Chapter 2 Technical Basics: Layer 1 Methods for Medium Access: Layer 2 Chapter 3 Wireless Networks: Bluetooth, WLAN, WirelessMAN, WirelessWAN Mobile Networks: Wireless Telecommunication Systems GSM, GPRS, UMTS GSM as basis of current systems Satellites and Enhancements for data communication: Broadcast Networks HSCSD, GPRS, EDGE UMTS: Future or not? Chapter 4 Mobility on the network layer: Mobile IP, Routing, Ad-Hoc Networks Mobility on the transport layer: reliable transmission, flow control, QoS Mobility support on the application layer 1
Mobile Telephony A-Netz 1958 introduced by Federal Post Office Analogous and connected by operator No handover between base stations 1977 stopped B-Netz Introduced 1972 Caller had to know in range of which base station the called resided (using a region dialing code!) Partly roaming agreements with Austria, The Netherlands, Luxemburg 1994 stopped C-Netz No region dialing code necessary Cellular system with large number of base stations Also data and fax connections 2000 stopped 2
Standardization of Networks In the 70 th and 80 th : analogous, cellular mobile systems in most European countries (1 st generation networks) Incompatibility of the mobile systems 1982: Foundation of Groupe Spéciale Mobile (GSM) for solving interoperability issues Goal: digital network (D-Netz, also called 2 nd generation, 2G because of change in technology) 1990: first specification of GSM: GSM900 (900 MHz) 1991: specification of GSM1800 as E-Netz 1992: 13 networks in 7 countries, D1 and D2 in Germany 1994: E-Plus 1995: GSM1900 in the USA 1998: E2-Netz, VIAG Interkom 2000: auctioning of UMTS licenses (Integration of voice and data: 3 rd generation, 3G) 2001 Start of GPRS as enhancement to GSM for packet-oriented data transfer (also called 2.5G ) 3
GSM Basis of Current Mobile Systems GSM today means Global System for Mobile Communications Introduction by the European telephone exchange offices (Germany: D1 and D2) seamless roaming within Europe possible Today many providers all over the world use GSM (more than 210 countries in in Asia, Africa, Europe, Australia, America) More than 747 million subscribers in more than 400 networks More than 10 billion SMS per month in Germany, > 360 billion worldwide (more than 10% of the sales of the operators) Uses the frequency ranges of 900, 1800, and 1900 MHz Voice and data connections with up to 9.6 KBit/s (enhancement: 14.4 KBit/s) Access control by chip-cards Cell structure for a complete coverage of regions (100 500 m Ø per cell in cities, up to 35 km on country-side) 4
Performance Characteristics of GSM Most important technical aspects: Communication: mobile, wireless communication; support for voice and data services Total mobility: international access, chip-card enables use of base stations of different providers Worldwide connectivity: only one number, the network handles localization High capacity: good frequency efficiency; relatively small cells to allow for a high number of customers High transmission quality: high audio quality and reliability for uninterrupted wireless phone calls also at higher speeds (cars, trains, ) Security functions: access control and authorization via chip-card and PIN GSM offers three types of services: Bearer Services Telematic Services Supplementary Services 5
Disadvantages of GSM There is no perfect system! No end-to-end encryption of user data No full ISDN bandwidth of 64 KBit/s to the user Reduced concentration while driving Electromagnetic radiation Abuse of private data possible Roaming profiles accessible High complexity of the system Several incompatibilities within the GSM standards 6
Bearer Services Basic telecommunication services to transfer data between access points Specification of services up to the terminal interface (corresponding to OSI layers 1 3) Different data rates for voice and data (original standard) Data service (circuit switched) synchronous: 2.4, 4.8 or 9.6 KBit/s asynchronous: 300 1200 Bit/s Data service (packet switched) synchronous: 2.4, 4.8 or 9.6 KBit/s asynchronous: 300 9600 Bit/s Additionally: signaling channels for connection control (used by telematic services) 7
Telematic Services Telecommunication services that enable voice communication via mobile phones All services have to obey cellular functions, security measurements, etc. Offered services: Mobile telephony Primary goal of GSM was to enable mobile telephony offering the traditional bandwidth of 3.1 khz Emergency number Common number throughout Europe (112); mandatory for all service providers; free of charge; connection with the highest priority (preemption of other connections possible) Multinumbering Several phone numbers per user possible 8
Telematic Services Non-Voice-Teleservices Fax Voice mailbox (implemented in the fixed network supporting the mobile terminals) Electronic mail (MHS, Message Handling System, implemented in the fixed network)... Short Message Service (SMS) Alphanumeric data transmission to/from the mobile terminal using the signaling channel, thus allowing simultaneous use of basic services and SMS 9
