GSM

WHAT IS GSM Global System for Mobile Communication Developed by “Group Spe’ciale Mobile – An Initiative of CEPT ( Conference of European Post & Telecomm ) AIM : To replace the incompatible Analog System and provide International Roaming GSM was commercially launched in 1991 GSM is the most widely accepted and globally implemented standard

WHAT IS GSM (CONTD.) GSM makes use of TDMA technique for transmitting signals GSM is a 2G standard using digital cellular technology for transmitting voice and data GSM900 and GSM1800 is used in Europe and GSM1900 is used in US

BSS : BASE STATION SUBSYSTEM GSM Architecture MS : MOBILE STATION BSS : BASE STATION SUBSYSTEM NSS : NETWORK SWITCHING SUBSYSTEM OSS : OPERATION SUPPORT SUBSYSTEM

GSM NETWORK AREAS CELL : LOCATION AREA : MSC/VLR SERVICE AREA : PLMN : BASIC SERVICE AREA IDENTIFIED BY “CI” ONE BTS PER CELL CELL GLOBAL ID (CGI) = LAI + CI LOCATION AREA : GROUP OF CELLS AS LOCATION AREA SERVED BY ONE OR MORE BSCs IDENTIFIED BY “LAI” LAI IS BROADCAST REGULARLY BY BTS MSC/VLR SERVICE AREA : AREA COVERED BY MSC PLMN : AREA COVERED BY A NETWORK OPERATOR HAVING ONE OR MORE MSCs PUBLIC LAND MOBILE NETWORK

GSM SUBSYSTEMS NSS : NETWORK SWITCHING SUBSYSTEM BSS : BASE STATION SUBSYSTEM OSS : OPERATION SUPPORT SUBSYSTEM

NSS NETWORK SWITCHING SUBSYSTEM CONSISTS OF MSC, AuC, VLR, HLR,EIR PERFORMS SWITCHING OF CALLS BETWEEN THE MOBILE AND OTHER SUBSCRIBERS ALSO MANAGES SERVICES SUCH AS AUTHENTICATION CONNECTS THE MOBILE NETWORK TO OTHER NETWORKS SUCH AS PSTN, ISDN, PLMN, ETC

BSS BASE STATION SUBSYSTEM CONSISTS OF BTS AND BSC BSS MAY HAVE ONE OR MORE BASE STATIONS IT USES ‘Abis’ INTERFACE BETWEEN BTS AND BSC A SEPARATE HIGH-SPEED LINE (T1 / E1) IS CONNECTED FROM BSS TO THE MSC

OSS OPERATION SUPPORT SUBSYSTEM PROVIDES A NETWORK OVERVIEW CONSISTS OF OPERATIONS AND MAINTENANCE CENTRE (OMC) OMC IS CONNECTED TO ALL EQUIPMENT IN NSS AND TO BSC IN BSS ITS FUNCTIONS ARE ADMINISTRATION MAINTENANCE NETWORK CONFIGURATION SECURITY COMMERCIAL OPERATIONS

OPERATIONS AND MAINTENANCE CENTRE OMC OPERATIONS AND MAINTENANCE CENTRE

GSM ARRESSES AND INDENTIFIERS IMEI ( INTERNATIONAL MOBILE EQUIPMENT IDENTITY ) UNIQUELY IDENTIFIES A MOBILE STATION INTERNATIONALLY ALLOCATED BY THE EQUIPMENT MANUFACTURER STORED IN “EIR” BY THE NETWORK OPERATOR INDICATES MANUFACTURER AND DATE OF MANUFACTURE 19 DECIMAL PLACES IMSI ( INTERNATIONAL MOBILE SUBSCRIBER IDENTITY ) EACH REGISTERED USER IDENTIFIED BY IMSI STORED IN SUBSCRIBER IDENTITY MODULE (SIM) 15 DECIMAL PLACES CONTAINING COUNTRY CODE, NETWORK CODE AND MOBILE SUBSCRIBER IDENTIFICATION NUMBER(MSIN)

