a general rule, every message transferred in L(n) requires both a transfer and an acknowledgment on
L(n-1). Only L1-L4 are visible on Um.
Mobile-Originated SMS (MO-SMS)
The transaction steps for MO-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest
case, error-free delivery outside of an established call, the transaction sequence is:
The MS establishes an SDCCH using the standard RR establishment procedure.1.
The MS sends a CM Service Request,2.The MS initiates multiframe mode in SAP3 with the normal LAPDm SABM procedure.3.
The MS sends a CP-DATA message (L3, GSM 04.11 Section 7.2.1), which carries an RP-DATA
message (L4, GMS 04.11 Section 7.3.1) in its RPDU.
4.
The network responds with a CP-ACK message (L3, GSM 04.11 Section 7.2.2).5.
The network delivers the RDPU to the MSC.6.
The MSC responds with an RP-ACK message (L4, GSM 04.11 Section 7.3.3).7.
The network sends a CP-DATA message to the MS, carrying the RP-ACK payload in its RPDU.8.
The MS responds with a CP-ACK message.9.
The network releases the SDCCH with the RR Channel Release message. This implies a closure of the
MM sublayer and triggers the release of L2 and L1.
10.
Mobile-Terminated SMS (MT-SMS)
The transaction steps for MT-SMS are defined in GSM 04.11 Sections 5, 6 and Annex B. In the simplest
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 10/12
case, error-free delivery outside of an established call, the transaction sequence is:
The network pages the MS with the standard paging procedure.1.
The MS establishes an SDCCH using the standard RR paging response procedure, which implies a CC
sublayer connection.
2.
The network initiates multiframe mode in SAP3.3.
The network sends the RP-DATA message as the RPDU in a CP-DATA message.4.
The MS responds with the CP-ACK message.5.
The MS processes the RPDU.6.
The MS sends a CP-DATA message to the network containing an RP-ACK message in the RPDU.7.
The network responds with a CP-ACK message.8.
The network releases the SDCCH with the RR Channel Release message. This implies a closure of the
MM sublayer and triggers the release of L2 and L1.
9.
Um Security Features
GSM 02.09 defines the following security features on Um:
authentication of subscribers by the network,encryption on the channel,
anonymization of transactions (at least partially)
Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security
feature but has the practical effect of adding significant complexity to passive interception of the Um link.
Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber. Copies of Ki
are held in the SIM and in the Authentication Center (AuC), a component of the HLR. Ki is never
transmitted across Um. An important and well-know shortcoming of GSM security is that it does not provide
a means for subscribers to authenticate the network. This oversight allows for false basestation attacks,such as those implemented in an IMSI catcher.
Authentication of Subscribers
The Um authentication procedure is detailed in GSM 04.08 Section 4.3.2 and GSM 03.20 Section 3.3.1 and
summarized here:
The network generates a 128 bit random value, RAND.1.
The network sends RAND to the MS in the MM Authentication Request message.2.
The MS forms a 32-bit hash value called SRES by encrypting RAND with an algorithm called A3,
using Ki as a key. SRES = A3(RAND,Ki). The network performs an identical SRES calculation.
3.
The MS sends back its SRES value in the RR Authentication Response message.4.
The network compares its calculated SRES value to the value returned by the MS. If they match, the
MS is authenticated.
5.
Both the MS and the network also compute a 64-bit ciphering key, Kc, from RAND and Ki using the
A8 algorithm. Kc = A8(RAND,Ki). Both parties save this value for later use when ciphering is
enabled.
6.
Note that this transaction always occurs in the clear, since the ciphering key is not established until after the
transaction is started.
Um Encryption
GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio
bursts, at a very low level in L1, after forward error correction coding is applied. This is another significant
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
f 12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 11/12
security shortcoming in GSM because:
the intentional redundancy of the convolutional coder reduces the Unicity distance of the encoded
data and
the parity word can be used to verify correct decryption.
A typical GSM transaction also includes LAPDm idle frames at predictable times, affording a Known
plaintext attack.
The GSM ciphering algorithm is called A5. There are four variants of A5 in GSM, only first three of which
are widely deployed:
A5/0—no ciphering at all
A5/1 -- strong(er) ciphering, intended for use in North America and Europe
A5/2 -- weak ciphering, intended for use in other parts of the world
A5/3 -- even stronger ciphering with open design
Ciphering is a radio resource function and managed with messages in the radio resource sublayer of L3, but
ciphering is tied to authentication because the ciphering key Kc is generated in that process. Ciphering is
initiated with the RR Ciphering Mode Command message, which indicates the A5 variant to be used. The
MS starts ciphering and responds with the RR Ciphering Mode Complete message in ciphertext.
The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GMS 02.09
Section 3.3.3). Support of A5/1 and A5/2 in the MS is mandatory (GSM 02.07 Section 2).
Anonymization of Subscribers
The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the
clear on Um. The TMSI is assigned by the BSC and is only meaningful within specific location area. The
TMSI is assigned by the network with the MM TMSI Reallocation Command, a message that is normally notsent until after ciphering is started, so as to hide the TMSI/IMSI relationship. Once the TMSI is established,
it can be used to anonymize future transactions until the MS moves to another location area. Note that the
subscriber identity must be established before authentication or encryption, so the first transaction in a new
location area must be initiated by transmitting the IMSI in the clear.
See also
OpenBTS
Further reading
M. Boulmalf, S. Akhtar. Performance Evaluation of Operational GSM's Air-Interface (Um)
(http://www.scs.org/getDoc.cfm?id=2090) . UAE University. pp. 4. http://www.scs.org
/getDoc.cfm?id=2090.
External links
3GPP - The current standardization body for GSM with free standards available
(http://www.3gpp.org) .General Packet Radio Service GPRS: Architecture, Protocols, and Air Interface
(http://www.comsoc.org/livepubs/surveys/public/3q99issue/bettstetter.html) .
The GSM Software Project (http://wiki.thc.org/gsm) .
GSM Tutorials (http://www.gsmfordummies.com/index.html) .
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface
f 12 9/24/2009 2:58 PM
7/29/2019 Um Interface Lesson
http://slidepdf.com/reader/full/um-interface-lesson 12/12
This page was last modified on 22 September 2009 at 03:34.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may
apply. See Terms of Use for details.
Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
Retrieved from "http://en.wikipedia.org/wiki/Um_Interface"
Categories: Global System for Mobile communications
Interface - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/Um_Interface