Provides a communication link between MS and MSC; Manages DB for MS location. Controls user connection. Transmission.

Provides a communication link between MS and MSC; Manages DB for MS location Controls user connection CM MM RR Transmission

Several RR functions considered in previous part!"# Surprise! handover is part of RR, not MM! $! " # $ % & %&& # # # #

" $ # ' # & ( $ # # " % # #

'(##()) $ # # ) * + * +! ', %' # # - #

CM MM GMSC RR HLR Trans. MS BTS BSC MSC (VLR)

MS BTS BSC Relay MSC Anchor MSC HLR CM MM RIL3-CC RIL3-MM MAP/D RR RIL3-RR RSM BSSMAP MAP/E TCAP SCCP SCCP SCCP LAPDm LAPD MTP MTP MTP! "! "

* +#,

BTS 2 BTS 1 BTS n - $. $ / 0 * ) 1 * ) 22+ # $ At least once every 5 minutes BSIC (from SCH) refreshed every at most 30s

max! C1(n) = RXLEV(n) RXLEV_ACCESS_MIN Select cell with greatest c1(n)>0: [ 0, ( MS_TXPWR_MAX_CCH P) ] # $ % &' ( ) &' # $ % * $ * + ( ) (, " $ 3 $ 45 6 47 8 0 * # - * # *. / ) ). $ 3 $ 9 7,9 5 / ) & ' When cell parameters are the same, simply select cell with higher RXLEV!

"#$ & '*./ C2(n) = C1(n) + CELL_RESELECT_OFFSET TEMPORARY_OFFSET H(PENALTY_TIME 0 where H(x) = 1 x x < 0 0 T) ( ) " 0 1 2 $ + 3 * $ 4 $ * $ $ $ * 5 6 6 $ 4 $ 5 3 * 5 6 6 $. $ * $ $ $ * 5 6 6 $ 6, " 7 & '0 8 2 2. 9 : 2 4 ) " " & " '

% & BTS BTS 0()1 No need to inform BTS at all! 23# : $ ( ; $ Need to inform the network! - < = ) ( ( > ) # ) ( ) >? # ) ) # '#

'( ) 45)(45)( # / # 6 0. (, Based on radio link quality measurements. ( / $, $ 7# # @ $ $ Not possible in GSM: for about 100-200ms, communication is interrupted # @, $ Not possible in GSM; possible in UMTS

)'* *&'( before during after Hard handover (GSM) MSC BSS 1 BSS 2 f 1 MS MSC BSS 1 BSS 2 f 1 MS MSC BSS 1 BSS 2 MS f 2 Seamless (DECT) MSC BSS 1 BSS 2 MSC BSS 1 BSS 2 MSC BSS 1 BSS 2 f 1 MS f 1 MS f 2 MS f 2 Soft handover (UMTS) MSC BSS 1 BSS 2 f 1 MS f 1 MSC BSS 1 BSS 2 f 1 MS f 1 MSC BSS 1 BSS 2 MS f 1

)'( & Classification by motivation & +, *! ' +", @& 5 +", *, Classification by typology 7 ', # New radio channel in the same cell Not termed as handover but as subsequent assignment ', # ', # Under control of same BSC 23 ', # ',# Change reference BSC; may imply a location area update ',# Most complex: need to change MSC

&'( Switching point for all inter-msc handover Switching point for internal handover Anchor MSC: the MSC that first managed the current call A-MSC BSC Relay MSC: the MSC that currently manages the call BSC R-MSC BSC A A-bis Switching point for inter-bsc handover BTS BTS BTS BTS radio interface

