Mwa 20060113

2G1330 Mobile and Wireless Network
Architectures
Lecture notes of G. Q. Maguire Jr.
For use in conjunction with the text: Wireless and Mobile
Network Architectures, by Yi-Bing Lin and Imrich
Chlamtac, John Wiley & Sons, 2001, ISBN 0-471-39492-0.
KTH Information and

Communication Technology
1998-2006 G.Q.Maguire Jr. .

All rights reserved. No part of this course may be reproduced, stored
in a retrieval system, or transmitted, in any form or by any means,
electronic, mechanical, photocopying, recording, or otherwise,
without written permission of the author.
Last modified: 2006.01.13:10:07
Maguire Cover.fm Total pages: 1

maguire@kth.se 2006.01.13
Table of Contents
1. Introduction ....................................................................... 1
Welcome to the course! ............................................................................ 2
Staff Associated with the Course.............................................................. 3
Instructor (Kursansvarig) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Administrative Assistant: recording of grades, registration, etc. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Goals, Scope and Method ......................................................................... 4
Goals of the Course - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4
Scope and Method - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 4
Prerequisites.............................................................................................. 5
Contents .................................................................................................... 6
Topics ....................................................................................................... 7
Examination requirements ........................................................................ 8
Project ....................................................................................................... 9
Assignment Registration and Report ...................................................... 10
Literature................................................................................................. 11
Lecture Plan ............................................................................................ 12
Maguire 2 of 30
maguire@it.kth.se 2006.01.13 Mobile and Wireless Network Architectures
Context of the course .............................................................................. 13
Chapters 1-4, and 22 ............................................................................... 14
Internet Architecture............................................................................... 15
More complete Architecture ................................................................... 16
Internetworking....................................................................................... 17
Personal Communication Systems (PCS)............................................... 18
High Tier and Low Tier Cellular, and Cordless ..................................... 19
Cellular Telephony ................................................................................. 20
Low Tier Cellular and Cordless Telephony........................................... 21
Mobile Data ............................................................................................ 22
Paging ..................................................................................................... 23
Specialized Mobile Radio (SMR)........................................................... 24
Satellite ................................................................................................... 25
Wideband systems .................................................................................. 26
Local Metropolitan Area Networks (LMDS) ......................................... 27
Point-to-Point Optical links .................................................................... 28
Wireless Local Area Networks (WLANs).............................................. 29
Maguire 3 of 30
Short range radio..................................................................................... 30
Ultrawideband - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 30
Trend: Increasing Data Rates.................................................................. 31
GSM - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31
High Speed Circuit Switched Data (HSCSD) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31
GPRS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31
Wireless LAN - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31
Basic Personal Communication System (PCS) network architecture .... 32
Example of a PCS Architecture.............................................................. 33
PCS network architecture supporting Mobility ...................................... 34
Mobility Management ............................................................................ 35
Mobility Management Protocols ............................................................ 36
Macro- vs. Micro-mobility ..................................................................... 37
Getting Service ....................................................................................... 38
Locating the user..................................................................................... 39
Handoff Management: Detection & Assignment ................................... 40
Handoff/Handover/Automatic Link Transfer ......................................... 41
Handoff Criteria...................................................................................... 42
Handoff Goals......................................................................................... 43
Maguire 4 of 30
When to make the decision? ................................................................... 44
Reality is more complex ......................................................................... 45
Who makes the handoff decision?.......................................................... 47
Inter-BS Handoff (aka inter-cell handoff) .............................................. 48
What happens if there are insufficient resources at new AP? ................ 49
Inter-system Handoff (aka inter-MSC handoff) ..................................... 50
What happens if the mobile moves gain? .............................................. 51
Fast Mobile IPv4 handoff via Simultaneous Bindings ........................... 52
Fast handover timeline............................................................................ 53
Roaming.................................................................................................. 54
User roaming ......................................................................................... 55
Roaming Management............................................................................ 56
Roaming example ................................................................................... 57
Of course it couldnt be this simple!....................................................... 58
Call delivery ........................................................................................... 59
CT2 ......................................................................................................... 60
Back to: Who makes the handoff decision? ........................................... 61
Maguire 5 of 30
Network controlled handoff (NCHO)..................................................... 62
Mobile assisted handoff (MAHO) .......................................................... 63
Mobile controlled handoff (MCHO) ...................................................... 64
Handover Failures................................................................................... 66
Channel Assignment............................................................................... 67
Channel Assignment Process.................................................................. 68
Handoff Management: Radio Link Transfer .......................................... 69
Handoff frequency .................................................................................. 71
Soft handoff in multiple forms ............................................................... 72
Paging ..................................................................................................... 73
Pager ....................................................................................................... 74
Paging Architecture ................................................................................ 75
Paging Service area................................................................................. 76
Introduction of paging systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Alphanumeric paging systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Mobile telephone systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Mobile but not necessarily wireless. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Local mobility via wireless (or redirects) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Maguire 6 of 30
Two-way paging and messaging systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Paging Interworking ............................................................................... 83
Paging - link level................................................................................... 84
Motorolas FLEX protocol ................................................................. 85
Sleeping for power savings..................................................................... 86
Mobile Telephone Systems Timeline (the first two generations: analog + digital)
87
References and Further Reading............................................................. 88
Course book - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 88
Further details concerning physical and link layer wireless communication - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 88
CDPD - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 89
LEO - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 89
Fixed Broadband wireless - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 90
User profiles - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 90
Mobile IP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 90
Fast handoff - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91
Micromobility: Cellular IP, HAWAII, Hierarchical Mobile IP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91
Comparison of IP Mobility protocols - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 91
TeleMIP- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 92
Intersystem Handoff- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 92
2. Network Signaling and CDPD........................................ 93

Network Signaling (Chapters 5-8).......................................................... 94
Maguire 7 of 30
Transaction Capabilities Application Part (TCAP) ................................ 95
Transaction 2 (T2) - additional details.................................................... 97
Automatic Code Gapping (ACG) ........................................................... 98
TIA TSB-51: Authentication, Signaling Message Encryption, and Voice Privacy
99
MIN and ESN ....................................................................................... 100
Without-Sharing Scheme...................................................................... 101
Without-Sharing Call Origination ........................................................ 102
Sharing Scheme .................................................................................... 103
Sharing Call Origination....................................................................... 104
When should you use Without-Sharing vs. Sharing............................. 105
Cellular Authentication and Voice Encryption (CAVE) Algorithm .... 106
PACS Network Signalling.................................................................... 107
PACS Architecture .............................................................................. 108
Access Manager (AM).......................................................................... 109
AIN/ISDN Switch................................................................................. 110
AIN Service Control Point (SCP)......................................................... 111
Maguire 8 of 30
PACS Intersystem Handoff .................................................................. 112
3 alternative inter-RPCU handoff methods
(Switch Loopback, Direct Connection, Three-way Calling Connection): 113
CDPD.................................................................................................... 114
Motivation for CDPD ........................................................................... 115
Goals- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 115
CDPD network architecture.................................................................. 116
CDPD Entities ...................................................................................... 117
other entities ......................................................................................... 118
Limits.................................................................................................... 119
Handoffs ............................................................................................... 120
Connectionless Network Services (CLNS) .......................................... 121
Roaming Management.......................................................................... 122
Multicast ............................................................................................... 123
CDPD usage ......................................................................................... 124
CDPD phaseout .................................................................................... 125
Ricochet ................................................................................................ 126
Maguire 9 of 30
Ricochet System Architecture .............................................................. 127
Further reading...................................................................................... 128
TIA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128
TSB-51 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 128
Mobile*IP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 129
CDPD - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 130
Ricochet- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 131
3. GSM, GPRS, SMS, International Roaming, OAM .... 132

Lecture 3 ............................................................................................... 133
Global System for Mobile Communications (GSM)............................ 134
GSM Requirements .............................................................................. 135
GSM Architecture ............................................................................... 136
Foundation ............................................................................................ 137
GSM contributions ............................................................................... 138
Distinctive features of GSM ................................................................. 139
Mobile Station (MS) ............................................................................. 141
Subscriber Identity Module (SIM)........................................................ 142
SIM card ............................................................................................... 143
Phone with and without SIM ................................................................ 144
Maguire 10 of 30
Mobile Equipment (ME) ...................................................................... 145
Power saving and interference reduction - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 146
User ID Device ID ...........................................................................

Classmark - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 147
148
Mobile Terminal (MT) ......................................................................... 150
Base Station System (BSS)................................................................... 151
Base transceiver station (BTS) ............................................................. 152
Base station controller (BSC) ............................................................... 153
Network and Switching Subsystem (NSS) ........................................... 154
Databases .............................................................................................. 155
Equipment Identity Register (EIR)....................................................... 156
Operation Sub-System (OSS) ............................................................... 157
Operation and Maintenance Center (OMC) ......................................... 158
GSM Interfaces (just some of them!) .................................................. 159
GSM Layers.......................................................................................... 161
GSM Air interface ................................................................................ 162
Abis interface......................................................................................... 164
Abis protocols........................................................................................ 165
Maguire 11 of 30
A Interface ............................................................................................ 166
A interface protocols............................................................................. 167
GSM Audio........................................................................................... 169
CODECs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 169
MSC interfaces and protocols............................................................... 170
GSM Logical Channels ........................................................................ 171
Traffic channel (TCH) .......................................................................... 172
Broadcast channels (BCH) ................................................................... 173
Common control channels (CCCH) ..................................................... 174
Dedicated control channels (DCCH) .................................................... 175
GSM Timing......................................................................................... 176
Incoming Call ....................................................................................... 177
Mobility Management (MM)................................................................ 178
Security ................................................................................................. 179
Cipher mode management- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 179
Authentication ...................................................................................... 180
Authentication and Encryption ............................................................. 181
GSM data rates ..................................................................................... 182
Maguire 12 of 30
System engineering............................................................................... 183
GSM Network Optimization ................................................................ 184
Optimal Cell Planning .......................................................................... 185
Features................................................................................................. 186
GSM Phase 2+ ...................................................................................... 187
High Speed Circuit Switched Data (HSCSD) ...................................... 188
General Packet Radio Service (GPRS)................................................. 190
GPRS nodes .......................................................................................... 191
GSM/GPRS Architecture and Interfaces ............................................ 192
GPRS Coding Schemes ........................................................................ 193
Unstructured Supplementary Service Data (USSD)............................. 194
USSD continued ................................................................................... 195
Short Message Service (SMS) .............................................................. 196
SMS message types .............................................................................. 197
Short Message Service Architecture .................................................... 198
SMSCs .................................................................................................. 199
Three kinds of SMSs ............................................................................ 200
Maguire 13 of 30
Entering Short Messages ...................................................................... 201
SMS shorthand ..................................................................................... 202
External Application Interface (EAI) ................................................... 203
Voice Messaging System (VMS) ......................................................... 204
Voice Profile for Internet Mail (VPIM)................................................ 205
Enhanced Message Service (EMS)....................................................... 206
Multimedia Messaging Service (MMS) ............................................... 207
SMS over GPRS ................................................................................... 208
International Roaming .......................................................................... 209
Enhanced Data Rates for GSM Evolution (EDGE).............................. 210
GSM/EDGE Radio Access network (GERAN)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 210
EGRPS.................................................................................................. 211
Operation/Administration/Maintenance ............................................... 212
Further reading...................................................................................... 213
GSM - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 213
GPRS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 215
USSD - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 216
SMS and Multimedia Messaging Service (MMS) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 216
International Roaming - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 218
Operation/Administration/Maintenance- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 219
Maguire 14 of 30
4. Number portability, VoIP, Prepaid, Location Based Services
220
Lecture 4 ............................................................................................... 221
Database lookups .................................................................................. 222
Local Number Portability (LNP) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 222
Three kinds of Local Number Portability............................................. 223
Mobile Number Portability (MNP) ...................................................... 224
Non-geographic number portability (NGNP)....................................... 225
Call forwarding at donor end................................................................ 226
Drop back forwarding........................................................................... 227
Query on release (QoR) solutions......................................................... 228
Look up type solutions ......................................................................... 229
Two stage solutions .............................................................................. 230
All call/all network solutions................................................................ 231
Who knows the mappings?................................................................... 232
Nummerportabilitet i Sverige ............................................................... 233
EU Document 398L0061...................................................................... 234
Maguire 15 of 30
Nortel Networks Universal NP Master (UNMP) ................................ 235
Lookup engines..................................................................................... 236
Voice over IP (VoIP) ............................................................................ 237
TIPHON................................................................................................ 238
Ericssons GSM on the Net .................................................................. 239
iGSM .................................................................................................... 240
Prepaid .................................................................................................. 241
GSM Prepaid ........................................................................................ 242
Difference between Mobile and Fixed Prepaid .................................... 243
Four alternatives for Mobile Prepaid.................................................... 244
Wireless Intelligent Network (WIN) .................................................... 245
Calling party pays vs. Called party pays .............................................. 246
WIN Call termination when called party pays ..................................... 247
Service Node......................................................................................... 248
Hot Billing ............................................................................................ 249
one-call exposure in depth ............................................................... 250
Handset-Based ...................................................................................... 251
Maguire 16 of 30
Combined Handset-based + Hot Billing............................................... 253
Roaming and Prepaid............................................................................ 254
Revenue and new services .................................................................... 255
Location Based Services (LBS)............................................................ 256
Means of determining location ............................................................. 257
Geographic Location/Privacy (geopriv) ............................................... 258
Further reading...................................................................................... 259
Number portability - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 259
VoIP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 260
Prepaid - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 261
Location Based Services - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 261
5. WAP, Heterogeneous PCS, 3G..................................... 264

Lecture 5 ............................................................................................... 265
Wireless Application Protocol (WAP) ................................................. 266
WAP Model .......................................................................................... 267
WAP (first round) Summary ................................................................ 268
WAP 2.0 ............................................................................................... 269
WAP 2.0 new & enhanced services ..................................................... 270
Maguire 17 of 30
Heterogeneous PCS .............................................................................. 271
Similar Radio technologies + Same Network technology (SRSN) ...... 272
Different Radio technologies + Same Network technology ................. 273
Different Radio technologies + Different Network technology ........... 274
Tier Handoff ......................................................................................... 275
Registration for SRSN & DRSN .......................................................... 276
Registration for DRDN......................................................................... 277
Call delivery ......................................................................................... 278
User identity (identities) and MSs ........................................................ 279
Major forces driving heterogeneous PCS ............................................. 280
Internetworking scenarios..................................................................... 281
Paradigm shifts ..................................................................................... 282
Third Generation Mobile (3G).............................................................. 283
3rd Generation Partnership Project (3GPP).......................................... 284
3G(PP) Architecture ............................................................................ 285
3.5G or super 3G................................................................................... 286
High Speed Downlink Packet Access (HSDPA) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 286
High Speed Uplink Packet Access (HSUPA) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 286
Maguire 18 of 30
Third Generation Partnership Project 2 (3GPP2) ................................. 287
3GPP2 reference model ........................................................................ 288
3GPP2 abbreviations ............................................................................ 293
Mobile Station Application Execution Environment (MExE) ............. 295
MExE Classmark- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 295
Common Language Infrastructure for MExE devices: Classmark 4.... 296
Service discovery and management - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 296
CLI MExE Devices - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 297
3G Physical Layer................................................................................. 298
Gateway Location Register (GLR)....................................................... 299
3G QoS ................................................................................................. 300
UMTS Subscriber Identity Module (USIM)......................................... 301
Wireless Operating System for Handsets ............................................. 302
Mobile Virtual Network Operator (MVNO) ........................................ 303
IP Multimedia Subsystem (IMS) .......................................................... 304
Future IMS services.............................................................................. 305
IMS architecture ................................................................................... 306
G ......................................................................................................... 307
Maguire 19 of 30
4th generation?...................................................................................... 308
IEEE 802.21.......................................................................................... 309
4G in Asia ............................................................................................. 310
eMobility Platform ............................................................................... 311
Further reading...................................................................................... 312
WAP - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 312
Heterogeneous PCS - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 312
3G- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 313
6. Wireless Local Loop (WLL) and

