Basic Concepts of Cellular Networks and Mobile IP Aug 31, 2005
Evolution of Cellular Networks Architectures –AMPS –GSM Security Mechanisms in GSM Cellular Networks: Agenda
Origin of Wireless Communications Wireless communications gained popularity in 1930’s –Mainly used for public safety by police and other government organizations –Not connected to the PSTN (Public Switching Telephone Networks) First public mobile telephone service started in 1946 in United States –Using a single high power transmitter and large tower to cover an area of 50 km
Concept of Cellular Networks A single high power transmitter services one larger area multiple low power transmitters service multiple smaller areas (Cells) Frequency can be reused by cells far away from each other improve usage A set of cells that do not share frequency form a cluster The cluster is then replicated throughout the desired communication area
Evolution of Cellular Networks 1G 2G3G4G 2.5G AnalogDigital Circuit-switchingPacket-switching
1G Systems Goal: To develop a working system that could provide basic voice service Time frame: Technology: FDMA/FDD Example Systems: –Advanced Mobile Phone System (AMPS-USA) –Total Access Communication System (TACS-UK) –Nordic Mobile Telephone (NMT-Europe) Incompatible analog systems
2G Systems Goal: Digital voice service with improved quality and also provide better data services Time Frame: Technology: TDMA/TDD, CDMA Example Systems: –Global System for Mobile (GSM-Europe) –IS-136(TDMA) –IS-95 (CDMA)
Goal: To provide better data rates and wider range of data services and also act as a transition to 3G Time frame: Systems: –IS-95B –High Speed Circuit Switched Data (HSCSD) –General Packet Radio Service (GPRS) –Enhanced Data rates for GSM Evolution (EDGE) 2.5G Systems
Goal: High speed wireless data access and unified universal standard Time frame: Two competing standards –One based on GSM, IS-136 and PDC known as 3GPP –Other based on IS-95 named 3GPP2 Completely move from circuit switching to packet switching Enhanced data rates of 2-20Mbps 3G Systems
Future systems Goal: –High mobility, High data rate, IP based network –Hybrid network that can interoperate with other networks 4G Systems
AMPS 1G system developed by Bell Labs Analog system used FDMA/FDD 40Mhz of spectrum 842 channels rate: 10kbps
Public Switched Telephone Network MTSO (MSC) BTS MTSO: Mobile Telecommunication Switching Office Also known as MSC (Mobile Switching Center) BTS: Base Transceiver Station AMPS: Architecture
Public Switched Telephone Network MTSO (MSC) BTS Paging message Paging message Paging message Paging message AMPS: Conventional Telephone Cell Phone
Call arrives at MSC via the PSTN MSC then sends out a paging message via all BTS on the FCC (Forward Control Channel). The paging message contains subscriber’s Mobile Identification Number (MIN) The mobile unit responds with an acknowledgement on the RCC (Reverse Control Channel) MSC directs BS to assign FVC (Forward Voice Channel) and RVC (Reverse Voice Channel) AMPS: Conventional Telephone Cell Phone
Subscriber unit transmits an origination message on the RCC Origination message contains –MIN –Electronic Serial Number –Station Class Mark –Destination phone number If BTS receives it correctly then it is passed on to MSC MSC validates the information and connects the call AMPS: Cell phone initializes a call
GSM system consists of three interconnected sub- systems –Base station Subsystem Mobile station (MS) Base Transceiver Station (BTS) Base Station Controllers (BSC) –Network Switching Subsystem (NSS) Mobile Switching Center (MSC) Home Location Register (HLR) Visitor Location Register (VLR) Authentication center (AUC) –Operation Support Subsystem Operation Maintenance Centers GSM: Architecture
Base Station Subsystem BSC BTS BSCs connect the MS to the NSS The BTS provides last mile connection to the MS and communication is between the BTS and MS Handover between BTS within same BSC is handled by the BSC GSM
BSC BTS Base Station Subsystem MSC HLRVLRAUC Public Networks Network Switching Subsystem OSS Operation Support Subsystem GSM
Principles –Only authenticated users are allowed to access the network –No user data or voice communication is transmitted in “clear text” The subscriber identity module (SIM) card is a vital part of GSM security. It stores –International Mobile Subscriber Identity (IMSI) –Ciphering Key Generating Algorithm (A8) –Authentication Algorithm (A3) –Personal Identification Number –Individual Subscriber Authentication Key (K i ) Security in GSM
Mobile station contains –A5 algorithm and IMEI The network stores –A3, A5, A8 algorithms The Authentication Center stores –IMSI –Temporary Mobile Subscriber Identity (TMSI) –Individual Subscriber Authentication Key (K i ) Security in GSM
