!!! "# $ % & & # ' (! ) * +, -!!. / " 0! 1 (!!! ' &! & & & ' ( 2 3 0-4 ' 3 ' Giuseppe Bianchi

!!! "# $ % & & # ' (! ) * +, -!!. / " 0! 1 (!!! ' &! & & & ' ( 2 3 0-4 ' 3 '

"#$!!% "&'! #&'!%! () *+,, 3 & 5 &,! #-!*! ' & '.! #%!* //!! & (0)/!&/, 6 5 /, "!

First system: NMT-450 (Nordic Mobile Telephone) Scandinavian standard; adopted in most of Europe 450 MHZ band First european system (Sweden, october 1981) 1 ( 2 2 7 ", 83 ( 2 5 9 : RTMI (Radio Telefono Mobile Italiano) Market: 1973 -! & 7( ; < RTMS (Radio Telefono Mobile di Seconda Generazione) 450 MHZ 8 & 7( 6 ", Total Access Communication System 900 MHZ

First generation: 1980 s Several competing standards in different countries NMT (Nordic Mobile Telephone) Scandinavian standard; adopted in most of Europe First european system (Sweden, 1981) TACS (Total Access Communication Systems), starts in 1985 UK standard; A few of Europe, Asia, Japan AMPS (Advanced Mobile Phone Service) US standard C-Netz (Only in Germany) Radiocom 2000 (Only in France) Analog transmission Frequency modulation Various bands: NMT: 450 MHz first 900 MHz later TACS 900 MHz 1230 bidirectional channels (25KHz) AMPS 800 MHz Today still in use in lowtechnology countries And not yet completely dismissed in high-tech countries

( =', 5 ' =, 5 06 5 /, 0>6 5 /,?, "0 5 & 6!! @, > <+ A &!?, / 0 "& / 0"B 2, /! C >& 0 (slow only in US) -! 5 9 D ( ; 5 9 D (Digital Cellular System: DCS-1800) ( 5 9 D (Personal Communication System:PCS-1900,US only),// =, 5 >E =, 5 >;!

",/2,0/ 34"05,/667, 8!!! (&0!!435/!,//93& 08& " 70 8! "! &! > F ( >< ( &! ( 5 ' G!! &! ",/2,30 8! (9,0

! " %! 8!! 4,,95 Circuit switched data communication Uses up to 4 slots (1 slot = 9.6 or 14.4 Kbps) 27: $!,* 427$,5 Packet data (use spectrum only when needed!) Up to 115 Kbps (8 slots) 3!90/2 3* 439235 Higher data rate available on radio interface (3x)» Up to 384 Kbps (8 slots)» Thanks to new modulation scheme (8PSK)» May coexist with old GMSK

+&,4+* &,5 ITU standard: IMT-2000 (International Mobile Telecommunication 2000) UMTS forum created in 1996 Later on 3GPP forum (bears most of standardization activities) ' "05 6! But several other proposals accepted as compatible 4! & 7( ; ; <> <H ( ( > 5 9 D 6 B @7 E I

# ;?, 6 7C < J?, & @7 ( 7! ( '! & & Much faster than projections! August 2000: 372 GSM networks, 362M customers $* ' &! K L 5 K E ' ' < 3 6 ) &! K L ; <5 ' E -! <! & & ' #

6!

5, " $ % &&'(( 5, "

&&! " # 5, "75 ',! " 3 6 73! 6 M, "7M, " M, 7M!, 9! 7 5, " 3! 6 M, " M,

() * +!, +, - ' #!" & % " $ " 5, 5 ', M, M!, M, " M, " 5, " 5 ',! " =5, " =5, " C 5 " C 5! " 8@4 8 & @4 6? " 6 &! " 9 3 4 9 3! 4. 3 4. 3! 4

' External Networks operator &8 The network in the proper sense MS: Mobile Station )<!/!*!! 0. / Manages transmission path from MS to NSS. / Communication and interconnection with other nets. / GSM network administration tools Users A Interface Radio Interface (Um)

",!!!