Enterprise Networks ........................................................ 319
Lecture 6 ............................................................................................... 320
Wireless Local Loop (WLL) ................................................................ 321
Deployment issues ................................................................................ 322
WLL Technologies ............................................................................... 323
Enterprise Networks ............................................................................. 324
Cordless PBXs ...................................................................................... 325
Virtual enterprise networks................................................................... 326
Remoting the office to where the user is .............................................. 327
Maguire 20 of 30
corDECT............................................................................................... 328
Personal Handyphone (PHS) ................................................................ 329
PAS in China ........................................................................................ 330
Unified Communications...................................................................... 331
References............................................................................................. 332
7. Wireless LAN (WLAN)................................................. 333
Wireless Local Area Networks (WLANs)............................................ 334
Two possible network configurations................................................... 335
Terms .................................................................................................... 336
IEEE 802.11 Basic Access Method ...................................................... 337
Distribution Coordinating Function (DCF) .......................................... 338
IEEE 802.11 Frame Format.................................................................. 341
IEEE 802.11 Frame Control ................................................................ 342
Startup, then Join a network ................................................................. 343
Discovery Phase.................................................................................... 344
Authentication ...................................................................................... 345
Maguire 21 of 30
Wire Equivalent Privacy (WEP) ....................................................... 346
Handoff ................................................................................................. 347
Inter-Access Point Protocol (IAPP)...................................................... 348
Fast Handoff ......................................................................................... 349
Point Coordination Function (PCF)...................................................... 350
Spacing ................................................................................................. 351
Timing and Power Management........................................................... 352
WLAN AP performance ....................................................................... 353
AAA...................................................................................................... 354
IEEE Extensible Authentication Protocol - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 354
Roaming................................................................................................ 355
Clearinghouse - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 355
Interconnect Provider - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 355
Proxies .................................................................................................. 357
Lightweight Access Point Protocol (LWAPP) ..................................... 358
HiperLAN2 ........................................................................................... 359
802.11a and 802.11h............................................................................. 360
IEEE 802.11k........................................................................................ 361
Maguire 22 of 30
IEEE 802.11p........................................................................................ 362
Multihop ............................................................................................... 363
QDMA (quad-division multiple access)............................................... 364
Wireless Internet Service Providers (WISPs)....................................... 365
Further reading...................................................................................... 368
WISPs - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 368
IEEE 802.11 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 368
AAA - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 370
8. Bluetooth: Piconets, Scatternets................................... 372

Bluetooth .............................................................................................. 373
Bluetooth........................................................................................... 374
Bluetooth protocol stack ....................................................................... 375
Physical Layer ...................................................................................... 376
Transmit Power..................................................................................... 377
Masters vs. Slaves................................................................................. 378
Frequency Hop Sequence ..................................................................... 379
Time Division Multiplexing (TDM)..................................................... 380
Network Topology ............................................................................... 381
Maguire 23 of 30
Scatternets............................................................................................. 382
Voice + Data support ............................................................................ 383
Baseband............................................................................................... 384
Baseband Packet formats...................................................................... 385
Baseband Packet formats...................................................................... 386
Synchronization Word Algorithm ........................................................ 387
Security ................................................................................................. 388
Link Control Protocol (LCP) ................................................................ 389
Link Control states................................................................................ 390
Link Manager........................................................................................ 391
Host Controller Interface (HCI)............................................................ 392
HCI Transport Layer............................................................................. 393
Logical Link Control and Adaptation Protocol (L2CAP) .................... 394
L2CAP Signalling................................................................................. 395
L2CAP Command ................................................................................ 396
Configuring a Connection .................................................................... 397
Disconnecting and Timeouts ................................................................ 398
Maguire 24 of 30
For A to talk to B .................................................................................. 399
Service Discovery Protocol (SDP) ....................................................... 400
RFCOMM Protocol .............................................................................. 401
RFCOMM Frame Types....................................................................... 402
Telephony Control Signaling (TCS) Protocol ...................................... 403
Bluetooth Profiles ................................................................................. 404
Management ......................................................................................... 405
Low Power Modes................................................................................ 406
Bluetooth performance when faced with interference.......................... 407
Further reading...................................................................................... 408
9. Ultrawideband (UWB) .................................................. 409
Ultrawideband....................................................................................... 410
IEEE 802.15: Working Group for Wireless Personal Area Networks (WPAN)
411
Further reading...................................................................................... 412
UWB- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 412
Maguire 25 of 30
10. Broadband Wireless Access (BWA) .......................... 414
Broadband Wireless Access ................................................................. 415
IEEE 802.16.......................................................................................... 416
Data only? ........................................................................................... 417
IEEE 802.20 aka Mobile-Fi.................................................................. 418
All IP networks ..................................................................................... 419
Further reading...................................................................................... 420
BWA- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 420
11. Sensor Networks .......................................................... 422

Significance .......................................................................................... 423
Spectrum of Concerns........................................................................... 424
Patterns of Communication .................................................................. 425
Mediated Communication .................................................................... 426
Transformations.................................................................................... 427
Routing ................................................................................................. 428
Ad hoc routing ...................................................................................... 429
Patterns of Communication in time ...................................................... 430
Maguire 26 of 30
Internetworking..................................................................................... 431
DARPA/IPTO: BAA #99-16: Sensor Information Technology........... 433
Self-organizing sensor networks........................................................ 435
Sensor nodes must be reconfigurable................................................ 436
Low Energy Adaptive Clustering Hierarchy (LEACH) ....................... 437
Protocols to disseminate information ......................................... 438
Coordination vs. Centralization ............................................................ 439
Sensor fusion en route
(a form of in-net processing) ................................................................ 440
Data Aggregation.................................................................................. 441
Directed diffusion ................................................................................. 442
Tasks and Events .................................................................................. 443
How did the sensor know it was an elephant?...................................... 444
Caching of data ..................................................................................... 445
Design space for Diffusion ................................................................... 446
Metrics for evaluating directed diffusion ............................................. 447
Congestion ............................................................................................ 448
Maguire 27 of 30
Tiered architectures .............................................................................. 449
Localization .......................................................................................... 450
Mapping where sensors are .................................................................. 451
Synchronization ................................................................................... 452
Building upon localization and synchronization .................................. 453
Securing what you send ........................................................................ 454
Sensors.................................................................................................. 455
Smart dust: 1 cubic mm system ............................................................ 456
Berkeley Motes..................................................................................... 457
University of California, Berkeley - Motes .......................................... 458
Motes Routing ...................................................................................... 461
Millennial Net/...................................................................................... 462
vSpace................................................................................................... 463
Commercial sensor nodes ..................................................................... 464
Sensor nodes - low power VLSI design ............................................... 466
Rex Mins Myths .................................................................................. 467
SmartBadge .......................................................................................... 468
Maguire 28 of 30
Power .................................................................................................... 469
Dilemma ............................................................................................... 470
Sensor Modeling Language (SensorML).............................................. 471
IEEE 802.15: Working Group for Wireless Personal Area Networks (WPAN)
472
Ultrawideband....................................................................................... 473
Active networks .................................................................................... 474
Methods used in this area ..................................................................... 475
Conferences and workshops ................................................................. 476
References and Further Reading........................................................... 477
12. Misc. topics................................................................... 484
Space Data Corporation........................................................................ 485
MITs AI Lab: Project Oxygen............................................................. 486
Intelligent/Smart Spaces ....................................................................... 487
If WLANs are widely available............................................................ 488
Unlicensed Mobile Access (UMA) ..................................................... 489
Maguire 29 of 30
Near Field Communications ................................................................. 491
Future work........................................................................................... 492
Further reading...................................................................................... 494
Near Field Communications - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 494
Maguire 30 of 30
Architectures
1. Introduction
For use in conjunction with Wireless and Mobile Network
Architectures, by Yi-Bing Lin and Imrich Chlamtac, John
KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20
Maguire MWA-Lecture1.fm Total pages: 92

maguire@it.kth.se 2006.01.13
Welcome to the course!
The course should be fun.
We will dig deeper into Personal Communication Systems - with a focus on their
architectures, but we will also examine some of the protocols which are used.
Information about the course is available from the course web page:
http://www.imit.kth.se/courses/2G1330/
Note that the above URL will change - due to the reoganization of KTH to:
http://www.cos.ict.kth.se/education/msc/ccs/courses/2G1330/
Maguire Welcome to the course! Introduction 2 of 92

Staff Associated with the Course
Instructor (Kursansvarig)
prof. Gerald Q. Maguire Jr. <maguire at kth.se>

Administrative Assistant: recording of grades, registration, etc.
Irina Radulescu <irina.radulescu at wireless.kth.se>
Maguire Staff Associated with the Course Introduction 3 of 92

Goals, Scope and Method
Goals of the Course
To understand both what Personal Communication Systems are and
their basic architectures.
To be able to read and understand the literature.
To provide a basis for your own research and development in this area.
Scope and Method
We are going to examine a number of different systems to understand
both the details of the system(s) and to abstract from these details
some architectural features.
You will demonstrate your knowledge by writing a written report and
giving an oral presentation describing your project.
Maguire Goals, Scope and Method Introduction 4 of 92

Prerequisites
Internetwork (2G1305) or
Equivalent knowledge in Computer Communications (this requires
permission of the instructor)
Maguire Prerequisites Introduction 5 of 92

Contents
The focus of the course is on personal communication systems and their network
architecture. This spans the range from piconets to space probes, but the emphasis
will be primarily focus on the range from LEO satellites down to personal area
networks.
The course consists of 10 hours of lectures and a project of ~50 hours effort.
Maguire Contents Introduction 6 of 92

Topics
Personal Communication Systems (PCS): handoff, mobility, paging
Network Signaling
CDPD
GSM, GPRS, SMS, International Roaming,
Operation/Administration/Maintenance
Number portability, VoIP, Prepaid
WAP
Heterogeneous PCS
Wireless Local Loop (WLL), Enterprise Networks
Personal Area Networks (PANs), such as Bluetooth and Ultrawideband
(UWB)
Wireless Local Area Networks (WLANs)
Broadband Wireless Access (BWA)
Sensor Networks
Maguire Topics Introduction 7 of 92

Examination requirements
Written and Oral project reports
Grades: U, 3, 4, 5
Maguire Examination requirements Introduction 8 of 92

Project
Goals: to gain analytical or practical experience and to show that you have
mastered some knowledge in this area and to encourage you to find a topic which
interests you (since this will motivate you to really understand the material)
Can be done in a group of 1 to 3 students (formed by yourself).
Each student must contribute to the final written and oral reports.
Discuss your ideas about topics with the instructor before starting.
Maguire Project Introduction 9 of 92

Assignment Registration and Report
Registration: 3-Feb. 2006, to <maguire at kth.se> with subject: "2G1330 topic"
Group members, leader, and topic selected
Written report
The length of the final report should be 10 pages (roughly 5,000 words) for each student.
The report may be in the form of a collections of papers, with each paper suitable for
submission to a conference or journal
Contribution by each member of the group - must be clear (in the case where the report is a
collection of papers - the role of each member of the group can be explain in the overall
introduction to the papers.
The report should clearly describe: 1) what you have done; 2) who did what; if you have
done some implementation and measurements you should describe the methods and tools
used, along with the test or implementation results, and your analysis.
Final Report: written report due Monday 27 Feb. 2006 at 23:59 +
oral presentations: Friday 10 March 2006.
Send email with URL link for a PDF or PostScript file to <maguire at it.kth.se>
Late assignments will not be accepted (i.e., there is no guarantee that
they will be graded before the end of the term)
Note that it is permissible to start working well in advance of the deadlines!
Maguire Assignment Registration and Report Introduction 10 of 92
Literature
The course will mainly be based on the book: Wireless and Mobile Network
Architectures, by Yi-Bing Lin and Imrich Chlamtac, John Wiley & Sons, 2001,
ISBN 0-471-39492-0.
Although we will not focus on Mobile IP in the lectures (since an introduction was
given in the internetworking course), if you want to do a project which involves
mobility, the following two books are useful sources:
Charles E. Perkins, Mobile IP: Design Principles and Practices,
Addison-Wesley, 1998, ISDN 0-201-63469-4.
James D. Solomon, Mobile IP: the Internet Unplugged, Prentice Hall,
1998, ISBN 0-13-856246-6.
We will refer to other books, articles, and RFCs as necessary - see notes and web.
In addition, you will be searching & reading the literature in conjunction with your
projects. Please make sure that you properly reference your sources in your report.
Maguire Literature Introduction 11 of 92

Lecture Plan
1: Introduction
Course arrangement
Personal Communication Systems (PCS): handoff, mobility, paging (Chapters 1-4,22)
2: Network Signaling (Chapters 5-8); CDPD
3: GSM (Ch. 9,10,11), GPRS (Ch. 18), SMS (Ch. 12), International
Roaming (Ch. 13), Operation/Administration/Maintenance (Ch. 14)
4: Number portability (Ch. 15), VoIP (Ch. 16), Prepaid (Ch. 17)
5: WAP (Ch. 19), Heterogeneous PCS (Ch. 20), 3G(Ch. 21)
6: Wireless Local Loop (WLL) (Ch. 23), Enterprise Networks (Ch. 24)
7: Wireless Local Area Networks (WLANs)
8: Bluetooth: Piconets, Scatternets
9: Ultrawideband (UWB)
10: Broadband Wireless Access (BWA)
11: Sensor Networks
12: Misc. topics
Maguire Lecture Plan Introduction 12 of 92

Context of the course
Personal Communication Systems have been both increasing their number of
users and increasing the variety of personal communication systems. Some of
these system (such as GSM) have had growth rates of millions of new customers
each month!
Europe is in the process of introducing so-called third generation (3G) cellular
systems. In many countries the license fees alone are many thousand of euros per
potential customer.
There are discussions of future systems (which Theo Kanter calls G systems1).
There is even discussion of if there will be a 4th generation of cellular systems or
if we will see the end of generational architectures and systems.
1. Because 3 < < 4 and is an irrational number.
Maguire Context of the course Introduction 13 of 92

Chapters 1-4, and 22
Chapter 1: Introduction
Chapter 2: Mobility Management
Chapter 3: Handoff Management: Detection and Assignment
Chapter 4: Handoff Management: Radio Link Transfer
Chapter 22: Paging Systems
Maguire Chapters 1-4, and 22 Introduction 14 of 92

Internet Architecture
WLAN
MH FDDI
AP
R
H

R Token Ring
switch
switch
H R
R WAN

Ethernet LANs switch switch

R
R
IWU
MH Ad hoc
BTS BSC MSC MH
HLR/VLR

PAN
Cellular networks MH MH
Figure 1: Multiple network technologies - internetworked together
Maguire Internet Architecture Introduction 15 of 92

More complete Architecture
WLAN
MH FDDI
AP
R Token Ring
H

R switch
switch
H R
R WAN

switch IWU
PSTN
Ethernet LANs switch
R
R
IWU
Ad hoc
MH
BTS BSC MSC MH
HLR/VLR

PAN
Cellular networks MH
MH
Figure 2: Internet and PSTN

We will focus on the parts marked in red in the above figure, i.e.,
Cellular, WLAN, and PAN (and Ad hoc) networks.
Maguire More complete Architecture Introduction 16 of 92
Internetworking
Internetworking is
based on the interconnection (concatenation) of multiple networks
accommodates multiple underlying hardware technologies by providing
a way to interconnect heterogeneous networks and makes them
inter-operate.
Most of the systems discussed in the course textbook are interconnected to the
Public Switched Telephony System (PSTN) - thus there must generally be an
adaptation to fixed rate (64 kbps) voice coding. Increasingly these systems are
also interconnected to the Internet, hence packet based services are becoming an
increasingly important part of such systems. In the lectures we will discuss the
effects of these interconnections.
Maguire Internetworking Introduction 17 of 92

Personal Communication Systems (PCS)
The goals of PCS are to provide a mobile user with voice, data, and multimedia at
any place, at any time, and in any format.
Thus the system has to either provide universal coverage or it has to include
interworking with other communication systems. Thus far, attempts at
providing universal coverage by a globally standard system have failed (for
various technical, historic, economic, and political reasons).
The market has often been fragmented based on: wide area coverage (especially
for business users), enterprise (focused on in-building and on campus), and
homes (often equated with personal or free-time usage). However, this market
separation is increasingly converging rather than further diverging.
Traditionally, various PCS systems were connected to the Public Switched
Telephony System (PSTN) and driven by telephony standards (and at the rate of
change of telephony standards). Today, these systems are increasingly connected
to the internet and driven by the internet standards & change at internet speeds.
Maguire Personal Communication Systems (PCS) Introduction 18 of 92
High Tier and Low Tier Cellular, and Cordless
Generally the PCS market has been divided into these three classes:
System High Tier Cellular Low Tier Cellular Cordless