GSM ARRESSES AND INDENTIFIERS MSISDN ( MOBILE SUBSCRIBER ISDN NUMBER ) THE REAL TELEPHONE NUMBER OF A MOBILE STATION SIM CARD UPTO 16 DECIMAL PLACES CONTAINS COUNTRY CODE, NATIONAL DESTINATION CODE AND SUBSCRIBER NUMBER (10 DIGIT) MSRN (MOBILE STATION ROAMING NUMBER) IT IS A TEMPORARY LOCATION DEPENDENT ISDN NUMBER ASSIGNED BY VLR TO EACH MOBILE STATION IN IT’S AREA AND ALSO STORED IN HLR STRUCTURE SAME AS MSISDN CALLS ARE ROUTED TO THE MOBILE USING MSRN

GSM ARRESSES AND INDENTIFIERS TMSI (TEMPORARY MOBILE SUBSCRIBER IDENTITY) VLR OF CURRENT CAN ASSIGN TMSI WHICH IS VALID ONLY AT THAT LOCATION USED TO HIDE THE IMSI (SUBSCRIBER IDENTITY) STORED ONLY IN VLR AND NOT UPDATED IN HLR VLR CHANGES THE TMSI PERIODICALLY AS A PART OF SECURITY LMSI (LOCAL MOBILE SUBSCRIBER IDENTITY) ASSIGNED WHEN MOBILE STATION REGISTERS WITH VLR IT IS AN ADDITIONAL KEY FOR SEARCHING TO ACCELERATE DATABASE ACCESS IT IS ALSO UPDATED IN HLR

GSM OPERATION

GSM TDMA / FDMA

GSM FRAME HIERARCHY

GSM AIR (RADIO) INTERFACE Um – THE GSM AIR (RADIO) INTERFACE PROVIDES THE PHYSICAL LINK BETWEEN MOBILE AND NETWORK AIR INTERFACE PARAMETERS : FREQ. BAND MOBILE – BASE : 890 – 915 MHz FREQ. BAND BASE – MOBILE : 935 – 960 MHz 124 RADIO CARRIERS SPACED BY 200 KHz TDMA STRUCTURE WITH 8 TIMESLOTS / CARRIER GMSK MODULATION SLOW FREQUENCY HOPPING AT 217 HOPS / SECOND CHANNEL CODING WITH INTERLEAVING DOWN LINK AND UP LINK POWER CONTROL DISCONTINUOUS TRANSMISSION AND RECEPTION

GSM PHYSICAL CHANNELS EACH 200 KHz CARRIER IS SUBDIVIDED INTO FRAMES THAT ARE REPEATED CONTINUOUSLY A FRAME IS SUBDIVIDED INTO 8 TIME SLOTS EACH TIME SLOT REPRESENTS A PHYSICAL CHANNEL EACH CHANNEL OCCUPIES THE 200 KHz CARRIER FOR 577 MuS EVERY 4.615 MS DATA IS TRANSMITTED IN SMALL BURSTS INSIDE A TIME SLOT (USER AND SIGNALLING DATA)

GSM PHYSICAL CHANNELS (CONTD.) THE REMAINING PART OF THE TIME SLOT IS “GUARD SPACE” TO AVOID OVERLAPPING OF BURSTS EACH PHYSICAL CHANNEL HAS A DATA RATE OF 33.8 KBPS AND EACH RADIO CARRIER TRANSMITS 270 KBPS OVER THE ‘Um’ INTERFACE THUS ONE PHYSICAL CHANNEL IS ONE BURST PERIOD ALLOCATED IN EACH TDM FRAME

TYPES OF BURSTS IN GSM NORMAL BURST SYNCHRONIZATION BURST FREQUENCY CORRECTION BURST ACCESS BURST DUMMY BURST DUMMY BURST IS USED IF NO DATA IS AVAILABLE FOR THE SLOT

NORMAL BURST T : TAIL BITS INFO : DATA BITS F : FLAG BIT TRAINING : BITS TO SET RECEIVER PARAMETERS G : GUARD BITS

SYNCHRONIZATION BURST T : TAIL BITS INFO : DATA BITS G : GUARD BITS LONG TRG SEQUENCE : SYNCHRONIZES MS WITH THE BTS IN TIME

FREQUENCY CORRECTION BURST T : TAIL BITS G : GUARD BITS ALL BITS ARE SET TO ZERO. ALLOWS MS TO CORRECT THE LOCAL OSCILLATOR TO AVOID INTERFERENCE WITH NEIGHBOURING CHANNELS

ACCESS BURST T : TAIL BITS G : GUARD BITS USED FOR INITIAL CONNECTION SETUP BETWEEN MS AND BTS. IT HAS MUCH LARGER GUARD SPACE.

