GSM Mobility Management

Presentation on theme: "GSM Mobility Management"— Presentation transcript:

1 GSM Mobility Management
- GSM architecture overview
- Network layout
- Protocols
- Addresses & identifiers
- Location management
- Call delivery + location update
- Security
- Handover management
Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York

2 GSM network layout
[Figure: GSM Network (PLMN) divided into MSC regions; each MSC region contains location areas with BSCs and BTSs]
PLMN: Public Land Mobile Network; MSC: Mobile Switching Center; BTS: Base Transceiver Station; BSC: Base Station Controller
- In each GSM network (Public Land Mobile Network, PLMN) there is at least one administration area assigned to a Mobile Switching Center (MSC).
- In each administration area there is at least one Location Area (LA).
- An LA consists of several cell groups. Each cell group is assigned to one Base Station Controller (BSC).
- Cells of one BSC may belong to different LAs.

3 GSM network layout
[Figure: MS, BTS, BSC, MSC, GMSC, VLR, HLR, EIR, AUC and OMC, connected to the PSTN/ISDN; interface labels Um, Abis, E, B, C]
- OMC: Operations and Maintenance Center
- GMSC: Gateway Mobile Switching Center. To set up a call toward a GSM user, the call is first routed to a GMSC; it is responsible for fetching location information and routing the call toward the visiting MSC where the GSM user is currently located. The GMSC function is widely implemented in the same machines as the MSC itself.
- NSS: Network and Switching Subsystem (the NSS consists of MSC, OMC, HLR, VLRs, AuC)
- MSC: Mobile Switching Center
- VLR: Visitor Location Register
- HLR: Home Location Register
- EIR: Equipment Identification Register
- AuC: Authentication Center
- BSC: Base Station Controller
- BTS: Base Transceiver Station
- MS: Mobile Subscriber
- BSS: Base Station System (the BSC and BTS together are referred to as the BSS)
- PSTN: Public Switched Telephone Network
- ISDN: Integrated Services Digital Network

4 GSM MAP protocol
- GSM MAP is similar to IS41 MAP.
- MAP uses the Transaction Capabilities Application Part (TCAP) of the SS7 stack.
- MAP functions:
  - Updating of location information in VLRs
  - Storing routing information in HLRs
  - Updating and supplementing user profiles in HLRs
  - Handoff of connections between MSCs

5 What is a location area (LA)?
- A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell.
- One extreme is to page every cell in the network for each call: a waste of radio bandwidth.
- The other extreme is to have a mobile send location updates at the cell level. Paging is cut to 1 cell, but there is a large number of location updating messages.
- Hence, in GSM, cells are grouped into Location Areas: updates are sent only when the LA is changed, and the paging message is sent to all cells in the last known LA.
PAGCH: Paging and Access Grant Channel

6 Addresses and Identifiers
International Mobile Station Equipment Identity (IMEI)
- It is similar to a serial number.
- It is allocated by the equipment manufacturer, registered by the network, and stored in the EIR.
International Mobile Subscriber Identity (IMSI)
- Structure: MCC | MNC | MSIN
- MCC: Mobile Country Code; MNC: Mobile Network Code; MSIN: Mobile Subscriber Identification Number
- “The MSC/VLR is able to derive the identity of the subscriber’s home PLMN and possibly more information on the HLR of the subscriber. In practice, the HLR can usually be identified by looking at the most significant digits of the IMSI following the MCC and MNC. However, this usually only works inside the home PLMN country. For PLMNs of other countries, using IMSI as a global title, the messages are routed toward a gateway entity of the home PLMN country.” GSM book by Mouly and Pautet, page 468.
- When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.
- The HLR can be identified by a VLR/MSC from the IMSI.

7 Addresses and Identifiers
Mobile Subscriber ISDN (MSISDN)
- The “real telephone number”: assigned to the SIM.
- The SIM can have several MSISDN numbers for selection of different services like voice, data, fax.
- Structure: CC | NDC | SN
- CC: Country Code; NDC: National Destination Code (the NDC identifies the operator); SN: Subscriber Number
- The digits following the NDC identify the HLR.

8 Addresses and Identifiers
Mobile Station Roaming Number (MSRN)
- It is a temporary, location-dependent ISDN number.
- It is assigned by the local VLR to each MS in its area.
- Structure: CC | NDC | SN

9 Addresses and identifiers
Temporary Mobile Subscriber Identity (TMSI)
- It is an alias of the IMSI and is used in its place for privacy.
- It is used to avoid sending the IMSI on the radio path.
- It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR.
- The TMSI is stored in the MS SIM card and in the VLR.

10 TMSI, IMSI, MSRN and MSISDN
- Unlike the MSISDN, the IMSI is not known to the GSM user. The CC of the MSISDN translates to an MCC of the IMSI, e.g., Denmark: CC 45, MCC 238.
- TMSI is used instead of IMSI during location update to protect privacy. As the user moves, the TMSI is used to send location updates. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
- MSRN is the routing number that identifies the current location of the called MS. It is a temporary network identity assigned to a mobile subscriber. The MSRN identifies the serving MSC/VLR and is used for call delivery (calls incoming to an MS).
- MSISDN is the dialed number to reach a GSM user.

11 Addresses and Identifiers
Location Area ID (LAI)
- Structure: CC | MNC | LAC
- CC: Country Code; MNC: Mobile Network Code; LAC: Location Area Code
- The LAI is broadcast regularly by the Base Station on the BCCH (Broadcast Control Channel).
- Each cell is identified uniquely as belonging to an LA by its LAI.

12 Location management
Set of procedures to:
- track a mobile user
- find the mobile user to deliver it calls
The current location of the MS is maintained by a 2-level hierarchical strategy with HLRs and VLRs.

13 Ways to obtain MSRN
- Obtaining at location update: the MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
- Obtaining on a per call basis: this case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment.

14 Routing information: case when MSRN is selected per call by VLR/MSC
MSISDNIMSI, VLR number HLR IMSI MSISDN MSRN MSRN MSISDN GMSC MSRN MSC/VLR If MSRN is allocated to each subscriber visiting at an MSC, then the number of MSRNs required is large. If instead, an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to number of circuits at MSC – a much smaller number – hence MSRNs typically allocated per call by VLR/MSC

15 Call routing to a mobile station: case when HLR returns MSRN
[Figure: call path from the ISDN through GMSC, HLR, MSC and VLR to the BSCs/BTSs of LA 1 and LA 2 and the MS; arrows numbered 1 to 8 and labeled MSISDN, MSRN and TMSI]
1) The ISDN switch forwards the call to a mobile switch based on the MSISDN.
2), 3) The GMSC requests the routing address (MSRN) from the HLR.
4) Using the MSRN, the call is forwarded to the local MSC.
5), 6) The MSC determines the TMSI of the MS from the VLR.
7) The MSC initiates paging in the relevant LA.
8) After the MS responds to paging, the connection is switched through.
The HLR has the MSISDN to MSRN mapping and the VLR has the MSRN to TMSI mapping. In the current slide, we presume that the HLR already has the updated MSRN (refer to slide 29). In case the HLR only knows about the VLR, it would have to request the current VLR of the MS to provide the routable address (MSRN). The VLR would return the MSRN to the GMSC through the HLR. Then the GMSC would use the MSRN to route the call to the MS through the visited MSC.

16 Messages exchanged: call delivery
[Figure: originating switch (PSTN), GMSC, HLR, VLR and target MSC, with arrows numbered 1 to 6]
Messages:
1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM
NOTE: Generally, call termination means the end of a conversation. However, in GSM, call termination means delivering an incoming call to the MS.
CALL TERMINATION:
1. The call originating from a PSTN network to an MS is routed to the gateway MSC (GMSC) through an SS7 ISUP IAM message.
2. The GMSC then sends MAP_SEND_ROUTING_INFO to the HLR. This message consists of the MSISDN of the MS and other information.
3. The HLR sends the MAP_PROVIDE_ROAMING_NUMBER message to the VLR to get the MSRN. The message contains the IMSI, MSC no. and other information.
4 & 5. The VLR creates the MSRN using the MSC no. stored in the VLR record of that MS. This MSRN is sent to the GMSC through the HLR.
6. The MSRN provides the address of the target MSC which has the MS. A voice trunk is set up by an SS7 ISUP IAM message between the GMSC and the target MSC.

17 Find operation in GSM
- The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. Therefore, it forwards the call to the GMSC of the home PLMN (Public Land Mobile Network).
- The GMSC requests the current routing address (MSRN) from the HLR using MAP.
- By way of the MSRN the call is forwarded to the local MSC.
- The local MSC determines the TMSI of the MS (by querying the VLR) and initiates the paging procedure in the relevant LA.
- After the MS responds to the page the connection can be switched through.

18 GSM security
Authentication
The network asks the MS: what signed response (SRES) are you able to derive from the input challenge RAND by applying the A3 algorithm with your personal key Ki (Ki is per subscriber)?
[Figure: the network sends RAND (128 bit) to the MS; network and MS each run the A3 algorithm with Ki on RAND; the MS returns SRES; the network checks: SRES equal?]

19 GSM security
Encryption
- Digital technology: easy to encrypt voice data.
- A5 derives a ciphering sequence of 114 bits for each burst independently.
- XOR 114 bits of a radio burst with 114 bits of a ciphering sequence generated by A5.
[Figure: MS and BTS each run the A5 algorithm on Kc (64 bits) and the frame number (22 bits), producing sequences S1(114) and S2(114); S1 is used for ciphering on one side and deciphering on the other, S2 likewise in the opposite direction]

20 Key management
- Ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki).
- Each time a mobile station is authenticated, the MS and network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES.
- Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
- Bootstrap period during which the network does not know who the subscriber is: everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted).
- Protection: use TMSI instead of IMSI when possible. TMSI should be exchanged during protected (ciphered) signaling procedures.
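The challenge-response, key derivation and per-burst ciphering of slides 18 to 20, as an added Python example that is not part of the original slides. The real A3/A8 and A5 algorithms are not given in the presentation, so HMAC-SHA256 and SHAKE-256 stand in for them (an assumption); only the interfaces and sizes (128-bit RAND, 64-bit Kc, 22-bit frame number, 114-bit sequence) follow the slides, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Stand-ins (assumption): the operator's real A3/A8 and the real A5 cipher are
# not on the slides; HMAC-SHA256 and SHAKE-256 only reproduce their interfaces.
def a3(ki: bytes, rand: bytes) -> bytes:
    """Signed response SRES (32 bits) from subscriber key Ki and challenge RAND."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Ciphering key Kc (64 bits) from the same inputs as SRES."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5_keystream(kc: bytes, frame_number: int) -> int:
    """114-bit ciphering sequence for one burst, from Kc and the frame number."""
    if not 0 <= frame_number < 2 ** 22:
        raise ValueError("frame number must fit in 22 bits")
    seed = kc + frame_number.to_bytes(3, "big")
    return int.from_bytes(hashlib.shake_256(seed).digest(15), "big") >> 6

def cipher_burst(kc: bytes, frame_number: int, burst: int) -> int:
    """XOR a 114-bit burst with the keystream; the same call deciphers."""
    if not 0 <= burst < 2 ** 114:
        raise ValueError("burst must fit in 114 bits")
    return burst ^ a5_keystream(kc, frame_number)

class MobileStation:
    """SIM side: holds Ki, answers challenges, keeps the Kc it derives."""
    def __init__(self, ki: bytes):
        self._ki = ki
        self.kc = None

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)
        return a3(self._ki, rand)

def auc_triplet(ki: bytes):
    """AuC side: fresh 128-bit RAND plus the expected SRES and Kc."""
    rand = secrets.token_bytes(16)
    return rand, a3(ki, rand), a8(ki, rand)

def authenticate(ms: MobileStation, ki_at_auc: bytes):
    """Network side: send RAND, compare SRES, return Kc on success else None."""
    rand, expected_sres, kc = auc_triplet(ki_at_auc)
    sres = ms.respond(rand)          # only RAND and SRES cross the radio path
    if not hmac.compare_digest(sres, expected_sres):
        return None                  # SRES not equal: no ciphering key handed out
    return kc

if __name__ == "__main__":
    ki = secrets.token_bytes(16)     # constructed subscriber key
    ms = MobileStation(ki)
    kc = authenticate(ms, ki)
    burst = secrets.randbits(114)    # constructed burst payload
    sent = cipher_burst(kc, 1234, burst)              # one side ciphers
    print(cipher_burst(ms.kc, 1234, sent) == burst)   # other side deciphers
```

Ki never leaves the SIM or the AuC in this flow; Kc is never transmitted on the radio path because both sides derive it from the same RAND.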

21 Location registration
- The MS has to register with the PLMN to get communication services.
- Registration is required for a change of PLMN.
- The MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
- The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
- If the MS recognizes by reading the LAI broadcast on the BCCH that it is in a new LA, it performs a Location Update to update the HLR records.
- The location update procedure could also be performed periodically, independent of the MS movement.
- The difference between Location Registration and Location Update is that in a location update the MS has already been assigned a TMSI.

22 Location registration
[Figure: message sequence chart for location registration between MS, BSS/MSC, VLR, HLR and AUC. Messages shown: Loc.Upd.Req, Upd Loc.Area, Aut.Par.Req, Auth.Info.Req, Auth.Info, Aut. Info., Authenticate, Authentic. Req, Auth.Resp., Update Location (IMSI,MSRN), Generate TMSI. Parameters shown: (IMSI,LAI), (IMSI), (IMSI,Kc,RAND,SRES), (RAND), (SRES). The MS holds IMSI and Ki and derives SRES and Kc from RAND with A3 & A8.]
After the subscriber has requested registration at its current location by sending its IMSI and LAI, the MSC instructs the VLR to register the MS with its current LAI. In order for this registration to be valid, the identity of the subscriber is first checked using the IMSI. The AuC gives the authentication information based on the IMSI.
Contd...

23 (…contd) Location registration.
[Figure: message sequence chart (continued) between MS, BSS/MSC, VLR, HLR and AUC. Messages shown: Generate TMSI, Ins.Subsc.Data (IMSI), Subs.Dat.Ins.Ack, Start Ciph. (Kc), Ciph.Mod.Com., Ciph.Mod., Forw. New TMSI (TMSI), Loc.Upd.Accept, TMSI Realloc.Cmd., TMSI Realloc.Ack, TMSI.Ack. A message M is ciphered with A5 and Kc as Kc(M) on one side and deciphered with A5 and Kc on the other. Note on chart: TMSI Realloc.Cmd. and Loc.Upd.Accept can be combined.]
After successful authentication, the MS is assigned a new MSRN, which is stored with the LAI in the HLR, and a new TMSI is received by the MS (TMSI Reallocation) in ciphering mode. While in location updating, the VLR is receiving user data.

24 Location update
[Figure: message sequence chart for location update between MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI, TMSI, Ki, Kc and LAI. Messages shown: Loc.Upd.Req (TMSI,LAI), Update Loc.Area (TMSI,LAI), Authentication, Update Location (IMSI,MSRN), Generate TMSI, Insert Subscriber. data (IMSI), Subs. Data Insert Ack, Start ciphering (Kc).]
(contd..)

25 (..contd) Location update.
[Figure: message sequence chart (continued) between MS, BSS/MSC, VLR, HLR and AUC. Messages shown: Start ciphering, Forward new TMSI (TMSI), Loc. Upd. Accept, TMSI Realloc. Cmd., TMSI Reallocation Complete, TMSI Ack, Auth. Para. Req (IMSI), Auth.Info.Req (IMSI), Auth. Info. (IMSI,Kc,RAND,SRES), Auth.Info (IMSI,Kc,RAND,SRES).]
If the location change involves both LA and VLR, the new VLR has to request the identification and security data for the MS from the old VLR and store them locally. In the inter-VLR case, if (in an emergency situation) the old VLR cannot be determined by the LAI or the old TMSI is not known in the new VLR, the IMSI is requested by the new VLR from the MS.
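Which identity crosses the radio path in location registration, location update, inter-VLR update and the IMSI fallback of slides 21 to 25, as an added Python example that is not part of the original slides. Authentication and ciphering are left out, the HLR is reduced to a dictionary recording the serving VLR, and the class names, LAI strings and IMSI value are constructed for illustration.

```python
import secrets

class VLR:
    """Holds the TMSI -> IMSI alias table for the location areas it serves."""
    def __init__(self, name, lais):
        self.name, self.lais, self.by_tmsi = name, set(lais), {}

    def allocate_tmsi(self, imsi):
        # Drop any previous alias of this subscriber, then issue a fresh one.
        self.by_tmsi = {t: i for t, i in self.by_tmsi.items() if i != imsi}
        tmsi = secrets.token_hex(4)          # TMSI is 4 octets
        self.by_tmsi[tmsi] = imsi
        return tmsi

class MS:
    """SIM contents used here: IMSI, current TMSI and the LAI it was issued in."""
    def __init__(self, imsi):
        self.imsi, self.tmsi, self.lai = imsi, None, None

def location_update(ms, new_lai, vlrs, hlr, radio_log):
    """Run one registration/update; radio_log records identities sent in clear."""
    new_vlr = next(v for v in vlrs if new_lai in v.lais)
    imsi = None
    if ms.tmsi is not None:
        # Location update: the MS identifies itself with TMSI and the old LAI.
        radio_log.append(("TMSI", ms.tmsi))
        old_vlr = next((v for v in vlrs if ms.lai in v.lais), None)
        if old_vlr is not None:              # new VLR asks the old VLR for identity
            imsi = old_vlr.by_tmsi.get(ms.tmsi)
            if old_vlr is not new_vlr:
                old_vlr.by_tmsi.pop(ms.tmsi, None)
    if imsi is None:
        # Location registration, or fallback when the TMSI cannot be resolved.
        radio_log.append(("IMSI", ms.imsi))
        imsi = ms.imsi
    hlr[imsi] = new_vlr.name                 # HLR learns the serving VLR
    ms.tmsi, ms.lai = new_vlr.allocate_tmsi(imsi), new_lai   # sent ciphered
    return new_vlr.name

def demo():
    """Constructed scenario: one subscriber moving LA1 -> LA2 -> LA3 -> LA1."""
    vlrs = [VLR("VLR-A", ["LA1", "LA2"]), VLR("VLR-B", ["LA3"])]
    ms, hlr, log = MS("001010123456789"), {}, []
    location_update(ms, "LA1", vlrs, hlr, log)   # first registration
    location_update(ms, "LA2", vlrs, hlr, log)   # new LA, same VLR
    location_update(ms, "LA3", vlrs, hlr, log)   # inter-VLR
    vlrs[1].by_tmsi.clear()                      # VLR-B loses its records
    location_update(ms, "LA1", vlrs, hlr, log)   # TMSI unknown: IMSI requested
    return [kind for kind, _ in log], hlr[ms.imsi]
```

In the constructed run the IMSI appears in clear only at first registration and in the fallback case, which are the two points where a passive listener on the radio path can tie a TMSI back to a subscriber.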

26 Types of handover (same as “handoff”)
There are four different types of handover in the GSM system. Handover involves transferring a call between:
- Channels (time slots) in the same cell,
- Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
- Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
- Cells under the control of different MSCs.
Internal handovers
- Involve only one Base Station Controller (BSC). To save signaling bandwidth, they are managed by the BSC without involving the Mobile services Switching Center (MSC), except to notify it at the completion of the handover.
External handovers
- Handled by the MSCs involved. An important aspect of GSM is that the original MSC, the anchor MSC, remains responsible for most call-related functions, with the exception of subsequent inter-BSC handovers under the control of the new MSC, called the relay MSC.

27 Attributes of radio-link handover
- Hard handover
- MAHO
- Backward
- COS selection scheme: static
- Cross-over switch: anchor switch
GSM is circuit switched and in circuit switches there are no buffers. Hence, we apply the same procedure as the generic scheme for handover but the buffering step is excluded.

28 Handover (MAHO)
- Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).
- During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength.
- This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

29 Handover procedures in GSM
[Figure: connection route across MSC-A, MSC-B and MSC-C with their BSCs and BTS 1, BTS 2 and BTS 3; elements numbered 1 to 9]

30 Inter MSC basic handover
[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Messages shown: Handover required, Perform Handover, Allocate Handover number, Handover report, Radio chan. Ack, IAM, ACM, HA Indication, HB Indication, HB Confirm, Send End Signal, ANS, End of Call, REL, RLC, End Signal, Handover report]
- The BSS sends a handover request to MSC-A.
- MSC-A decides on the handover and sends a “perform handover” message to MSC-B.
- MSC-B assigns a handover number and allocates a channel for the MS via VLR-B.
- VLR-B sends a handover report to MSC-B, which then sends a “radio-channel ack” containing the new MSRN to MSC-A.
- An ISDN channel is switched between the two MSCs (ISUP messages: IAM and ACM).
- Both MSCs ack the MS (HA and HB indications). HA indication and HB indication are the acknowledgements sent from the MSCs to the MS.
- The MS resumes the connection on the new channel (HB confirm). HB confirm is sent from the MS to the MSC when it resumes the connection on the new channel after a short interruption.
- MSC-B sends a “send end signal” message to MSC-A and releases the old radio connection.
- MSC-A generates an “end signal” message to MSC-B.
- MSC-B sends a “handover report” to its VLR. The VLR is involved because during call origination and call termination routing information must be obtained by the MSC from the serving VLR.

31 Subsequent handover from MSC-B to MSC-A
[Figure: message sequence chart between MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Messages shown: HA Required, Perform subsequent Handover, Subseq. Handover Acknowledge, HB Indication, HB Confirm, HA Indication, End Signal, Handover report, End of Call, REL, RLC]
- The mobile returns to MSC-A (hand back).
- MSC-A does not assign a handover number; it searches directly for a new radio channel for the MS.
- Both MSC-A and MSC-B start the handover procedure at the air I/F (HA/HB indication), and complete the handover.
- MSC-A terminates the connection to MSC-B.
- “End signal” terminates the connection at MSC-B.
- A handover report is sent to the VLR of MSC-B.
- The ISUP message “release” releases the ISDN connection.

32 Subsequent handover from MSC-B to MSC-C
[Figure: message sequence chart between MS, MSC-A, MSC-B, MSC-C and VLR-C. Messages shown: HA Request, Perform subsequent Handover, Perform Handover, Allocate Handover Number, Send Handover report, Radio chan. Ack., IAM, ACM, HB Indication]
Handover to MSC-C:
- Subsequent handover from MSC-B to MSC-A
- Basic handover from MSC-A to MSC-C
Steps:
- MSC-B sends the message “perform subsequent handover” to MSC-A and initiates a basic handover to MSC-C.
- MSC-C sends the ISUP message ACM to MSC-A.
- Now MSC-A informs MSC-B about the start of handover and frees the handover procedure at the radio I/F from MSC-B.
- MSC-B sends “send end signal” to MSC-A.
- MSC-A sends “end signal” to MSC-B to terminate the MAP procedure and cancels the ISDN connection.
Here the ISUP messages IAM and ACM are used because MSC-A frees the handover procedure at the radio interface for MSC-B only after it receives these ISUP messages from MSC-C about the start of handover at MSC-C.
(Contd…)

33 (…contd) Subsequent handover from MSC-B to MSC-C
[Figure: message sequence chart (continued) between MS, MSC-A, MSC-B, MSC-C and VLR-B. Messages shown: Perform subsequent Acknowledge, HA Indication, HB Confirm, Send End Signal, ANS, End Signal, Handoff Report, REL, RLC]
REL and RLC are release messages.

34 Abbreviations
- ISC: International switching center
- OMC: Operations and maintenance center
- GMSC: Gateway switching center
- MSC: Mobile switching center
- VLR: Visitor location register
- HLR: Home location register
- EIR: Equipment identification register
- AUC: Authentication center
- BSC: Base station controller
- BTS: Base transceiver station
- MS: Mobile subscriber
- TMSI: Temporary Mobile Subscriber Identity
- IMSI: International Mobile Subscriber Identity

35 References
- The GSM System for Mobile Communications by Mouly & Pautet
- Wireless and Mobile Network Architectures by Yi-Bing Lin & Imrich Chlamtac
- Wireless Personal Communications Systems by Dr. Goodman
- GSM Switching, Services and Protocols by Jorg Eberspacher and Hans-Jorg Vogel