Cell size large (0.25-38km) medium (10-100m) small (10-20m)
User speed high ( 260 km/h) medium (100km/h) low (50km/h)
Handset complexity high low low
Handset power high (100-800mW) low (5-20mW) low (5-10mW)

consumption
Speech coding rate low (8-13kbps) high (32kbps) high (32kbps)
Delay or latency high (600ms) low (10 ms) low (10ms)
Costs high medium low (often flat rate)
Examples GSM, D-AMPS, PDC, CT2, DECT, PHS, PACS

cdmaOne,
Maguire High Tier and Low Tier Cellular, and Cordless Introduction 19 of 92
Cellular Telephony
Different means of defining channels:
Frequency Division Multiple Access (FDMA)
Advanced Mobile Phone Service (AMPS)
Time Division Multiple Access (TDMA)
D-AMPS, Global System for Mobile Communications (GSM)
Code Division Multiple Access (CDMA)
IS-95 (developed by Qualcomm), cdma2000, W-CDMA,
Maguire Cellular Telephony Introduction 20 of 92

Low Tier Cellular and Cordless Telephony
Cordless Telephony, second generation (CT2)
40 FDMA channels, within each 100kHz frequency channel the base stationuser
(downlink) and userbase station (uplink) channels are separated with time division
duplexing (TDD) (in every 2ms long frame there is 64bits of downlink user data followed by
64 bits of uplink user data).
Does not support handoffs, primarily supports out-going calls (incoming calls are hard as
there is no defined mobility database).
Digital Enhanced Cordless Telephony (DECT)
formerly: Digital European Cordless Telephony
utilizes a picocellular design using TDMA with 24 time slots (generally: 12 voice slots for
downlink and 12 voice slot for uplink, i.e., TDD) per frequency channel and 12 frequency
channels, automatic dynamic channel allocation based on signal strength measurements
a call can move from one time slot in one frequency channel to another time slot in another
channel - supporting seamless handoffs.
Personal Handy Phone System (PHS)
another TDMA TDD system also supporting dynamic channel allocation - it has been used
in Japan to for a public low tier cellular system.
Personal Access Communications System (PACS)
a TDMA system supporting both TDD and frequency division duplex (FDD); it utilized
mobile-controlled handoff (MCHO). It supports both circuit switched and packet switched
access protocols.
Maguire Low Tier Cellular and Cordless Telephony Introduction 21 of 92

Mobile Data
RAM Mobile Data (now Cingular Interactive, based on the swedish
Mobitex system)
Backbone behind Xpress Mail with BlackBerry, Interactive Messaging PLUS, and Wireless
Internet PLUS,
Coverage maps: http://www.mobitex.org/
Mobitex had greater national coverage1 90% of Swedens land and 99.5%
of the population, than even the analog 450Mhz cellular system, because the
swedish military used it.
Both public Mobitex systems (such as that formerly operated by Telia, now
by Multicom Security AB) and private systems (such as the one at Arlanda
Airport).
Advanced Radio Data Information System (ARDIS) {developed for
IBMs customer engineers offered indoor coverage} (now Motient)
Cellular Digital Packet Data (CDPD) {developed to provide data as an
overlay on analog cellular systems; based on Mobile IP}
Generally low rate systems 2.4 - 8 kbps
1. see http://www.mobitex.telia.com/taeckning.htm or http://www.multicomsecurity.se/Script/ShowPic.asp?FileID=396
Maguire Mobile Data Introduction 22 of 92

Paging
Within local paging areas or via satellite.
The key to paging devices high performance is that they sleep most of the time.
North America utilizes two way paging systems (i.e., the paging system can both
send and receive traffic).
Due to the lack of allocation for a return channel two way paging languished in
Europe.
Maguire Paging Introduction 23 of 92

Specialized Mobile Radio (SMR)
Taxis dispatching, fleet dispatching,
The basis for Nextel (http://www.nextel.com/) - using a handset built for them by
Motorola to operate over the wide variety of SMR channels which Nextel bought
(this is a case where the radio design came after the frequencies were
assembled).
Maguire Specialized Mobile Radio (SMR) Introduction 24 of 92

Satellite
Especially Low Earth Orbit Satellite (LEO)
numerous attempt to field systems - one problem is that most of the
time the satellites are over regions {primarily oceans} with few possible
customers. Also each satellite is only in range for ~10 minutes or so -
so there are frequent handoffs.
500 - 2000 km orbit
US DoD Enhanced Mobile Satellite Service (EMSS) {successor to
Iridium, features secure phones and US government secure voice
gateway}
The footprint (i.e., coverage area of a satellite transponder) for Mid-earth orbit
(MEO) and Geostationary (GEO) satellite - generally cover too large an area and
does so with very long delays (due to the distance of these satellites from the
earth). However, they are widely used for both their wide coverage area (for
example, for paging) and for one way services (often broadcast or spot coverage).
Maguire Satellite Introduction 25 of 92

Wideband systems
Wideband Code Division Multiple Access (W-CDMA)
With data rates in rural areas 1.44kbps, in cities 384kps, and indoors up to 2 Mbps
http://www.umtsworld.com/technology/overview.htm
Also known as (AKA) UMTS terrestrial radio access (UTRA)
cdma2000
AKA IS-2000 an evolution of cdmaOne/IS-95 to 3rd generation services
CDMA2000 1X, an average of 144 kbps packet data; 1XEV-DO up to 2 Mbits/sec.; 1XEV-DV
even higher peak rates - simultaneous voice and high speed data + improved QoS
TD-SCDMA - one of the chinese 3G standards
http://www.tdscdma-forum.org/nenglish/index.html
See also:
3rd Generation Partnership Project (3GPP) http://www.3gpp.org/
based on evolved GSM core networks and the radio access technologies
Third Generation Partnership Project 2 (3GPP2) http://www.3gpp2.org/
ITUs "IMT-2000" initiative:
high speed, broadband, and Internet Protocol (IP)-based mobile systems
featuring network-to-network interconnection, feature/service transparency, global roam-
ing and seamless services independent of location.
includes cdma2000 enhancements
Maguire Wideband systems Introduction 26 of 92

Local Metropolitan Area Networks (LMDS)
Point-to-point or Point-to-multipoint (generally wide band) links
some operators have more than 700MHz worth of bandwidth available
(in aggregate) in a given market (geographic) area
line-of-sight coverage over distances up to 3-5 kilometers
data rates from 10s of Mbps to 1Gbps or more
Ericssons MINI-LINK BAS up to 37 Mbit/s per sector
http://www.ericsson.com/transmission/wba/
Frequency bands between 24 to 31 GHz (licensed spectrum)
UK: 28 GHz band and 10 GHz band
Rest of Europe: 26 GHz band
US: 24 GHz used by Teligent and 39 GHz band licensed by Winstar (now part of IDT)
at least one experimental license in the US in 41.5 GHz to 43.5 GHz
Biggest problem is price of such high frequency components!
For further info see: http://www.lmdswireless.com/ and
http://www.networkcomputing.com/netdesign/1223wireless13.html
See also fixed Broadband Wireless Access (BWA) systems (i.e., Broadband
Wireless Access (BWA) on page 414)
Maguire Local Metropolitan Area Networks (LMDS) Introduction 27 of 92
Point-to-Point Optical links
Free-Space Optics (FSO)
using laser light sources it is possible to achieve very high speeds
(typically OC-3 (155Mbps), OC-12 (622Mbps), or 1.25Gbps; but some
systems operate at 2Gbps and 10GBps) for point-to-point links
uses Terahertz (THz) spectrum range
short ranges - typically below 2km
See also: http://www.freespaceoptics.org/
Maguire Point-to-Point Optical links Introduction 28 of 92

Frequency Hopping Spread Spectrum (FH-SS)
Direct Sequence Spread Spectrum (DS-SS)
Orthogonal Frequency Division Multiplexing (OFDM)
IR links
Most of the radios have either used the Instrumentation, Scientific, and Medical
(ISM) bands, National Information Infrastructure (NII) bands, or the HiperLAN
band.
Data rates have ranged from 100s of kbps to 54 Mbps.
See IEEE 802.11 (in its many variants) - some of the standards are available at
(those published more than 6 months ago are free):
http://standards.ieee.org/getieee802/
See Wireless LAN (WLAN) on page 333.
Maguire Wireless Local Area Networks (WLANs) Introduction 29 of 92

Short range radio
low speed wireless links (door locks, wireless sensors, RF ID tags, )
Personal Area Networks (PANs) - these have generally be relatively low data rate
systems, such as Bluetooth (1Mbps in aggregate).
See Bluetooth: Piconets, Scatternets on page 372
Near Field Communication (NFC) - typical range of centimeters (when operating

in the 13.56 MHz frequency range)
see http://www.nfc-forum.org/
Ultrawideband
US FCC gave regulatory approval 14 Feb. 2002
Intel demod transmitter and receiver at 100Mbps
Intel expects to be able to get 500Mbps at a few meters dropping to
10Mbps at 10m.
See Ultrawideband (UWB) on page 409.
Maguire Short range radio Introduction 30 of 92

Trend: Increasing Data Rates
GSM
14.4kbps per channel
High Speed Circuit Switched Data (HSCSD)
combining multiple GSM channels to achieve a higher aggregate rate
for a single user
GPRS
hundreds of kbps - by using the GSM time slots in a packet oriented
manner
Wireless LAN
802.11 Wireless LAN - 11Mbps .. 54 Mbps
802.15 Wireless Personal Area Network (WPAN) ~1Mbps
802.16 Metropolitan Area Networks - Fixed Broadband Wireless (10 ..
66 GHz) 10s to 100s of Mbps/channel and lower frequencies with more
limited bandwidth)
802.20 (aka Mobile-Fi) Mobile Broadband Wireless Access (MBWA) --
IP based
Maguire Trend: Increasing Data Rates Introduction 31 of 92
Basic Personal Communication System
(PCS) network architecture
Mobile Station
Cell Cell MS
Base Station
Base Station
Base Station Controller
Radio Network Mobile Switching Center
PSTN
Mobility
Database
Wireline Transport Network

Figure 3: Basic PCS network architecture
Maguire Basic Personal Communication System (PCS) network architecture Introduction 32 of 92

Example of a PCS Architecture
Mobile Station
PSTN
Cell
R
IWU
BS BSC MSC
HLR/VLR Cell

BS

Cellular network Mobile Station

Cordless
Figure 4: Cellular and Cordless networks
B(T)S = Base (Transceiver) Station, BSC = Base Station Controller,

MSC = Mobile Switching Center, Home Location Register (HLR)/Visitor
Location Register (VLR) provides a Mobility Database, and the PSTN provides
the wireline (backhaul) transport network.
Maguire Example of a PCS Architecture Introduction 33 of 92
PCS network architecture supporting Mobility
MS
Cell
MS
Cell
VLR
Mobile Switching Center Database
Radio Network2
VLR
PSTN
Mobile Switching Center Database HLR
Radio Network1 Database
Figure 5: Basic PCS network architecture
Maguire PCS network architecture supporting Mobility Introduction 34 of 92

Mobility Management
If mobile only originates traffic, then you dont have to know where the mobile
is to send traffic to it - but rather you only have to decide if you will give it service.
If a mobile is to receive traffic (without having originated traffic), then someone
must know where to send this traffic. This someone can be:
a server in the network (where the user is)
a server attached to the network (where the user is)
a server attached to another network (different from where the user
is right now - sometimes this is their home network)
We will examine mobility management with respect to the static decision of
where to send traffic, the dynamics of maintaining communication despite change
in access points (Handoff), and the use of paging (both in conjunction with
mobility management, as an alternative architecture, and as a component of other
architectures).
See also: 1.4 The Essential Challenge of Mobility Management [1]
Maguire Mobility Management Introduction 35 of 92

Mobility Management Protocols
Include:
Mobile IP
EIA/TIA Interim Standard 41 (IS-41 or ANSI-41)
Global System for Mobile Communications (GSM) Mobile Application
Part (MAP)
Maguire Mobility Management Protocols Introduction 36 of 92

Macro- vs. Micro-mobility
Macro-mobility == Inter-domain mobility
(a domain is {as usual} a single administrative entity)
Micro-mobility == Intra-domain mobility
In micro-mobility entities outside of the current domain can not (and need not) see
any changes when the mobile moves within the domain, while with
macro-mobility others can see when a mobile moves, even within a domain.
Maguire Macro- vs. Micro-mobility Introduction 37 of 92

Getting Service
Once a mobiles identity is know, the policy question is: Should this mobile get service?
The policy question and its answer may involve:
roaming agreements (generally reciprocal agreements),
current traffic loads,
anticipated traffic loads,
mobile users priority/class/ ,
.
The question of authentication, authorization, and accounting (AAA) for mobile

users are topics of a thesis: Juan Caballero Bayerri and Daniel Malmkvist,
Experimental Study of a Network Access Server for a public WLAN access
network, M.S. Thesis, KTH/IMIT, Jan. 2002.
See also IEEE 802.1x Port Based Network Access Control
http://www.ieee802.org/1/pages/802.1x.html
Maguire Getting Service Introduction 38 of 92

Locating the user
we can track the user continuously, or
we can start looking for the user where we last saw them and then
expand our search, or
we can guess where the user might be
based on their patterns of movement (past behavior)
their personal schedule (if they give us access to this information),
the user tells us where they are
based on a schedule the user can tell us where they are (e.g., every one minute tell the
system where you are now) or
the user can listen for something (for example a page) which causes them to check in or to
report their location
the user can tell their agent/intermediary where they are (i.e., we dont
actually know where they are), thus we contact them through their
agent whom we know how to contact.
Maguire Locating the user Introduction 39 of 92

Handoff Management: Detection &
Assignment
Who initiates handoff?
How do you detect that you should handoff?
Handover (Europe) handoff (North America)
Maguire Handoff Management: Detection & Assignment Introduction 40 of 92

Handoff/Handover/Automatic Link Transfer
Handoff is the process that occurs when a mobile is handed over from one
access point to another, i.e., the access point which the mobile is using changes.
This is generally one of several types:
soft handoff the mobile can communicate with both the old and the new APa
hard handoff the mobile can only communicate with one AP or the other
seamless handoff If neither the user nor running applications notice the handoff (i.e., there is no effect on content of data
streams coming arriving to or departing from the mobile)b (includes both smooth and fast handoffs)
glitchless handoff in this case the delays due to the handoff are hidden/eliminated from the data stream
smooth handoff buffering of traffic to the mobile when it is in the process of changing from one AP to another is
buffered and then delivered to the new APc
fast handoff only a short interruption time between disconnection at the old AP and connection to the new AP
vertical handoff when the new cell is larger than the current cell (i.e., microcell to macro cell)
horizontal handoff when the new cell is similar to the current cell (i.e., microcell to micro cell)
a. Generally I will refer to such devices as access points (APs), except when their being a Base Station is particularly important.
b. For seamless and glitchless handoffs see for example, work by R. Cceres and V.N. Padmanabhan.
c. See C. Perkins and K-Y. Wangs scheme for buffering with Mobile IP, requires per mobile buffering associated with the (former) access points.
Maguire Handoff/Handover/Automatic Link Transfer Introduction 41 of 92

Handoff Criteria
Signal quality - due to its effect on the ability to deliver data via the link
Data quality - the effect of errors on the delivered traffic
With respect to signal quality we can exploit knowledge of general radio signal
properties or we can exploit specific situation knowledge (based on our earlier
experience or the experience which other mobiles have reported and which we
have learned about).
A simplified view with respect to signal strength (reality is much more complex):
Mobile

Signal
Strength start looking for a new AP
(dB) time to switch
minimum threshold to stay with AP1
call terminated if handoff is not completed
AP1 AP2
Maguire Handoff Criteria Introduction 42 of 92

Handoff Goals
minimal impact on traffic - making a handoff at the right time
tolerance/adaption for congestion and capacity - the new and old cells
may have different levels of utilization, available bandwidth, - handoff
has to deal with this
efficiency - the handoff should result in improved efficiency (in terms of
traffic, energy consumption, reduced interference, ) the handoff
process itself should try to minimize the resources it consumes
improve availability - handoff should result in using an AP providing:
better bandwidth, lower cost, lower delay, low delay variance,
the mobile should be able to use the maximum set of APs (which may
involve changing spreading code, modulation, coding, or changing
to a different radio module) in order to achieve a better system optima,
rather than be restricted to a local single system optima
Maguire Handoff Goals Introduction 43 of 92

When to make the decision?
By starting to look for a new AP before you need it, there is time to make a
decision:
Signal TL start looking for a new AP

Strength
TH time to switch
AP1 AP2
Based on your current velocity you

might be able to estimate when you will
reach the 2nd threshold.
TL - Threshold for Looking around, TH - threshold for Handoff
Maguire When to make the decision? Introduction 44 of 92