Channel Establishment Identity (TMSI or IMSI) Authentication Request (RAND) Run Authentication Algorithm (RAND) Response (SRES,Kc) Authentication Response (SRES) RAND is 128 bit random sequence SRES is signed response generated for authentication Security in GSM: Authentication Network Mobile Station SIM
At the Network end At the Mobile user end in the SIM A3 Algorithm RAND (challenge) K i (128 bit) Transmitted to mobile A3 Algorithm RAND (challenge) K i (128 bit) A8 Algorithm K c used for encryption of user data and signaling data Proper authentication completed if result is zero Transmitted back to base station Authentication based on RAND
K i is known only to the operator who programs the SIM card and is tied to IMSI IMSI should be transmitted as less as possible. Only TMSI is used for authentication TMSI is periodically updated Security in GSM: Authentication
GSM uses symmetric cryptography –Data is encrypted using an algorithm which is seeded by the ciphering key K c K c is known only to base station and mobile phone and is frequently changed The A5 algorithm is used for ciphering the data Along with K c the algorithm is ‘seeded’ by the value based on the TDMA frame Internal state of the algorithm is flushed after a burst Security in GSM: Data Encryption
A5 algorithm Kc (from A8 algorithm) Count (from TDMA frame) User Data Xor Encoded message Security in GSM: Authentication
Why Mobile IP? Basic Principle of Mobile IP Route Optimization Mobile IP: Agenda
Internet hosts/interfaces are identified by IP address –Domain name service (DNS) translates host name to IP address –IP address identifies host/interface and locates its network IP Addressing Gateway Host 1 MH ISU: *.* Internet Host 2 Gateway PSU: *.*
A host move to another network requires different network address –But this would change the host’s identity –How can others still reach the moving host? How can on- going connections to the moving host be not interrupted? Applications –GPRS (2.5G), 3G cellular networks –Mission-critical applications IP devices held by police, ambulance, coast guards are always connected when moving –Moving offices, … Problems
CH MH Home network MH CH MH = mobile hostCH = correspondent host Home network Foreign network How to direct packets to moving hosts transparently? Routing for Mobile Host
An analogy: what do you do when moving from one apartment to another? –Leave a forwarding address with your old post-office! –The old post-office forwards mails to your new post- office, which then forwards them to you Mobile IP: –Two other entities – home agent (old post-office), foreign agent (new post-office) –Mobile host registers with home agent the new location –Home agent captures packets meant for mobile host, and forwards it to the foreign agent, which then delivers it to the mobile host Mobile IP: Basic Idea
MH = mobile hostCH = correspondent host HA = home agentFA = foreign agent MH discovers a FA in the foreign network. MH seeks a care-off address from the FA MH registers/authenticates its care-off address to the HA in its home network. HA CH Home networkForeign network FAMH A MH Moves to a Foreign Network *.* *.*
HA receives packets for the MH. HA tunnels packets to FA FA decapsulates packets and delivers them to MH HA CH Home network Foreign network FAMH Packets towards MH MH = mobile hostCH = correspondent host HA = home agentFA = foreign agent
Source address = address of CH Destination address = home IP address of MH Payload Source address = address of HA Destination address = care-of address of MH Source address = address of CH Destination address = home IP address of MH Original payload Packet from CH to MH Home agent intercepts above packet and tunnels it Packet Addressing
HA CH Home network Foreign network #1 FA #1MH Foreign network #2 FA #2MH MH registers new address (FA #2) with HA & FA #1 HA tunnels packets to FA #2, which delivers them to MH Packets in flight can be forwarded from FA #1 to FA #2 If MH Moves Again
HA CH Home network Foreign network FAMH Mobile hosts also send packets Mobile host uses its home IP address as source address -Lower latency -Still transparent to correspondent host -No obvious need to encapsulate packet to CH -Triangle Routing Packets from MH
HA CH Home network Foreign network FAMH When HA receives a packet (from CH) to tunnel to FA: It sends a binding message to CH with the care-of address of the MH. CH caches the address, and forward later packets directly to the care-of address. Route Optimization
When a FA receives a tunneled message, but sees no visitor entry for the mobile host, it generates a binding warning message to the appropriate HA When a HA receives a warning, it issues an update message to the CH, which removes the care-of address from its cache. Route Optimization
Topic of next class: Wireless LAN and Mobile Ad Hoc Network Reminder: pick the papers you want to present (with preferred dates if you want) ASAP. Notice