5. Signaling in Core Network
Based on SS7
• ISUP and specific Application Parts
GSM MAP and ANSI-41 services
• Mobility, call-handling, O&M
• Authentication, supplementary services
• SMS, …
Location registers for mobility management
• HLR: home location register has permanent data
• VLR: visitor location register keeps local copy for roamer
03/22/12 Tinniam V Ganesh 5
7. Wireless definitions
PLMN
A Public Land Mobile Network (PLMN) is established and operated by an administration or
Recognized Private Operating Agency (RPOA)
The PLMN infrastructure is logically divided into
5. Core Network (CN)
6. Access Network (AN)
Access Network (AN)
9. BSS in 2G systems (BTS, BSC)
10. RNS in 3G systems (NodeB, RNC)
The Core Network (CN) is divided into
13. Circuit Switched domain
14. Packet Switched domain
03/22/12 Tinniam V Ganesh 7
10. GSM- Access Network
Mobile Station : The mobile communicates over the air interface with a base
transceiver station (BTS) .
The handset has 2 parts namely the mobile equipment and the subscriber
identity module (SIM)
The SIM contains the user specific information, subscriber authentication
information and some service info.
BTS : The BTS contains the radio transceivers that provide the radio interface to
mobile stations. One or more BTS are connected to the Base Station
Controller.
BSC The BSC provides a number of functions related to
• Radio resource (RR) management
• Mobility management (MM) for subscribers in coverage areas
Together the BTS and BSCs are known as the Base Station System (BSS)
03/22/12 Tinniam V Ganesh 10
11. Mobile Switching Center (MSC)
• Mobile services switching center (MSC) —The MSC performs the telephony switching
functions of the system. It controls calls to and from other telephone and data systems.
•
• The Mobile-services Switching Centre (MSC) constitutes the interface between the radio
system and the fixed networks.
• The MSC performs all necessary functions in order to handle the circuit switched
services to and from the mobile stations.
• The Mobile-services Switching Centre is an exchange which performs all the switching
and signalling functions for mobile stations located in a geographical area designated as
the MSC area.
• Does radio resource management
• Does switching, routing of calls
• Is involved in charging
03/22/12 Tinniam V Ganesh 11
12. Home Location Register (HLR)
• Home location register (HLR) —The HLR is a database used for storage and
management of subscriptions. The HLR is considered the most important database,
HLR stores the following information
• the subscription information
• some location information enabling the charging and routing of calls towards the MSC
where the MS is registered (e.g. the MS Roaming Number, the VLR Number, the MSC
Number, the Local MS Identity)
• the International Mobile Station Identity (IMSI);
• one or more Mobile Station International ISDN number(s) (MSISDN);
The data base contains other information such as
• teleservices and bearer services subscription information
• service restrictions (e.g. roaming limitation)
• a list of all the group IDs a service subscriber is entitled to use to establish voice group
or broadcast calls
• supplementary services; the HLR contains the parameters attached to these services;
03/22/12 Tinniam V Ganesh 12
13. Visitor Location Register (VLR)
• Visitor location register (VLR) —The VLR is a database that contains temporary
information about subscribers that is needed by the MSC in order to service visiting
subscribers.
• The VLR is always integrated with the MSC.
• When a mobile station roams into a new MSC area, the VLR connected to that MSC will
request data about the mobile station from the HLR.
• Later, if the mobile station makes a call, the VLR will have the information needed for
call setup without having to interrogate the HLR each time.
• The VLR stores the following information
- the International Mobile Subscriber Identity (IMSI);
- the Mobile Station International ISDN number (MSISDN);
- the Mobile Station Roaming Number (MSRN),
- the Temporary Mobile Station Identity (TMSI), if applicable;
03/22/12 Tinniam V Ganesh 13
14. Authentication Center (AuC)
• Authentication center (AUC) —A unit called the AUC provides authentication and
encryption parameters that verify the user's identity and ensure the confidentiality of
each call. The AUC protects network operators from different types of fraud found in
today's cellular world.
• The Authentication Centre (AuC) is an entity which stores data for each mobile
subscriber to allow the International Mobile Subscriber Identity (IMSI) to be
authenticated and to allow communication over the radio path between the mobile
station and the network to be ciphered.
• The Authentication Centre (AuC) is associated with an HLR, and stores an identity key
for each mobile subscriber registered with the associated HLR. This key is used to
generate:
– data which are used to authenticate the International Mobile Subscriber Identity
(IMSI);
– a key used to cipher communication over the radio path between the mobile station
and the network
03/22/12 Tinniam V Ganesh 14
15. Equipment Identification Register (EIR)
• Equipment identity register (EIR) —The EIR is a database that contains information
about the identity of mobile equipment that prevents calls from stolen, unauthorized, or
defective mobile stations. The AUC and EIR are implemented as stand-alone nodes or as
a combined AUC/EIR node.
• The Equipment Identity Register (EIR) in the GSM system is the logical entity which is
responsible for storing in the network the International Mobile Equipment Identities
(IMEIs), used in the GSM system.
03/22/12 Tinniam V Ganesh 15
16. Gateway MSC (GMSC)
• If a network delivering a call to the PLMN cannot interrogate the HLR, the call is routed
to an MSC. This MSC will interrogate the appropriate HLR and then route the call to the
MSC where the mobile station is located. The MSC which performs the routing function
to the actual location of the MS is called the Gateway MSC (GMSC).
03/22/12 Tinniam V Ganesh 16
19. General Packet Radio Service (GPRS)
Core Network
• Serving GPRS Support Node (SGSN)
• Gateway GPRS Support Node (GGSN)
03/22/12 Tinniam V Ganesh 19
20. Serving GPRS Support Node (SGSN)
A Serving GPRS Support Node (SGSN) is responsible for
the delivery of data packets from and to the mobile stations within its geographical
service area.
packet routing and transfer,
mobility management (attach/detach and location management),
logical link management, and
authentication
charging functions.
The location register of the SGSN stores location information
current cell, current VLR
user profiles (e.g., IMSI, address(es) used in the packet data network) of all GPRS users
registered with this SGSN.