Reality is more complex
The Mobile Station (MS) and the Base Station (BS) experience a channel which
varies - due to user movement, movement of other users, reflections, diffractions,
thus produces:
Rapid-fading
Rayleigh-distributed envelope of the signal strength (often called Multipath fading)
If there is also a light-of-sight component, then the distribution is Rician
Slower fading
Shadow fading - a lognormal distribution
Three common measurements of the channel:

Word Error Indicator (WEI) - based on the receiver being able to
decode the received signal correctly
Received Signal Strength Indication (RSSI) - a measure of the received
signal strength (in units of dB)
Quality Indicator (QI) - related to the signal to interference & noise ratio
(S/I) (in units of dB)
Maguire Reality is more complex Introduction 45 of 92

As the channel is varying in time and making the measurements takes time -
various techniques are used to filter the RSSI and QI measurements:
window averaging - simply average the last w measurements
leaky-bucket integration - a simple one-pole low-pass filter
Various schemes exist to try to combat channel problems:
diversity techniques (frequency hopping, multiple receivers, multiple
correlators with variable delay lines, multiple antennas, )
signal processing techniques (bit interleaving, convolutional coding,
equalizers, )
For further information about these techniques - see: [2] .. [6].
Maguire Reality is more complex Introduction 46 of 92

Who makes the handoff decision?
Network controlled handoff (NCHO) - the network makes the decision
used in CT-2 Plus and AMPS
Mobile assisted handoff (MAHO) - the mobile provides data which the
network uses to make the decision
used in GSM and IS-95 CDMA
Mobile controlled handoff (MCHO) - the mobile decides for itself
used in DECT, PACS, Mobile IP
forward handoff - mobile initiates handoff and sends the request to the new AP
backward handoff - mobile initiates handoff and sends the request to the old AP
Maguire Who makes the handoff decision? Introduction 47 of 92

Inter-BS Handoff (aka inter-cell handoff)
When both cells are connected to the same MSC the mobile node (MN) can signal that it is going to
change cells and identifies the new cell, then the MSC sets up the correct resources in the new cell, and can
now deliver traffic to the mobiles new cell. In telephony systems this often involves setting up a bridge
to copy traffic to both the new and the old channels.
Step 1 Step 2 Step 3 Step 4
AP2
AP2 AP2 MN
AP2 MS
MN
MN MN
AP1
AP1 AP1
A D D
B
A E A
Mobile Switching Center D
Signaling
C C
User traffic MSC MSC
MSC
Figure 6: Steps in handoff within the control of one MSC (not showing the BSC)
1. Mobile (MN) is using AP1, all traffic is going via a channel (A) between MSC (via BSC) and AP1; MN signals via AP2,
its intention for upcoming handoff (via B)
2. MSC creates a bridge (C) and traffic is now sent via both channels (A) and (D)
3. MN signals (via E) that it is ready to use channel D
4. MSC eliminates bridge C and frees channel A, the MN now uses only channel D.
Maguire Inter-BS Handoff (aka inter-cell handoff) Introduction 48 of 92

What happens if there are insufficient
resources at new AP?
Nonprioritized scheme (handoffs are treated the same as new calls)
handover is blocked - keep using the existing channel until either:
call is over or
link fails (or forced termination)
To reduce forced termination and improve call completion:
Reserved channel scheme - keep some resources available for
handovers (i.e., they under commit)
Queuing priority scheme - exploit cell over lap (called a handover
area if it exists) to enqueue mobiles waiting for handover
Subrating scheme - downgrade an existing call in the new cell and
split the resources with the call being handed over ( the call being
handed over is also downgraded). Downgrading often involves
changing from a full-rate to a half-rate CODEC.
Some operators base their decision on what to do on how valuable the handoff customer is vs. current customers being
served in the new cell, i.e., high value customers can cause existing calls of other customers to be terminated.
Maguire What happens if there are insufficient resources at new AP? Introduction 49 of 92
Inter-system Handoff (aka inter-MSC handoff)
When the two cells are connected to different MSCs the situation is more complex.
MS
Cell
MS
Cell
MSC2
Trunk
MSC1
Before PSTN
After
Figure 7: Handoffs between two MSCs
Maguire Inter-system Handoff (aka inter-MSC handoff) Introduction 50 of 92

What happens if the mobile moves gain?
Note that the call always goes via
the so-called Anchor MSC
(MSC1), because the phone
MSC1 MSC2 MSC1 MSC2 attached to the PSTN knows
nothing about mobility and the
originating exchange thinks the
call is still in existence (i.e., there
MS MS
was no termination and set up of
a. Forward handoff a new call to or from the fixed
b. Backward handoff phone).
Note: Without path minimization

MSC1 MSC2 MSC1 MSC2 the chain of trunks between
MSCs could continue to grow as
long as the call lasts and the
mobile keeps moving to new
MSC3 MSC3 MSCs. With voice calls, the call
MS MS duration is generally rather lim-
ited, but with data it could con-
tinue for a very long time we
c. Handoff to a third MSC c. Path minimization
will need to use another model
for dealing with data (addressed
later in the lectures).
Figure 8: Handoffs between multiple MSCs
Maguire What happens if the mobile moves gain? Introduction 51 of 92

Fast Mobile IPv4 handoff via Simultaneous
Bindings
The Simultaneous Binding option in Mobile IPv4 allows the Mobile Node to
establish a binding for the new AP with its home agent (before a handoff). The
Home Agent now duplicates all packets destined for the MN for the time of the
handoff and relays all data to both the old and the new APs. Thus the MN
performs the handoff by simply reconfiguring its interface -- which it can
generally do within a very short interruption time, i.e. often less than 10ms. When
the MN physically connects to the new network, it will find that the packets
destined for it are already arriving there!
Maguire Fast Mobile IPv4 handoff via Simultaneous Bindings Introduction 52 of 92

Fast handover timeline
Traditional Mobile IP: break before make
disconnect connect get new inform transmission receive
address home agent via new AP data
>300ms or more Interruption
Time
Enhanced Mobile IP: make before break
get new inform transmission disconnect connect receive
address home agent via new AP data
<10ms Interruption
Time
Figure 9: Fast handover timeline a
a. Figure adapted from http://www.ccrle.nec.de/Figure3.gif which is part of http://www.ccrle.nec.de/Handoff.htm - web page is no longer available,
but the Internet Archive has a copy of the text at: http://web.archive.org/web/20021121192850/http://www.ccrle.nec.de/Handoff.html
Maguire Fast handover timeline Introduction 53 of 92

Roaming
Roaming occurs when a user of one PCS is using the services of another PCS.
Roaming is generally based on roaming agreements between the
operators of the involved PCS systems; i.e., the users home operator
agrees to pay the other PCS operator(s) for carrying this mobile users
traffic.
Note: the agreement is generally about the user - not a specific device, thus a user is free to
change devices to access the new PCS network. This of course may complicate the
authentication, authorization, and accounting (AAA) processes.
As a side of effect of authenticating and authorizing the user to access
the new PCS, the home PCSs mobility database is updated to reflect
the fact that this user in located in the other PCS - thus traffic arriving
for this user can (should?) be forwarded/redirected to the users current
location. Clearly this raises both:
policy decisions: Should this specific traffic be redirected? Should all traffic be redirected?
Should this location be reported? ) and
accounting questions (Who pays for carrying the redirected traffic? Is there a base charge
for roaming? )
Maguire Roaming Introduction 54 of 92

User roaming
MS
Cell
MS
Cell
VLR
PCS2
VLR
PSTN
Mobile Switching Center Database HLR
PCS1 Database
Figure 10: Mobile roams from PCS1 to PCS2 (Neither is the home PCS)
When the mobile moves to PCS2 the local VLR is updated, the HLR is updated, and the former VLR is also updated.
Maguire User roaming Introduction 55 of 92

Roaming Management
Two parts:
registration (location update) - process whereby MS informs the
system of its current location
location tracking - the process of locating the user to deliver a call
EIA/TIA Interim Standard 41 (IS-41 or ANSI-41) and Global System for Mobile
Communications (GSM) Mobile Application Part (MAP) both define a two-level
strategy - which uses two tiers of databases:
home location register (HLR) - exists at the users home system
visitor location register (VLR) - a temporary record at the visited
system
Maguire Roaming Management Introduction 56 of 92

Roaming example
Gunvor (from Kiruna) has been visiting in Gteborg, now arrives in Stockholm
MS
MS
1 3
VLR
Mobile Switching Center Database VLR
PCS1
PCS2
Gteborg 4 Stockholm
PSTN 2
HLR
Database Kiruna
Figure 11: Mobile roams from PCS1 to PCS2
1. When the user (and her MS) arrives in Stockholm, her MS has to register with the VLR for PCS2.
2. PCS2s VLR informs the users in Kiruna HLR of the users current location (i.e. that the HLR should point to the VLR
in PCS2). The HLR sends the users profile to PCS2s VLR.
3. PCS2s VLR informs the mobile (MS) that is has successfully registered.
4. HLR informs PCS1s VLR to remove their entry for the user.
Maguire Roaming example Introduction 57 of 92

Of course it couldnt be this simple!
Discussion left out all the interactions within the PCS (i.e., details of channel
assignment & signaling within the cells, between the base station & base station
controller, and between the BSC & the MSC) -- it also left out all the interactions
with the PSTN. Section 2.3 Roaming Management under SS7 describes some
of the details of the later. To reduce the cost of registration one can utilize a
forwarding pointer scheme:
Move operation (registration) - when moving from VLR to VLR, enter a
forwarding pointer into the previous VLR, rather than notifying the HLR
Find operation (call delivery) - when a call comes to the home system,
walk the chain and then update the HLR.
Reducing the cost of deregistration:
implicit deregistration - only delete records from the VLR when you
need the space
periodic reregistration - MS periodically registers with the VLR, if no
reregistration within a timeout period, then their record is deleted
Maguire Of course it couldnt be this simple! Introduction 58 of 92
Call delivery
An originating Switching Point (SSP) (or alternatively a Signal Transfer Point
(STP)) maintains a cache of the Mobile Identification Number (MIN) and the
current VLR) - it examines this cache - there are three outcomes:
1 Cache entry not found do the lookup of MINs HLR via Global Title
Translation (GTT)
2 Cache entry exists and is current do a lookup in the VLR
3 Cache entry exists, but is obsolete do the lookup of MINs HLR via
Global Title Translation (GTT)
Determining that the cache entry is (probably) current is generally done with
heuristics.
Maguire Call delivery Introduction 59 of 92

CT2
Section 2.4 describes how CT2 as a call originating only system didnt need
location services, but that it could be extended via:
1 sending a page to a user and the user call in
2 calling into a meeting point - which patches the two (or more) callers
together
Maguire CT2 Introduction 60 of 92

Back to: Who makes the handoff decision?
Maguire Back to: Who makes the handoff decision? Introduction 61 of 92

Network controlled handoff (NCHO)
Network controlled handoff (HCHO) - the network makes the decision
BS monitors the signal strength and quality from the MS
Network uses multiple (current and surrounding) BSs to supervise the
quality of all current connections by making measurements of RSSI
MSC makes the decision when and where to effect the handoff
Heavy network signaling traffic and limited radio resources at BSs
prevent frequent measurements of neighboring links long handoff
times.
Handoff times: upto 10 seconds or more
Maguire Network controlled handoff (NCHO) Introduction 62 of 92

Mobile assisted handoff (MAHO)
Mobile assisted handoff (MAHO) - the mobile provides data which the network
uses to make the decision; essentially it is a variant of network controlled handoff
- but uses the mobile to help reduce the handoff times.
For example, in GSM the MS transmits measurements twice a second
GSM handoff execution time ~ 1 second
Note in both NCHO and MAHO - if the network cant tell the mobile about the
new channel/time slot/ to use before the link quality has decayed too far, then
the call may be terminated.
Maguire Mobile assisted handoff (MAHO) Introduction 63 of 92

Mobile controlled handoff (MCHO)
The mobile decides for itself (by monitoring signal strength and quality from the
current and candidate base stations), when it finds a better candidate it initiates
a handoff. In MCHO most of the work is done by the mobile (as it knows who it
can hear, how well it can hear them, and can even consider its battery level, etc.)
Two common handoffs:
automatic link transfer (ALT) - transfer between two base stations
time slot transfer (TST) - transfer between channels of a single BS
Maguire Mobile controlled handoff (MCHO) Introduction 64 of 92

Measurement
process
Yes Link quality No

Select new carrier Execute
acceptable? or channel ALT or TST
Figure 12: MS-quality maintenance processing
Different systems use different approaches to the measurement process. For

example, some DECT implementations can measures the RSSI of all channels
simultaneously. In other systems, the measurement of other channels is done when
the device is itself not transmitting or receiving.
Handoff times: DECT 100-500ms, PACS 20-50ms.
Maguire Mobile controlled handoff (MCHO) Introduction 65 of 92

Handover Failures
No available channel/link resources in the new BS
Insufficient resources as determined by the network (for example, no
available bridge, no suitable channel card {for example, none
supporting the voice CODEC in use or radio link coding}
It takes too long for the network to set up the new link
Target link fails during handoff
Maguire Handover Failures Introduction 66 of 92

Channel Assignment
Goals:
achieve high spectrum utilization
maintain a given service quality
use a simple algorithm
require a minimum number of database lookups
Unfortunately it is hard to do all of these at once!
If there is no available channel, then
new calls are blocked
existing calls that cant be handed over forced terminations
Maguire Channel Assignment Introduction 67 of 92

Channel Assignment Process
Fixed Channel Assignment (FCA)
Dynamic Channel Assignment (DCA)
Quasi-static autonomous frequency assignment (QSAFA)

Lots of schemes have been introduced to reduce the number of forced
terminations, at the cost of increased blocking or decreased efficiency:
Nonprioritized scheme (NPS) - handoff call treated the same as a
new call
Reserved Channel scheme (RCS)- reserves some resources for
handoffs
Queuing Priority scheme (QPS) - exploit the over lap (handoff area)
Subrating scheme (SRS) - switching CODECs of one or more calls to
free resources
Maguire Channel Assignment Process Introduction 68 of 92

Handoff Management: Radio Link Transfer
We will not cover the details of the radio link, but will examine some key ideas.
hard handoff mobile connects only to a single base station at a time
soft handoff mobile receives/transmits from/to multiple BSs simultaneously
In soft handoff, the network and perhaps the mobile have to figure out how to
combine the information from the multiple basestations (in the up and down links
respectively).
Link transfers:
1 Intracell
2 Intercell or inter-BS
3 Inter-BSC
4 Intersystem or inter-MSC
5 Intersystem between two PCS networks
Maguire Handoff Management: Radio Link Transfer Introduction 69 of 92

Intracell
MS
Cell
Inter-BS (intercell)
Inter-MSC
Inter-BSC
Base Station Controller Mobile Switching Center
Intersystem
Mobile Switching Center
Cell
PSTN
Mobile Switching Center
PCS2
Figure 13: Handoffs, mobile moves within PCS1 and then on to PCS2
Maguire Handoff Management: Radio Link Transfer Introduction 70 of 92

Handoff frequency
With a cellular voice call of 1 minute duration:
Type of handoff Probability

inter-BS 0.5
inter-BSC 0.1
inter-MSC 0.05
Maguire Handoff frequency Introduction 71 of 92

Soft handoff in multiple forms
Within one BSC With Two BSCs With Two MSCs Between systems
AP2 AP2 AP2 MN AP2

MN
MN
MN
AP1 AP1 AP1
AP1
MSC
BSC BS BS MSC MSC MSC
Figure 14: Soft handoffs
Some CDMA systems use very precise link level timing to enable the signals from
multiple BSs to arrive additively at the mobile - thus leading to a physically
stronger signal.
Soft handoffs between systems generally will require that the mobile be able to
receive multiple signals - which will use different codes, frequencies, .
Maguire Soft handoff in multiple forms Introduction 72 of 92

Paging
Originally a one-way personal altering/messaging system invented by Charles
Neergard in 1949 (annoyed when hospitalized by the voice paging over the public
address system).
A transmitter sends a stream of addresses and messages. Pagers listen for their
address (also called a cap code).
Cap Code beep (one of ~4 tones) when the pagers address is received by the pager
Tone voice 1970s, allows the sender to record and send a short voice message
Digital display early 1980s, a callback number (or code) entered by the sender, which appears on the pagers display
Alphanumeric late 1980s, display a text message
Maguire Paging Introduction 73 of 92

Pager
Receiver
(Transmitter) Decoder Control Logic
I/O
I/O can be a display, a beeper, keypad, audio input/output, vibrator, .