Supplementary Services Services in addition to the basic services, cannot be offered stand-alone Similar to ISDN services besides lower bandwidth due to the radio link May differ between different service providers, countries and protocol versions Important services Identification: forwarding of caller number Suppression of number forwarding Automatic call-back Conferencing with up to 7 participants Locking of the mobile terminal (incoming or outgoing calls) 10
Cellular Network Signal attenuation restricts distance between sender and receiver (~ d² in line of sight, d 5.5 within buildings) Frequency range very limited and not suited for high number of subscribers Frequency re-use by SDMA: divide the whole area in cells Intentionally restriction of a cell by lowering the transmission power Frequency ranges can be re-used in a larger distance without problems of interference Two subscribers in distant cells can use the same channel simultaneously Zelle 1 technical possible transmission range Zelle 1 intentionally restriction of transmission range 11
Cellular Network The size of a cell is determined by a maximum given transmission power and a minimum receiver signal strength for a good voice quality Hexagonal cell pattern is idealized (Cells overlap irregularly) No uniform cell size, size depends on attenuation as well as expected traffic amount (inner city vs. unpopulated regions) Cell change of mobile user during a phone call Passing the connection to the neighbor cell: handover 4 3 5 1 2 6 7 4 3 4 3 5 1 2 5 1 2 6 7 6 7 Cluster Distance depends on remaining signal strength 1 6 7 12
Cell Concept Lehrstuhl für Informatik 4 Cluster: Area in which all frequencies are used. Each cell in the cluster at least is assigned one frequency, but also several frequencies per cell are possible More cells per cluster: Less channels per cell Lower system capacity Less co-channel interference (co-channel cells have larger distance in between) Less cells per cluster: More channels per cell Higher system capacity More co-channel interference (co-channel cells are nearby) Cell planning: Optimize the luster size N in a way to maximize capacity and minimize interferences 13
Coverage of GSM Networks (www.gsmworld.com) T-Mobile (GSM-900/1800) Vodafone (GSM-900/1800) e-plus (GSM-1800) O 2 (GSM-1800) 14
Architecture of the GSM System The GSM system is a so-called PLMNs (Public Land Mobile Network). Several providers setup mobile networks following the GSM standard within each country The GSSM system consists of several components: MS (mobile station) BS (base station) MSC (mobile switching center) LRs (location register) Different subsystems are defined: RSS (radio subsystem): covers all radio aspects NSS (network and switching subsystem): call forwarding, handover, switching OSS (operation subsystem): management of the network 15
GSM - Architecture GSM Network Region with Mobile Switching Center (MSC) Location Area Location Area MSC Region Base Station Subsystem Base Station Subsystem Cell Cell Base Station Subsystem Location Area MSC Region GSM networks are hierarchical structured: At least one administrative region with Mobile Switching Center An administrative region consists of at least one location area A location area consists of several Base Station Subsystems A Base Station Subsystem consists of one Base Station Controller (BSC) and several Base Transceiver Stations (BTS, cells) 16
4 4 4 Lehrstuhl für Informatik 4 GSM Architecture OMC ISC PLMN, international BSC MSC GMSC PSTN ISDN BSC EIR AUC HLR VLR OSS NSS AUC: BSC: EIR: GMSC: HLR: Authentication Center Base Station Controller Equipment Identity Register Gateway Mobile Switching Center Home Location Register RSS ISC: International Switching Center MSC: Mobile Switching Center OMC: Operation and Maintenance Center PLMN: Public Land Mobile Network VLR: Visitor Location Register 17
Radio Subsystem The radio subsystem is the cellular network up to the switching centers It comprises several components: Base Station Subsystem (BSS): Base Transceiver Station (BTS): radio components including sender, receiver, antenna. A BTS can serve one cell or, if directed antennas are used, several cells. Base Station Controller (BSC): The BSC performs the switching between BTSs and the control of BTSs. It manages the network resources, mapping of radio channels onto terestrial channels. The complexity of BTSs only is low by that separation. BSS = BSC + Sum(BTS) + interconnection Mobile stations (MS) are seen as mobile network components. 18
Base Transceiver Station und Base Station Controller Functions BTS BSC Management of radio channels X Frequency hopping (FH) X X Management of terrestrial channels X Mapping of terrestrial onto radio channels X Channel coding and decoding X Rate adaptation X Encryption and decryption X X Paging X X Uplink signal measurements X Traffic measurement X Authentication X Location registry, location update X Handover management X 19
Base Station Subsystem BSC BSC BSC Base Station Controller F1 F2 F3 F5 F7 Fx Frequency range of a cell F7, F6 F8 F4 F6 F1 F9 F3 Base Transceiver Station BSC A BTS controls all transmission in a cell. Communication only is possible between a mobile station and its BTS Problems: Cell changes (Handover to another BTS), combined with a frequency change Location of a mobile station (HLR/VLR) 20