03/22/12 Tinniam V Ganesh 20
21. Gateway GPRS Support Node (GGSN)
GGSN
• The GGSN is responsible for the interworking between the GPRS network and external
packet switched networks,
• The GGSN ‘hides’ the GPRS infrastructure from the external network.
• The GGSN converts the GPRS packets coming from the SGSN into the appropriate
packet data protocol (PDP) format
03/22/12 Tinniam V Ganesh 21
24. SMS Architecture
SMS-GMSC /
SMS-IWMSC MSC/SGSN MS
SC 1. 3. 5.
< > < > < >
↑ ↑
2. 4.*
<
<
HLR VLR
SC – Service Centre
SMS-IWMSC – SMS Interworking MSC
SMS-GMSC – Gateway MSC for SMS
03/22/12 Tinniam V Ganesh 24
25. SMS Network Elements
• Service Centre (SC): function responsible for the relaying and store‑and‑forwarding of a
short message between an SME and an MS
• Gateway MSC For Short Message Service (SMS‑ GMSC): function of an
MSC capable of receiving a short message from an SC, interrogating an HLR
for routing information and SMS info, and delivering the short message to
the VMSC or the SGSN of the recipient MS
• Interworking MSC For Short Message Service (SMS‑ IWMSC): function of
an MSC capable of receiving a short message from within the PLMN and
submitting it to the recipient SC
03/22/12 Tinniam V Ganesh 25
26. SMS Services
Short Message Mobile Terminated
SM MT denotes the capability of the GSM/UMTS system to transfer a short message
submitted from the SC to one MS, and to provide information about the delivery of the
short message either by a delivery report or a failure report
Short Message Mobile Originated
SM MO denotes the capability of the GSM/UMTS system to transfer a short message
submitted by the MS to one SME via an SC, and to provide information about the delivery of
the short message either by a delivery report or a failure
03/22/12 Tinniam V Ganesh 26
27. 3G Rel 99 Architecture
03/22/12 Tinniam V Ganesh 27
28. 3G Architecture
Access Network
Universal Terrestial Radio Access Network
Radio Network Systems (RNS) or UTRAN
4. Node B
5. Radio Network Controller RNC
Core Network
• MSC Server (UMTS)
• HLR
• VLR
• GMSC
• SMSC
03/22/12 Tinniam V Ganesh 28
33. Access Network
• The network is divided into a number of cells or geographic coverage areas
• Within each cell is a base station which contains the radio transmission and
reception equipments
• The coverage area of the base station depends in factors like transmit power
of station, the height of the base station the topology of the area.
• Specific radio frequencies are allocated within each cell
• The frequencies are reused in other cells that are sufficiently far away to
avoid interference
03/22/12 Tinniam V Ganesh 33
34. Problem due to limited spectrum
Spectrum allocation at 800 Mhz – 25 Mhz
1G AMPS systems – 30 Khz/channel
Capacity = 25 Mhz/30Khz = 833 channels
Hence 833 simultaneous users (hardly enough)
03/22/12 Tinniam V Ganesh 34
35. Frequency re-use
Assume 832 channels available
Divide into 4 sets = 832/4 = 208 channels per cell
For N cells in the system total capacity = 208N (instead of 832)
03/22/12 Tinniam V Ganesh 35
37. Cell boundaries
• Want to cover area without gaps or overlaps:
squares, triangles, hexagons
• Want to have signal strength as large as possible for all points within the cell
• hexagon is closest to a circle
• This is an idealized representation, in the real world, cell boundaries are ill-defined.
03/22/12 Tinniam V Ganesh 37
38. Limitations of Frequency reuse
This is limited by
S/I
S – Signal strength in db
I – Co channel interference in db
03/22/12 Tinniam V Ganesh 38
39. Methods of increasing capacity
Cells are split to add channels
03/22/12 Tinniam V Ganesh 39
43. Bluetooth
• Bluetooth is the name given to a new technology using short-range radio links,
intended to replace the cable(s) connecting portable and/or fixed electronic devices. It is
envisaged that it will allow for the replacement of the many propriety cables that
connect one device to another with one universal radio link. Its key features are
robustness, low complexity, low power and low cost. Designed to operate in noisy
frequency environments, the Bluetooth radio uses a fast acknowledgement and
frequency hopping scheme to make the link robust. Bluetooth radio modules operate in
the unlicensed ISM band at 2.4GHz, and avoid interference from other signals by
hopping to a new frequency after transmitting or receiving a packet. Compared with
other systems in the same frequency band, the Bluetooth radio hops faster and uses
shorter packets.
03/22/12 Tinniam V Ganesh 43
45. Bluetooth stack
• The Radio layer defines the requirements for a Bluetooth transceiver operating in the
2.4 GHz ISM band.
• The Baseband layer describes the specification of the Bluetooth Link Controller (LC)
which carries out the baseband protocols and other low-level link routines.
• The Link Manager Protocol (LMP) is used by the Link Managers (on either side) for
link set-up and control.
• The Host Controller Interface (HCI) provides a command interface to the Baseband
Link Controller and Link Manager, and access to hardware status and control registers.
• Logical Link Control and Adaptation Protocol (L2CAP) supports higher level protocol
multiplexing, packet segmentation and reassembly, and the conveying of quality of
service information.
• The RFCOMM protocol provides emulation of serial ports over the L2CAP protocol.
The protocol is based on the ETSI standard TS 07.10.
• The Service Discovery Protocol (SDP) provides a means for applications to discover
which services are provided by or available through a Bluetooth device. It also allows
applications to determine the characteristics of those available services.