)* GSM separates user mobility from equipment mobility, by defining two distinct components 3= The cellular telephone itself (or the vehicular telephone) 6 G7 IMEI (International Mobile Equipment Identity), 1!!4,15 Fixed installed chip (plug-in SIM) or exchangeable card (SIM card) 6 G7 IMSI (International Mobile Subscriber Identity) MSISDN (Mobile Subscriber ISDN number)» the telephone number! 15x17mm Mini UICC 12x15mm (standardized feb 04)

+, Terminal Mobile Equipment Termination Terminal Equipment Terminal Adaptor Mobile Termination Mobile Termination functions 4! Terminal Equipment functions?!! '! N -&!!!!! =, 5 Terminal Adaptor functions @! 5 / "-! Mobile Equipment S TE1 MT R TE2 TA MT U m

+, " - 6,, <8 485 & / 1 " * 11 * 111 1' " ) & '!"#

+ +, Uniquely identifies the mobile equipment 15 digits hierarchical address assigned to ME during manifacturing and type approval testing Type approval procedure: guarantees that the MS meets a minimum standard, regardless of the manifacturer IMEI structure: 0 1 * / - 2 0 3 *2 / - " 0 1 * - 0 4 *, -! & Before april 1, 2004: TAC = Type Approval Code ' &! & @! 5 8 ' &! & ' &! &? & 6 " -6 "! ' 6 ' O P 7

) +. / 00* 0 5 * / - " 0 1 * - 0 4 *, - Details: http://www.numberingplans.com/ Includes IMEI analyser

+ Protection against stolen and malfunctioning terminals Italian memorando di intesa signed on maj 5, 2003 Equipment Identity Register (EIR): 1 DataBase for each operator; keeps: 6 %! #!. valid IMEIs Corresponding MEs may be used in the GSM network 7!. IMEIs of all MEs that must be barred from using the GSM network Exception: emergency calls (to a set of emergency numbers) Black list periodically exchanged among different operators ' " 8!. IMEIs that correspond to MEs that can be used, but that, for some reason (malfunctioning, obsolete SW, evaluation terminals, etc), need to be tracked by the operator A call from a gray IMEI is reported to the operator personnel

+=! ) &! &,!! @5, @ 5, @, 0)!!!/ 6! & & =, 5, @5 &! subscriber s secret authentication key (Ki) Authentication algorithm ( secret algorithm - A3 not unique) Cipher key generation algorithm (A8) 7>, @5 & & '! '! 4 6 5 ', 5, & ' & Q!! /!! PIN (Personal Identification Number, 4-8 digits) PUK (PIN Unblocking Key, 8 digits)

Uniquely identifies the user (SIM card) GSM-specific address unlike MSISDN - normal phone number 15 digits hierarchical address assigned by operator to SIM card upon subscription IMSI structure (follows ITU-T E.212 numbering plan): 0 9 * / - 0 3 * -! 0 ) 4: *! ( - @D N! &!/.333 ; $ 33< 3= 3 @ / 3 5 )! &! : 4 $, 2 # 4: 6!, 5 5 & = 5 9! = =! # > > * - # : 3* +-? & & '! '

1$ 1$$ MSISDN: the usual telephone number -@, 0) & ' @? > 8( 2 E!, &! & 7 0 9 * / -, 0 9 *( - *, - 0 ) 4: * - GSM is the first network to distinguish & @5, @ - & ' 5, @, 0) Separation IMSI-MSISDN protects confidentiality @5, @ & 7 & '! % - 7@5, @ N' & @5, @ ' % Separation IMSI-MSISDN allows 8! & ' & single IMSI may be associated to several MSISDN numbers 8!!! '! 5, @, 0) & '

&,10&, 1! # ' '. 3 4 has significance only in this area! @5, @ reduces problem of eavesdropping,$?0, $%? 6 5, @, 0) & ' CC, NDC of the visited network SN assigned by VLR? &! 5, Subscriber Number (SN) assigned to provide routing information towards actually responsible MSC

)<!1/

2 Other MSC E MS BTS BSC U m A bis BSS 5, 5 ', M, M!, M, " M, " 5, " 5 ',! " C 5 " C 5! " 8@4 8 & @4 6? " 6 &! " 9 3 4 9 3! 4. 3 4. 3! 4 Other Networks EIR F MSC C HLR AUC A B D OMC VLR Other VLR G! (? 4 @! 6 ' M, >M, " 6 M,, >5, " M 5, ">. 3 4 " 5, ">. 3 4 0 9 3 4 >. 3 4 8 5, ">5, " - 5, ">8@4 =. 3 4 >. 3 4

