CS 8803 - Cellular and Mobile Network Security: Cellular Networking


CS 8803 - Cellular and Mobile Network Security: Cellular Networking Professor Patrick Traynor 9/13/2012

The Big Picture Details create the big picture. -Sanford I. Weill 2

Overview Evolution Architecture Air Interfaces Network Protocols Application: Messaging 3

Cellular Systems Wireless Access TDMA (IS-136, GSM) CDMA (IS-95, CDMA2000) WCDMA (UMTS) Connection oriented networks for voice PSTN (ISDN) Packet overlay networks for data General Packet Radio Service (GPRS) - GSM and UMTS Enhanced Version Data Optimized (EVDO) - CDMA Rebranded from Data Only Signaling protocols Signaling system number 7 (SS7) for voice and GPRS IETF protocols for EVDO 4

Wireless Standards Evolution to 3G 1G Analog AMPS 2G IS-95-A/ cdmaone 2.5G IS-95-B/ cdmaone 2.75G 3G Existing Spectrum CDMA2000 1xRTT (1.25 MHz) CDMA2000 1xEVDO (1.25 MHz) 700 MHz CDMA2000 3x (5 MHz) 4G IS-136 TDMA LTE (1.4, 3, 5, 10, 15, 20 MHz) TACS WiMAX GSM GSM GPRS GSM EDGE WCDMA (UMTS) HSCSD 5

Reference Architecture [Diagram nodes: MS, BTS, BSC, MSC, VLR, HLR, AuC, PSTN/ISDN, Wireless Network] MS: Mobile Subscriber/Station; BTS: Base Transceiver Station; BSC: Base Station Controller; MSC: Mobile Switching Center; HLR: Home Location Register; AuC: Authentication Center; VLR: Visitor's Location Register 6

Basic Network Architecture MS BS BS BS MSC SMSC VLR VLR MSC Network GMSC HLR Gateway MSC receives incoming calls for phones. Serving MSC assigned based on location HLR: Permanent registry for service profiles, pointer to VLR VLR: Temporary repository for profile information, pointer to SMSC. 7

Cellular Services Automatic call delivery find a user, deliver a call IN-type services e.g., call forwarding Messaging short message service Connection oriented user data transfer voice, fax, circuit-switched data Packet Data General Packet Radio Service (GPRS) - GSM and UMTS Enhanced Version Data Optimized (EVDO) - CDMA 8

High Level Call Flow Mobile User Registers Power up/down Movement Periodic Call recipient located Call routed to gateway or home MSC Gateway MSC searches for called mobile (via HLRs and VLRs) Mobile user is paged (determines current base station) Call delivered Uses standard SS7 procedures 9

Delivering a Call [Diagram nodes: MSC, GMSC, BS, VLR, MS, SMSC, Network, HLR; the numbered steps appear on the diagram one at a time] (1) 404-894-2000 (2) 404-894-2000 maps to HLR X (3) How do I deliver call to User 222? (4) How do I deliver call to User 222? (5) 999-xxx (6) 999-xxx (7) 999-xxx (8) Call to 999-xxx (9) Page (10) Call 10

Protocols of Note MSC VLR Mobility Management Protocols GSM-MAP, ANSI41-MAP MS BS MSC HLR SS7 Air Interfaces GSM, IS136, IS-95, UMTS BS PSTN/ISDN BS 11

Mobile Registration - High Level Old SMSC Old VLR HLR VLR MSC BS Cancel Location OK Update Location 12

Mobile Call Delivery - High Level Gateway MSC HLR VLR MSC BS Call Request Request Routing Info SS7 Call Delivery Routing Number Call Request Connect Page 13

Security Moment - Location Granularity Commonly heard assertion: The phone company knows exactly where all of their customers are located at every moment. Virtually all phones are equipped with some type of GPS resolution. Is this true? What are the security implications? What services could be enabled? 14

Hierarchy of Location Information VLR MSC VLR MSC Registration Registration SMSC Temporary Routing # HLR GMSC Phone Number Paging 15

E911 Enhanced 911 (E911) transmits your GPS location to the nearest Public Safety Answering Point (PSAP). This is how you always get the nearest 911 call center, regardless of where you are traveling in North America. But what about the Location On vs. E911 Only options available on most phones? Location On does not allow the phone company to constantly track you. It instead allows services within the network to use your GPS data when you initiate them (e.g., Verizon Navigator, Family Locator). The phone company simply cannot keep track of all the changes in location information at every moment! 16

Voice Path MS BS MSC VLR PSTN/ISDN HLR Coded Voice Full rate voice (64 Kbps) This is under the assumption that the underlying network supports digital voice. What does that mean? 17

Analog vs Digital Phone systems are generally classified as either analog or digital. What exactly does that mean? This is all about how data is represented and delivered through the network. Analog is the translation of voice/sound into electrical impulses. Pure waveform representations of sounds. Digital is an approximation of this waveform, represented in 0s and 1s. 18

Analog vs Digital - Tradeoffs Analog Inexpensive - think cheap home phones Bandwidth constrained - very limited amount of data can be sent. Security thoughts? Noise - every link introduces noise, reduces clarity. Digital Expensive - relatively speaking Improved voice clarity - signal arrives exactly as approximated. What about quality? Higher bandwidth - compression of data. 19

Voice Encoding - GSM-FR/PCM/G.711 [Figure: the sender feeds 160 samples per 20 msec into an RPE-LTP encoder, producing a 260-bit frame; the receiver's RPE-LTP decoder restores 160 samples per 20 msec] Pulse Code Modulation (PCM) is the basis for GSM Full-Rate (GSM-FR) voice encoding. 8 kHz samples (64 kbps) reduced to 13.2 kbps using Regular Pulse Excitation - Long Term Prediction (RPE-LTP). Converted back to 64 kbps at MSC prior to Release 4. Changes in the core towards TrFO for all IP. 20

Air Interface Functions Control read system parameters authenticate update location receive and originate calls manage handoffs Dedicated traffic voice, data Shared Traffic Messaging, data, signaling 21

Wireless Access Basics Frequency Division Multiple Access (FDMA): Analog cellular - 1G Time Division Multiple Access (TDMA): IS-54, IS-136, GSM - 2G GPRS - 2.5G Code Division Multiple Access (CDMA): IS-95 (cdmaOne) - 2G IS-2000 (CDMA2000), WCDMA - 3G 22

FDD/TDD modes for Forward/Reverse Channels Frequency Division Duplex (FDD) Two distinct bands of frequency for each user (forward and reverse). Frequency separation between forward and reverse constant for all channels. Reverse channel typically lower frequency than forward channel (so that the mobile device can transmit at lower power). Time Division Duplex (TDD) Each duplex channel has a forward timeslot and reverse timeslot for bidirectional communication. Simplifies subscriber equipment. Rigid timing required for time-slotting. 23

Background - AMPS Advanced Mobile Phone System Analog Channels Frequency Modulation (FM) 1 channel per carrier (1 conversation) [Figure: a single carrier at frequency $f_c$] 24

Background - TDMA Combination of FDMA and TDMA System operated within certain frequency bands Within system bands: many carrier frequencies are defined each carrier is divided into timeslots a channel is defined by a set of time slots on a carrier frequency Forward (downlink) and Reverse (uplink) channels use different carriers. Information is digitally coded. 25

TDMA TDMA Overview One Carrier/ Channel One Slot One User Co-channel Interference Inter-symbol Interference Capacity limited by number of carriers, slots. System Bandwidth FDMA 26

TDMA Single carrier frequency is shared by several users. Data transmission occurs in bursts, resulting in lower battery consumption. High synchronization overhead is necessary because of burst transmissions. Discontinuous transmission also makes handoffs simpler since the mobile device can listen to other base stations during idle time slots. Due to high transmission rates, inter-symbol interference is common and needs equalization. 27

Code Division Multiple Access (CDMA) used in several wireless broadcast channels (cellular, satellite, etc.) standards; unique code assigned to each user, i.e., code set partitioning; all users share same frequency, but each user has own chipping sequence (i.e., code) to encode data; encoded signal = (original data) X (chipping sequence); decoding: inner-product of encoded signal and chipping sequence; allows multiple users to coexist and transmit simultaneously with minimal interference (if codes are orthogonal) 28

CDMA Encode/Decode [Figure: the sender multiplies each data bit ($d_0 = 1$, $d_1 = -1$) by the code to form the channel output for slot 0 and slot 1; the receiver multiplies the received input by the same code and sums over each slot to recover $d_0$ and $d_1$] Sender: $Z_{i,m} = d_i \cdot c_m$. Receiver: $D_i = \frac{\sum_{m=1}^{M} Z_{i,m} \cdot c_m}{M}$ 29

CDMA: two-sender interference 30
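
The encode and decode rules from the CDMA slides, run for two senders transmitting at the same time; this is an added example, not part of the original slides. The Walsh code construction, the second sender's bits and the deliberately skewed code are assumptions chosen for illustration.

```python
"""CDMA spreading and despreading, two senders on one channel (added example)."""


def walsh_codes(order):
    """Return 2**order mutually orthogonal +1/-1 chipping sequences."""
    rows = [[1]]
    for _ in range(order):
        rows = [r + r for r in rows] + [r + [-c for c in r] for r in rows]
    return rows


def encode(bits, code):
    """Sender: Z[i][m] = d[i] * c[m], one slot of M chips per data bit."""
    return [d * c for d in bits for c in code]


def channel(*signals):
    """Simultaneous transmissions add chip by chip on the shared frequency."""
    return [sum(chips) for chips in zip(*signals)]


def correlate(received, code):
    """Receiver: D[i] = (1/M) * sum over m of Z[i][m] * c[m], per slot."""
    m = len(code)
    return [sum(z * c for z, c in zip(received[s:s + m], code)) / m
            for s in range(0, len(received), m)]


def decode(received, code):
    """Hard decision on the correlator output; 0 means no signal on this code."""
    return [(d > 0) - (d < 0) for d in correlate(received, code)]


def two_sender_demo():
    codes = walsh_codes(3)                 # eight codes, M = 8 chips each
    code_a, code_b, unused = codes[1], codes[2], codes[3]
    bits_a = [1, -1]                       # d0 = 1, d1 = -1 as on the slide
    bits_b = [1, 1]                        # constructed second sender
    air = channel(encode(bits_a, code_a), encode(bits_b, code_b))

    # Same traffic, but sender B's code is no longer orthogonal to A's:
    # B's energy now leaks into A's correlator output.
    skewed_b = [-code_b[0]] + code_b[1:]
    noisy = channel(encode(bits_a, code_a), encode(bits_b, skewed_b))
    return {
        "a": decode(air, code_a),
        "b": decode(air, code_b),
        "unused": correlate(air, unused),
        "a_with_skew": correlate(noisy, code_a),
    }


if __name__ == "__main__":
    for name, value in two_sender_demo().items():
        print(name, value)
```

With orthogonal codes each receiver recovers its own bits exactly and a receiver holding an unassigned code correlates to zero; with the skewed code the correlator output for sender A drifts away from +1/-1, which is the two-sender interference the slide refers to.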

CDMA Privacy Given that all signals look like noise unless you have the despreading sequence, what sort of privacy does CDMA give you? IS-95 operates at 1.25 Mc/s and has a long code of 42 bits. Ideally, you should get a $2^N$ search space... based on an ideal pseudo-random generator. Zhang et al. show that this can actually be cracked by capturing 42 frames and solving 42 linear equations. That can be done in 840 ms. What is the implication for security here? 31

CDMA Benefits Higher capacity interference limited = high efficiency uses voice activity detection to reduce transmission bandwidth Improved quality soft handoff CDMA has frequency, spatial and time diversity to adapt to errors Ease of deployment no frequency planning; frequency reuse = 1 Increased privacy spreads small signal (9.6kbps) over large spectrum (1.25Mbps) so that signal appears as noise Increased talk time power control (performed 800x/sec) ensures that the MS transmits at optimum power, resulting in longer battery life. 32

3G CDMA Interfaces CDMA2000 (3GPP2/TIA) Chip rate: 1.2288, 3.6864 Mc/s Channel bandwidth: 1.25/5MHz Network synchronous: Base stations synchronized via GPS 20 ms frames Common CDM pilot Power control (800 Hz) WCDMA (3GPP/ETSI) Chip rate: 3.84 Mc/s Channel bandwidth: 5MHz Network synchronous mode 10 ms frames Common CDM pilot Power control (1600 Hz) CDMA Harmonization group is trying to reconcile these and the SCDMA standard. WCDMA once had a chip rate of 4.096 Mc/s, dedicated CDM pilot and was only asynchronous. 33

CDMA2000 Observations Compatibility CDMA2000 as the 3G air interface is compatible with IS-95. CDMA2000 networks can be deployed as overlay on existing 2G spectrum. Network architecture/protocols designed to easily migrate from IS-95. What are the implications here? 34

CDMA2000 Observations Network architecture is more IP friendly than UMTS, but still not all-IP. 3G1X, 3G1X EV-DO (HDR), 3G3X high data rate options for evolution. 3G1X and HDR deployments taking place in the US; 3G3X will use the new 700 MHz spectrum sometime in the future. 35

WCDMA Observations WCDMA is the UMTS air interface and is a disruptive change from GSM. GPRS allows for evolution to higher data rates from GSM, and uses UMTS network architecture but not the WCDMA air interface. Network architecture not pure IP and is not IETF friendly. All IP wireless network architecture is the big theme in this space. 36

WCDMA Observations Regulations allow full UMTS (5 MHz) deployment only in new frequency spectrum. WCDMA 1900 has 3.84 MHz channels. Providers have paid huge amounts for UMTS spectrum. The most recent 700 MHz auction raised approximately $US 19.6 billion. Block D (10 MHz bandwidth) did not meet its reserve price and will be open to auction again sometime in the future. Tremendous money and effort is being poured in! Financial issues dictate deployment speed... Now talk about this in the context of the iPhone. 37

GSM - Air Interface Let's get into the details of the most widely used air interface... The GSM Air Interface supports: Call origination and termination; Registration (location update and authentication); SMS; Mobile assisted handoff; User confidentiality; Data confidentiality; Sleep mode 38

GSM Air Interface - Outline System Description Channel Structure Protocols and Control Channels Traffic Channels 39

GSM Spectrum 50 MHz. Uplink and downlink split bandwidth and use different frequencies. Reverse channel (uplink) 890-915 MHz. Forward channel (downlink) 935-960 MHz. Carriers spread at 200 kHz. Why is this? 40

GSM Structure Traffic Channel (per user in a call) Common Control Channel (CCCH) TCH (13 KBps) Common Control Channel (CCCH) Used for control information: registration, paging, call origination/termination. Traffic Channel (TCH) Information transfer in-call control (fast/slow associated control channels) 41

GSM Structure The CCCH is really a series of many logical channels, each discernible by their position in time. The details of which are coming in future lectures. The diagram in the previous slide should not be viewed to scale. The control channels generally represent ~3-6% of the resources in a cell. Everything else is dedicated to TCHs. Why? 42

Frequency Assignments FDMA/TDMA systems Take advantage of frequency attenuation Key: Split spectrum into set of frequencies (channels) and reuse frequencies in distant cells. Requires careful frequency planning. Fixed vs. Dynamic allocation Channels are typically assigned to cells in a fixed manner. Fixed assignment is simple to implement as base stations are independently and statically assigned their channels. Dynamic channel assignment based on load is possible but is more complicated and requires real-time coordination between different base stations. 43

Frequency Reuse Cells typically modeled as hexagonal. Circles result in overlaps; square/triangle possible but result in larger approximation. Each color represents a different set of carriers. Reuse factor F=3 shown. For hexagonal cells: $i^2 + (i \cdot j) + j^2$; i 1; j 1. To find co-channel cell, go i steps in one direction, turn 60° counterclockwise and go j steps. 44

Co-channel Interference & System Capacity If R = cell radius and D = distance between co-channel cell centers, the co-channel reuse ratio Q is: $Q = D/R = \sqrt{3F}$. Larger Q implies better transmission due to reduced interference, but also implies lower capacity per cell (S/N where S is the total number of available channels). Let $i_0$ be the number of co-channel interfering cells, making the Signal to Interference Ratio (SIR) at the receiver: $\frac{S}{I} = \frac{S}{\sum_{i=1}^{i_0} I_i}$ 45

Co-Channel Interference & System Capacity Assuming log-distance path loss (exponent: n) and interference from first layer of equidistant interfering cells: $\frac{S}{I} = \frac{R^{-n}}{\sum_{i=1}^{i_0} D^{-n}} = \frac{(D/R)^n}{i_0} = \frac{(\sqrt{3F})^n}{i_0}$ 46

Example Capacity Calculation Assume system can use all frequencies. System bandwidth = 50 MHz. System uses FDD => bandwidth = 25 MHz. Carriers spaced at 200 kHz. $N_{carr} = B_{sys} / B_{carrier}$, $N_{carr} = 125$. System capacity depends on re-use factors and cell size. 47

Frequency Reuse Factor Calculation Let a signal to interference ratio of 18 dB or more be acceptable. Assume nearest 6 co-channel equidistant cells interfere. Assume path-loss exponent is 4. $\frac{S}{I} = 18\ \text{dB} = 63.1$, where $\frac{S}{I} = \frac{(\sqrt{3F})^4}{6}$. Frequency reuse factor F >= 6.5, i.e. F = 7 48

Cell Capacity $N_{carr} = 125$, $N_{cell} = N_{carr} / F$. F = 7: $N_{cell} = 17$, 8 channels per carrier (TDMA), 136 channels/cell ($A_{cell}$). Each cell has a capacity of 136 simultaneous voice calls. F = 3: $N_{cell} = 41$, 8 channels per carrier, 328 channels/cell. 49

System Capacity Network size = Z square miles. Cell size = C square miles. Cells/network = Z/C. Channels/network, $A_{net}$: $A_{net} = A_{cell} \cdot \frac{Z}{C}$. Z = 1000, C = 10, F = 7: $A_{net}$ = 13,600. Z = 1000, C = 10, F = 3: $A_{net}$ = 32,800. Z = 1000, C = 25, F = 7: $A_{net}$ = 5,440. System capacity has a linear inverse relationship with cell size and frequency reuse patterns under ideal conditions. 50

Capacity and Blocking Cellular systems rely on trunking to accommodate a large number of users with a limited number of channels. Trunking exploits statistical multiplexing of large numbers of users (calls). Think about lines at the bank. System is engineered with enough channels to handle the peak hour offered load at the given maximum blocking rate. Typically, blocking for new calls is maintained at below 1%. To calculate blocking, we need to apply some queuing theory. 51

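Performance: Blocking [State diagram: states 0, 1, 2, ..., N with service rates µ, 2µ, 3µ, ..., Nµ] $p_n = p_B = \frac{(\lambda/\mu)^n / n!}{\sum_{i=0}^{n} (\lambda/\mu)^i / i!}$, equivalently $p_n = p_B = \frac{A^n / n!}{\sum_{i=0}^{n} A^i / i!}$. A is the offered load in Erlangs: $A = \lambda/\mu$. Models input (call rate) of λ, N trunks, holding time of $\mu^{-1}$. 52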

Cell Capacity Planning Based on spectrum allocation and frequency reuse patterns, calculate number of channels available per cell. Based on user density, calling and holding patterns, calculate load per cell in Erlangs. Use Erlang B formula to calculate blocking given the load and number of channels. 53
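
The planning steps above, carried through with the formulas from the preceding slides; this is an added example, not part of the original slides. The function names, the user population used for the load calculation and the choice of i >= 1, j >= 0 when listing hexagonal reuse factors are assumptions.

```python
"""Cell capacity planning with the slides' formulas (added example)."""


def hex_reuse_factors(limit):
    """Cluster sizes i^2 + i*j + j^2 up to limit (i >= 1, j >= 0 assumed)."""
    return sorted({i * i + i * j + j * j
                   for i in range(1, limit) for j in range(0, limit)
                   if i * i + i * j + j * j <= limit})


def min_reuse_factor(sir_db, path_loss_exp=4, interferers=6):
    """Smallest hexagonal F with S/I = (sqrt(3F))^n / i0 at or above target."""
    sir = 10 ** (sir_db / 10)                        # 18 dB -> 63.1
    raw = (interferers * sir) ** (2 / path_loss_exp) / 3
    return next(f for f in hex_reuse_factors(200) if f >= raw)


def channels_per_cell(band_hz, carrier_hz, slots, reuse):
    """A_cell = floor(N_carr / F) * slots, with N_carr = B_sys / B_carrier."""
    n_carr = band_hz // carrier_hz
    return (n_carr // reuse) * slots


def network_channels(a_cell, network_area, cell_area):
    """A_net = A_cell * Z / C."""
    return a_cell * network_area / cell_area


def offered_load(users, calls_per_hour, hold_minutes):
    """A = lambda / mu in Erlangs (call rate times mean holding time)."""
    return users * calls_per_hour * hold_minutes / 60


def erlang_b(load, trunks):
    """Blocking probability p_B for N trunks.

    Uses the recurrence B(k) = A*B(k-1) / (k + A*B(k-1)), which equals the
    factorial form on the slide but does not overflow for large N.
    """
    b = 1.0
    for k in range(1, trunks + 1):
        b = load * b / (k + load * b)
    return b


def max_load(trunks, target=0.01):
    """Largest offered load that keeps blocking at or below target (bisection)."""
    lo, hi = 0.0, 2.0 * trunks
    for _ in range(60):
        mid = (lo + hi) / 2
        if erlang_b(mid, trunks) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    reuse = min_reuse_factor(18)                              # slide: F = 7
    a_cell = channels_per_cell(25_000_000, 200_000, 8, reuse)
    load = offered_load(2000, 1.5, 2)      # constructed population per cell
    print("F =", reuse, "channels/cell =", a_cell)
    print("network channels =", network_channels(a_cell, 1000, 10))
    print("load = %.1f Erlangs, blocking = %.2e" % (load, erlang_b(load, a_cell)))
    print("load at 1%% blocking = %.1f Erlangs" % max_load(a_cell))
```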

Practice Problem Consider a system with 8 MHz total bandwidth and carrier frequencies of 160 kHz. Each carrier supports 3 voice channels using TDMA. If the frequency reuse factor F=7, and the network covers 1,000 mi², determine the blocking probability on the air interface for cell size of 1.0 mi² assuming that users make/receive a combined 3 calls/hour, calls last an average of 2.5 minutes and there are 10 users/mi². 54