03/22/12 Tinniam V Ganesh 45
50. Why WiFi ?
1. Setup Cost – Reduced cabling required
2. Flexibility – Quick and easy to setup in temporary or permanent space
3. Scalable – Can be expanded with growth
4. Freedom – You can work from any location that you can get a signal
5. Lower total cost of ownership – Because of affordability and low install cost
6. Mobile Users – Can access the Corporate network from any public hotspot using VPN
03/22/12 Tinniam V Ganesh 50
51. 802.11b
• Been around the longest, well-supported, stable, and cost effective, but runs
in the 2.4 GHz range that makes it prone to interference from other devices
(microwave ovens, cordless phones, etc) and also has security disadvantages
• Has 11 channels, with 3 non-overlapping, and supports
• rates from 1 to 11 Mbps, but realistically about 4-5 Mbps
• Uses direct-sequence spread-spectrum technology
03/22/12 Tinniam V Ganesh 51
52. 802.11g
• Extension of 802.11b, with the same disadvantages (security and
interference)
• Has a shorter range than 802.11b
• Is backwards compatible with 802.11b so it allows or a smooth transition
from 11b to 11g
• Flexible because multiple channels can be combined for faster throughput,
but limited to one access point
• Runs at 54 Mbps, but realistically about 20-25 Mbps and about 14 Mbps
when b associated
• Uses frequency division multiplexing technology
03/22/12 Tinniam V Ganesh 52
53. 802.11a
Completely different from 11b and 11g.
3. Flexible because multiple channels can be combined for faster throughput and more
access points can be collocated
4. Shorter range than 11b and 11g
5. Runs in the 5 GHz range, so less interference from other devices
6. Has 12 channels, 8 non-overlapping, and supports rates from 6 to 54 Mbps, but
realistically about 27 Mbps max
7. Uses frequency division multiplexing technology
03/22/12 Tinniam V Ganesh 53
54. Security in WiFi
Data Security/Encryption
• Third Party solution - Fortress
• Wi-Fi Protected Access (WPA)
• Wired Equivalent Privacy (WEP)-Shared key
Access
WPA/WEP
MAC Authentication – MAC address control
Attack – Denial of Service
• Client Protection
• Antivirus/Firewall
03/22/12 Tinniam V Ganesh 54
57. Quiz 3
1. The Core Network (CN) consists of CS domain and PS domain
a. True b. False
2. The Access Network in 2G does not include
a. BSC b. BTS c. MSC d. RNC
3. The 2G CS domain does not include
a. MSC b. HLR c. AuC d. SGSN
4.Which is not true of the HLR
a. It is a Database b. It stores IMSI, features and services c. It is involved routing of
calls from PSTN d. Does switching and routing
5. Which is not true of EIR
a. Stores IMEI b. Used to determine if equipment is stolen c. Is a database
d. Does radio resource management
6. A GMSC
a. Will query HLR for call from PSTN b. Does switching and routing c. Connected to
PSTN d. All of the above
7. Which is true SGSN
a. Does packet routing & transfer b. Does mobility management c. Does charging d. all
of the above
03/22/12 Tinniam V Ganesh 57
58. Quiz 3
1. Which is not true of the speeds
a. GSM – 64 Kbps b. GPRS – 115 kbps c. EDGE - 384 Kbps d. 3 G – 2 Mbps
2. A SC in a SMS network is used for storing and forwarding SMS messages
a. True b. False
3. The Access Network of a 3G Architecture consists of
a. MSC, HLR, VLR b. RNC, Node B c. SGSN, GGSN d. AUC, EIR
4. Assume spectrum is 30 Mhz and channel bandwidth is 30 Khz then number of users is
a. 833 b. 1000 c. 500 d. Cannot say
5. Which is not true of Bluetooth
a. Uses 2.4 GHz b. Uses TDMA with TDD c. Range 1 Km d. Gross Data rate
of 1 km.
6. L2CAP is not used for
a. QoS b. Segmentation c.Reassembly d. Link serup and tear
down
7. Security in WiFi networks uses
a. WPA b. WEP c. MAC Authentication d. All of the above
9. MSCs use packet switching technology
a. True b. False
03/22/12 Tinniam V Ganesh 58
59. Call flows and Advanced wireless concepts
03/22/12 Tinniam V Ganesh 59
60. Agenda – Session 4
Call flows and Advanced wireless concepts
• GSM Air interface
• GSM air interface channels
• Location Updating Sequence Flows
• Mobile origination to PSTN
• PSTN origination to Mobile
• GPRS call flow
• SMS call Flow
• Recap
• Inter BSC Handoff scenario
• UMTS
• Softswitch
• IMS Architecture
• 3.5 G
• Mobile data explosion
• The evolution of LTE
• Recap
• Quiz 4
03/22/12 Tinniam V Ganesh 60
62. Air Interface Access techniques
Radio spectrum is a finite resource
The radio access method is either Frequency division duplex (FDD) or Time Division Duplex
(TDD). The protocol method is TDMA, FDMA or CDMA
Frequency Division Duplex (FDD) : Two separate radio channels are used for
communicating to the base station
• One radio channel for , f1, for downlink
• One radio channel, f2, for uplink
f1 - downlink
FDD
f2 - uplink
03/22/12 Tinniam V Ganesh 62
63. TDD
• Time Division Duplex (TDD)
• One radio channel for communicating to base station. Duplexing is done on
time
03/22/12 Tinniam V Ganesh 63
64. Mobile radio propagation effects
• Signal strength
– Must be strong enough between base station and mobile unit to maintain
signal quality at the receiver
– Must not be so strong as to create too much co-channel interference with
channels in another cell using the same frequency band
• Fading
– Signal propagation effects may disrupt the signal and cause errors
03/22/12 Tinniam V Ganesh 64
65. GSM Architecture
The interface between the BTS and BSC is known as the A-bis interface
MSC One or more BSCs are connected to MSC. The MSC is a switch the node that controls
call setup, call routing and many of the functions provided by the standard
telecommunication switch
VLR is a database that contains subscriber related information for the duration that a
subscriber is in the coverage area of an MSC. The MSC and VLR are in the same
platform,
The interface between the BSC and MSC is known as A-interface
This is a SS7 based interface using the SCCP. Above this is the BSS Application Part
(BSSAP) which is the protocol for communicating between the BSC and the MSC.