Mobile Station Lehrstuhl für Informatik 4 Terminal for the use of GSM services; it comprises several functional groups: MT (Mobile Terminal): Offers common functions used by all services the MS offers Corresponds to the network termination (NT) of an ISDN access End-point of the radio interface TA (Terminal Adapter): Terminal adaptation, hides radio specific characteristics TE (Terminal Equipment): Peripheral device of the MS, offers services to a user Does not contain GSM specific functions SIM (Subscriber Identity Module): Personalization of the mobile terminal, stores user parameters 21
Network and Switching Subsystem The network subsystem is the main component of the public mobile network GSM. It interconnects the BSSs with other networks and performs switching, mobility management, and system control Components are: Mobile Services Switching Center (MSC) Controls all connections via a separated network to/from a mobile terminal within the domain of the MSC - several BSC can belong to a MSC Databases Home Location Register (HLR) Central master database containing user data, permanent and semipermanent data of all subscribers assigned to the HLR (one provider can have several HLRs) Visitor Location Register (VLR) Local database for a subset of user data, including data about all user currently in the domain of the VLR 22
Mobile Switching Center The exchange central of a GSM network is the Mobile Switching Center: path choice, signaling and processing of service features Administration of and access to radio resources Additional functions for location registration and handover when a cell change occurs (support of subscriber mobility) Certain gateways to other fixed or mobile telephony networks (Gateway-MSC; GMSC) Most important functions of a MSC: Specific functions for paging and call forwarding Mobility specific signaling Location registration and forwarding of location information Provision of new services (fax, data calls) Support of short message service (SMS) Generation and forwarding of accounting and billing information 23
Home and Visitor Location Register Two types of databases are used for subscriber registration and location management: Home Location Register (HLR) Central location management, a subscriber can be searched for here, not the whole network has to be searched Contains all static subscriber data (number, access rights, subscribed services, service features) as well as a raw location information MSCs use HLR to get information about rights, services and current (raw) location of subscribers Visitor Location Register (VLR) Locale database for a subset of subscriber data, most important the current (detailed) subscriber location; is assigned a MSC Only stores information about subscribers which are in range of the corresponding MSC Contains dynamic data which are updated by information exchange with HLR and the mobile stations Data from a VLR follow the subscriber when he comes into range of another VLR 24
4 Lehrstuhl für Informatik 4 Connection Establishment POTS 2 5 8 Gateway Destination MSC MSC 9 9 9 BSS 1 9 4 3 7 6 9 8 HLR VLR 1 - Call for a mobile station 2 - POTS forwards call to the GMSC connecting the GSM network 3 - GMSC uses HLR to request currently responsible MSC 4 - Response with switching information to the current subscriber location 5 - Forwarding of the call to the destination MSC 6 - MSC requests exact position of the subscriber in its VLR 7 - VLR checks service profile and availability of the MS and gives back the current BSS 8 - Paging of the mobile subscriber (broadcast in the whole BSS) 9 - MS answers, call can be established 25
Handover Lehrstuhl für Informatik 4 Automatic change of the responsible BTS without influence on the quality of a connection a caller should not be able to notice the change. Process: 1. Measurement During a transmission permanently measurements in the signaling channel are performed to detect the necessity of a handover (receiving power, bit error rates, distance to base station, participants in the cell, narrow-band interference) 2. Initiation of handover Establishment of a connection from the responsible MSC to the new base station Selection of a new channel with the new base station 3. Switching to new BTS Network-controlled handover (e.g. C-Netz), MS-supported handover (e.g. GSM) or MS-controlled handover (e.g. DECT) 26
Handover Decision Signal strength of signal A receiving power Signal strength of signal B handover range MS movement MS Last point of switching BTS A BTS B 27
Handover Procedure MS measurement report BTS old measurement result BSC old MSC BSC new BTS new HO decision HO required HO request HO command HO command HO command HO access Link establishment clear command clear command clear complete clear complete resource allocation ch. activation HO request ack ch. activation ack HO complete HO complete 28