Control logic supports:
duplicate message detection
message locking (to keep message from being overwritten)
message freezing (to keep message on the screen)
altering modes (beep, vibrate, )
power management
Maguire Pager Introduction 74 of 92

Paging Architecture
User Operations
User Access Interface and Maintance
Terminal
Equipment Center
(Input Device) PSTN or Base
PSDN Paging
Terminal Station
Controller
PSDN Internetwork Base

connection Base
Base
Interface Station
Base
Station
to other Base
Station
Base
paging terminals Station
Station
Station
Pager or
Pager
Paging terminal has database of customers, cap code, pager number, types of
messages, ; converts voice message to text (for alphanumeric pagers); store in
mailbox for pager; forward to other paging terminals; send to relevant Base
Station Controller(s)
Maguire Paging Architecture Introduction 75 of 92
Paging Service area
Service areas: site, local area, region, national, international
If the user temporarily left the paging service area or if the signal could not reach
them, then they would miss it. Motorolas ReFLEX technology, a two-way paging
system, keeps transmitting a paging message until the users pager sends a
confirmation that it has been received.
Maguire Paging Service area Introduction 76 of 92

Introduction of paging systems
+cc xxxx exchange paging company Operator X
+cc pppp
1. page
Operator A Operator B
+cc eeee Exchange Exchange +cc ffff

... ...
3.
+cc eeee d123 +cc eeee d124 +cc ffff d123 +cc ffff d124
2. user moves to a phone User
1 pager
Upon a page (1), user moves to nearest phone (2), calls paging company (3),
company operator tells the user what telephone number to call - perhaps they
(also) convey a short message. The mobile user can be contacted and told by the
operator at the paging company to connect to the fixed telephone network. [i.e.,
make a temporary connection to the (voice) network.]
Alphanumeric paging systems
paging company Operator X
+cc xxxx exchange
+cc pppp
1. page

... ...
3.
message (perhaps with telephone# in it)
2. user moves to a phone
pager User1
Upon a page (1), user moves to nearest phone (2), calls a number based on the
content of the (page) message (3); or perhaps they just consume the short message
they received. The mobile user can be contacted and told by a message to connect
to a given number on the fixed telephone network.
Mobile telephone systems
Operator X
mobile telephone
+cc xxxx exchange company
SMR, NMT, GSM,
+cc mmmm

... ...
mobile call
+cc mmmm d125
pager User1
The mobile user is directly reached by the call through the mobile telephone
network.
SMR (Specialized Mobile Radio) is a non-cellular radio system.
NMT (Nordic Mobile Telephone), GSM (Groupe System Mobile), and PCS are cellular radio systems.

Mobile but not necessarily wireless
Operator X
mobile telephone +cc mmmm yyyy +cc eeee d123
+cc xxxx exchange company

+cc mmmm

... ...
User1 +cc mmmm yyyy (a personal phone number, e.g., +1 700 xxx xxxx, )
The mobile user is indirectly reached through the fixed telephone network.
The connection can be via the mobile company (hiding the actual location of the user) or
via redirect directly to the current location of the user.
Thus the mobile operator turns +cc mmmm yyyy into +cc eeee d123
[dynamic address translation].
Local mobility via wireless (or redirects)
Operator A radio Operator B

... ...
wired
+cc eeee d123 cordless +cc ffff d123 +cc ffff d124
wireless (DECT, PCS, )
+cc eeee d123
+cc eeee d123 User1 +cc eeee d123
The mobile user is reached by local redirection (which may utilize local wireless
links) of the call coming from the fixed telephone network.
The local exchange is playing the role of the mobile company (hiding the actual location of the user).
There are multiple instruments (terminals) and user is currently associated with a list of them
Could involve a non-local redirect
To the external world the user looks like they are always at +cc eeee d123, which
the local PBX maps into a specific extension (at the time of the call).

Two-way paging and messaging systems
Operator X paging or messaging
company
+cc xxxx exchange
+cc pppp
router
data network
router
... ...
+cc ffff d123

+cc eeee d124
+cc eeee d123 message +cc ffff d124
User1 pager or messager
Two-way paging or messaging allows exchange of digital messages.

Traditionally
the paging or messaging system was a separate data network, but GSMs
Short Message Service provides alphanumeric messaging via the GSM infrastructure.
The messaging device can also be a computer (PDA/notebook/)
Connection between the two users can be via the PSTN or a (public) data network

Paging Interworking
Telocator Alphanumeric Protocol (TAP), also known as IXO or PET,
defines a 7-bit alphanumeric text message to be sent to paging
receivers, with a block size of 256 characters and an effective message
length of 1,000 characters
Telocator Data Protocol (TDP) suite: a functional superset of TAP;
adopted 1995; Telocator Message Entry (TME) protocol - the input
protocol for TDP: two-way paging, priority paging, deferred paging,
periodic paging, message forwarding, and message deletion.
Telocator Network Paging Protocol (TNPP) used to create networks
of paging terminals from different manufacturers (overcomes the
proprietary protocols to/from paging terminals - such as Glenayre Link
Module, Spectrum Data Link Handler)
Software:
http://en.tldp.org/HOWTO/mini/Pager/
Maguire Paging Interworking Introduction 83 of 92

Paging - link level
Older format: British Post Office Code Standards Advisory Group
(POCSAG)
single operator, single frequency
maximum of 2 million users
two separate tones and then a burst of data; 576 bit preamble then multiple 544 bit batches
ETSIs European Radio Message System (ERMES)
35 bit radio identity code
effective transmission rate of 3750 bps
each hour is partitions into 60 cycles, each cycle partitioned into 5 subsequences, each
subsequence is partitioned into 16 batches
Philips Telecoms Advanced Paging Operations Code (APOC)
Motorolas FLEX (further described on next slide)
signals have only a single tone preceding the data burst.
Interestingly FLEX paging data is _not_ encrypted.
Motorolas Generation II FLEX
FLEX G1.9 protocol supports full roaming, time of day updates accurate to one hundredth of
a second, and dynamic group messaging
Motorolas FLEXsuite applications, such as over the air programming, encryption, and
compression utilize FLEX G1.9.
1600 and 3200 symbols-per-second
Maguire Paging - link level Introduction 84 of 92

Motorolas FLEX protocol 1
Supports upto five billion individual addresses and up to 600,000 numeric pagers
per channel. Channel can run at 1600 to 6400 bps as needed by operator.
FLEXion an advanced voice paging protocol
Motorolas Portable Answering Machine - can receive and store voice messages,
digitally compresses voice messages
system is aware of the general location of the recipients messaging unit, therefore sends
the message from the closest paging transmitter
ReFLEX a two-way messaging protocol
Motorolas Advanced Messaging Group has demonstrated the use of a ReFLEX two-way
pager to access Hyper Text Markup Language (HTML) content.
160 FLEX technology-based systems in commercial operation in 36 countries,
representing 93% of the worlds paging subscriber base.
1. As of February 2002, Motorola transferred all their paging subscriber device product lines to Multitone Electronics plc, Basingstoke, UK
http://www.multitone.com/ -- this page was based on information from: http://www.motorola.com/MIMS/MSPG/FLEX/protocol/solution.html this URL is no longer
valid
Maguire Motorolas FLEX protocol Introduction 85 of 92

Sleeping for power savings
A major aspect of the link level paging protocols is to enable the pager to spend
most of its time sleeping.
It does this by knowing when to listen for its address and in the case of Motorola
if as the address is being received more bits fail to match than the error correction
could possibly correct, then it goes to sleep immediately.
Some paging receivers dont even wake up the decoder unless the page may be for
this device (thus the different parts of the page may be awakened separately).
Maguire Sleeping for power savings Introduction 86 of 92

Mobile Telephone Systems Timeline (the first
two generations: analog + digital)
Year Standard System Technology Primary markets
1979 NTTs MCS-L1 First commercial mobile phone network Analogue Tokyo
1979 AMPSa Advanced Mobile Phone System Analogue US (pre-commercial)
1981 NMT 450 Nordic Mobile Telephone Europe, Middle East
1983 AMPS Advanced Mobile Phone System Analogue North and South America
1985 TACS Total Access Communication System Analogue Europe and China
1986 NMT 900 Nordic Mobile Telephony Analogue Europe, Middle East
1991 GSM Global System for Mobile communication Digital World-wide
1992 GSM 1800 Global System For Mobile Communication Digital Europe
1993 CdmaOne(IS95) Code division multiple access Digital North America, Korea (1995)
1994 D-AMPS(IS94) Time Division Multiple Access Digital North and South America
1994 PDC Personal Digital Cellular Digital Japan
1995 PCS 1900 Personal Communication Services Digital North America
2001 WCDMA Wideband CDMA Digital Europe, Japan
2001 EDGE Enhanced Datarate for Global Evolution Digital Europe
2002 CDMA2000 CDMA2000 1xEV-DO. Digital Korea
a. April 3rd 1973 Motorola vice presidents Marty Cooper and John Mitchell made the first public demonstration of a call from a handheld wireless phone.
For more details see http://www.umtsworld.com/umts/history.htm
Maguire Mobile Telephone Systems Timeline (the first two generations: analog + digital) Introduction 87 of 92
References and Further Reading
Course book
[1] Yi-Bing Lin and Imrich Chlamtac, Wireless and Mobile Network
Architectures, John Wiley & Sons, 2001, ISBN 0-471-39492-0.
See the summary in section 2.5 (and in each chapter) for more pointers to additional
reading. Carefully note that some of the things which the authors have covered in ch. 2 are
simply their proposals and not (yet) implemented; but their ideas are worth understanding.
Further details concerning physical and link layer wireless communication
[2] David J. Goodman, Wireless Personal Communication Systems,

Addison-Wesley, 1997, ISBN 0-201-63470-8.
Great coverage about the link layer details and general architectures of AMPS, IS-41, North
American TDMA and CDMA, and GSM. Only very brief coverage of CT2, DECT, PHS, and
PACS. This is an extremely well written book.
[3] William C.Y. Lee, Mobile Cellular Telecommunications: Analog and Digital
Systems, Second Edition, 1995, ISBN 0-07-038089-9
all the usual radio topics
[4] Theodore S. Rappaport, Wireless Communications: Principles and Practice,
Maguire References and Further Reading Introduction 88 of 92

2nd edition, Prentice-Hall, 2002, 736 pages, ISBN: 0-13-042232-0.
[5] Ellen Kayata Wesel, Wireless Multimedia Communications: Networking
Video, Voice, and Data, Addison-Wesley, 1998, ISBN 0-201-63394-9.
[6] K. Pahlavan and P. Krishnamurthy, Principles of Wireless Networks,
Prentice Hall PTR, 2002, ISBN 0-13-093003-2.
CDPD
[7] Mark S. Taylor, William Waung, and Moshen Banan, Internetwork Mobility:
The CDPD Approach, Prentice-Hall, Upper Saddle River, NJ, 1997. ISBN
0-13-209693-5.
LEO
[8] Christopher Redding, Overview of LEO Overview of LEO Satellite

Systems, Institute for Telecommunication Sciences National
Telecommunications and Information Administration, Boulder, CO - lecture
slides from 1999 International Symposium on Advanced Radio
Technologies: http://www.its.bldrdoc.gov/meetings/art/art99/slides99/red/red_s.pdf

Fixed Broadband wireless
[9] IEEE 802.16c, Air Interface for Fixed Broadband Wireless Access
Systems - Detailed System Profiles for 10-66 GHz,
http://standards.ieee.org/announcements/80216capp.html
User profiles
[10] Sudeep Kumar Palat, Replication of User Mobility Profiles for Location
Management in Mobile Networks, Norwegian University of Science and
Technology, Dr. Ing. Dissertation, Dept. of Telematics, 12 Jan. 1998.
Mobile IP
[11] C. Perkins, IP Mobility Support, IETF RFC 2002, October 1996.

[12] C. Perkins, Ed., IP Mobility Support for IPv4, RFC 3344, Aug. 2002, note:
this obsoletes RFC 3220 and RFC2002.
[13] D.Johnson,C.Perkins,andJ.Arkko,MobilitySupportinIPv6,RFC3775
June 2004. http://www.ietf.org/rfc/rfc3775.txt

Fast handoff
[14] Karim El Malki (Editor), Low Latency Handoffs in Mobile IPv4, Internet
draft, draft-ietf-mobileip-lowlatency-handoffs-v4-08.txt, June 2004, work in
progress. http://www.ietf.org/internet-drafts/draft-ietf-mobileip-lowlatency-handoffs-v4-09.txt
Micromobility: Cellular IP, HAWAII, Hierarchical Mobile IP
[15] http://comet.ctr.columbia.edu/micromobility/
[16] E. Gustafsson, A. Jonsson, and C. Perkins, Mobile IPv4 Regional

Registration, Internet draft, draft-ietf-mobileip-reg-tunnel-08.txt, 22
November 2003, work in progress. {Expired}
Comparison of IP Mobility protocols
[17] P. Reinbold and O. Bonaventure. A Comparison of IP Mobility Protocol.

Technical Report Infonet-TR-2001-07, University of Namur, Infonet Group,
June 2001. http://citeseer.nj.nec.com/455628.html - formerly available
as http://www.infonet.fundp.ac.be/doc/tr/Infonet-TR-2001-07.html

TeleMIP
[18] Subir Das, et al. TeleMIP: Telecommunication-Enhanced Mobile IP

Architecture for Fast Intradomain Mobility. IEEE Personal
Communications, 7(4):50--58, August 2000.
Intersystem Handoff
[19] Janise McNair, Ian F. Akyildiz, and Michael D. Bender, An

Inter-System Handoff Technique for the IMT-2000 System, Proceedings of
IEEE INFOCOM Conference, March 2000, pp.208-216.

Architectures
2. Network Signaling and CDPD

KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20

Network Signaling (Chapters 5-8)
Interconnection between a PCS Network (PCN) and a PSTN for:
mobility management - tracking the location of mobile users
call control - setting up the call path between a mobile users and the
other call party
interconnection interfaces - the interconnections themselves
message routing - information exchange
Mobile Identification Number (MIN) -- the main means of identifying a MS
Universal Personal Telecommunication (UPT) number - a number associated
with a mobile subscriber.
Maguire Network Signaling (Chapters 5-8) Network Signaling and CDPD 94 of 131
Transaction Capabilities Application Part
(TCAP)
For exchanging information which is not circuit related.
More than 50 TCAP operations in IS-41 (just) for:
inter-MSC handoff
automatic roaming
operation, administration, and maintenance (OAM)
A TCAP message has two parts: transaction and component
transaction QueryWithPermission, Response, ConversationWithPermssion,