Since the MSC communicated with the BSC and the MS the BSSAP is divided into two parts
the BSSMAP (BSS Management Application Part) and the Direct Transfer Application
Part (DTAP)
BSSMAP are messages to BSS
DTAP messages are passed transparently thro the BSS to the NS`
03/22/12 Tinniam V Ganesh 65
67. GSM Architecture
HLR The Home Location register contains subscriber data such has the details
the subscriber has subscribed to . Associated with the HLR ios the
authentication center (AuC). This is the network element that contains the
subscriber specific authentication data such as the secret key
For a given subscriber using a random number generated by the AuC and
passed to the SIM via the HLR., MSC and ME.
The SIM performs the calculation using the Ki and the authentication algorithm.
If the result os the calculation by the SIM matches that in AuC then the
subscriner has been authenticated
03/22/12 Tinniam V Ganesh 67
68. GMSC
When a call from a PSTN it arrives at a type of MSC known as the GMSC.
The GMSC queries the HLR to determine the location of the subscriber
The response from the HLR indicates to the GMSC when the subscriber may be
found
The call is forwarded by the GMSC to the MSC serving the subscriber
03/22/12 Tinniam V Ganesh 68
69. The GSM Air interface
GSM uses TDMA with Frequency Division duples (FDD)
GSM has been deployed in 900 Mhz, 1800 Mhz, 1900 Mhz
In GSM a given band is divided into 200 Khz carries or RF channels in both uplink and
downlink directions
For eg. In standard 900 Mhz band the first uplink is 890.2 Mhz and the last uplink is 914.8
allowing a total of 124 carriers
914.8 Mhz – 890.2 Mhz = 24.6 Mhz/200 Khz = 123+ 1 carriers or channels
Each RF carrier is divided into 8 time slots .
The 8 time slots are used to carry user traffic and also control traffic
03/22/12 Tinniam V Ganesh 69
70. Types of Air Interface channels
There are 3 types of channels
2. Broadcast channels
3. Control channels
4. Traffic channels
Broadcast Channels
Frequency correction channel (FCCH) used for frequency correction of the MS
Synchronization channel (SCH) – Broadcast by BTS and is used for mobile station for frame
synchronization
Broadcast Control Channel (BCCH) – Broadcast general information
Common Control Channel (CCCH)
Paging channel – used for paging of the mobiles
Random Access Channel (RACH) – Only used in uplink. It is used to allocate to MS a Stand
alone dedicated Control Channel (SDCCH) or directly to a Traffic Channel (TCH)
Access Grant Channel (AGCH) – used in the downlink in responswe to a access request
received on the RACH
03/22/12 Tinniam V Ganesh 70
71. Air interface channels
• Notification Channel – used to notify MS
• Standalone dedicated control channel (SDCCH) – Used towards MS when it is
not used for TCH. Used for SMS. Call establishment signaling prior to
allocation of TCH
• Slow Associated Control Channel (SACCH) – Power Control messages from
BTS to MS are sent on this channel. In the uplink the MS sends
measurement reports to the BTS
• Fast Associated Control Channel (FACCH) – Used to transmit non voice
information to and from the MS
03/22/12 Tinniam V Ganesh 71
72. Air interface channel structure
Certain time slots in a given RF carrier are allocated to control channel whereas
the remaining are for traffic channels. For eg. Time slot 0 us for BCCH
/CCCH . It may also carry 4 SDCCH
BCCH/CCCH/
TCH TCH TCH TCH TCH TCH TCH
SDCCH
03/22/12 Tinniam V Ganesh 72
73. How does the cellular network know the
mobile’s position?
The cell phone keeps the cellular operator informed about your location.
03/22/12 Tinniam V Ganesh 73
74. Location Area
Location Area (LA)
• A GSM network is divided into cells. A group of cells is considered a location
area. A mobile phone in motion keeps the network informed about changes
in the location area. If the mobile moves from a cell in one location area to a
cell in another location area, the mobile phone should perform a location
area update to inform the network about the exact location of the mobile
phone.
Home Location Register (HLR)
• The HLR maintains a database for the mobile subscribers. At any point of
time, the HLR knows the address of the MSC VLR that control the current
location area of the mobile. The HLR is informed about a location area
update only if the location area change has resulted in a change of the MSC
VLR.
Mobile Switching Center - Visitor Location Register (MSC VLR)
• The MSC VLR is responsible to switching voice calls and it also keeps track of
the exact location area where the mobile user is present. Note that a typical
MSC VLR will service several location areas.
03/22/12 Tinniam V Ganesh 74
75. Location Update
1. When the MS is switched on it must camp on a suitable cell. This involves scanning
the air interface to select a cell with a suitably strong signal and decoding the
informationbroadcast by the BTS on the BCCH
2. The MS makes a channel request on the RACH with a cause as Location Updating
3. The BSS allocates an SDCCH for the MS to use. It instructs the MS to move to the
SDCCH by sending an immediate assignment message on the AGCH
4. The MS then moves the SDCCH and send the location updating message. This
contains the location area identity and the mobile identity. The mobile identity is
either the International Mobile Subscriber Identity (IMSI) or the Temporary Mobile
Subscriber Identity (TMSI).
5. This is sent through the BSS to the NSC
6. On receipt of the IMSI the NSC.VLR attempt to authenticate the subscriber.
7. If the MSC does not have authentication information then it request the HLR using
the MAP operation Send Authetication Info.
8. The HLR AuC sends the MAP Return Result with up to five authentication vectors
03/22/12 Tinniam V Ganesh 75
76. Location Update
Known as triplets. Each triplet contains a random number (RAND) and a signed response
(SRES)
2. The MSC sends an Authentication request to the MS. This contains the RAND.
3. The MS performs the same calculations as were performed by the HLR/AuC and
send the Authentication response containing the SRES parameter.
4. The MSC/VLR check rto make sure that the SRES from the MS matches the SRES
from HLR/AuC
5. If a match is made then the MS is authenticated
6. At this point the MSC/VLR use te MAP Operation Update Location to inform the HLR
of the subscriber location.