GSM LOGICAL CHANNELS

GSM LOGICAL CHANNELS ‘TCH’ (TRAFFIC CHANNEL) – USED TO TRANSMIT USER DATA ( VOICE & FAX ) ‘CCH’ (CONTROL CHANNELS) ARE USED TO CONTROL MEDIUM ACCESS ALLOCATION OF TRAFFIC CHANNELS (MOBILITY MANAGEMENT) ‘BCCH’ : BROADCAST CONTROL CHANNEL – A BTS USES THIS TO SIGNAL INFO TO ALL MSs WITHIN THE CELL ‘CCCH’ : COMMON CONTROL CHANNEL – CONNECTION SETUP INFO I EXCHANGED BETWEEN MS AND BTS ‘DCCH’ : DEDICATED CONTROL CHANNEL – THESE ARE BIDIRECTIONAL AS AGAINST ALL OTHER CHANNELS WHICH ARE UNI-DIRECTIONAL

GSM PROTOCOLS

GSM PROTOCOLS RADIO LAPDm THE PHYSICAL LAYER HANDLES RADIO SPECIFIC FUNCTIONS LIKE CREATING BURSTS, MULTIPLEXING INTO TDMA FRAME, SYNCHRONIZATION WITH BTS, DETECTION OF IDLE CHANNELS, MEASUREMENT OF CHANNEL QUALITY, ENCRYPTION, DECRYPTION, CHANNEL CODING, ERROR DETECTION AND CORRECTION, VOICE ACTIVITY DETECTION, ETC LAPDm THE DATA LINK LAYER MODIFIED VERSION OF ISDN PROTOCOL HANDLES SIGNALLING BETWEEN ENTITIES, RELIABLE DATA TRANSFER, RESEQUENCING OF DATA FRAMES, FLOW CONTROL, SEGMENTATION AND REASSEMBLY OF DATA, ETC

GSM PROTOCOLS (CONTD.) RR MM CM NETWORK LAYER PROTOCOL RADIO RESPONSE (RR) MANAGEMENT SUPPORTED BY BTS MANAGEMENT (BTSM) SETUP, MAINTENANCE AND RELEASE OF RADIO CHANNELS MM MOBILITY MANAGEMENT – REGISTRATION, AUTHENTICATION, LOCATION UPDATING, PROVISION OF TMSI TO REPLACE IMSI, ETC CM CALL MANAGEMENT – CALL CONTROL (CC), SMS AND SUPPLEMENTARY SERVICE (SS)

GSM PROTOCOLS (CONTD.) PCM SS7 BSSAP PULSE CODE MODULATION SYSTEM SIGNALLING SYSTEM 7 BSSAP BASE STATION SUBSYSTEM (BSS) APPLICATION PART

GSM SPECIFICATIONS MODULATION ACCESS METHOD GAUSSIAN MINIMUM SHIFT KEYING ( GMSK ) ACCESS METHOD COMBINATION OF TDMA / FDMA FREQUENCY OF TOTAL 25 MHz BANDWIDTH DIVIDED INTO 124 CARRIER FREQUENCIES OF 200 KHz BANDWIDTH EACH OF THESE CARRIER FREQUENCIES IS THEN DIVIDED IN TIME INTO 8 TIME SLOTS ONE SLOT IS USED FOR TRANSMISSION AND ONE FOR RECEPTION THE TWO TIME SLOTS ARE ALSO SEPARATED IN TIME. SO RECEIVE AND TRANSMIT IS NOT AT THE SAME TIME EACH BASE STATION IS ASSIGNED A SET OF CARRIER FREQUENCIES FROM THE TOTAL CARRIER FREQUENCIES

GSM SPECIFICATIONS (CONTD.) TRANSMISSION RATE TRANSMISSION RATE OF TIME SLOT : 22.8 KBPS OVER THE AIR THE BIT RATE : 270 KBPS FREQUENCY BAND GSM900 UPLINK : 890 TO 915 MHz DOWNLINK : 935 TO 960 MHz GSM1800/DCS1800 UPLINK : 1710 TO 1785 MHz DOWNLINK : 1805 TO 1880 MHz GSM1900/PCS1900 (IN US) UPLINK : 1850 TO 1910 MHz DOWNLINK : 1930 TO 1990 MHz