3 ' Um - Radio Interface BSS OSS A-bis Interface A Interface * - Transmitter and receiver devices, voice coding & decoding, rate adaptation for data Provides signaling channels on the radio interface Limited signal and protocol processing (error protection coding, link layer LAPDm) * - performs most important radio interface management functions: Radio channels allocation and deallocation; handover management;

3( ( ' 3 U m Interface (to MS) Output filter Input Filter HF Transmitter HF Receiver Slow freq. Hopping TRX Digital Signal Processing Transmission System Abis Interface (to BSC) Operation and Maintenance Functionality/clock distribution "? ( (. @ ' 7 @ @ @ / A / @ ( + @ @ ( In essence, BTS is a complex modem!

34 " 2, # ( 2 ; E ( < < <! >M, ;! >M, #! >M, 9, ( < < ( 2! >M, <! >M, ( 2! >M,

3 2 ' 32 @4 @3 @7 4 / B : DB ), @ ( ( @ ( - G 5, " )+?&1@?, switch calls from MSC to correct BTS and conversely Protocol and coding conversion for traffic (voice) & signaling (GSM-specific to ISDN-specific) Manage MS mobility Enforce power control

BTS: -collects speech traffic -Deciphers and removes error protection -Result: -13 kbps air-interface GSM speech-coded signal MSC: -A modified ISDN switch -Needs to receive ISDN-coded speech -64 kbps PCM format (A-law) Transcoding and Rate Adaptation Unit (TRAU) needed! Rationale: re-use existing ISDN switches & protocols

5 On BTS 13 kbit/s 64 kbit/s 64 kbit/s BTS TRAU BSC MSC On BSC 13 kbit/s BTS 16 kbit/s BSC TRAU 64 kbit/s MSC On MSC 13 kbit/s BTS 16 kbit/s BSC 64 kbit/s (4x16 sub-mux) TRAU MSC Why 16 kbps instead of 13? Inband signalling needed for BTS control of TRAU (TRAU needs to receive synchro & decoding information from BTS)

$ % &' 3 5 ',! "5, "G=5, "=5, " 9 3! 4 9 3 4 G6 &! "6 & ". 3! 4. 3 4 8 & @4 8@4 ) "!? 10.,, L & ' 5 6 / + 5 ' 6! /

&2 ' 2 61,9?84(: 5 7/8%!%/ //<!8:8%! 7+,/ 0!/ 6! &! 5 ' & registration, authentication handover execution and control paging 67?48:5A %A, 8! 5, " ' M,, (note: a BSS refers to just 1 MSC, not many)

6 ' 6! 47?5 @! N!! ' N-plicated for reliability reasons In large operator networks, there may be 2+ HLR with distinct information, although MSISDN-HLR association needs to be introduced (e.g. first two digits of the Subscriber Number) $ 8 & G5, @, 0) & '! ', Permanent information associated to the user @5, @5, @, 0),! & '! ',!!! /! ' & & & @5 8@ 6 &! Temporary information associated to the user 3! &! & 7 Current VLR address (if avail) Current MSC address (if avail) MSRN (if user outside PLMN)

& 2 ' 52 6!$ 8 & 9 3 4,:1,1 $ /%0*!, & '! ' Q! $ &! 8! &! $! 6! & & & &!!

2 24 2 X X )! '! ' %% =5, " 7 & 9 3 4! & 5,! X X =5, " X! ' & 9 3 4!!!! 5, "& ' ' 5, " 5, " % " 5, "

7 6 ' 76 6!, =R5, ">. 3 4 No need to carry heavy MSC-VRL signalling load on network links ' & (. 3 4 5, " '$ 8 & G5, @, 0)! &! 5, " Entry created when an MS enters the MSC area (registration) ) C 87 & & '! ', Subscriber and subscription data @5, @5, @, 0) /! ' & & & @5 8@ 6 &! Tracking and routing information 5 ', 4 ) & ' 5, 4 ) 5 ', @ 5, @ 3! 6 @3 6 @5, Used for paging and call setup

8 9 ' )8* Network measurement and control functions Monitored and initiated from the OMC (Operation and Maintenance Center) Basic functions ) 6 configuration, operation, performance management, statistics collection and analysis, network maintenance "! H! Accounting & billing,! & 5 E.g. Equipment Identity Register (EIR) management!!