7. The HLR immediately sends a Cancel Location message to the VLR to remove anty
previous location
8. VLR deletes any previous data
9. HLR uses a MAP operation to Insert Subscriber data to VLR
10. VLR acknowledges receipt of information
11. HLR sends a return result of the MAP Update Location
03/22/12 Tinniam V Ganesh 76
77. Location Update
1. On receipt of the return result the MSC sends a DTAP message Location
Updating Accept to the MS
03/22/12 Tinniam V Ganesh 77
80. Mobile Originated Call to PSTN
Request Access
• The MS sends a Channel Request (CHAN_REQ) message on the RACH.
The BSS responds with a radio resource assignment (IMM_ASS_CMD) on the AGCH.
The MS sends a Service Request (CM_SERV_REQ) message to the BSS on the SDCCH.
Authentication
• Before the network will provide any services to the MS, the network will require the MS
to authenticate itself. The BSS sends an Authentication Request (AUTH_REQ) message
to the MS. The RAND serves as the "challenge" for authentication.
• The MS calculates the proper SRES based on the RAND that was given and sends the
SRES to the BSS in an Authentication Response (AUTH_RESP) message.
• The BSS verifies the SRES. If the SRES is correct then the MS is authenticated and
allowed access to the network. The BSS will send a Service Accept (CM_SERV_ACC)
message letting the MS know that the service request was received and processed.
• Once authenticated, the BSS orders the MS to switch to cipher mode with the
CIPH_MOD_CMD message.
03/22/12 Tinniam V Ganesh 80
81. Mobile Originated Call to PSTN
Initial Call Setup
• The MS will immediately switch to cipher mode and send a Cipher Mode Complete
(CIPH_MOD_COM) message.
• The MS then sends a Call Setup (SETUP) message to the BSS. The message includes the
address information (MSISDN) of the called party.
• The BSS assigns a TCH to the MS by sending an Assignment Command (ASS_CMD)
message. This message includes which Transceiver (TRX) and which Time Slot (TS) to
use.
• The BSS does not actually assign a TCH to the MS until the MSC sends a Call
Proceeding (CALL_PROC) message to the BSS indicating that the IAM has been sent.
• The MS immediately switches to the assigned TCH. The MS sends an Assignment
Complete (ASS_COM) message back to the BTS on the FACCH.
03/22/12 Tinniam V Ganesh 81
82. Mobile Originated Call to PSTN
Call Setup
• The MSC sends an Initial Address Message (IAM) to the GMSC. The IAM contains the
MSISDN of the called party as the MS dialed it.
• The MSC will also send a Call Proceeding (CALL_PROC) message down to the BSS and
this is when the BSS would assign a TCH to the MS, as described in step 10 above.
• Based on the dialed number, the GMSC decides where to route the IAM within the
PSTN.
• The PSTN will continue to route the IAM until it reaches the correct Switching Center
and the call routing is complete. The PSTN will then establish the call circuit and send
an Address Complete Message (ACM) back to the GMSC.
• The GMSC then forwards the ACM back to the responsible MSC indicating that the call
circuit has been established
03/22/12 Tinniam V Ganesh 82
83. Mobile Originated Call to PSTN
Call Establishment
• Once the MSC receives the ACM, it sends an ALERT message to the MS
indicating that the call is going through. The BSS sends the ALERT message
on the FACCH. Once the MS receives the ALERT, it will generate the ringing
sound in the earpiece. The BSS sends an alerting message the subscriber will
hear the line ringing.
• Once the called party answers the phone, the PSTN will send an Answer
message to the MSC. The MSC forwards this to the MS in a Connection
(CON) message.
• Once the MS receives the CON message, it switches over to voice and begins
the call. All voice traffic occurs on the assigned TCH.
03/22/12 Tinniam V Ganesh 83
84. Mobile Originated Call to PSTN
Call Termination
• When either the caller or the called party hangs up, the call will be disconnected. Either
party can initiate the disconnect. In this example, the MS initiates the disconnect. The
MS sends a Disconnect (DISC) message to the BTS on the FACCH.
• The BSS forwards the DISC to the MSC. Once the MSC receives the DISC message, it
sends a Release (REL) message through the GMSC to the PSTN as well as down through
the BSS to the MS.
• The MS responds by sending a Release Complete (REL_COM) message to the BSS on the
FACCH. The BSS forwards the REL_COM message up to the MSC. Once the MSC
receives the REL_COM message the call is considered ended from the call control
perspective.
• Although the call has ended, the BSS still has a TCH allocated to the MS. The MSC
sends a Channel Release (CHAN_REL) message to the BSS. The BSS forwards the
CHAN_REL message to the MS.
• The MS responds with a DISC (LAPDm) message and returns to an idle mode. The BSS
reallocates the channel for other call or releases the TRX.
03/22/12 Tinniam V Ganesh 84
85. Mobile Originated Call to PSTN
PSTN
BSS MSC/VLR
CM Service Request
Service request MO call Complete Layer 3
Authentication Request
Authentication Response
Cipher Mode Command
Ciphering Mode Command
Ciphering Mode Complete
Cipher Mode Complete
Setup
Call Proceeding
Assignment Request
Assignment Command
Assignment Complete
Assignment Complete
03/22/12 Tinniam V Ganesh 85
86. Mobile Originated Call to PSTN
PSTN
BSS MSC/VLR
IAM
ACM
Alerting
ANM
ANM
Connect Acknowledge
03/22/12 Tinniam V Ganesh 86
87. PSTN to Mobile call flow
Mobile Terminated Call
• Route Establishment to find the MSC/VLR
• The calling party dials the MSISDN for the mobile subscriber. The PSTN identifies the
network (PLMN) that the dialed MSISDN belongs to and will locate a GMSC for that
network. The PSTN sends an Initial Address message to the GMSC.
• The GMSC forwards the MSISDN to the HLR and requests routing information for it.
The HLR looks up the MSISDN and determines the IMSI and the SS7 address for the
MSC/VLR that is servicing the MS.
• The HLR then contacts the servicing MSC/VLR and asks it to assign a Mobile Station
Routing Number (MSRN) to the call.
• The MSC/VLR allocates the MSRN and forwards it to the HLR.
Note: It is important to remember that the MSC/VLR assigns a MSRN to the call not to
the MS itself.
• The HLR forwards the MSRN as well as routing information for the servicing MSC/VLR
to the GMSC.