and Unidirectional (pass info in one direction)
component INVOKE, RETURN RESULT (Last), RETURN ERROR, or REJECT
Each TCAP transaction has a timeout associated with it and uses connectionless
transport.
Maguire Transaction Capabilities Application Part (TCAP) Network Signaling and CDPD 95 of 131
TCAP message flow for a MS registration
PCS1 PSTN PCS2
STP1 STP2 STP3 STP4
VLR1
MSC1 Database HLR VLR2
Database MSC2
Database
RegistrationNotification (INVOKE)
RegistrationNotification (INVOKE)
T2
RegistrationNotification (RETURN RESULT)
T1
T3 RegistrationCancellation (INVOKE)
RegistrationNotification (RETURN RESULT
RegistrationCancellation (RETURN RESULT)
RegistrationCancellation (INVOKE)
T4
RegistrationCancellation (RETURN RESULT)
QualificationRequest (INVOKE)
T5
QualificationRequest (RETURN RESULT)
ServiceProfileRequest (INVOKE)
T6
ServiceProfileRequest (RETURN RESULT)
Figure 15: Mobile roams from PCS1 to PCS2
Maguire Transaction Capabilities Application Part (TCAP) Network Signaling and CDPD 96 of 131
Transaction 2 (T2) - additional details
Signal Transfer Point3 (STP3) does a table lookup, i.e., Global Title Translation
(GTT) of the MIN to identify the appropriate HLRs address, then the TCAP
message is forwarded from STP3 to STP2 where the HLR is.
GTT is needed because non-geographic numbering is assumed {we will return to
this later; See Number portability, VoIP, Prepaid, Location Based Services on
page 220.}.
Maguire Transaction 2 (T2) - additional details Network Signaling and CDPD 97 of 131
Automatic Code Gapping (ACG)
Can use Automatic Code Gapping (ACG) to reduce the rate at which
a network entity such as a MSC sends service request messages to a
service control function.
ACG can be applied automatically when an overload occurs or applied
manually for system management.
ACG can be applied to query messages destined for a specific Point
Code and Subsystem Number or for an SCCP Global Title.
3rd Generation Partnership Project 2 (3GPP2), Automatic Code Gapping (Stage
1), 3GPP2 S.R0016, Version 1.0.0, Version Date: December 13, 1999
http://www.3gpp2.org/Public_html/specs/S.R0016_v1.pdf
Purpose: Without automatic code capping you might over run the network entitys capacity for processing
messages, otherwise messages might be lost - then due to the timeouts associated with each transaction,
lost messages would cause retries -- further increasing the number of messages!
Maguire Automatic Code Gapping (ACG) Network Signaling and CDPD 98 of 131
TIA TSB-51: Authentication, Signaling
Message Encryption, and Voice Privacy
supports authentication over multiple air interfaces (AMPS,TDMA, &
CDMA) -- GSM authentication is excluded, because the GSM
authentication process has been defined in the GSM standards
provides a method of pre-call validation of (MS) that does not require
user intervention
uses Global Challenge procedures at registration, call origination, call
termination, and at any time using Unique Challenge procedures
without-sharing (WS) scheme: shared secret data (SSD) known only
to Authentication Center (AuC) and MS
sharing (S) scheme: the SSD or some aspect of it is shared with visited
system
SSD based on Authentication Key (A-Key) - never transmitted over the
air
Also includes procedures for generation and distribution of SSD
Maguire TIA TSB-51: Authentication, Signaling Message Encryption, and Voice PrivacyNetwork Signaling and CDPD
MIN and ESN
Mobile Identification Number (MIN) - a North American Numbering Plan
(NANP) number which is the phone number of a mobile phone
Electronic Serial Number (ESN) - a 32 bit serial number programmed into the
phone at manufacture (top 8 bits identify the manufacturer)
In AMPS the MIN and ESP are transmitted in the clear over the air - so it is easy
to listen for them and then program another phone with the same values clone
This lead to hundreds of millions of dollars of fraud TSB-51
Maguire MIN and ESN Network Signaling and CDPD 100 of 131
Without-Sharing Scheme
PCS2 LAn
PCS1
AuC HLR VLR2 BS MH
Database MSC2
Database Database
LA info
registration request
RAND
AUTHR, ESN, MIN, RANDC, COUNT
AuthenticationRequest (INVOKE)
AuthenticationRequest (INVOKE) RAND = a random number
AUTHR = Authentication Result
AuthenticationRequest (INVOKE) RANDC = top 8 bits of random number
AuC verifies
AUTHR & COUNT
COUNT+=1
AuthenticationRequest (RETURN RESULT)
Figure 16: Mobile moves into a new Location Area (LA) at PCS2
If authentication fails, then the result is RETURN ERROR.
Maguire Without-Sharing Scheme Network Signaling and CDPD 101 of 131

Without-Sharing Call Origination
PCS1 PCS2 LAn
AuC HLR VLR2 BS MS
Database MSC2
Database Database computes
VPMASK
SMEKEY
MS originates call
AuC verifies AUTHR
generates VPMASK, SMEKEY

Figure 17: Mobile places a call in PCS2
Because of shared secret data (SSD) the AuC can generate the same Voice
Privacy Mask (VPMASK) and Signaling Message Encryption Key (SMEKEY) as
the mobile and passes this information to the operator of PSC2
Maguire Without-Sharing Call Origination Network Signaling and CDPD 102 of 131
Sharing Scheme
Old VLR PCS2 LAn
PCS1
AuC HLR VLR3 VLR2 MH
Database MSC2 BS
Database Database Database
LA info
registration request
RAND
AuC verifies
AUTHR
CountRequest (INVOKE)
CountRequest (INVOKE)
CountRequest (RETURN RESULT)
CountRequest (RETURN RESULT)
AuC verifies
COUNT

Figure 18: Mobile moves into a new Location Area (LA) at PCS2 registration using Sharing scheme
Because the SSD was shared with the prior VLR3, we need its value of COUNT.
Maguire Sharing Scheme Network Signaling and CDPD 103 of 131

Sharing Call Origination
PCS2 LAn
VLR2 BS MS
Database MSC2
computes
VPMASK
SMEKEY
MS originates call
AuC verifies AUTHR, COUNT

generates VPMASK, SMEKEY
Figure 19: Mobile places a call in PCS2 using sharing scheme
Note that because the visited system shares the SSD, it no longer has to contact the
home PCSs AuC to generate the VPMASK and SMEKEY
Maguire Sharing Call Origination Network Signaling and CDPD 104 of 131
When should you use Without-Sharing vs.
Sharing
Use Without-Sharing when number of registration operations greater than the
number of call origination/termination.
Can use an adaptive algorithm:
based on statistics move between Without-Sharing and Sharing
schemes
once you make a call, then use Sharing scheme; but if you move
without making a call, then revert back to Without-Sharing scheme
Maguire When should you use Without-Sharing vs. Sharing Network Signaling and CDPD 105 of 131
Cellular Authentication and Voice Encryption
(CAVE) Algorithm
IS-54B - TDMA standard - includes CAVE algorithm
Computes Authentication Result (AUTHR) using SSD, ESN, MIN, a random
number (RAND). RAND is typically updated in the system every 20 minutes and
SSD is updated for each mobile every 7 to 10 days [22].
3 of the 4 IS-54 algorithms have been broken:
David Wagner (then a University of California at Berkeley graduate student, now faculty
member) and Bruce Schneier1 & John Kelsey (both of Counterpane Systems) announced
that they had broken the Cellular Message Encryption Algorithm (CMEA)[24] which is
used to protect the control channel (for example, dialed digits, alphanumeric pages).
D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and B. Schneier, Cryptanalysis of
ORYX[25] - shows that the stream cipher used to protect data is breakable with a plain text
attack.
voice privacy depends on a XOR against a generated string - which is generally rather easy
to break (as the string is not equal to the message length)
1. Author of the popular book Applied Cryptography.
Maguire Cellular Authentication and Voice Encryption (CAVE) Algorithm Network Signaling and CDPD 106 of
PACS Network Signalling
Personal Access Communications Systems (PACS) supports:
basic call control
roaming
handoff management
Does not use MSCs or HLR/VLR, but uses Advanced Intelligent Network (AIN)
protocol with an Access Manager (AM), AIN switch, and AIN Service Control
Point (SCP).
Maguire PACS Network Signalling Network Signaling and CDPD 107 of 131
PACS Architecture
SCP = Service Control Point AIN SCP
STP = Signal Transfer Point AM
HLR
VLR
radio port control unit (RPCU) AIN
SS7 PSTN
AIN STP
AIN trunk
switch
ISDN
radio port (RP) AM
interface P
ISDN AM
interface A
MS
portable
fixed access unit
Figure 20: PACS Architecture
Maguire PACS Architecture Network Signaling and CDPD 108 of 131

Access Manager (AM)
The access manager in the radio port control unit (RPCU), it provides:
radio control managing the RPs, trunk provisioning, RP to RP link transfers
non-radio service control call control (managing the B channels), switching, routing
The RPCU has to deal with inter-RPCU handoff (similar to inter-BSC handoff)
and inter-radio port (inter-RP) handoff.
Note: an AM is also located in the AIN SCP; the two interact with the ISDN/AIN
Switch providing tunneling/de-tunneling (i.e., encapsulation) of the ISDN
REGISTER messages over AIN.
Pg. 125 notes that the RPCUs could be connected via an IP network to the VLR,
thus by passing the AIN/ISDN Switch (SSP) for all non-call associated (NCA)
signalling.
Maguire Access Manager (AM) Network Signaling and CDPD 109 of 131
AIN/ISDN Switch
Note: The textbook often refers to this as the AIN Service Switching Point (SSP).
Uses:
SS7 ISUP to set up trunk and for inter-system handoff
SS7 TCAP to support mobility management and transport AIN
messages between switch and SCP; the AIN messages are basically
remote procedure calls (RPC) calls to the SCP
ISDN for:
call control {standard ISDN},
automatic link transfer (ALT) {FACILITY message for handoff}, and
non-call associated (NCA) signalling {for example, communication between RPCU and VLR
for registration and authentication - REGISTER message - which is encapsulated in an AIN
NCA-Data message}
Also provides:
Automatic Code Gaping (for traffic load control)
Automatic Message Accounting (for access charging)
Maguire AIN/ISDN Switch Network Signaling and CDPD 110 of 131

AIN Service Control Point (SCP)
Provides service logic, databases, and operations to support:
Home Location Register (HLR)
Visitor Location Register (VLR)
Access Manager (AM)
Authentication Center (AuC)
Communicates with:
the switch via AIN TCAP
external PCS databases via IS-41 protocol
Maguire AIN Service Control Point (SCP) Network Signaling and CDPD 111 of 131
PACS Intersystem Handoff
PACS Intersystem Handoff/automatic link transfer (ALT) follows IS-41 anchor
switch approach.
Maguire PACS Intersystem Handoff Network Signaling and CDPD 112 of 131
3 alternative inter-RPCU handoff methods
(Switch Loopback, Direct Connection, Three-way Calling Connection):
a. Before ALT b. After ALT (Switch Loopback) c. After ALT (Direct Connect)
Switch Switch Switch

old new old new old new
RPCU RPCU RPCU RPCU RPCU RPCU
d.During ALT e. After ALT Note: (d) illustrates that the switch
(Three-Way Calling Connections) (Three-Way Calling Connections) is doing bridging, but the traffic is
not using any radio capacity in the
new cell - until the mobile arrives
Switch Switch
old new old new
RPCU RPCU RPCU RPCU
Maguire3 alternative inter-RPCU handoff methods (Switch Loopback, Direct Connection, Three-way Calling Connection): Net-
CDPD
In 1992, AT&T Wireless Services developed the cellular digital packet data
(CDPD) protocol, a data-only protocol that (re-)uses the AMPS or IS-136
network. Packets (typically ~1.5 kilobytes) use vacant cellular channels - either an
assigned channel or between calls.
CDPD does not communicate with the underlying network; but does utilize
knowledge of this networks channel assignment algorithms to predict when
channels will be available for CDPDs use.
Mobile Data Base Stations - do channel sniffing to find idle channels
It is essentially an implementation of Mobile*IP [28] .. [30].
Maguire CDPD Network Signaling and CDPD 114 of 131

Motivation for CDPD
Most traditional cellular systems (such as AMPS) are unsuited for
packet data
Long call setup times - many seconds (vs. CDPD with from under 1 to 4 seconds)
Modem handshaking required - this modem training can often take more time than the data
transfer time!
Analog providers already have AMPS frequency allocation
Re-use AMPS channels to provide data service.
Must not interfere with existing analog service (viewed as operators bread and butter)
no new spectrum license needed - but you get to make more money with the spectrum you
already have (IFF you can share the spectrum wisely)
Goals
low speed data: Paging, short message, e-mail, (achieve 10-12kbps)
broadcast and multicast (for example, for fleet management)
always on-line packet data service
transparent to existing AMPS service, but shares spectrum with it
Maguire Motivation for CDPD Network Signaling and CDPD 115 of 131
CDPD network architecture
Mobile End System (M-ES), Mobile Data Basestation (MDBS),
Mobile Data -Intermediate System (MD-IS)
Internet
MD-IS
MD-IS
PSDN
M-ES
MDBS
AMPS BS
AMPS PSTN
MSC
Maguire CDPD network architecture Network Signaling and CDPD 116 of 131
CDPD Entities
Mobile End System (M-ES)
Subscriber unit - interfaces with the radio at 19.2 kbps
Subscriber Identity Module (SIM) - used to identify subscriber
Mobile Application Subsystem - actually provides the functionality
(could be a PDA, Laptop, embedded processor, )
Mobile Data Base Station (MDBS)
controls the radio: radio channel allocation, channel usage,
one modem/transceiver per radio channel pair (up & down link)
generally co-located with the AMPS basestations (so they can share
antenna, site, )
Mobile Data-Intermediate System (MD-IS)
frame relay switch + packet router
buffers packets destined to M-ES it knows about (== with TEI assigned)
supports user mobility by a mobile location protocol
Maguire CDPD Entities Network Signaling and CDPD 117 of 131
other entities
Fixed End System (F-ES) - hosts
External F-ESs traditional non-CDPD host(s)
Internal F-ESs hosts within the boundaries of the CDPD network; they have access to additional internal
network data (usage accounting information, mobile location information, subscriber
authentication information,
Accounting Server collection and distribution of usage accounting data (each

(AS) MD-IS periodically sends its usage information to the AS)
Authentication Server supports the authentication function in CDPD; may or may

not be a part of the MD-IS
Directory Server supports directory services within the CDPD network (could
support DNS and/or X.500)
Network includes configuration management, fault management, per-

Management System formance management and other functions
Maguire other entities Network Signaling and CDPD 118 of 131

Limits
No direct Mobile End System (M-ES) to M-ES communication
radius of a CDPD cell is limited to <10 miles (i.e. < 17km)
each M-ES can only send two packets back to back - to avoid hogging
the channel
Maguire Limits Network Signaling and CDPD 119 of 131

Handoffs
Mobile Data Base Station (MDBS) broadcasts a list of available channels
When M-ES finds link quality has dropped below a threshold, it checks the
channels from the MDBSs that it can hear; if there is a better channel it initiates a
link transfer - by switching to the new channel and registering with the new MDBS
MD-IS maintains a registration directory
contains a list of Temporary Equipment Identifiers (TEI)
associated with each TEI is a element inactivity timer (T203)
associated with each radio channel stream is a TEI notification timer
(T204) - when this timer goes off MD-IS broadcasts a list of TEIs with
data buffered for them {mobiles with nothing to send can sleep until the
next TEI notification frame}
when a mobile wakes up and hears that there is data for it, it sends a
Receiver Ready (RR) frame
Maguire Handoffs Network Signaling and CDPD 120 of 131

Connectionless Network Services (CLNS)
CDPD supports both:
ISO connectionless network protocol
IP
Maguire Connectionless Network Services (CLNS) Network Signaling and CDPD 121 of 131
Roaming Management
Each M-ES has a unique Network Equipment Identifier (NEI) which is
associated with a home MD-IS (Mobile Home serving Function (MHF)
{analogous to a Mobile IP Home Agent}.
Home MD-IS keeps location directory of the MD-IS currently serving each of its
mobiles (note that the routing is to the current MD-IS, not to the M-ES itself)
Each MD-IS keeps a registration directory listing currently visiting mobile
(Mobile Serving Function (MSF)) {analogous to a Mobile IP Foreign Agent}
When a M-ES moves, the home MD-IS explicitly cancels the registration at the
former MD-IS.
Packet routing is handled just as in Mobile IP.
Maguire Roaming Management Network Signaling and CDPD 122 of 131

Multicast
CDPD has explicit provisions for Multicast and enables mobiles to register for a
multicast NEI - this must include a Group Member Identifier (GMID) which is
unique with in the group
Details at: http://www.leapforum.org/published/internetworkMobility/split/node75.html
Maguire Multicast Network Signaling and CDPD 123 of 131

CDPD usage
Very popular for vending machines
Public safety agencies, Law enforcement,
because police officers rarely roam outside their well-defined geographic patrol areas1
Handheld/laptop IP access
Price Plans: was from $14.95 per month for 250 kilobytes to $39.95 monthly for
unlimited usage with a two-year commitment
Of course if you are vending machine you dont buy an unlimited plan, but
perhaps if you are vending machine operator you do.
1. Formerly available from http://www.proberesearch.com/alerts/2002/wlsdata.htm Available from the

Internet Archive as http://web.archive.org/web/20030216141656/http://www.proberesearch.com/alerts/2002/wlsdata.htm
Maguire CDPD usage Network Signaling and CDPD 124 of 131

CDPD phaseout
By 2002 GPRS (see page 190) has displaced CDPD. With >85% of US
subscribers using digital phones the AMPS analog networks have decreasing
importance and US FCC will allow carriers to phase out their analog networks.
In March 2002, Verizon Wireless announced rate plans for the service based on
data transmission volume as part of their rollout of next-generation wireless
networks. CDMA 1X (code division multiple access) Express Network pricing:
$35 a Month for 10 MB
$55 per month for 20 MB, and
fees available for up to 150 MB of data
$99 a month for unlimited service
data transmission speeds of up to 144 kilobits per second (kbps), with
an average transmission rate of 40 to 69 kbps.
Note: Many network operators are no longer supporting CDPD and are turning off
service - driven by the lack of an analog network to overlay.
Maguire CDPD phaseout Network Signaling and CDPD 125 of 131

Ricochet 1
Aerie Networks bought the network assets of Metricom at bankruptcy sale.
Service only in Denver and San Diego. (Previously 17 market areas)
The 128kbps network uses a microcellular-packet-switching, FHSS (Frequency
Hopping Spread Spectrum) technology, and is designed for forwarding IP packets.
Transceivers are deployed in a mesh topology, generally on top of
streetlights (for power and low cost space!)
Designed to be self-configuring and do load-balancing (including
routing traffic around congested transceivers)
$24.99-$27.99 a month
authentication first using modems serial number and then via user
account and password
Mean RTT 2450 ms, std. deviation 1500 ms; UDP peak 50-58 kbps
Developed in 1985 for remote meter reading, 1994: 28.8 kbps, 2000:128 kbps
1. http://www.ricochet.com/
Maguire Ricochet Network Signaling and CDPD 126 of 131

Ricochet System Architecture
Portable Connects the mobile host to the Ricochet network; acts
Modems (PM) like modem with an extended Hayes AT command set FH
Pole Top Radios Route packets over a wireless link towards or from the
(PT) nearest wired access point; routing is performed Internet
geographically, i.e., based on the latitude and longitude NS
of the pole top radios (PTs) with respect to the final

destination. MGW
NSR
Ethernet Radios Bridges between the wireless and wired portion of the
(ER) network
ER ER ER
Metricom Maps between IP addresses and Ricochet identifiers and
Gateway encapsulates packets within Metricom-specific headers
(MGW) and routes the packets to the correct ER. For packets PT
originating from a mobile, decapsulates and forwards the PT
packets on the wired IP network. PT
PT
Name Server Serves as a router to the system name server.

