GSM Mobility Management

• GSM architecture overview
– Network layout
– Protocols
– Addresses & identifiers
• Location management
– Call delivery + location update
– Security
• Handover management
Originals by: Rashmi Nigalye, Mouloud Rahmani, Aruna Vegesana, Garima Mittal, Fall 2001
Prof. M. Veeraraghavan, Polytechnic University, New York

GSM network layout
PLMN: Public Land Mobile Network
MSC: Mobile Switching Center
BSC: Base Station Controller
BTS: Base Transceiver Station
[Figure: a GSM network (PLMN) showing MSC regions, location areas, BSCs and BTSs]

GSM network layout
[Figure: GSM network elements (BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR, OMC) with connections to the PSTN and ISDN; interface labels: Um, Abis, A, B, C, E]

GSM MAP protocol
• GSM MAP is similar to IS-41 MAP
• MAP uses the Transaction Capabilities Application Part (TCAP) of the SS7 stack
• MAP functions:
– Updating of location information in VLRs
– Storing routing information in HLRs
– Updating and supplementing user profiles in HLRs
– Handoff of connections between MSCs

What is a location area (LA)?
• A powered-on mobile is informed of an incoming call by a paging message sent over the PAGCH channel of a cell
• One extreme is to page every cell in the network for each call, which wastes radio bandwidth
• The other extreme is to have a mobile send location updates at the cell level. Paging is cut to 1 cell, but the number of location updating messages is large.
• Hence, in GSM, cells are grouped into Location Areas: updates are sent only when the LA changes, and the paging message is sent to all cells in the last known LA

Addresses and Identifiers
• International Mobile Station Equipment Identity (IMEI)
– It is similar to a serial number. It is allocated by the equipment manufacturer, registered by the network, and stored in the EIR
• International Mobile Subscriber Identity (IMSI)
– Structure: MCC | MNC | MSIN
– MCC: Country Code
– MNC: Mobile Network Code
– MSIN: Mobile Subscriber Identification Number
– When subscribing for service with a network, the subscriber receives an IMSI and stores it in the SIM (Subscriber Identity Module) card.
– The HLR can be identified by a VLR/MSC from the IMSI.

Addresses and Identifiers
• Mobile Subscriber ISDN (MSISDN)
– The “real telephone number”: assigned to the SIM
– The SIM can have several MSISDN numbers for selection of different services like voice, data, fax
– Structure: CC | NDC | SN
– CC: Country Code; NDC: National Destination Code (NDC identifies the operator); SN: Subscriber Number
– The digits following the NDC identify the HLR

Addresses and Identifiers
• Mobile Station Roaming Number (MSRN)
– It is a temporary, location-dependent ISDN number
– It is assigned by the local VLR to each MS in its area.
– Structure: CC | NDC | SN

Addresses and identifiers
• Temporary Mobile Subscriber Identity (TMSI)
– It is an alias of the IMSI and is used in its place for privacy.
– It is used to avoid sending the IMSI on the radio path.
– It is a temporary identity that is allocated to an MS by the VLR at inter-VLR registration, and can be changed by the VLR
– The TMSI is stored in the MS SIM card and in the VLR.

TMSI, IMSI, MSRN and MSISDN
• Unlike the MSISDN, the IMSI is not known to the GSM user. The CC of the MSISDN translates to an MCC of the IMSI, e.g., Denmark: CC 45, MCC 238
• TMSI is used instead of IMSI during location update to protect privacy. As the user moves, the TMSI is used to send location updates. Thus a third party snooping on the wireless link cannot track a user as he/she moves.
• MSRN is the routing number that identifies the current location of the called MS.
– MSRN is a temporary network identity assigned to a mobile subscriber.
– MSRN identifies the serving MSC/VLR.
– MSRN is used for call delivery (calls incoming to an MS).
• MSISDN is the dialed number to reach a GSM user

Addresses and Identifiers
• Location Area ID (LAI)
– Structure: CC | MNC | LAC
– CC: Country Code, MNC: Mobile Network Code, LAC: Location Area Code
– LAI is broadcast regularly by the Base Station on the BCCH
– Each cell is identified uniquely as belonging to an LA by its LAI

Location management
• Set of procedures to:
– track a mobile user
– find the mobile user to deliver calls to it
• The current location of an MS is maintained by a 2-level hierarchical strategy with HLRs and VLRs.

Ways to obtain MSRN
1. Obtaining at location update – The MSRN for the MS is assigned at the time of each location update, and is stored in the HLR. This way the HLR is in a position to immediately supply the routing info (MSRN) needed to switch a call through to the local MSC.
2. Obtaining on a per call basis – This case requires that the HLR has at least an identification for the currently responsible VLR. When routing info is requested from the HLR, it first has to obtain the MSRN from the VLR. This MSRN is assigned on a per call basis, i.e. each call involves a new MSRN assignment

Routing information: case when MSRN is selected per call by VLR/MSC
[Figure: routing information exchange among GMSC, HLR and MSC/VLR; labels: MSISDN, MSRN, and an HLR entry relating MSISDN to IMSI and VLR number]
• If an MSRN is allocated to each subscriber visiting at an MSC, then the number of MSRNs required is large. If instead an MSRN is allocated only when a call is to be established, then the number of MSRNs is roughly equal to the number of circuits at the MSC, a much smaller number. Hence MSRNs are typically allocated per call by the VLR/MSC

Call routing to a mobile station: case when HLR returns MSRN
[Figure: call routing in steps numbered 1 to 8 among the ISDN, GMSC, HLR, MSC, VLR, EIR, AUC, the BSCs and BTSs of location areas LA 1 and LA 2, and the MS; labels on the steps: MSISDN, MSRN, TMSI]

Messages exchanged: call delivery
[Figure: numbered message flow among the PSTN (originating switch), GMSC, HLR, VLR and target MSC]
1. ISUP IAM
2. MAP_SEND_ROUTING_INFO
3. MAP_PROVIDE_ROAMING_NUMBER
4. MAP_PROVIDE_ROAMING_NUMBER_ack
5. MAP_SEND_ROUTING_INFO_ack
6. ISUP IAM

Find operation in GSM
• The ISDN switch recognizes from the MSISDN that the called subscriber is a mobile subscriber. It therefore forwards the call to the GMSC of the home PLMN (Public Land Mobile Network)
• The GMSC requests the current routing address (MSRN) from the HLR using MAP
• By way of the MSRN the call is forwarded to the local MSC
• The local MSC determines the TMSI of the MS (by querying the VLR) and initiates the paging procedure in the relevant LA
• After the MS responds to the page, the connection can be switched through.

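The call-delivery sequence and the per-call MSRN allocation described above, as an added example (not part of the original slides). The classes MscVlr and Hlr, the function deliver_call and all numbers are hypothetical; the HLR handing back the serving VLR object is a shortcut for the GMSC routing on the MSRN digits.

```python
class MscVlr:
    """Serving MSC/VLR: allocates an MSRN per call and frees it when the call arrives."""
    def __init__(self, msrn_pool):
        self.free = list(msrn_pool)
        self.pending = {}          # MSRN -> IMSI, held between messages 3 and 6
        self.tmsi_by_imsi = {}     # visitors currently registered here

    def provide_roaming_number(self, imsi):
        if imsi not in self.tmsi_by_imsi:
            raise LookupError("subscriber not registered in this VLR")
        if not self.free:
            raise RuntimeError("MSRN pool exhausted")
        msrn = self.free.pop(0)
        self.pending[msrn] = imsi
        return msrn

    def iam(self, msrn):
        """Call arrives on the MSRN: release it and return the TMSI to page."""
        imsi = self.pending.pop(msrn)
        self.free.append(msrn)
        return self.tmsi_by_imsi[imsi]

class Hlr:
    def __init__(self):
        self.record = {}           # MSISDN -> (IMSI, serving MscVlr)

    def send_routing_info(self, msisdn, trace):
        imsi, vlr = self.record[msisdn]
        trace.append("3. MAP_PROVIDE_ROAMING_NUMBER")
        msrn = vlr.provide_roaming_number(imsi)
        trace.append("4. MAP_PROVIDE_ROAMING_NUMBER_ack")
        return msrn, vlr           # shortcut: the GMSC would route on the MSRN itself

def deliver_call(hlr, msisdn):
    """GMSC handling of one incoming call; returns (trace, MSRN, paged TMSI)."""
    trace = ["1. ISUP IAM", "2. MAP_SEND_ROUTING_INFO"]
    msrn, target = hlr.send_routing_info(msisdn, trace)
    trace += ["5. MAP_SEND_ROUTING_INFO_ack", "6. ISUP IAM"]
    return trace, msrn, target.iam(msrn)

if __name__ == "__main__":
    vlr, hlr = MscVlr(["4530900001", "4530900002"]), Hlr()   # constructed MSRNs
    vlr.tmsi_by_imsi["238010000000001"] = "tmsi-a"           # constructed IMSI/TMSI
    hlr.record["4520100001"] = ("238010000000001", vlr)      # constructed MSISDN
    print(deliver_call(hlr, "4520100001"))
```

Because the MSRN is returned to the pool as soon as the call reaches the target MSC, the pool only has to cover calls being set up at the same time, not every visiting subscriber.
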
GSM security
• Authentication
• What signed response (SRES) are you able to derive from the input challenge RAND by applying the A3 algorithm with your personal key Ki (Ki is per subscriber)?
[Figure: the network sends RAND (128 bits) to the MS; the MS and the network each apply the A3 algorithm to RAND and Ki to obtain SRES; the network checks whether the two SRES values are equal]

GSM security
• Encryption
• Digital technology – easy to encrypt voice data
• A5 derives a ciphering sequence of 114 bits for each burst independently
• XOR 114 bits of a radio burst with 114 bits of a ciphering sequence generated by A5
[Figure: the BTS and the MS each feed Kc (64 bits) and the frame number (22 bits) into the A5 algorithm, producing sequences S1 (114 bits) and S2 (114 bits); one side ciphers with S1 and deciphers with S2, the other deciphers with S1 and ciphers with S2]

Key management
• Ciphering key Kc is generated using algorithm A8 in the same manner as SRES (from RAND and Ki)
• Each time a mobile station is authenticated, the MS and the network compute the ciphering key Kc by running algorithm A8 with the same inputs RAND and Ki as for SRES
• Ciphering with Kc applies only when the network knows the identity of the subscriber it is talking to.
– There is a bootstrap period during which the network does not know who the subscriber is
– Everything up to and including the first message carrying the non-ambiguous subscriber identity is carried in the clear (unencrypted)
– Protection: use TMSI instead of IMSI when possible; the TMSI should be exchanged during protected signaling (ciphered) procedures

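The authentication, key generation and burst ciphering described on the three security slides above, as an added example (not part of the original slides). A3, A8 and A5 are not given on the slides, so HMAC-SHA256 and SHA-256 stand in for them; the class and function names, the 32-bit SRES width and all sample values are assumptions.

```python
import hashlib, hmac, os

# Stand-ins only: they reproduce the data flow and bit widths, not the real A3/A8/A5.
def a3_a8(ki, rand):
    """Return (SRES, Kc) from Ki and RAND, the roles A3 and A8 play on the slides."""
    d = hmac.new(ki, rand, hashlib.sha256).digest()
    return d[:4], d[4:12]        # SRES: 32 bits (assumed standard size), Kc: 64 bits

def a5_keystream(kc, frame_number):
    """Return a 114-bit ciphering sequence for one burst (A5 stand-in)."""
    if not 0 <= frame_number < 2**22:
        raise ValueError("frame number is a 22-bit value")
    d = hashlib.sha256(kc + frame_number.to_bytes(3, "big")).digest()
    return int.from_bytes(d, "big") >> (256 - 114)

def cipher_burst(kc, frame_number, burst):
    """XOR a 114-bit burst with the keystream; the same call deciphers."""
    return burst ^ a5_keystream(kc, frame_number)

class AuC:
    """Network side: holds Ki per IMSI and produces (RAND, SRES, Kc)."""
    def __init__(self, subscribers):
        self._ki = dict(subscribers)
    def triplet(self, imsi):
        rand = os.urandom(16)                      # 128-bit challenge
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc

class SIM:
    """Mobile side: Ki never leaves the card, only SRES is returned."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None
    def respond(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres

def authenticate(auc, sim):
    """Return the network's Kc if the SRES values are equal, else None."""
    rand, expected, kc = auc.triplet(sim.imsi)
    return kc if hmac.compare_digest(sim.respond(rand), expected) else None

if __name__ == "__main__":
    imsi, ki = "238010000000001", os.urandom(16)   # constructed sample values
    auc = AuC({imsi: ki})
    sim, other = SIM(imsi, ki), SIM(imsi, os.urandom(16))
    kc = authenticate(auc, sim)
    print("genuine SIM accepted, Kc agrees:", kc == sim.kc)
    print("SIM with a different Ki accepted:", authenticate(auc, other) is not None)
    burst = int.from_bytes(os.urandom(15), "big") >> 6          # 114 bits
    sent = cipher_burst(kc, 1234, burst)
    print("burst recovered:", cipher_burst(sim.kc, 1234, sent) == burst)
```

Only RAND and SRES cross the radio path; Kc is derived independently on both sides from the same RAND, which is why a fresh authentication also yields a fresh ciphering key.
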
Location registration
• The MS has to register with the PLMN to get communication services
• Registration is required for a change of PLMN
• The MS has to report to the current PLMN with its IMSI and receive a new TMSI by executing the Location Registration process.
• The TMSI is stored in the SIM, so that even after power on or off, there is only a normal Location Update.
• If the MS recognizes by reading the LAI broadcast on the BCCH that it is in a new LA, it performs a Location Update to update the HLR records.
• The Location Update procedure could also be performed periodically, independent of the MS movement.
• The difference between Location Registration and Location Update is that in Location Update the MS has already been assigned a TMSI.

Location registration
[Figure, continued over two slides: message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI and Ki. Labels: Loc.Upd.Req (IMSI, LAI); Upd Loc.Area (IMSI, LAI); Aut.Par.Req (IMSI); Auth.Info.Req (IMSI); Auth.Info (IMSI, Kc, RAND, SRES); Aut. Info. (IMSI, Kc, RAND, SRES); Authenticate (RAND); Authentic. Req (RAND); A3 & A8 with Ki and RAND giving SRES and Kc; Auth.Resp. (SRES); Update Location (IMSI, MSRN); Generate TMSI; Ins.Subsc.Data (IMSI); Subs.Dat.Ins.Ack; Start Ciph. (Kc); Ciph.Mod.Com.; Ciph.Mod.; message M sent as Kc(M) using A5 and Kc; Forw. New TMSI (TMSI); Loc.Upd.Accept (IMSI); TMSI Realloc.Cmd.; TMSI Realloc.Ack; TMSI.Ack; annotation "can be combined"]
New TMSI is received by MS (TMSI Reallocation) in ciphering mode.

Location update
[Figure, continued over two slides: message sequence chart among MS, BSS/MSC, VLR, HLR and AUC. The MS holds IMSI, TMSI, Ki, Kc and LAI. Labels: Loc.Upd.Req (TMSI, LAI); Update Loc.Area (TMSI, LAI); Authentication; Update Location (IMSI, MSRN); Generate TMSI; Start ciphering (Kc); Insert Subscriber data (IMSI); Subs. Data Insert Ack; Forward new TMSI (TMSI); Loc. Upd. Accept (IMSI); TMSI Realloc. Cmd.; TMSI Reallocation Complete; TMSI Ack; Auth. Para. Req (IMSI); Auth.Info.Req (IMSI); Auth. Info. (IMSI, Kc, RAND, SRES)]

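What the location registration and location update procedures above expose to a listener on the radio path, as an added example (not part of the original slides). The VLR class, its method names, the 32-bit TMSI width and the sample identifiers are assumptions; authentication and the ciphering-mode exchange are left out and only marked by the ciphered flag.

```python
import secrets

class VLR:
    """Hypothetical VLR model: maps TMSI -> IMSI and logs what crosses the radio path."""
    def __init__(self):
        self.imsi_by_tmsi = {}
        self.lai_by_imsi = {}
        self.air_log = []                  # (message, fields, ciphered?)

    def _new_tmsi(self, imsi):
        tmsi = secrets.token_hex(4)        # 32 bits (assumed TMSI size, not on the slides)
        while tmsi in self.imsi_by_tmsi:
            tmsi = secrets.token_hex(4)
        for old in [t for t, i in self.imsi_by_tmsi.items() if i == imsi]:
            del self.imsi_by_tmsi[old]     # the previous alias stops being valid
        self.imsi_by_tmsi[tmsi] = imsi
        # Ciphering has started by this point, so the new alias is sent protected.
        self.air_log.append(("TMSI Realloc.Cmd.", {"tmsi": tmsi}, True))
        return tmsi

    def location_registration(self, imsi, lai):
        # Bootstrap period: the network does not know the subscriber yet.
        self.air_log.append(("Loc.Upd.Req", {"imsi": imsi, "lai": lai}, False))
        self.lai_by_imsi[imsi] = lai
        return self._new_tmsi(imsi)

    def location_update(self, tmsi, lai):
        self.air_log.append(("Loc.Upd.Req", {"tmsi": tmsi, "lai": lai}, False))
        imsi = self.imsi_by_tmsi[tmsi]     # KeyError: alias unknown to this VLR
        self.lai_by_imsi[imsi] = lai
        return self._new_tmsi(imsi)

def cleartext_identities(vlr):
    """Subscriber identities a passive listener on the radio path can read."""
    return [fields[key] for _, fields, ciphered in vlr.air_log if not ciphered
            for key in ("imsi", "tmsi") if key in fields]

if __name__ == "__main__":
    vlr = VLR()
    tmsi = vlr.location_registration("238010000000001", "LA-1")   # constructed values
    for lai in ("LA-2", "LA-3"):
        tmsi = vlr.location_update(tmsi, lai)
    print(cleartext_identities(vlr))
```

The IMSI shows up in the clear once, at registration; each later update carries an alias that was delivered under ciphering and is replaced straight afterwards, so successive updates do not share a readable identifier.
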
Types of handover (same as “handoff”)
• There are four different types of handover in the GSM system. Handover involves transferring a call between:
– Channels (time slots) in the same cell
– Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC),
– Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC), and
– Cells under the control of different MSCs.

Attributes of radio-link handover
• Hard handover
• MAHO
• Backward
• COS selection scheme: static
– Cross-over switch: anchor switch

Handover (MAHO)
• Handovers are initiated by the BSS/MSC (as a means of traffic load balancing).
• During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength.
• This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm.

Handover procedures in GSM
[Figure: connection route across MSC-A, MSC-B and MSC-C with their BSCs and BTS 1, BTS 2 and BTS 3; positions numbered 1 to 9]

Inter MSC basic handover
[Figure: message sequence chart among MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels: Handover required; Perform Handover; Allocate Handover number; Handover report; Radio chan. Ack; IAM; ACM; HA Indication; HB Indication; HB Confirm; Send End Signal; ANS; End of Call; REL; RLC; End Signal; Handover report]

Subsequent handover from MSC-B to MSC-A
[Figure: message sequence chart among MS/BSS 1, MSC-A, MSC-B, VLR-B and MS/BSS 2. Labels: HA Required; Perform subsequent Handover; Subseq. Handover Acknowledge; HB Indication; HB Confirm; HA Indication; End Signal; Handover report; End of Call; REL; RLC]

Subsequent handover from MSC-B to MSC-C
[Figure, continued over two slides: message sequence chart among MS, MSC-A, MSC-B, VLR-B, MSC-C and VLR-C. Labels: HA Request; Perform subsequent Handover; Perform Handover; Allocate Handover Number; Radio chan. Ack.; Send Handover report; IAM; ACM; HB Indication; Perform subsequent Acknowledge; HA Indication; HB Confirm; Send End Signal; ANS; End Signal; Handoff Report; REL; RLC]

Abbreviations
• ISC: International switching center
• OMC: Operations and maintenance center
• GMSC: Gateway switching center
• MSC: Mobile switching center
• VLR: Visitor location register
• HLR: Home Location register
• EIR: Equipment Identification register
• AUC: Authentication center
• BSC: Base station controller
• BTS: Base transceiver station
• MS: Mobile subscriber
• TMSI: Temporary Mobile Subscriber Identity
• IMSI: International Mobile Subscriber Identity