• The GMSC sends an Initial Addressing message to the servicing MSC/VLR and uses the
MSRN to route the call to the MSC/VLR. Once the servicing MSC/VLR receives the call,
the MSRN can be released and may be made available for reassignment.
03/22/12 Tinniam V Ganesh 87
88. PSTN to Mobile call flow
Paging the Mobile Station
• The MSC/VLR then orders all of its BSCs and BTSs to page the MS. Since the
MSC/VLR does not know exactly which BSC and BTS the MS is monitoring, the page
will be sent out across the entire Location Area.
Initial Setup
• The MS receives the Page Request (PAG_REQ) on the PCH. The MS recognizes that the
page is intended for it, based on a TMSI or an IMSI.
• The MS sends a Channel Request (CHAN_REQ) message on the RACH.
• The BSS responds on the AGCH by sending an Immediate Assignment (IMM ASS)
message which assigns an SDCCH to the MS. At this point, the network does not know
that the MS is the one that it is paging, it only knows that this MS wants access to the
network
• The MS immediately switches to the assigned SDCCH and sends a Paging
Response (PAG_RES) message on the SDCCH. This lets the network know that the MS
is responding to its page.
03/22/12 Tinniam V Ganesh 88
89. PSTN to Mobile call flow
Authentication
• Before the network will provide any services to the MS, the network will
require the MS to authenticate itself. The BSS sends an Authentication
Request (AUTH_REQ) message to the MS. The RAND serves as the "challenge"
for authentication.
• The MS calculates the proper SRES based on the RAND that was given and
sends the SRES to the BSS in anAuthentication Response (AUTH_RESP)
message.
• The BSS verifies the SRES. If the SRES is correct then the MS is
authenticated and allowed access to the network.
• Once the MSC/VLR has authenticated the MS, it will order the BSS and MS
to switch to cipher mode using the CIPH_MOD_CMD message. Once the MS
in encryption mode, the VLR will normally assign a new TMSI to the MS.
03/22/12 Tinniam V Ganesh 89
90. PSTN to Mobile call flow
Establishing a Channel
• Once the MS is authenticated and in encryption mode, The MSC sends a Setup Message
to the BSS, the BSS forwards the SETUP message to the MS on the assigned
SDCCH.the assigned SDCCH. The SETUP message may include the Calling Line
Identification Presentation (CLIP), which is essentially caller ID.
• The MS responds by sending a Call Confirmed (CALL_CON) message; which indicates
that the MS is able to establish the requested connection. The BSS relays the message
up to the MSC.
Call Setup
• The BSS then sends an Assignment Command (ASS_CMD) message to the MS on the
assigned SDCCH. The ASS_CMD message assigns a Traffic Channel (TCH) to the MS.
• The MS immediately switches to the TCH and responds with an Assignment
Complete (ASS_COM) message on the FACCH. The MS begins ringing once it has
established the TCH.
Remember that all signaling that occurs on the traffic channel actually occurs on a
FACCH, which is a time slot that is stolen from the TCH and used for signaling.
The MS sends an ALERT message to the MSC on the FACCH. The BSS forwards the
ALERT message through the PSTN to the calling party and the caller hears the line
ringing.
03/22/12 Tinniam V Ganesh 90
91. PSTN to Mobile call flow
Call Establishment
• Once the user answers the call (by pressing the send button), the MS will send
a Connect CON message to the MSC. The Connect message is forwarded back to the
caller's switch to activate the call.
• The MSC sends a Connect Acknowledge CON_ACK message to the MS and the call is
established.
•
Call Disconnect
• Disconnect happens the same way as for any other call. In this example, the calling
party initiates the disconnect.
• When the calling party hangs up, the calling party's switch initiates a Release (REL)
message. The message is forwarded to the serving MSC, which is then forwarded to the
BSS.
• The BSS will send a Disconnect (DISC) message to the MS on the FACCH.
03/22/12 Tinniam V Ganesh 91
92. PSTN to Mobile call flow
• The MS confirms release of the call by sending a Release (REL) message on the FACCH,
which is forwarded to the MSC.
• The MSC sends e Release Complete (REL_COM) message through the BSS to the MS. As
far as call control (CC) is concerned, the connection has been terminated.
• The MS still has a TCH assigned to it, so the BSS sends a Channel Release (CHAN_REL)
message to the MS. This releases the radio resource on the Air Interface.
• The MS responds be sending a final Disconnect message and returns to idle.
03/22/12 Tinniam V Ganesh 92
93. PSTN to Mobile call flow
BSS MSC/VLR HLR GMSC PSTN
IAM
Send Routing Info (SRI)
Provide Routing Number (PRN)
IAM (MSRN)
Paging
Paging Request
Channel Request
Immediate Assignment
Paging Response
Paging Response
Cipher mode command
Ciphering mode command
Ciphering mode response
03/22/12 Tinniam V Ganesh 93
96. SMS-MO
1. The mobile station transfers the short message to the MSC.
2. The MSC queries the VLR to verify that the message transfer does not
violate the supplementary services invoked or the restrictions imposed on the
subscriber.
3. The MSC sends the short message to the SMSC using
the forwardShortMessage operation.
4. The SMSC delivers the short message to the SMC.
5. The SMSC acknowledges the successful outcome of
the forwardShortMessage operation to the MSC.
6. The MSC returns the outcome of the short message operation to the
mobile station.
03/22/12 Tinniam V Ganesh 96
97. SMS-MO
SGSN
SMS-IWMSC
SC MSC MS
x
VLR
03/22/12 Tinniam V Ganesh 97
99. SMS-MT
1.The Short message is transferred from SC to SMS-GMSC
2.SMS-GMSC queries the HLR(SRI) and receives the routing information for the mobile
subscriber (SRI-ACK).
3. The SMS-GMSC sends the short message to the MSC using the forwardShortMessage
operation(FSM).
4. The MSC retrieves the subscriber information from the VLR. This operation may include
an authentication procedure.
5. The MSC transfers the short message to the mobile station.`
6. The MSC returns the outcome of the forwardShortMessage operation to the SMS-
GMSC(FSM-ACK).