Router (NSR)
PM MH
Name Server Validate the subscription, based on the PM identification
(NS) number, and validates service requests. Ricochet
Maguire Ricochet System Architecture Network Signaling and CDPD 127 of 131
Further reading
TIA
[20] TIA public documents

ftp://ftp.tiaonline.org/TR-45/TR45AHAG/Public/
TSB-51
[21] Cellular Telecommunications & Internet Association (CTIA) World of

Wireless Communication, http://www.wow-com.com/
[22] Jey Veerasamy, Cellular Authentication, University of Texas at Dallas, was
available as http://www.utdallas.edu/~veerasam/cs6385/authentication.ppt
can be found at
http://web.archive.org/web/20030521041343/http://www.utdallas.edu/~veerasam/cs6385/authentication.ppt
[23] Yi-Bing Lin, Seshadri Mohan, Nelson Sollenberger, and Howard Sherry,
Adaptive Algorithms for Reducing PCS Network Authentication Traffic,
IEEE Transactions on Vehicular Technology, 46(3):588-596, 1997.
http://liny.csie.nctu.edu.tw/ieee-tvt94c.ps
Maguire Further reading Network Signaling and CDPD 128 of 131

[24] David Wagner, Bruce Schneier, and John Kelsey, Cryptanalysis of the
Cellular Message Encryption Algorithm, Crypto97, 1997.
http://www.schneier.com/paper-cmea.html
[25] D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and B. Schneier,

Cryptanalysis of ORYX, SAC98,
http://www.cs.berkeley.edu/~daw/papers/oryx-sac98.ps
[26] David Wagner http://http.cs.berkeley.edu/~daw/

[27] CAVE algorithm
ftp://ftp.ox.ac.uk/pub/crypto/misc/CAVE.tar.gz
Mobile*IP
[28] J. Ioannidis and G. Q. Maguire Jr., The Design and Implementation of a

Mobile Internetworking Architecture. eds. Dejan S. Milojicic, Frederick
Douglis, and Richard G. Wheeler, Mobility Processes, Computers, and
Agents, Addison-Wesley Pub Co., ACM Press Series, February 1999,
365-377. {Reprint of J. Ioannidis and G. Q. Maguire Jr., The Design and
Implementation of a Mobile Internetworking Architecture.USENIX Winter
1993 Technical Conference, pages 491-502. USENIX Association, January,
1993.}
[29] John Ioannidis, Dan Duchamp, and G.Q. Maguire Jr. IP-based Protocols for
Mobile Internetworking. SIGCOMM'91 Conference: Communications
Architectures and Protocols, pages 235-245. Association for Computing
Machinery, September, 1991.
[30] John Ioannidis, Protocols for Mobile Internetworking, Doctoral Dissertation,
Department of Computer Science, Columbia University, 1993.
CDPD
[31] Mark S. Taylor, William Waung, Mohsen Banan, Internetwork Mobility:

The CDPD Approach, Pearson Education, Inc., June 11, 1996
http://www.leapforum.org/published/internetworkMobility/split/main.html
Note that this is an on-line version of the entire 300 page book!
[32] A. Salkintzis, Packet Data over Cellular Networks: The CDPD Approach,
IEEE Communication Magazine, vol. 37, no. 6, June 1999, pp. 152-159.

[33] Sun Jong Kwon, Yun Won Chung, and Dan Keun Sung, Performance
Analysis of CDPD Sleep Mode for Power Conservation in Mobile End
Systems, IEICE Trans. on Communications, VOL. E84B, no. 10, Oct. 2001
[34] Y. Frankel, A. Herzberg, P. A. Karger, H. Krawczyk, C. A. Kunzinger, and
M. Yung. Security issues in a CDPD wireless network. IEEE Personal
Communications. Volume 2, Number 4, August 1995. pp. 16-27. For a short
summary of this paper see:
http://swig.stanford.edu/pub/summaries/wireless/security_cdpd.html
Ricochet
[35] Elan Amir and Hari Balakrishnan, An Evaluation of the Metricom Ricochet
Wireless Network, CS 294-7 Class Project,
http://www.lariat.org/Berkeley/node2.html
[36] Elan Amir and Hari Balakrishnan, Performance of the Metricom Ricochet
Wireless Network, Summer 1996 Daedalus Retreat, June 1996,
http://web.archive.org/web/20040723111756/http://daedalus.cs.berkeley.edu/talks/retreat.6.96/Metricom.pdf

Architectures
3. GSM, GPRS, SMS, International

Roaming, OAM
KTH Information and
Communication Technology Architectures, by Yi-Bing Lin and Imrich Chlamtac, John
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20

Lecture 3
GSM (Chapters 9,10, and11), GPRS (Ch. 18), SMS (Ch. 12), International Roaming
(Ch. 13), Operation/Administration/Maintenance (Ch. 14)
Maguire Lecture 3 GSM, GPRS, SMS, International Roaming, OAM 133 of 219
Global System for Mobile Communications
(GSM)
designed to be a digital (wide area) wireless network
driven by european telecom manufacturers, operators, and
standardization committees
very widely used around the world
Maguire Global System for Mobile Communications (GSM) GSM, GPRS, SMS, International Roaming,
GSM Requirements
Service portability
mobile should be able to be used in any of the participating countries with international
roaming and standardized numbering & dialing (but possibly at different rates!)
usable for both wireline services and for mobile service
usable when: walking, driving, boating, (upto 250 km/h)
Quality of service and Security
quality at least as good a previous analog systems
capable of offering encryption (in some countries this is off by default)
Good radio frequency utilization
high spectrum efficiency
co-existence with earlier systems in the same bands
Modern network
follows ITU recommendations - to allow efficient interoperation with ISDN networks
supports voice and low rate data
standardized mobility and switching support
standardized interfaces between the subsystems - to allow a mix-and-match system
System optimized to limit cost of mobiles (and to a lesser extent to limit
the cost of the whole system)
GSM required higher complexity mobiles than earlier analog systems
subscriber cost is less than or equal to the then existing analog systems
Maguire GSM RequirementsGSM, GPRS, SMS, International Roaming, OAM 135 of 219
GSM Architecture
Radio Link
BSS
X.25 PSDN PSTN
Um Abis
OMC
MS BTS SS7/ISUP
ME X.25
Gateway MSC
SIM
A IWF (GMSC)
EIR
NSS
BSC MSC MSC MSC
TE E E F Database
B B C
VLR VLR HLR AuC
Database
G Database D Database
H Database
Figure 21: GSM Architecture
MS Mobile Station
BSS base station system
NSS network and switching subsystem
Maguire GSM ArchitectureGSM, GPRS, SMS, International Roaming, OAM 136 of 219
Foundation
Hybrid frequency-division/time-division multiple access
FDMA - division by frequency of the (maximum) 25 MHz allocated bandwidth into
124 carrier frequencies spaced 200 kHz apart.
One or more carrier frequencies assigned to each base station
Each carrier frequency divided in time, using TDMA
Fundamental unit of time in this TDMA scheme is a burst period approx. 0.577 ms long
Eight burst periods are grouped into a TDMA frame (approx. 4.615 ms) = basic unit for the
definition of logical channels
A physical channel is one burst period per TDMA frame
Slow frequency hopping at upto 217 times per second
hopping algorithm is broadcast on the broadcast control channel
helps alleviate multipath fading
co-channel interference is effectively randomized
Note: broadcast and common control channels are not subject to frequency hopping and
are always transmitted on the same frequency
Infrastructure based on Signalling System 7 (SS7)
Maguire Foundation GSM, GPRS, SMS, International Roaming, OAM 137 of 219
GSM contributions
Location-based mobility management
Mobile assisted handover
Temporary Mobile Subscriber ID (TMSI)
Maguire GSM contributionsGSM, GPRS, SMS, International Roaming, OAM 138 of 219
Distinctive features of GSM
Cooperative development by many actors from many countries
preserved open interfaces between the subsystems (especially
between infrastructure elements -- particularly between base stations
and switches lead to an open market for these subsystems)
specified a large number of interfaces!
Phased release - since they could not make all the innovations in time
for their targeted 1991 introduction
Phase 1 GSM spec. - 100 sections and 5,320 pages!
telephony (full rate speech) - with some added features
emergency calls
data transmission at 2.4/4.8/9.6 kbps (transparent {the error correction done by a for-
ward error correction (FEC) mechanism}/non-transparent {information is repeated when
it has not been correctly received})
short message service (SMS)
Phase 2
non-voice services (Advice of charge, Calling line identification, Call waiting, Call hold,
Conference calling, Closed user groups) and enriched telephony (half-rate speech)
High-speed circuit-switched data (HSCSD)
Maguire Distinctive features of GSMGSM, GPRS, SMS, International Roaming, OAM 139 of
Phase 2+
Multiple service profiles
Private numbering plans
Access to Centrex services
Internetworking with GSM 1800, GSM 1900, Digital Enhanced Cordless Telecom (DECT)
Phase 2.5
GPRS: Global packet radio system
Enhanced data rates for GSM (EDGE)
Maguire Distinctive features of GSMGSM, GPRS, SMS, International Roaming, OAM 140 of
Mobile Station (MS)
Subscriber Identity Module (SIM)
Mobile Equipment (ME)
Mobile Terminal (MT)
Maguire Mobile Station (MS)GSM, GPRS, SMS, International Roaming, OAM 141 of 219
Subscriber Identity Module (SIM)
small form factor - which can be removable and can be moved from one
terminal to another (latest card connectors: >5,000 cycles)
smart card (generally too large for handsets!)
plug-in SIM (the processor and contact from a smart card)
user authenticated via a Personal Identity Number (PIN)
if PIN entered incorrectly, N times, then phone is locked for all but
emergency calls, until you enter a PIN unblocking key (PUK)
contains subscriber information:
some which is fixed by operator (may include preferred network provider(s))
some which is changeable by the user (list of short numbers, phone list, SMS messages, )
can be updated via:
keyboard or attached terminal equipment or over the air (OTA) via SMS message sent by
operator/application/ built using SIM Toolkit
often the SIM is owned by the operator
profiles - operator/subscription info; SIMs are required to be able to
hold at least two profiles
contains International Mobile Subscriber Identity (IMSI)
Maguire Subscriber Identity Module (SIM)GSM, GPRS, SMS, International Roaming, OAM 142
SIM card
Figure 22: SIM card showing contacts on the left and the IMSI on the right
Maguire SIM card GSM, GPRS, SMS, International Roaming, OAM 143 of 219
Phone with and without SIM
Figure 23:
Maguire Phone with and without SIMGSM, GPRS, SMS, International Roaming, OAM 144 of
Mobile Equipment (ME)
the phone itself - radio and radio interface, display, keyboard, etc.
performs: radio transmission and reception, authentication, handover, encoding &
channel encoding. note: ME without SIM can only make emergency (112) calls
Radios operate in one or more of the following bands:
System Uplink Downlink Comments
(mobile station to (base station to
base station) (MHz) mobile station) (MHz)
GSM450 450.4 .. 457.6 460.4 .. 467.6 For migration of NMT 450 operators
GSM480 478.8 .. 486 488.8 .. 496
GSM850 824 .. 849 869 .. 894 Cellular (800 MHz / 850 MHz) frequency
band in Americas
GSM900 890 .. 915 935 .. 960 the original frequency band
GSM1800 1710 .. 1785 1805 .. 1880 also known as DCS1800
GSM1900 1850 .. 1910 1930 .. 1990 also known as PCS 900
ME identified by International Mobile Equipment Identity (IMEI)

Maguire Mobile Equipment (ME) GSM, GPRS, SMS, International Roaming, OAM 145 of
Power saving and interference reduction
To reduce the MSs power consumption and minimize interference on
the air interface, during pauses in speech the MS does not transmit -
this is called: Discontinuous transmission (DTX)
Comfort noise is artificially generated locally by the MS
Discontinuous reception (DRX)-mobile listens to the paging channel,
but only needs to wake up for its sub-channel of the paging channel
To minimize co-channel interference and to conserve power, both the
mobiles and the base transceiver stations operate at the lowest power
level that will maintain an acceptable signal quality
Power levels can be stepped up or down in steps of 2 dBm from the peak power for the class
down to a minimum of 13 dBm (20 milliwatts for MS)
only one step at a time and each step takes 60ms
there are 16 power levels (i.e., 30 db of range)
terminal is typically only transmitting in one time slot (i.e., 1/8 of the time - so its radiated
power is on average 8db lower than the set power level)
Both mobile station and BTS continually measure the signal strength or signal quality
(based on the bit error ratio), and pass the information to the base station controller (BSC)
which actually manages the power levels.
Classmark
32 bit quantity indicating properties of a mobile station

revision level
RF power capability
Class GSM900 DCS1800
1 20 W 1W For GSM900 classes 1 & 2 - vehicle mounted systems
and class 4 - portable terminals
2 8 Wa 0.25 W
3 5W
4 2 Wb
5 0.8 W
a. 1W average if using a single time slot per frame
b. 250mW average if using a single time slot per frame
(available) encryption procedures

frequency capabilities (i.e., which bands)
if the device is SMS capable
User ID Device ID
IMEI International Mobile Equipment Identity 15 hexadecimal digits
IMSI International Mobile Subscriber Identity 15 decimal digits
TMSI Temporary Mobile Subscriber Identity 32 bits
IMEI consists of:

Type Approval Code (TAC)
[Final Assembly Code (FAC) to identify the final assembly plant - 2 digits]1
Serial number - allocated to the manufacturers - 6 digits
Check Digit - 1 hexadecimal digit
International Mobile Equipment Identity and Software Version number(IMEISV)
adds a 2 hexadecimal software version number field to the IMEI
An important distinction in GSM is that due to the SIM card the user
(or at least IMSI) can be identified separately from the device (MS).
1. As of April 1st 2004, the FAC field was eliminated and the previous 6 digit TAC field was expanded to 8 hexadecimal digits
Maguire User ID Device IDGSM, GPRS, SMS, International Roaming, OAM 148 of 219
IMSI consists of:
mobile country code (MCC) - 3 digits [66]
mobile network code (MNC) - maximum of 3 digitsa }Home Network Identifier (HNI)
Mobile Station Identification Number (MSIN)
a. Note: GSM originally specified 2 digits; 3 digit MNCs are only allocated in North America; difficulties in transition from 2 to 3 digits [68], [69]
TMSI is assigned by the VLR to a visiting subscriber
Maguire User ID Device IDGSM, GPRS, SMS, International Roaming, OAM 149 of 219
Mobile Terminal (MT)
Generally a PDA, PC,
Interface: serial (DTE-DCE) cable, PCMCIA, IrDA, Bluetooth,
Part of the extended Hayes AT command set:
AT Command Description AT Command Description
+CNMI New message indication to TE +CMT SMS Message Received
+CBM New Cell-Broadcast Message (CBM) +CNMA New Message