GSM SPECIFICATIONS (CONTD.) CHANNEL SPACING SEPARATION BETWEEN ADJACENT CARRIER FREQUENCIES : 200 KHz SPEECH CODING LINEAR PREDICTIVE CODING (LPC) SPEECH IS ENCODED AT 13 KBPS DUPLEX DISTANCE IT IS THE DISTANCE BETWEEN UPLINK AND DOWNLINK FREQUENCIES A CHANNEL HAS TWO FREQUENCIES 80 MHz APART

GSM SPECIFICATIONS (CONTD.) DUPLEX TECHNIQUE FREQUENCY DIVISION DUPLEXING (FDD) ACCESS MODE ALSO CALLED WCDMA FRAME DURATION 4.615 MS SPEECH CHANNELS PER RF CHANNEL 8 CHANNELS

GSM SERVICES GSM HAS DEFINED THREE CATEGORIES OF SERVICES BEARER SERVICES ( DATA SERVICES ) TELE SERVICES ( TELEPHONY ) SUPPLEMENTARY SERVICES GSM VALUE ADDED SERVICES

BEARER SERVICES ( DATA SERVICES ) CONNECTION ORIENTED, CIRCUIT OR PACKET SWITCHED PERMITS SYNCHRONOUS OR ASYNCHRONOUS DATA TRANSMISSION UPTO 9.6 KBPS FOR INTERNETWORKING WITH PSTN, PSDN AND PACKET SWITCHED PUBLIC DATA NETWORKS

TELE SERVICES ( TELEPHONY ) GSM MAINLY FOCUSES ON VOICE-ORIENTED TELE SERVICES EMERGENCY NUMBER SERVICE VOICE MESSAGING SERVICE GROUP 3 FAX SERVICE ( FAX DATA IS TRANSMITTED AS DIGITAL DATA OVER THE TELEPHONE NETWORK

SUPPLEMENTARY SERVICES MAY VARY FROM OPERATOR TO OPERATOR TYPICAL SERVICES ARE : USER IDENTIFICATION CALL REDIRECTION OR FORWARDING MULTI-PARTY COMMUNICATION CLOSED USE GROUP (CUG) CALL WAITING CALL BARRING, ETC.

GSM VALUE ADDED SERVICES THESE SERVICES ARE PROVIDED BY MEANS OF PERIPHERAL UNITS ATTACHED TO THE CELLULAR NETWORK TYPICAL VALUE ADDED SERVICES ARE : MESSAGING SERVICE INFORMATION SERVICE PRIVATE INTERCONNECT

MESSAGING SERVICE IN ADDITION TO THE VOICE MESSAGING SERVICE, GSM NETWORKS INCORPORATE “SHORT MESSAGE SERVICE” (SMS) SMS IS A METHOD OF COMMUNICATION THAT USES TEXT MESSAGING BETWEEN CELL PHONES OR FROM PC OR HANDHELD DEVICES TO CELL PHONES MAXIMUM SIZE OF TEXT IS 160 CHARACTERS THE CONTROL CHANNEL PROVIDES A PATHWAY FOR SMS MESSAGES. THE SMS FLOWS THROUGH SMSC – TO THE TOWER – THEN TO THE CELL PHONE AS A LITTLE PACKET OF DATA ON THE CONTROL CHANNEL

SMS PATH MSC CENTRALIZED SMSC MS CORE NETWORK SMS CENTRE

SMS SMS IS A “STORE-AND-FORWARD” SERVICE DESTINATION CELL PHONE NEED NOT BE ‘ON’ OR ‘IN RANGE’ TO SEND AN SMS THE MESSAGE IS STORED IN THE ‘SMSC’ – THE CENTRALIZED SMS CENTRE TILL THE DESTINATION CELL PHONE TURNS ON OR MOVES INTO THE RANGE AND THEN IT IS DELIVERED TO IT THUS SMS IS CHARACTERIZED BY LOW BANDWIDTH MESSAGE TRANSFER AND IS HIGHLY EFFICIENT SERVICE

INFORMATION SERVICE PROVIDES USEFUL INFORMATION TO THE MOBILE USER EXAMPLES : TRAVEL INFORMATION WEATHER INFORMATION AREA INFORMATION BASED ON CURRENT LOCATION OF THE MOBILE USER