7. If requested by the SMC, the SMSC returns a status report indicating delivery of the
short message.
03/22/12 Tinniam V Ganesh 99
100. SMS-MT
SGSN
SMSC-GMSC MS
SC MSC
x
HLR VLR
03/22/12 Tinniam V Ganesh 100
102. Handover
A handover (aka handoff) is the process by which a call in progress is transferred from one
radio channel in the same cell or different cell.
A handover can occur
Within a cell
Between cells of the same BTS
Between cells of diffferent BTS of same BSC
Between cells of different BSC
Between cells of different MSCs
03/22/12 Tinniam V Ganesh 102
103. Inter BSC handover
Inter BSC handover
• The BSC must involve the MSC
• One the serving BSC determines that a handover should take place it sends a message
handover required too the NSC
• The message contains information about the desired target cell and the the current cell
• The MSC analyzes the information and identifies the target BSC associated with the
target cell
• It then sends a Handover Request to rthe target BSC
03/22/12 Tinniam V Ganesh 103
106. Handoff/handover
• Handoff (also known as handover) is the ability of the subscriber to maintain
a call while moving within a network
• Handoff is used in AMPS, IS-136 and IS-95. In GSM it is called handover
• Handover means that subscriber is transitioned from one radio channel and/
or time slot) to another.
• Depending on the two cells in question the handover can be between two
sectors on the same station between two BSCs between 2 MSCs or even
between networks
Base station A
Base station B
Base station A
Base station B
03/22/12 Tinniam V Ganesh 106
107. GPRS call flow
Attach
• The terminal initiates a attach process
• The SGSN authenticates the GPRS mobile by sending a RAND value (a random
value).
• The SIM applies secret GSM algorithms on the RAND and the secret key Ki to obtain
the session key Kc and SRES.
• The computed SRES value is passed to the SGSN.
• SGSN authenticates the response
• SGSN accepts the attach request
Activate PDP context
9. The terminal does a PDP Activate PDP context
10. SGSN does a DNS Query to the DNS server to find the address of the GGSN (Global
GPRS Support Node)
11. The DNS server sends the IP Address of the GGSN
12. The SGSN sends a Create PDP Activate context to the GGSN
13. The GGSN does a RADIUS authenticate to RADIUS server
14. The RADIUS does a authenticate response
03/22/12 Tinniam V Ganesh 107
108. GPRS call flow
1. GGSN request for dynamic IP address
2. The DHCP sends back a IP address
3. The GGSN sends a Create PDP Context Response
4. SGSN sends a PDP Context Accept
03/22/12 Tinniam V Ganesh 108
109. GPRS call flow
Radius DHCP
SGSN DNS Server GGSN
server server
Attach request
Authenticate request
(RAND)
Authenticate response
(SRES)
Attach accept
Attach complete
Activate PDP Context
APN DNS Query (APN)
DNS Response (GGSN IP)
Create PDP Context
RADIUS Authenticate Request
RADIUS Authenticate Response
DHCP Address request
DHCP Address response
Create PDP Context
Response
Activate PDP Context Accept
03/22/12 Tinniam V Ganesh 109
111. Universal Mobile Telecommunication Service (UMTS)
UMTS represents an evolution of GSM to support 3G capabilities
The air interface is known as UTRAN
UMTS uses Wideband CDMA (WCDMA)
The air interface consists of
5. Node B
6. RNC
Core Network
8. MSC Server
9. Media Gateway
10. HLR
11. VLR
12. GMSC
03/22/12 Tinniam V Ganesh 111
111
112. UTRAN
UMTS Terrestrial Radio Access Network (UTRAN)
The UTRAN consists of the Radio Network Controller (RNC) and Node B which is the base
station
The RNC is analogous to the GSM BSC
The Base station is equivalent to the Node B
03/22/12 Tinniam V Ganesh 112
113. Wireless Network (Release 4)
PSTN Gi Gp
PSTN PSTN
CS- Mc
GMSC GGSN
MGW server
C
Gc
Nc HLR AuC
PSTN
H Gn
Nb
Gr
D EIR
MSC Server –Mobile Switching Center Server
G F Gf
VLR VLR CS-MGW – Core System Media Gateway
E B Gs
B SGSN GMSC Server– Gateway Mobile Switching Center
MSC server Nc
MSC server Server
Mc
Mc
GGSN – Gateway GPRS Support Node
CN
SGSN – Serving GPRS Support Node
CS-MGW CS-MGW
Nb VLR – Visitor Location Register
A
Gb HLR – Home Location Register
IuCS IuPS
EIR – Equipment Identification Register
BSS RNS
Iur AuC – Authentication Center
BSC RNC RNC BSC – Base Station Controller
Abis Iub BTS – Base Transceiver System
BTS BTS Node B Node B RNC – Radio Network Controller
cell
RNC – Radio Network Controller
Um Uu PSTN – Public Switched Telephone Network
ME
SIM-ME i/f or Cu
SIM USIM
MS
113
03/22/12 Tinniam V Ganesh 113
116. Softswitch
• Softswitch denotes a component in a new architecture designed for migrating
from a voice centric world to a data centric world.
• Separates signaling from the bearer traffic allowing for greater flexibility and
efficiency
• Represents a move from the monolithic traditional circuit switches to a more
distributed, open architecture and provides for greater degree of flexibility
03/22/12 Tinniam V Ganesh 116
117. Softswitch vs Legacy Switch
Signaling Signaling
& SS7 & SS7
Control Control
Application
Servers
Packet
Time
T Line Slot Line T
D Interfaces Inter- Interfaces D
TDM TDM
M
change
M
or Media Media or
IP Gateway Gateway IP
– Monolithic – Disaggregated
(Control + Bearer Integrated) (Control separated from Bearer)
– Proprietary Interfaces – Open Interfaces
– Inefficient Resource Utilization – Most Efficient Resource Utilization
– Limited Scalability – High Scalability
– Higher Operating Costs – Lower Capital / Operating Costs
– Long Feature Development Intervals – Rapid Feature Development / 3rd Party
03/22/12 Tinniam V Ganesh 117
118. IMS Architecture
IMS is a framework of network nodes that use SIP signaling and an all IP core.
