unit-2 pdf


Upload: nithilan92

Post on 02-Jun-2017


Handoff strategies

• When a mobile moves into a different cell while a conversation is in progress, the MSC automatically transfers the call to a new channel belonging to a new base station. This handoff not only involves identifying a new base station but also requires that the voice and control signals be allocated to channels associated with the new base station.

• Handoffs must be performed successfully and as infrequently as possible.

• System designers must take care to choose effective measures for achieving handoff.

• A method to perform handoff:

• An optimum signal level needs to be determined at which to perform the handoff.

• Once a particular signal level is specified as the minimum usable signal for acceptable voice quality at the base station receiver (normally between -90 dBm and -100 dBm), the margin between the handoff level and that minimum is D = Pr(handoff) - Pr(minimum usable).

• If D is too large then handoffs occur too frequently; while if the difference is too small then there may be insufficient time to complete a handoff before the signal becomes too weak and is subsequently lost.

• In deciding when to hand off, it is important to ensure that the drop in measured signal is not due to momentary fading and that the mobile is actually moving away from the base station.

• In order to ensure this, the base station monitors the signal level for a certain time period before a handoff is initiated.

• The time over which a call may be maintained within a cell without handoff is called the dwell time. The dwell time is governed by factors such as propagation, interference, and the distance between subscriber and base station.

• Method of handoff:

• In first generation analog cellular systems, signal strength measurements are made by base stations and supervised by the MSC. Each base station constantly monitors the signal strength of all of its reverse voice channels to determine the relative location of each mobile user with respect to the base station tower. In addition to measuring RSSI when a call is in progress, a spare receiver called the “locator receiver” is used to determine signal strengths of mobile users which are in neighboring cells.

• The locator receiver is controlled by the MSC and is used to monitor the signal strength of users in neighboring cells which appear to be in need of handoff, and reports all the RSSI values to the MSC.

• In second generation systems that use digital TDMA technology, handoff decisions are mobile assisted.

• In Mobile Assisted Handoff, every mobile station measures the received power from the surrounding base stations and continually reports the results of these measurements to the serving base station.

• A handoff is initiated when the power received from the base station of a neighboring cell begins to exceed the power received from the current base station by a certain level.

• This method of handoff is fast, as it doesn’t involve the MSC in taking the decision.

• Hard handoff: Hard handoff happens when the connection between the mobile and its initially-serving base station is momentarily broken before reconnecting with the new base station. This is the method traditionally used in existing cellular systems, because it requires the least processing by the network providing service.

• Soft handoff: In soft handoff the two base stations are briefly simultaneously connected to the mobile unit while crossing the cell boundary. As soon as the mobile's RF link with the new base station is acceptable, the initially-serving base station disengages from the mobile unit.

• A handoff may span:

• The same MSC, which is referred to as inter-cell or inter-BS handoff

• Two different MSCs, which is referred to as inter-system or inter-MSC handoff.

Prioritizing handoffs

• Giving priority to handoff requests is called the guard channel concept.

• A fraction of available channels in a cell is reserved exclusively for handoff requests.

• The drawback is reduced total carried traffic.

• Queuing of handoff requests is another method to decrease the probability of forced termination due to lack of available channels
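The mobile-assisted handoff rule described above (hand off when a neighbor's received power exceeds the serving station's by a certain level, after monitoring long enough to rule out momentary fading), as an added sketch that is not part of the original notes. The window length, the 3 dB margin, the base station names and the measurement trace are assumed, constructed values.

```python
from collections import deque
from statistics import mean

# Constructed measurement reports: received power in dBm per base station,
# one dict per reporting period. Report 2 contains a momentary deep fade on
# the serving station BS_A; from report 4 on the mobile really moves away.
TRACE = [
    {"BS_A": -70, "BS_B": -95},
    {"BS_A": -72, "BS_B": -93},
    {"BS_A": -98, "BS_B": -92},   # momentary fade, not real movement
    {"BS_A": -73, "BS_B": -91},
    {"BS_A": -76, "BS_B": -88},
    {"BS_A": -80, "BS_B": -85},
    {"BS_A": -84, "BS_B": -82},
    {"BS_A": -88, "BS_B": -80},
    {"BS_A": -91, "BS_B": -78},
    {"BS_A": -94, "BS_B": -77},
]


def maho_decisions(reports, serving, window=4, margin_db=3.0):
    """Replay measurement reports and return the handoffs that would be made.

    reports   : list of {base_station_id: received power in dBm}
    serving   : base station serving the call at the start
    window    : number of consecutive reports averaged before deciding
                (assumed value; this is the "monitor for a certain time" step)
    margin_db : level by which a neighbor's average must exceed the serving
                station's average (assumed value)
    Returns a list of (report_index, old_station, new_station).
    """
    history = {}
    handoffs = []
    for index, report in enumerate(reports):
        for station, dbm in report.items():
            history.setdefault(station, deque(maxlen=window)).append(dbm)

        # Decide only once a full window of serving-cell samples exists.
        if len(history.get(serving, ())) < window:
            continue
        serving_avg = mean(history[serving])   # simple average of dBm readings

        neighbors = {
            station: mean(samples)
            for station, samples in history.items()
            if station != serving and len(samples) == window
        }
        if not neighbors:
            continue

        best = max(neighbors, key=neighbors.get)
        if neighbors[best] - serving_avg >= margin_db:
            handoffs.append((index, serving, best))
            serving = best
    return handoffs


if __name__ == "__main__":
    print("averaged over 4 reports:", maho_decisions(TRACE, "BS_A"))
    print("instantaneous decision :", maho_decisions(TRACE, "BS_A", window=1))
```

With averaging, the single faded report causes no handoff; deciding on each instantaneous sample hands the call to BS_B and straight back again before the real handoff.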

Practical handoff considerations

• High speed vehicles pass through the coverage region of a cell within a matter of seconds, whereas pedestrian users may never need a handoff during a call. Due to the fast movement of vehicles, the MSC can be burdened with managing handoffs.

• To overcome this, an approach called the “umbrella approach” has been proposed.

• Cell dragging: it results from pedestrian users that provide a very strong signal to the base station. Such a situation occurs when there is a line-of-sight radio path between subscriber and base station. As the user travels away from the base station at a very low speed, the average signal doesn’t reduce. Even when the user has traveled beyond the designed range of the cell, the received signal at the base station is above the threshold, thus a handoff may not be made.

• This creates interference and traffic management problems.

• To deal with this, handoff thresholds and radio coverage patterns must be adjusted carefully.

Interference and system capacity

• Sources of interference are:

• another mobile in the same cell, a call in progress in a neighboring cell, other base stations operating in the same frequency band

• Interference on voice channels causes cross talk, where the subscriber hears interference in the background due to an undesired transmission

• On the control channels, interference leads to missed and blocked calls due to errors in the digital signaling.

• Interference is more severe in urban areas due to the greater RF noise floor and the large number of base stations and mobiles.

Two major types of system-generated cellular interference are:

• co-channel interference

• adjacent channel interference

• GSM (Global System for Mobile Communications, originally Groupe Spécial Mobile) is a standard set developed by the European Telecommunications Standards Institute (ETSI) to describe protocols for second generation (2G) digital cellular networks used by mobile phones.

• The GSM standard was developed as a replacement for first generation (1G) analog cellular networks, and originally described a digital, circuit-switched network optimized for full duplex voice telephony. This was expanded over time to include data communications, first by circuit-switched transport, then packet data transport via GPRS (General Packet Radio Services) and EDGE (Enhanced Data rates for GSM Evolution or EGPRS). The primary goal of GSM was to provide a mobile phone system that allows users to roam and provides voice services compatible to ISDN and other PSTN systems.

• GSM has initially been deployed in Europe using 890–915 MHz for uplinks and 935–960 MHz for downlinks; this system is now also called GSM 900 to distinguish it from the later versions.

• These versions comprise GSM at 1800 MHz (1710–1785 MHz uplink, 1805–1880 MHz downlink), also called DCS (digital cellular system) 1800, and the GSM system mainly used in the US at 1900 MHz (1850–1910 MHz uplink, 1930–1990 MHz downlink), also called PCS (personal communications service) 1900.

• GSM 400 is a proposal to deploy GSM at 450.4–457.6/478.8–486 MHz for uplinks and 460.4–467.6/488.8–496 MHz for downlinks.

• Mobile services

• GSM permits the integration of different voice and data services and the interworking with existing networks.

• Services make a network interesting for customers.

• GSM has defined three different categories of services: bearer, tele, and supplementary services.

• Bearer services:

• GSM specifies different mechanisms for data transmission, the original GSM allowing for data rates of up to 9600 bit/s for non-voice services.

• Bearer services permit transparent and non-transparent, synchronous or asynchronous data transmission.

• Transparent bearer services only use the functions of the physical layer (layer 1) to transmit data. Data transmission has a constant delay and throughput if no transmission errors occur. The only mechanism to increase transmission quality is the use of forward error correction (FEC), which codes redundancy into the data stream and helps to reconstruct the original data in case of transmission errors.

• Non-transparent bearer services use protocols of layers two and three to implement error correction and flow control.

• These services use the transparent bearer services, adding a radio link protocol (RLP). This protocol comprises mechanisms of high-level data link control (HDLC), and special selective-reject mechanisms to trigger retransmission of erroneous data.

• Tele services

• GSM mainly focuses on voice-oriented tele services. Another service offered by GSM is the emergency number. This service is mandatory for all providers and free of charge. This connection also has the highest priority, possibly pre-empting other connections, and will automatically be set up with the closest emergency center.

• A useful service for very simple message transfer is the short message service (SMS), which offers transmission of messages of up to 160 characters. SMS messages do not use the standard data channels of GSM but exploit unused capacity in the signalling channels

• The successor of SMS, the enhanced message service (EMS), offers a larger message size (e.g., 760 characters, concatenating several SMs), formatted text, and the transmission of animated pictures, small images and ring tones in a standardized way (some vendors offered similar proprietary features before).

• EMS never really took off as the multimedia message service (MMS) was available. (Nokia never liked EMS but pushed Smart Messaging, a proprietary system.)

• MMS offers the transmission of larger pictures (GIF, JPG, WBMP), short video clips etc. and comes with mobile phones that integrate small cameras.

• Another non-voice tele service is group 3 fax, which is available worldwide.

• In this service, fax data is transmitted as digital data over the analog telephone network according to the ITU-T standards T.4 and T.30 using modems.

• Supplementary services

• GSM providers can offer supplementary services. Similar to ISDN networks, these services offer various enhancements for the standard telephony service, and may vary from provider to provider.

• Typical services are user identification, call redirection, or forwarding of ongoing calls. Standard ISDN features such as closed user groups and multiparty communication may be available.

2. System architecture

[Figure: Functional architecture of a GSM system, showing the radio cells, the BSS, the RSS, the NSS, the A interface, and the connection to ISDN and PSTN]

• A GSM system consists of three subsystems, the radio sub system (RSS), the network and switching subsystem (NSS), and the operation subsystem (OSS).

• Cell: Cell is the basic service area: one BTS covers one cell. Each cell is given a Cell Global Identity (CGI), a number that uniquely identifies the cell.

• Location Area: A group of cells form a Location Area. This is the area that is paged when a subscriber gets an incoming call. Each Location Area is assigned a Location Area Identity (LAI). Each Location Area is served by one or more BSCs.

• Mobile station international ISDN number (MSISDN): The important number for a user of GSM is the phone number. The number is associated with SIM, which is personalized for a user.

• The MSISDN follows the ITU-T standard . This number consists of the country code (CC) (e.g., +49 179 1234567 with 49 for Germany), the national destination code (NDC) (i.e., the address of the network provider, e.g., 179), and the subscriber number (SN).

• International mobile subscriber identity (IMSI): GSM uses the IMSI for internal unique identification of a subscriber. IMSI consists of a mobile country code (MCC) (e.g., 240 for Sweden, 208 for France), the mobile network code (MNC) (i.e., the code of the network provider), and finally the mobile subscriber identification number (MSIN).

• Temporary mobile subscriber identity (TMSI): To hide the IMSI, which would give away the exact identity of the user signaling over the air interface, GSM uses the 4 byte TMSI for local subscriber identification. TMSI is selected by the current VLR and is only valid temporarily and within the location area of the VLR (for an ongoing communication TMSI and LAI are sufficient to identify a user; the IMSI is not needed). Additionally, a VLR may change the TMSI periodically.

• Mobile station roaming number (MSRN): Another temporary address that hides the identity and location of a subscriber is MSRN. The VLR generates this address on request from the MSC, and the address is also stored in the HLR. MSRN contains the current visitor country code (VCC), the visitor national destination code (VNDC), the identification of the current MSC together with the subscriber number. The MSRN helps the HLR to find a subscriber for an incoming call.

• Radio subsystem:

• As the name implies, the radio subsystem (RSS) comprises all radio specific entities, i.e., the mobile stations (MS) and the base station subsystem (BSS).

• Figure shows the connection between the RSS and the NSS via the A interface (solid lines) and the connection to the OSS via the O interface (dashed lines). The A interface is typically based on circuit-switched PCM-30 systems (2.048 Mbit/s), carrying up to 30 64 kbit/s connections, whereas the O interface uses the Signalling System No. 7 (SS7) based on X.25 carrying management data to/from the RSS.

• Base station subsystem (BSS): The BSS is composed of two parts:

• The Base Transceiver Station (BTS)

• The Base Station Controller (BSC)

• The BSS carries out transcoding of speech channels, allocation of radio channels to mobile phones, paging, transmission and reception over the air interface and many other tasks related to the radio network.

• Base transceiver station (BTS): The BTS houses the radio transceivers that define a cell and handles the radio link protocols with the MS. The BTS corresponds to the transceivers and antennas used in each cell of the network. A BTS is usually placed in the center of a cell. Its transmitting power defines the size of a cell. Each BTS has between 1 and 16 transceivers, depending on the density of users in the cell. Each BTS serves as a single cell. It also includes the following functions:

• Encoding, encrypting, multiplexing, modulating, and feeding the RF signals to the antenna

• Transcoding and rate adaptation

• Time and frequency synchronizing

• Voice through full- or half-rate services

• Decoding, decrypting, and equalizing received signals

• Random access detection

• Base station controller (BSC): The BSC basically manages the BTSs. The BSC manages the radio resources for one or more BTSs. It handles radio channel setup, frequency hopping, and handovers. The BSC is the connection between the mobile and the MSC. The BSC also translates the 13 Kbps voice channel used over the radio link to the standard 64 Kbps channel used by the Public Switched Telephone Network (PSTN) or ISDN.

• It assigns and releases frequencies and time slots for the MS. The BSC also handles intercell handover. It controls the power transmission of the BSS and MS in its area. The function of the BSC is to allocate the necessary time slots between the BTS and the MSC. It is a switching device that handles the radio resources.

• Additional functions include:

• Control of frequency hopping

• Performing traffic concentration to reduce the number of lines from the MSC

• Providing an interface to the Operations and Maintenance Center for the BSS

• Reallocation of frequencies among BTSs

• Time and frequency synchronization

• Power management

• Time-delay measurements of received signals from the MS

• Mobile Station (MS): The MS is the user equipment which contains the software required for communication with the GSM network. The MS consists of user independent hard/software and the subscriber identity module (SIM), which stores the user specific data. While an MS can be identified via the international mobile equipment identity (IMEI)

A subscriber identity module or subscriber identification module (SIM) is an integrated circuit that securely stores the international mobile subscriber identity (IMSI) and the related key used to identify and authenticate subscribers on mobile telephony devices.

• SIM card contains many identifiers and tables, such as card- type, serial number, a list of subscribed services, a personal identity number (PIN), a PIN unblocking key (PUK), an authentication key Ki , and the international mobile subscriber identity (IMSI).

• The PIN is used to unlock the MS. Using the wrong PIN three times will lock the SIM. In such cases, the PUK is needed to unlock the SIM. The MS stores dynamic information while logged onto the GSM system, such as, e.g., the cipher key Kc and the location information consisting of a temporary mobile subscriber identity (TMSI) and the location area identification (LAI).

• SIM cards are identified on their individual operator networks by a unique International Mobile Subscriber Identity (IMSI). Mobile network operators connect mobile phone calls and communicate with their market SIM cards using their IMSIs.

• The Ki is a 128-bit value used in authenticating the SIMs on the mobile network. Each SIM holds a unique Ki assigned to it by the operator during the personalization process.

• Authentication process:

• When the Mobile Equipment starts up, it obtains the International Mobile Subscriber Identity (IMSI) from the SIM card, and passes this to the mobile operator requesting access and authentication.

• The operator network searches its database for the incoming IMSI and its associated Ki.

• The operator network then generates a Random Number (RAND) and signs it with the Ki associated with the IMSI (and stored on the SIM card), computing another number known as Signed Response 1 (SRES_1).

• The operator network then sends the RAND to the Mobile Equipment, which passes it to the SIM card. The SIM card signs it with its Ki, producing SRES_2, which it gives to the Mobile Equipment along with encryption key Kc. The Mobile Equipment passes SRES_2 on to the operator network.

• The operator network then compares its computed SRES_1 with the computed SRES_2 that the Mobile Equipment returned. If the two numbers match, the SIM is authenticated and the Mobile Equipment is granted access to the operator's network. Kc is used to encrypt all further communications between the Mobile Equipment and the network.

• Location area identity

• The SIM stores network state information, which is received from the Location Area Identity (LAI). Operator networks are divided into Location Areas, each having a unique LAI number. When the device changes locations, it stores the new LAI to the SIM and sends it back to the operator network with its new location. If the device is power cycled, it will take data off the SIM, and search for the prior LAI.

Function

Management of radio channels X

Frequency hopping X X

Management of terrestrial channels X

Mapping of terrestrial onto radio channels X

Channel coding and decoding X

Rate adaptation X

Encryption/decryption X X

Paging X X

Uplink Signal measurement X

Traffic measurement X

Authentication X

Location registry, location update X

Handover management X

Network and switching subsystem

• The “heart” of the GSM system is formed by the network and switching subsystem (NSS).

• The NSS connects the wireless network with standard public networks, performs handovers between different BSSs, comprises functions for worldwide localization of users and supports charging, accounting, and roaming of users between different providers in different countries.

• The NSS consists of the following switches and databases:

• Mobile services switching center (MSC): The central component of the Network Subsystem is the MSC. The MSC performs the switching of calls between the mobile and other fixed or mobile network users, as well as the management of mobile services such as registration, authentication, location updating, handovers, and call routing to a roaming subscriber.

• SS7 (Signalling System 7) covers all aspects of control signaling for digital networks (reliable routing and delivery of control messages, establishing and monitoring of calls).

• Features of SS7 are number portability, free phone/toll/collect/credit calls, call forwarding, three-way calling etc.

• Home location register (HLR): The HLR is the most important database in a GSM system as it stores all user-relevant information.

• This comprises static information, such as the mobile subscriber ISDN number (MSISDN), subscribed services (e.g., call forwarding, roaming restrictions, GPRS), and the international mobile subscriber identity (IMSI).

• Dynamic information is also needed, e.g., the current location area (LA) of the MS, the mobile subscriber roaming number (MSRN), the current VLR and MSC. As soon as an MS leaves its current LA, the information in the HLR is updated. This information is necessary to localize a user in the worldwide GSM network.

• Visitor location register (VLR): The VLR associated to each MSC is a dynamic database which stores all important information needed for the MS users currently in the LA that is associated to the MSC (e.g., IMSI, MSISDN, HLR address).

• If a new MS comes into an LA the VLR is responsible for, it copies all relevant information for this user from the HLR. This hierarchy of VLR and HLR avoids frequent HLR updates and long-distance signaling of user information.

Operation subsystem

• The third part of a GSM system, the operation subsystem (OSS), contains the necessary functions for network operation and maintenance.

• The OSS possesses network entities of its own and accesses other entities via SS7 signaling.

• The following entities have been defined:

• Operation and maintenance center (OMC): The OMC monitors and controls all other network entities via the O interface (SS7 with X.25).

• X.25 is a standard suite of protocols used for packet switching across computer networks.

• Signalling System No. 7 (SS7) is a set of telephony signaling protocols which are being used to set up most of the world's public switched telephone network (PSTN) telephone calls.

• Typical OMC management functions are traffic monitoring, status reports of network entities, subscriber and security management, or accounting and billing.

• OMCs use the concept of telecommunication management network (TMN) as standardized by the ITU-T.

• Authentication centre (AuC): As the radio interface and mobile stations are particularly vulnerable, a separate AuC has been defined to protect user identity and data transmission.

• The AuC contains the algorithms for authentication as well as the keys for encryption and generates the values needed for user authentication in the HLR.

• The AuC may, in fact, be situated in a special protected part of the HLR.

• Equipment identity register (EIR): The EIR is a database for all IMEIs, i.e., it stores all device identifications registered for this network.

• As MSs are mobile, they can be easily stolen. With a valid SIM, anyone could use the stolen MS. The EIR has a blacklist of stolen (or locked) devices. In theory an MS is useless as soon as the owner has reported a theft.

GSM Protocol Architecture

[Figure: The GSM protocol architecture, showing layers 1 to 3 at the BTS and BSC across the Um (air) interface and the A interface, with TDMA/FDMA at layer 1. Abbreviations: CM: connection management; MM: mobility management; RR: radio resource management; SCCP: signalling connection control part; MTP: message transfer part; LAPD: link access protocol for the D channel]

• Each of the 248 channels is additionally separated in time via a GSM TDMA frame.

• The duration of a frame is 4.615 ms. A frame is again subdivided into 8 GSM time slots, where each slot represents a physical TDM channel and lasts for 577 µs.

• Data is transmitted in small portions, called bursts.

• The burst is only 546.5 µs long and contains 148 bits. The remaining 30.5 µs are used as guard space to avoid overlapping with other bursts due to different path delays and to give the transmitter time to turn on and off.

• The first and last three bits of a normal burst (tail) are all set to 0 and can be used to enhance the receiver performance. The training sequence in the middle of a slot is used to adapt the parameters of the receiver to the current path propagation characteristics and to select the strongest signal in case of multi-path propagation.

GSM Protocol Stack


In any telecommunication system, signalling is required to coordinate the necessarily distributed functional entities of the network.

- The transfer of signalling information in GSM follows the layered OSI model

• Layer 1: Physical Layer

• Radio transmission

• Layer 2: Data Link Layer (DLL)

• Provides error-free transmission between adjacent entities, based on the ISDN’s LAPD protocol for the Um and Abis interfaces, and on SS7’s Message Transfer Protocol (MTP) for the other interfaces. It offers reliable data transfer over connections, re-sequencing of data frames, and flow control.

• Layer 3: Networking or Messaging Layer

• Responsible for the communication of network resources, mobility, code format and call-related management messages between various network entities.

The data link layer (layer 2) over the radio link is based on a modified LAPD (Link Access Protocol for the D channel) referred to as LAPDm (m like mobile).

On the A-bis interface, the layer 2 protocol is based on the LAPD from ISDN. The Message Transfer Protocol (MTP) level 2 of the SS7 protocol is used at the A interface.

Layer III Message

• Radio Resource Management (RR),

• Mobility Management (MM) and

• Connection Management (CM).

Radio Resource Management (RR)


Mobility Management (MM)


- Assumes a reliable RR connection

- Responsible for

- location management and

- Security

- Location management involves the procedures and signaling for location updating, so that the mobile’s current location is stored at the HLR, allowing incoming calls to be properly routed.

- Security involves the authentication of the mobile, to prevent unauthorized access to the network, as well as the encryption of all radio link traffic.

- The protocols in the MM layer involve the SIM, MSC, VLR, and the HLR, as well as the AuC (which is closely tied with the HLR).

Connection Management (CM)

The CM functional layer is divided into three sub layers.

- Call Control (CC)

- Supplementary Services

- Short Message Service

Call Control (CC) sub layer - manages call routing, establishment, maintenance, and release, and is closely related to ISDN call control.

Supplementary Services sub layer - manages the implementation of the various supplementary services (Call Forwarding/waiting/hold), and also allows users to access and modify their service subscription.

Short Message Service sub layer - handles the routing and delivery of short messages, both from and to the mobile subscriber.

Security

• GSM offers several security services using confidential information stored in the AuC and in the individual SIM (which is plugged into an arbitrary MS).

• The SIM stores personal, secret data and is protected with a PIN against unauthorized use.

• (For example, the secret key Ki used for authentication and encryption procedures is stored in the SIM.)

• The security services offered by GSM are:

• Access control and authentication: The first step includes the authentication of a valid user for the SIM. The user needs a secret PIN to access the SIM.

• Confidentiality: All user-related data is encrypted. After authentication, BTS and MS apply encryption to voice, data, and signaling.

• Anonymity: To provide user anonymity, all data is encrypted before transmission, and user identifiers (which would reveal an identity) are not used over the air. Instead, GSM transmits a temporary identifier (TMSI), which is newly assigned by the VLR after each location update. Additionally, the VLR can change the TMSI at any time.

Algorithm A3 is used for authentication, A5 for encryption, and A8 for the generation of a cipher key.

a. Authentication

Before a subscriber can use any service from the GSM network, he or she must be authenticated. Authentication is based on the SIM, which stores the individual authentication key Ki , the user identification IMSI, and the algorithm used for authentication A3. Authentication uses a challenge-response method:

• The access control (AC) generates a random number RAND as challenge, and the SIM within the MS answers with SRES (signed response) as response (see Figure). The AuC performs the basic generation of random values RAND, signed responses SRES, and cipher keys Kc for each IMSI, and then forwards this information to the HLR.

• The current VLR requests the appropriate values for RAND, SRES, and Kc from the HLR. For authentication, the VLR sends the random value RAND to the SIM. Both sides, network and subscriber module, perform the same operation with RAND and the key Ki , called A3. The MS sends back the SRES generated by the SIM; the VLR can now compare both values. If they are the same, the VLR accepts the subscriber, otherwise the subscriber is rejected

Encryption

To ensure privacy, all messages containing user-related information are encrypted in GSM over the air interface. After authentication, MS and BSS can start using encryption by applying the cipher key Kc (the precise location of security functions for encryption, BTS and/or BSC, is vendor dependent).

• Kc is generated using the individual key Ki and a random value by applying the algorithm A8. Note that the SIM in the MS and the network both calculate the same Kc based on the random value RAND. The key Kc itself is not transmitted over the air interface.

• MS and BTS can now encrypt and decrypt data using the algorithm A5 and the cipher key Kc. As Figure shows, Kc should be a 64 bit key – which is not very strong, but is at least a good protection against simple eavesdropping.
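The challenge-response exchange described in the SIM authentication process and in the Authentication and Encryption sections above, as an added example that is not part of the original notes. HMAC-SHA256 is an assumed stand-in for the operator-specific A3/A8 algorithms, and the IMSI, Ki, class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample subscriber (not real data).
IMSI = "001010123456789"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")   # 128-bit Ki


def a3_a8_standin(ki: bytes, rand: bytes):
    """Derive (SRES, Kc) from Ki and RAND.

    ASSUMPTION: HMAC-SHA256 replaces the real A3/A8, which the notes do not
    specify. Output sizes follow GSM: 32-bit SRES and 64-bit Kc.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Holds Ki per IMSI and generates (RAND, SRES, Kc) for the HLR/VLR."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi: str):
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None
        rand = secrets.token_bytes(16)       # fresh 128-bit challenge
        sres, kc = a3_a8_standin(ki, rand)
        return rand, sres, kc


class SIM:
    """Keeps Ki internally; only SRES and Kc ever leave the card."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes):
        return a3_a8_standin(self._ki, rand)


@dataclass
class AuthResult:
    accepted: bool
    network_kc: Optional[bytes]   # Kc the network will use, None if rejected
    sim_kc: bytes                 # Kc the SIM handed to the mobile equipment
    air_log: list = field(default_factory=list)


def authenticate(auc: AuC, sim: SIM) -> AuthResult:
    """Play the VLR's part in one round and log what crosses the air interface."""
    air = [("MS->network", "IMSI", sim.imsi)]
    triplet = auc.triplet(sim.imsi)          # in a real network: via the HLR
    if triplet is None:                      # unknown subscriber
        return AuthResult(False, None, b"", air)
    rand, expected_sres, kc = triplet
    air.append(("network->MS", "RAND", rand))
    sres, sim_kc = sim.run_gsm_algorithm(rand)
    air.append(("MS->network", "SRES", sres))
    accepted = hmac.compare_digest(sres, expected_sres)
    return AuthResult(accepted, kc if accepted else None, sim_kc, air)


if __name__ == "__main__":
    auc = AuC()
    auc.provision(IMSI, KI)
    genuine = authenticate(auc, SIM(IMSI, KI))
    wrong_key = authenticate(auc, SIM(IMSI, bytes(16)))   # right IMSI, wrong Ki
    print("genuine SIM accepted:", genuine.accepted)
    print("same Kc on both sides:", genuine.network_kc == genuine.sim_kc)
    print("sent over the air:", [name for _, name, _ in genuine.air_log])
    print("wrong-Ki SIM accepted:", wrong_key.accepted)
```

Neither Ki nor Kc appears in the air log: both sides derive Kc independently from RAND, which is why a SIM presenting the right IMSI with the wrong Ki is rejected and ends up with a different cipher key.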