)'(+ 4'684'6 @ # ) A @ # '68'6 @# ) A @# -68-6 @# ) A @ #!)4'68-68 / # / # # B / #,#,# $ $

)'( #45) ; $,/ # RXLEV_UL < L_RXLEV_UL_H ; $,/! ) # RXQUAL_UL < L_RXQUAL_UL_H * # # adaptive timing advance parameter > MAX_MS_RANGE ' 2 #) *,/ RXLEV_DL < L_RXLEV_DL_H *,/! ) RXQUAL_DL < L_RXQUAL_DL_H *,/ RXLEV_NCELL(n) > RXLEV_MIN(n) RX signal level RXLEV_0 RXLEV_1 RXLEV_2 RXLEV_3 RXLEV_62 RXLEV_63 Bit error Ratio RXQUAL_0 RXQUAL_1 RXQUAL_2 RXQUAL_3 RXQUAL_4 RXQUAL_5 RXQUAL_6 From (dbm) - -110-109 -108-49 -48 From (%) - 0.2 0.4 0.8 1.6 3.2 6.4 To (dbm) -110-109 -108-107 -48 - To (%) 0.2 0.4 0.8 1.6 3.2 6.4 12.8 RXQUAL_7 12.8 -

' 5-5-9 ' 2d TA TA[ bits] tbit = d = c tbit c 2 @ 1 300000[ mt / ms] [ ms] c tbit d TA = TA = TA 270.833 TA 554 2 2 ( ) mt 'B # ; + + ' ') B C #

)'( '' 5# A # $ A # $ A # $ # # provided they can support the MS. 6 $,$ D,7 8 $ 3 $ 9 8 $ RXLEV (cell A) RXLEV (cell A) Handover Handover RXLEV (cell B) RXLEV (cell B) HANDOVER ALGORITHM: operator-dependent! GSM standard SUGGESTS a simple reference algorithm, but implementation left to operator hysteresis

'(' 1) Handover request goes up to switching point MSC 2) Switching point prepares new path on fixed net 1 3 4 2 5 3) Switching point sends HO command to MS 4) MS accesses new channel 5) Old channel/path torn down

&, '( " &'$ MS BTS-A BSC-A MSC BSC-B BTS-B MS " ( " (, & ' " (, " (, <! " ( " ( " ( " " ( ; " ( " ( "! " (

-, '( #3(7)0 )' : EF 5 First MSC change (basic handover) Second MSC change (subsequent handover) MSC-A MSC-R1 MSC-A MSC-R1 MSC-R2 Note the role of the Anchor MSC!

: ;# -<'#

. ( ( LA-1 LA-2 LA-3 MSC VLR LA-4 LA-n

( ' =#( * ( User first access to PLMN ( ; $» Needs to send IMSI and receive TMSI Subsequent accesses to PLMN (either in old or new MSC/VLS)» Also after MS shut-down!» TMSI-based identification & ( B / ( $ $

', ) 4''6 & 4''6 8-7 ( '@G B ( H Country Code (CC): 3 digits Mobile Network Code: 2 digits Location Area Code: max 5 digits

./.0"($ ' MSC VLR 3 HLR 1 2 1) Obtain LAI from BCCH 2) Register MS ID into local VLR 3) Update pointer at HLR

. MS BSS/MSC VLR HLR AUC Loc. Upd. Request IMSI, LAI Update Loc. Area IMSI, LAI Auth. Param. Req. IMSI Auth. Info (Auth. Parameters) Auth. Info. Req. IMSI Auth. Info (Auth. Parameters) Activate ciphering authentication Start Ciphering Kc Forward new TMSI TMSI Locat. Upd. Accept Update Location IMSI, MSRN Insert Subscrib. Data IMSI, additional data Insert Subscrib. Data ACK Locat. Upd. Accept IMSI TMSI Realloc Cmd Locat. Upd. Accept TMSI Realloc ACK TMSI ACK

" '1.$ Authentication Request Challenge: 128 bit RAND VLR IMSI, RAND SRES, Kc HLR / AUC Ki RAND A3 SRES SRES Authentication Response Signed RESult: 32 bit SRES Equal? Ki RAND A8 Kc

"' $ ) - $ /. 6 )-:(->+, # # ' Along with secret key Ki B $ * 1 ) # B 1 / C Since A3,A8 run ONLY in the AUC at the home HLR Ki is NEVER transmitted away from AUC or MS!!# G# ) #. HI 9 6 G. B * H 5(# J ( '# ' / $ B * # ) #. #!