Access agnostic. The network can be accessed by Fixed lines, mobiles, PDA etc
Promises rich services like voice, data, video conferencing, real time gaming etc
Uses the GPRS network
Uses DIAMETER for AAA and database access
Allows for Fixed Mobile Convergence
03/22/12 Tinniam V Ganesh 118
120. Market conditions
Mobile data is growing at an
exponential speed
Mobile data in US & Europe expected to
grow at a CAGR of 55% & 42%
respectively
Mobile data revenues expected to grow
at a rate of 18%
Mobile broadband connections will
reach 1 billion by 2012 segmented
between 3G & 4G technologies
Highlights
• Annual IP traffic will exceed ½ a
zettabyte in 4 years by 2012 (10 21)
• Internet video (Youtube, DVD sharing
,IPTV) account for 30% of IP traffic
• Video communication and dynamic
video will increase the burden on the
network
• Global IP traffic will double every two
years to 2010 and beyond
03/22/12 Tinniam V Ganesh 120
121. The explosion of mobile data
In the last 2 years
• 1 billion new mobile subscriptions added
• 2 billion wireless devices sold
Device range from Mobile phones, Smartphones, Netbooks, PDAs, Wireless dongles and
Tablets
• Currently there are 3.5 billion subscribers worldwide
• 3G accounts for 350 million with 30 million added every quarter
• LTE forecast to reach 32.6 million by 2013
03/22/12 Tinniam V Ganesh 121
122. The rise and rise of data
03/22/12 Tinniam V Ganesh 122
124. 3.5 G
High Speed Downlink Packet Data Access (HSDPA)
Enhanced modulation scheme over WCDMA with throughput of 14.4 Mbps
Uses 16 QAM in addition QPSK
High Speed Uplink Packet Data Access (HSUPA)
Enables uplink of 1.4 Mbps upto 5.76 Mbps
WCDMA HSDPA HSUPA
GSM GPRS
Rel 99 Rel 5 Rel 6
EDGE
03/22/12 Tinniam V Ganesh 124
125. Elements of the LTE System
LTE encompasses the evolution of
• Radio access through E-UTRAN (eNodeB)
• Non-radio aspects under the term System Architecture Evolution (SAE)
Entire system composed of LTE & SAE is called Evolved Packet System (EPS)
At a high level a LTE network is composed of
• Access network comprised of E-UTRAN
• Core Network called Evolved Packet Core (EPC)
03/22/12 Tinniam V Ganesh 125
126. LTE Network Elements
UE – User Equipment used to connect to the EPS (Evolved Packet System). This is an
LTE capable UE
The LTE network is comprised of a) Access Network b) Core Network
Access network
ENB (eNodeB) – The evolved RAN consists of single node, the eNodeB that interfaces
with UE. The eNodeB hosts the PHY,MAC, RLC & RRC layers. It handles radio
resource management & scheduling.
Core Network (Evolved Packet Core-EPC)
MME (Mobility Management Entity) – Performs paging, chooses the SGW during
UE attach
S-GW (Serving Gateway) – routes & and forwards user data packets
P-GW (Packet Gateway) – provides connectivity between the UE and the external
packet networks.
03/22/12 Tinniam V Ganesh 126
128. LTE Technologies
LTE uses OFDM (Orthogonal Frequency Division Multiplexing) for lower latency and
better spectral efficiency
Uses MIMO (Mulitple In Multiple Out) LTE uses several transmit & receive paths
reducing interference with increase in spectral efficiency and throughput.
Flatter architecture – Fewer Network elements in the LTE Evolved Packet Core(EPC).
This results in lower latency because of lesser number of hops as compared to 3G.
Absence of RNC like Network Element(NE).
03/22/12 Tinniam V Ganesh 128
133. Quiz 4
1. A call from a PSTN to wireless network comes first to the
a. MSC b. GMSC c. HLR d. VLR
2. The GMSC determines where to route the call by
a. Checking its VLR b. Querying the HLR c. It knows where the mobile is d. none
of the above
4. GSM has been deployed in
a. 800 Mhz b. 1800 Mhz c. 1900 Mhz d. 2.4 Ghz
5. Which is not an Air Interface channel
a. Broadcast channel b. Control channel c. Traffic channel d. All
of the above
7. SDCCH is used for
a. SMS b. For call establishment signaling c. both a & b d. None of the abover
6. How does a mobile inform its whereabouts
a. It is stored in HLR b. By doing a Location Update c. HLR is informed of location
changes d. Both b & c
7. While doing Location Update, authentication is done at AuC & Mobile
a. True b. False
8. For Authentication MSC sends the mobile
a. RAND b. SRES c. Ki d. All of the above
9. MS sends a channel request on
a. RACH b. AGCH c. SDCCH d. TCH
03/22/12 Tinniam V Ganesh 133
134. Quiz 4
1. Which of the following is true in a PSTN to mobile call
a. GMSC sends MSISDN to HLR b. HLR determines MSC/VLR from MSISDN c.
MSC/VLR sends a MSRN
d. all of the above
4. UMTS uses
1. TDMA with FDD 2. CDMA 3. WCDMA 4. FDMA with FDD
12. Softswitch separates bearer from control
a. True b. False
13. Which is not true for softswitch
a. Uses time slot interchange b. uses media gateway c. does packet switching d.
none of the above
14. Which of the following is true for IMS
a. Uses SIP signaling b. Uses an IP Core c. Uses DIAMETER d. all of the above
15. LTE is made of the following
a. BTS, BSC, MSC b. Node B, RNC, Softswitch c. Node B, RNC, SGSN,
GGSN d. eNodeB, MME, SGW, GGW
03/22/12 Tinniam V Ganesh 134
135. Good luck & thank
You !!!
Tinniam V Ganesh
tvganesh.85@gmail.com
Read my blogs: http://gigadom.wordpress.com/
http://savvydom.wordpress.com/
03/22/12 Tinniam V Ganesh 135