PRIVATE INTERCONNECT DIRECT CONNECTIONS CAN BE MADE AVAILABLE BETWEEN THE CELLULAR NETWORK AND THE CORPORATE PRIVATE NETWORK, THUS BYPASSING THE PSTN CALL CHARGES FOR SUCH DIRECT CONNECTIONS ARE SUBSTANTIALLY LOWER THAN THE PSTN CALL CHARGES AND HENCE ARE BENEFICIAL TO THE CORPORATES AN ADDITIONAL BENEFIT IS THAT THE PRIVATE INTERCONNECT ALLOWS CALLS TO BE DELIVERED DIRECT TO THE EXTENSIONS REMOVING THE NEED FOR SWITCHBOARD OPERATOR

GSM SECURITY GSM OFFERS SEVARAL SECURITY SERVICES USING CONFIDENTIAL INFORMATION STORED IN THE AuC AND THE ‘SIM’ SIM STORES PERSONAL, SECRET DATA AND IS PROTECTED WITH A PIN TO PREVENT UNAUTHORIZED USE SECURITY SERVICES OFFERRED ARE : ACCESS CONTROL AND AUTHENTICATION CONFIDENTIALITY ANONYMITY

ACCESS CONTROL AND AUTHENTICATION USER NEEDS A SECRET ‘PIN’ TO ACCESS THE SIM ALGORITHM USED IS ‘A3’

CONFIDENTIALITY ALL USER RELATED DATA IS ENCRYPTED ALGORITHM ‘A5’ AND CIPHER KEY ‘Ki’ IS USED TO ENCRYPT THE DATA ALGORITHM ‘A8’ IS USED TO GENERATE THE CIPHER KEY

ANONYMITY ALL DATA IS ENCRYPTED BEFORE TRANSMISSION USER IDENTIFIERS ARE NOT SENT OVER THE AIR INTERFACE GSM TRANSMITS A TEMPORARY IDENTIFIER (TMSI) NEWLY ASSIGNED BY THE VLR AFTER EACH LOCATION UPDATE

AUTHENTICATION

AUTHENTICATION SUTHENTICATION BASED ON SIM SIM STORES INDIVIDUAL AUTHENTICATION KEY USER IDENTIFICATION (INSI) ALGORITHM ‘A3’ AUTHENTICATION USES A “CHALLENGE-RESPONSE” METHOD A RANDOM NO. ‘RAND’ IS GENERATED AS CHALLENGE MS ANSWERS WITH ‘SRES’ – THE SIGNED RESPONSE AuC GENERATES ‘RAND’, ‘SERS’ AND CIPHER KEY ‘Ki’ FOR EACH IMSI AND FORWARDS IT TO HLR FOR AUTHENTICATION, VLR SENDS THE ‘RAND’ TO THE SIM

AUTHENTICATION (CONTD.) BOTH NETWORK AND MOBILE PERFORM THE SAME OPERATION WITH ‘RAND’ AND ‘Ki’ USING THE ALGORITHM ‘A3’ MOBILE SENDS BACK THE GENERATED ‘SRES’ VLR COMPARES THE ‘SRES’ VALUES COMPUTED BY NETWORK AND THE MOBILE IF THEY ARE SAME THEN THE SUBSCRIBER IS ACCEPTED ELSE THE SUBSCRIBER IS REJECTED

ENCRYPTION

ENCRYPTION TO ENSURE PRIVACY, ALL MESSAGES CONTAINING USER RELATED INFORMATION ARE ENCRYPTED IN GSM THE CIPHER KEY ‘Kc’ IS GENERATED USING THE INDIVIDUAL KEY ‘Ki’ AND A RANDOM VALUE BY APPLYING THE ALGORITHM ‘A8’ THE CIPHER KEY ‘Kc’ IS NOT TRANSMITTED OVER THE AIR INTERFACE MOBILE AND BTS THEN ENCRYPT AND DECRYPT DATA USING THE ALGORITHM ‘A5’ AND THE CIPHER KEY ‘Kc’ ‘Kc’ IS 64 BIT KEY – WHICH IS NOT VERY STRONG BUT PROVIDES GOOD PROTECTION AGAINST SIMPLE EAVESDROPPING

GSM SECURITY THUS GSM SECURITY FEATURES AS FOLLOWS : On air interface, GSM uses encryption and TMSI instead of IMSI. SIM is provided 4-8 digit PIN to validate the ownership of SIM 3 algorithms are specified : - A3 algorithm for authentication - A5 algorithm for encryption - A8 algorithm for key generation