Handover Strategies Handover with fixed switching point ( hard handover ) Simultaneous switching of the new connection and forwarding of subscriber data; results in short interruption of the connection (which possibly can be noticed as a short crackling in the line) Only one radio channel is used at any point of time Handover with variable switching point The MS for a short time has a connection to two base stations. Only when the establishment of the new radio connection is done and all data are forwarded, the new channel is activated and the call switched During the handover, the MS has to send/receive on two channels in parallel Soft Handover Simultaneous connection to two BTSs, both connections are used to transfer data between MSC and MS During the whole handover procedure any time that signal is processed which has higher power resp. lower bit error rate (improvement of transmission quality) High transmission capacity needed 29
4 4 4 4 Lehrstuhl für Informatik 4 Handover Types Intracell handover Handover between two cells of the same BSC area (intercell) MSC BSC BTS MSC BTS BSC BSC BTS BTS BSC BTS BTS BSC MSC BTS BSC MSC Is necessary if a channel currently in use is distorted by a narrowband interference; the MS has to be assigned a new channel in the same cell. Is necessary if a MS moves over the border between two cells belonging to the same BSC The handover is controlled by the BSC, the corresponding MSC only is informed about the new assignment 30
4 4 4 4 Lehrstuhl für Informatik 4 Handover Types Handover between two cells of different BSC areas (intercell) Handover between different MSCs Anchor-MSC BSC MSC BSC BTS BSC BTS BSC BTS BTS BTS BSC MSC BTS BSC MSC Is necessary if a MS moves over the border between two cells belonging to different BSC but the same MSC Connection is switched to the new BSC, but remains in the control of the same MSC Handover to the new connection is controlled by the MSC Is necessary if a MS moves over the border between two cells belonging to different MSC Complex, because a connection to a completely new control center is to be switched Control is taken by the Anchor-MSC which controlled the old connection 31
Operation Subsystem The OSS performs some central tasks for the provision of the whole GSM network as well as maintenance of that network Components are: Authentication Center (AUC) Creates on demand of a VLR the access right parameters for a subscriber These parameters serve for security and protection of subscriber information in the GSM system Equipment Identity Register (EIR) Registers serial numbers of GSM mobile stations as well as the assigned usage right Devices which are registered in the AUC can be locked and maybe located if stolen Not a mandatory component in the GSM architecture Operation and Maintenance Center (OMC) Control centers for the maintenance of all other GSM architecture parts 32
GSM900 vs. GSM1800 Criterion GSM900 GSM1800 Frequency range (Uplink) 890 MHz - 915 MHz 1710 MHz - 1785 MHz Frequency range (Downlink) 935 MHz - 960 MHz 1805 MHz - 1880 MHz Duplexing distance 45 MHz 95 MHz Bandwidth Up- and Downlink 2 x 25 MHz 2 x 75 MHz Bandwidth of a channel 200 khz 200 khz Access method FDMA & TDMA FDMA & TDMA Number of carrier frequencies 124 372 Timeslots per carrier frequency 8 8 Channels 992 2976 Bit rate 270,833 KBit/s 270,833 KBit/s Net bit rate for voice 13 KBit/s 13 KBit/s Modulation method GMSK GMSK Cell size (radius) 2-35 km 0,2-8 km Transmission power of a MS max. 20 Watt max. 1 Watt 33
GSM Protocol Lehrstuhl für Informatik 4 Access method: combination of: Frequency multiplexing (FDMA/FDD) Sending on 124 channels of 200 KHz each between 890 and 915 MHz Receiving on 124 channels of 200 KHz each between 935 and 960 MHz Time multiplexing (TDMA) with a shift of 3 time slots between sending and receiving time by to avoid the need for duplex-enabled transceiver units 960 MHz f 124 123 122 935.2 MHz 1 200 khz 915 MHz 124 123 122 20 MHz 890.2 MHz 1 t 34
TDMA Frames Lehrstuhl für Informatik 4 Frequency range 3 890-915 MHz 935-960 MHz GSM TDMA Frame GSM Timeslot 124 channels with 200 khz each Downstream 124 channels with 200 khz each Upstream Higher GSM Frame Structures 1 2 3 4 5 6 7 8 guard time tail payload S training S payload tail 57 1 26 1 57 4,615 ms guard time Time 3 bit 546,5 µs 577 µs GSM timeslot: Burst und guard times Tail (000): define start und end of a Bursts Training: synchronization sequence with well-known bit pattern for adapting the receiver to the current signal propagation characteristics, e.g. calculating the strongest signal part in case of multipath propagation S (Signaling): what is the content of the payload field: user or control data (optional: slow frequency hopping after each TDMA frame to avoid frequencydependent signal fading) 35
Frame Hierarchy Hyperframe 0 1 2... 2045 2046 2047 3 h 28 min 53,76 s Superframe 0 1 2... 48 49 50 0 1... 24 25 6,12 s Multiframe 0 1... 24 25 120 ms 0 1 2... 48 49 50 235,4 ms Frame 0 1... 6 7 slot burst 4,615 ms 577 µs 36
Security in GSM Security services Access control / authentication User SIM (Subscriber Identity Module): secret personal identification number (PIN) SIM network: challenge response method Confidentiality Anonymity Encrypted transmission after successful authentication temporary identity: TMSI (Temporary Mobile Subscriber Identity) Newly assigned after each location update 3 algorithms specified in GSM: A3 for authentication ( secret, open interface) A5 for encryption (standardized) A8 for key generation ( secret, open interface) secret : A3 and A8 available via the Internet Network providers also can use stronger mechanisms 37