-"+,!# $ / / #! $ $ < 0 A D7 A < 8 K 6 I < L 7 D0 K 6 2 21 =2,097,152 < 2,715,648 < 2 22 =4,194,304?#(# @8& Frame number FN, 22 bits Kc 64 bits Frame number FN, 22 bits Kc 64 bits MS A5 A5 BTS S1 S2 S1 S2 In-clear uplink XOR enciphered uplink XOR In-clear uplink In-clear downlink XOR enciphered downlink XOR In-clear downlink

.0' 1. " * -$ MS BSS/MSC VLR HLR AUC Loc. Upd. Request TMSI, LAI Activate ciphering TMSI Realloc Cmd authentication Update Loc. Area TMSI, LAI Update Location IMSI, MSRN Generate New TMSI Start Ciphering Kc Insert Subscrib. Data Forward new TMSI IMSI, additional data Ins. subs. data ACK Locat. Upd. Accept Locat. Upd. Accept IMSI Locat. Upd. Accept TMSI Realloc ACK TMSI ACK Auth. Param. Req. IMSI Auth. Info B A. B * # ) # Auth. Info. Req. IMSI Auth. Info B A. B * # ) #

/1.. % # ) ) " " " " ) )!! + + % #

- 5)795#) 7 K 9 < $ 3 ( ; "'# '> J # '> > " # '> > $ '1 B ( ) @ # ' C # ' $ =& # $ ( CC Some author (Mouly-Pautet) uses the term» TIC (Temporary Identity Code) = 4 bytes» TMSI = TIC+LAI = unambiguous user identification % - # 'M ( ' $ 2 Operator may set a 6min up to 24hrs periodicity for LU (value transmitted on BCCH) IMSI_attach = a special LU in a same Location Area; IMSI_attach follows an IMSI_detach (power-down of MS)

.0'2'&&1. MS BSS/MSC VLR-new HLR VLR-old Loc. Upd. Request # 'M ( '( ' Activate ciphering authentication Update Loc. Area # 'M ( '( ' determine VLR-old From old LAI Send parameters (TMSI, old LAI) Update Location IMSI, MSRN Generate New TMSI Start Ciphering Kc Insert Subscrib. Data Forward new TMSI IMSI, additional data Ins. subs. data ACK IMSI response (IMSI,RAND,SRES,Kc) Locat. Upd. Accept IMSI Cancel Location IMSI Cancel Locat. ACK

0=& # =& -7 * 8=& A 5)7 ' $ '# ' MS Identity Request Identity Response IMSI MSC PAGING: - Normally based on TMSI - But when no valid TMSI information available (e.g. after a DB restore after crash), based on IMSI

? '<

-BC '+, '+, 8'+8', # 5'+5', #

MS Mobile Terminated Call MSC Fixed party MS Mobile Originated Call! MSC Fixed party DATA DATA In ISDN ISUP: - setup = IAM (Initial Address Message); - Alerting = ACM (Address Complete Message); - Connect = ANS (Answer)

MS Mobile Terminated Call network MS Mobile Originated Call network Paging request Channel request Immediate Assignment Paging Response Authentication Request Authentication Response Ciphering mode command Ciphering Mode Complete Setup Call Confirmed Assignment Command Assignment Complete Alerting Connect Connect Acknowledge Channel request Immediate Assignment Service Request Authentication Request Authentication Response Ciphering mode command Ciphering Mode Complete Setup Call proceeding Assignment Command Assignment Complete Alerting Connect Connect Acknowledge