LOCATION UPDATING MOBILE SUBSCRIBER MOVES FROM PLACE TO PLACE THE MOBILE NETWORK KEEPS TRACK OF THE MOBILE LOCATION BY UPDATING THE LOCATION INFORMATION IN THE REGISTERS THERE ARE THREE TYPES OF LOCATION UPDATING NORMAL IMSI ATTACH PERIODIC REGISTRATION

LOCATION UPDATING - NORMAL FROM TIME TO TIME, MS LISTENS TO THE “LAI” (LOCATION AREA IDENTITY) BROADCAST BY THE BTS AND COMPARES IT WITH THE “LAI” STORED IN THE SIM CARD IF THE TWO VALUES DIFFER, IT MEANS THAT MS HAS ENTERED A NEW LOCATION AREA AND MS MUST PERFORM A LOCATION UPDATE TYPE NORMAL

LOCATION UPDATING - NORMAL WHEN MS FINDS A DIFFERENT “LAI”, IT SENDS A CHANNEL REQUEST BTS FORWARDS THE REQUEST TO BSC. BSC ALLOCATES “SDCCH” IF AVAILABLE AND TELLS BTS TO ACTIVATE IT MS IS TOLD TO TUNE TO SDCCH MS SENDS LOCATION UPDATE REQUEST AUTHENTICATION PARAMETER IS SENT TO MS MS RESPONDS IF AUTHENTICATION IS SUCCESSFUL, THE VLR IS UPDATED AND THE OLD HLR/VLR ARE ALSO UPDATED MS RECEIVES ACCEPTANCE BTS IS TOLD TO RELEASE THE SDCCH MS IS TOLD TO RELEASE THE SDCCH

LOCATION UPDATING – IMSI ATTACH IMSI ATTACH IS A PROCEDURE USED BY MS TO NOTIFY THE NETWORK THAT IT HAS POWERED ON MS REQUESTS FOR AN SDCCH NETWORK RECEIVES THE IMSI ATTACH REQUEST FROM THE MS MSC SENDS IT TO THE VLR TO RESET THE IMSI DETACHED FLAG MS RECEIVES THE IMSI ATTACH ACKNOWLEDGEMENT MESSAGE

LOCATION UPDATING – PERIODIC REGISTRATION PERIODIC REGISTRATION PROCEDURE IS USED TO AVOID UNNECESSARY PAGING OF MS IN CASE MSC NEVER RECEIVES THE IMSI DETACH REQUEST FROM MS MS LISTENS ON THE ‘BCCH’ TO CHECK IF PERIODIC REGISTRATION IS USED IN THE CELL IF YES, MS IS TOLD BY BTS HOW OFTEN IT MUST REGISTER THE VALUE CAN RANGE FROM 0 – 255 DECI HOURS ( A UNIT OF 6 MINUTES) IF THE VALUE IS ‘0’, PERIODIC REGISTRATION IS NOT USED IN THAT CELL IF IT IS 10, MS MUST REGISTER EVERY HOUR WHEN THE TIMER IN MS EXPIRES, MS PERFORMS THE LOCATION UPDATE – TYPE PERIODIC REGISTRATION IF MS DOES NOT REGISTER WITHIN THE TIME INTERVAL PLUS A GUARD TIME, THEN MSC FLAGS THE MS AS DETACHED

CALL ROUTING – OUGOING CALL MS sends dialled number to BSS BSS sends dialled number to MSC 3,4 MSC checks VLR if MS is allowed the requested service.If so,MSC asks BSS to allocate resources for call. MSC routes the call to GMSC GMSC routes the call to local exchange of called user 7, 8, 9,10 Answer back(ring back) tone is routed from called user to MS via GMSC,MSC,BSS

CALL ROUTING – INCOMING CALL Calling a GSM subscribers Forwarding call to GSMC Signal Setup to HLR 5. Request MSRN from VLR Forward responsible MSC to GMSC Forward Call to current MSC 9. Get current status of MS 11. Paging of MS 13. MS answers 15. Security checks 17. Set up connection

HANDOVERS Between 1 and 2 – Inter BTS / Intra BSC Between 1 and 3 – Inter BSC/ Intra MSC Between 1 and 4 – Inter MSC