' ''3' 08-')#+08-'), B $ $ 8-')#+8-'), $ $ C Best utilization of radio resource (avoids allocation if callee not available) Call drop if no TCH is available at this point =2- +=2-, ' Fastest signalling process Waste of resources VEA Non-OACSU OACSU RACH RACH RACH TCH (FACCH) SDCCH TCH (FACCH) SDCCH TCH (DATA) TCH (DATA) TCH (DATA) Connection established Callee responds

4 5 5 $ * / 0 9 # 7 C B / Key Pressed MS Start DTMF (w. key code) Start DTMF ACK MSC 8 # + $ / 1 $ * + # # 1 * + On FACCH) Stop DTMF

GMSC ISDN 1: MSISDN MSC C VLR B 5: MSRN 6: TMSI MSC B 4: MSRN 7: paging MSC A 2: MSISDN 3: MSRN HLR

"($ ' '' '.0 During an LU within a same VLR, MSRN is NOT signaled! MSRN retrieved on a per-call basis! (choice of solution depends on trade-offs) GMSC ISDN 1: MSISDN MSC C 7: MSRN VLR B 8: TMSI MSC B 6: MSRN 9: paging MSC A 2: MSISDN 5: MSRN HLR 3: IMSI 4: MSRN

+ &> ; ' International Switching Center + = &> ; ' # + & ' Transit Exchange Local Exchange International Switching Center MSISDN +39.335.1234567 - # 7. MSRN +44.NDC.8877665 + 0 & ' # 335.1234567

Call to MSISDN +39.335.3043125 6 7 ISC (UK) + = &> ; ' # Call to MSISDN +39.335.1234567 ISC (ITA) MSISDN +39.335.1234567 - # 7. MSRN +44.NDC.9876543 + 0 & ' # Is the PRICE (!) to pay for simple routing and billing

$, ( ( Consulted by ISCs (which MUST support GSM-MAP!) )0# ( ( B M $ B * C I.e. must know the MS is roaming in the PLMN $!» Extensions tovlr or to GMSC» Details in Lin-Chlamtac

.-,. ' 3 bis ISC (UK) 2 % # + = &> ; ' 1 3 ISC (ITA) 4. + 0 & '

( )) $ 7 0 8 5 # # * 5,,$ ' % '$ # #

MSC PLMN Internet, PSDN IWMSC Short Message Service Center SMS-GMSC Get routing info for terminating MS. MSC PLMN

MS SM-SC # $ $ ( #, ( # ( #, ( # #, MSC IW-MSC # ( #,( #, " $ & ' " $ & ' # #, # #, " $ & ' " $ & ' Quite complex signalling involved (see specific texts)

) # $#3" < 8 8 < A / 2 # "# ;. @K < N $ $ 3 5 0 N $ & # B $ $ $ $

$ O$ P $ &# $

$ &' Originating network switch Donor network switch switch Recipient network Originating switch sets-up trunk to donor switch Donor switch sets-up trunk to recipient switch Simplest solution, as call forwarding is a feature available in virtually all switches

$% Originating network switch SS7 ISUP IAM SS7 ISUP REL Donor network switch Number Portability DataBase switch Recipient network Donor switch blocks incoming call with a release message (REL) REL carries a QoR cause value, stating that called party number is ported Originating switch then queries Number Portability database

$, % Originating network switch Donor network switch Number Portability DataBase switch Recipient network Originating switch queries Number Portability database for every call!! - best solution if majority of numbers are ported (no interaction with donor) - but very high DB load, as EVERY number must be looked-up!

) 3# - # /!)''+ 3# ##, : $ # B C Recipient network MSC GMSC HLR Note: If path must cross GMSC: Use Intermediate Routing Number Incoming call MSRN IRN MSRN (or IRN) GMSC Signaling relay function HLR Donor network

" % $ Recipient network MSC GMSC Query MSRN Return MSRN HLR IRN Incoming call switch Query IRN Return IRN Number Portability DataBase

(' "%$ Recipient network MSC GMSC HLR Incoming call MSRN switch Query MSRN Return MSRN Signaling relay function Number Portability DataBase