ACKnowledgement to ME/TE
+CMGC Send Command +CPMS Preferred Message Storage
+CMGD Delete Message +CSCA Service Center Address
+CMGL List Message +CSCB Select Broadcast Message Type
+CMGR Read Message +CSDH Show Text Mode Parameters
+CMCS Send Message +CSMP Set Text Mode Parameters
+CMGW Write Message to Memory +CRES Restore Setting
Maguire Mobile Terminal (MT) GSM, GPRS, SMS, International Roaming, OAM 150 of
Base Station System (BSS)
one or more base transceiver station (BTS) and
base station controller (BSC)
Maguire Base Station System (BSS)GSM, GPRS, SMS, International Roaming, OAM 151 of
Base transceiver station (BTS)
Performs: channel coding/decoding and encryption/decryption
BTS includes: radio transmitters and receivers, antennas, the interface to the PCM
facility (i.e., backhaul for the voice and control to the BSC),
About 1/2 the processing is associated with transcoding PCM encoded speech
channel to/from GSM coding
Maguire Base transceiver station (BTS) GSM, GPRS, SMS, International Roaming, OAM 152
Base station controller (BSC)
BTSs are connected to a BSC which manages the radio resources
call maintenance using the received signal strength sent by mobile
stations normally every 480 ms
initiate handovers to other cells,
change BTS transmitter power,
Task breakdown:
call activities ~20-25%
paging and SMS ~10-15%
mobility management ~20-25%
hardware checking/network triggered events ~15-20%
BSCs engineered for about 80% utilization, if overloaded, shed load by:
(1) rejecting location updates, (2) rejecting MS originating calls, and
(3) ignoring handoffs
Maguire Base station controller (BSC) GSM, GPRS, SMS, International Roaming, OAM 153
Network and Switching Subsystem (NSS)
MSCs
Gateway MSC (GMSC) has interconnections to other networks
Databases
Gateways
Maguire Network and Switching Subsystem (NSS) GSM, GPRS, SMS, International Roaming,
Databases
Home Location database for management of mobile subscribers, stores the international mobile subscriber
Register (HLR) identity (IMSI), mobile station ISDN number (MSISDN) and current visitor location register
(VLR) address
keeps track of the services associated with each MS
an HLR may be used by multiple MSCs
Visitor Location caches some information from the HLR as necessary for call control and service
Register (VLR) provisioning for each mobile currently located in the geographical area controlled by this
VLR
connected to one MSC and is often integrated into the MSC
Authentication a protected database which has a copy of the secret key stored in each subscribers SIM card
Center (AuC)
this secret is used for authentication and encryption over the radio channel
normally located close to HLR
Equipment Identity contains a list of all valid mobile station equipment within the network, where each mobile
Register (EIR) station is identified by its international mobile equipment identity (IMEI) - split into 3
databases:
White list: all known, good IMEIs
Black list: bad or stolen handsets
Grey list: handsets/IMEIs that are uncertain
Maguire Databases GSM, GPRS, SMS, International Roaming, OAM 155 of 219
Equipment Identity Register (EIR)
Optional in a GSM network, i.e., not required
EIR block (bars) calls from a particular MS, not from a subscriber.
Sometimes the AuC and EIR are combined.
Maguire Equipment Identity Register (EIR) GSM, GPRS, SMS, International Roaming, OAM
Operation Sub-System (OSS)
Operation and Maintenance Center
Service management
subscription management for registering new subscriptions, modifying and removing
subscriptions, as well as billing information
billing
fraud detection

Maguire Operation Sub-System (OSS) GSM, GPRS, SMS, International Roaming, OAM 157
Operation and Maintenance Center (OMC)
Manages the GSM functional blocks: MSC, BSC (and indirectly the BTSs)
Task: to maintain satisfactory operation of the GSM network
Based on observing system load, blocking rates, handovers,
Activities:
Network Management System (NMS)
modify network configuration
equipment maintenance aiming at detecting, locating, and correcting
faults
Maguire Operation and Maintenance Center (OMC) GSM, GPRS, SMS, International Roaming,
GSM Interfaces (just some of them!)
Radio Link
BSS
X.25 PSDN PSTN
Um Abis
OMC
MS BTS SS7/ISUP
ME X.25
Gateway MSC
SIM
A IWF (GMSC)
EIR
NSS
BSC MSC MSC MSC
TE E E F Database
B B C
VLR VLR HLR AuC
Database
H Database
Figure 24: GSM Architecture

Interface Description Interface Description
Um Radio link between MS and BTS D between HLR and VLR (MAP/TCAP)
Abis between BTS and BSC, PCM 2 Mbps, G. 703 E between two MSCs (MAP/TCAP +
ISUP/TUP)
A between BSC and MSC, PCM 2 Mbps, G. 703 F between MSC and EIR (MAP/TCAP)
B between MSC and VLR (use MAP/TCAP protocols) G between VLRs (MAP/TCAP)
C between MSC and HLR (MAP/TCAP) H between HLR and AuC
Maguire GSM Interfaces (just some of them!) GSM, GPRS, SMS, International Roaming, OAM
Layer
BSS MAP
TUP
ISUP
INAP
MAP
3 CM CM TUP,
(04.08) (04.08) ISUP,
INAP,
MAP
MM MM
(04.08) (04.08)
RR RR BSSAP DTAP
(04.08) (08.06)
RR BTSM BTSM BSSAP TACP TACP
(04.08) (08.58) (08.58) (08.06)
2 LAP-Dm LAP-Dm LAP-D LAP-D SCCP SCCP SCCP SCCP

(04.06/08) (04.06/08) (08.56) (08.56) MTP MTP
(08.06) (08.06) MTP MTP
1 Radio Radio 64kbps 64kbps 64kbps 64kbps 64kbps 64kbps

(04.04) (04.04) (08.54) (08.54) (08.54) (08.54) (08.54) (08.54)
MS BTS BSC MSC PSTN

ISDN

Numbers in parentheses indicate the relevant ETSI-GSM recommendations.

Maguire GSM Interfaces (just some of them!) GSM, GPRS, SMS, International Roaming, OAM
GSM Layers
Layer 1: Physical layer
physical transmission
channel quality measurements
GSM Rec. 04.04, PCM 30 or ISDN links are used (GSM Rec. 08.54 on Abis interface and
08.04 on A to F interfaces)
Layer 2: Data link layer
Multiplexing of layer 2 connections on control/signaling channels
Error detection (based on HDLC)
Flow control
Transmission quality assurance
Routing
Layer 3: Network layer
Connection management (air interface)
Management of location data
Subscriber identification
Management of added services (SMS, call forwarding, conference calls, etc.)
Maguire GSM Layers GSM, GPRS, SMS, International Roaming, OAM 161 of 219
GSM Air interface
Layer 1 (GSM Rec. 04.04): Um interface
Layer 2 (GSM Rec. 04.05/06): LAP-Dm protocol (similar to ISDN
LAP-D):
connectionless transfer of point-to-point and point-to-multipoint signaling channels
Setup and tear-down of layer 2 connections of point-to-point signaling channels
connection-oriented transfer with in order delivery, error detection and error correction
Layer 3 (GSM Rec. 04.07/08) with sublayers for control signaling
channel functions (BCH, CCCH and DCCH):
Radio resource management (RR): to establish and release stable connection between
mobile stations (MS) and an MSC for the duration of a call and to maintain connection
despite user movements - functions of MSC:
cell selection
handover
allocation and tear-down of point-to-point channels
monitoring and forwarding of radio connections
enabling encryption
change transmission mode
Mobility management (MM) handles the control functions required for mobility:
authentication
assignment of TMSI,
Maguire GSM Air interfaceGSM, GPRS, SMS, International Roaming, OAM 162 of 219
management of subscriber location
Connection management (CM) - set up, maintain and tear down calls connections:
Call control (CC): Manages call connections,
Supplementary service support (SS): Handles special services,
Short message service support (SMS): Transfers brief text messages
Neither the BTS nor the BSC interpret CM and MM messages, these messages are
exchanged between the MSC or the MS using the direct transfer application part
(DTAP) protocol on the A interface.
Radio Resource Management (RR) messages are mapped to or from the base
station system application part (BSSAP) for exchange with the MSC:
Transmission mode (change) management SACCH procedures
Cipher mode management radio transmission control (power & timing, downlink),
Discontinuous transmission mode management (measurements, uplink)
Handover execution general information
Call re-establishment Frequency redefinition
RR-session release General information broadcasting (BCCH)
Load management cell selection information
information for idle mode functions
information needed for access
cell identity
Maguire GSM Air interfaceGSM, GPRS, SMS, International Roaming, OAM 163 of 219
Abis interface
Dividing line between the BSC function and the BTS
BSC and BTS can be connected using leased lines, radio links, metropolitan area
networks (MANs), LANs {see UC Berkeleys ICEBERG},
Two channel types exist between the BSC and BTS:
Traffic channels (TCH): configured in 8, 16 and 64 kbps formats - for
transporting user data
Signaling channels: configured in 16, 32, 56 and 64 kbps formats - for
signaling purposes between the BTS and BSC
Each transceiver (transmitter + receiver) generally requires a signaling channel on
the Abis interface, data is sent as Transcoder Rate Adapter Unit (TRAU)1 frames
(for a 16 kbps traffic channel (TCH), 13.6 kbps are used for user data and 2.4 kbps
for inband signaling, timing, and synchronization)
1. It is not defined where TRAU is placed, i.e., it could be part of BTS, BSC, or MSC.
Maguire Abis interface GSM, GPRS, SMS, International Roaming, OAM 164 of 219
Abis protocols
Layer 1 (GSM Rec. 08.54)
2.048 Mbps (ITU-T: E1) or 1.544 Mbps (ANSI: T1) PCM facility
with 64/32/16 kbps signaling channels and 16 kbps traffic channels (4 per timeslot)
LAP-D protocol used for data messaging between the BTS and BSC
Service Access Point Identifier (SAPI) refers to the link identifier transmitted in the LAPD
protocol (inherited from ISDN)
Layer 3 (GSM Rec. 08.58/04.08)
BTS management (BTSM) via three logical signaling connections identified by Service
Access Point Identifier (SAPI):
SAPI 0 is used by all messages coming from or going to the radio interface
SAPI 62 provides O&M message transport between the BTS and BSC
SAPI 63 is used for dynamic management of TEIs as well as for layer 2 management
functions.
Maguire Abis protocols GSM, GPRS, SMS, International Roaming, OAM 165 of 219
A Interface
Defines interface between the BSC and MSC
TCHs are converted from 64 kbps to 16 kbps in the transcoder equipment, two
cases based on where the transcoder equipment (TCE, i.e., TRAU) is located:
at BSC or BTS traffic channel (TCH) occupies a complete 64 kbps timeslot in the 2 Mbps or 1.544 Mbps PCM
link (layer 1, GSM Rec. 08.04)
at MSC the TCHs are 16 kbps on the A interface
At least 2 time slots on the PCM link are needed for control and signaling
purposes.
Maguire A Interface GSM, GPRS, SMS, International Roaming, OAM 166 of 219
A interface protocols
Signaling protocol (layer 2+3) between BSC and MSC based on the SS7 standard
and is transmitted along with the user data within the PCM facility. Normally
timeslot 16 (TS16) of the 64 kbps frame is used.
The following protocols are employed:
Layer 1 (GSM Rec. 08.04) either 2.048 Mbps (ITU-T: E1) or
1.544 Mbps (ANSI: T1) PCM link
Layer 2 (GSM Rec. 08.06) SS7-based protocols
Message transfer part (MTP) protocol - transmission security between the BCS and MSC
Signaling connection control part (SCCP) protocol
SCCP connection can be initiated by a mobile station (MS) or an MSC
An SCCP connection can involve the following protocols:
From the MS:
MM: CM service request
RR: Paging response
MM: Location updating request
MM: CM re-establishment request
From the MSC:
Initiation of an external handover (BSSMAP: handover request).
MSC manages the SCCP connections
Maguire A interface protocols GSM, GPRS, SMS, International Roaming, OAM 167 of
Base station system application part (BSSAP) protocol
On MSC end:
Base station management application part (BSSMAP) protocol - counterpart to the RR
protocol on the air interface
Direct transfer application part (DTAP) protocol transmits CC and MM messages trans-
mitted transparently through the BTS and BSC
Maguire A interface protocols GSM, GPRS, SMS, International Roaming, OAM 168 of
GSM Audio
Speech coding - 20ms (i.e., 160) samples (8kHz @13 bits) are buffered then coded
Error protection (codec specific)
Error detection (CRC)
Muting and Bad Frame Handling (substitution) - GSM 06.91
Comfort Noise Generation (CNG) - GSM 06.92
Voice Activity Detection (VAD) - GSM 06.94
Discontinuous Transmission (DTX) - GSM 06.93)
Manufacturer specific audio features:
noise cancelling
spectrum equalization
echo cancellation
CODECs
Full rate (FR) 13 kbps , Regular pulse excitation - long term prediction (RPE-LTP)
Half rate (HR) 5.65 kbps VSELP
Enhanced full rate (EFR) 12.2 kbps Algebraic Code Excited Linear Prediction (ACELP)
Adaptive Multi Rate (AMR) ACELP; eight bit rates ranging from 4.75 kbps .. 12.2 kbps - see [46]
Adaptive Multi Rate (AMR) codes 16 bit linear PCM at 16 kHz; 9 data rates (6.6 .. 23.85 kbps)
wideband - ITU G.722.2 C callable interface for encoder/decoder
and 3GPPs
GSM-AMR WB
Maguire GSM Audio GSM, GPRS, SMS, International Roaming, OAM 169 of 219
MSC interfaces and protocols
ISUP
H C E
AuC HLR MSC MSC Digital
F Newtorks
D INAP
IN
EIR B B
G POTS
VLR VLR TUP
Mobile Application Part (MAP) (GSM Rec. 09.02)

controls queries to the different databases in the mobile radio network (HLR, VLR, EIR, )
responsibilities include access and location management, MSC-MSC handover, security
functions, O&M, SMS, and supplementary services.
Transaction Capabilities Application Part (TCAP)
provides universal calls & functions for handling requests to distributed appl. processes
ISDN User Part (ISUP)
controls interworking (e.g. call setup/tear-down) between Public Land Mobile Networks
(PLMNs) and other networks, and provides the same basic functionality as TUP
Intelligent Network Application Part (INAP)
implements intelligent supplementary services (e.g. free call, time-dependent routing)
Telephone User Part (TUP)
implements interworking between PLMNs and other networks
used to provide international connections and is being replaced by ISUP
Maguire MSC interfaces and protocols GSM, GPRS, SMS, International Roaming, OAM 170
GSM Logical Channels
Traffic channels Full-rate (TCH/F) @ 22.8 kbps Two way
Half-rate (TCH/H) @ 11.4 kbps
Frequency correction base-to-mobile

(FCCH)
Broadcast channels
Synchronization (SCH)
Broadcast control (BCCH)
Paging (PCH)
Signaling Common control channels
channels Access Grant (AGCH)
Random access (RACH) mobile-to-base
Stand-alone dedicated two-way

control channel (SDCCH)
Dedicated control channels Slow associated control

(SACCH)
Fast associated control

(FACCH)
Maguire GSM Logical Channels GSM, GPRS, SMS, International Roaming, OAM 171 of
Traffic channel (TCH)
Multiframe - group of 26 TDMA frames (120 ms long)
24 are used for traffic (voice or user data)
1 is used for the slow associated control channel (SACCH)
1 is currently unused
TCHs for the uplink and downlink are separated in time by 3 burst periods
mobile station does not have to transmit and receive simultaneously
simplifies the electronic circuitry; avoids antenna duplex filters
reducing complexity helps to cut power consumption
Maguire Traffic channel (TCH) GSM, GPRS, SMS, International Roaming, OAM 172 of
Broadcast channels (BCH)
Carry only downlink information - mainly for synchronization and frequency
correction.
However, it is the only channel capable of point-to-multipoint communications in
which short messages are simultaneously transmitted to several mobiles.
Broadcast control channel (BCCH)
General information, cell-specific; e.g. local area code (LAC), network operator, access
parameters, list of neighboring cells, etc. A MS receives signals via the BCCH from many
BTSs within the same network and/or different networks
tells MS what their initial power level should be
Frequency correction channel (FCCH)
correction of MS frequencies
transmission of frequency standard to MS
also used for synchronization of an acquisition by providing the boundaries between
timeslots and position of the first time slot of a TDMA frame
Synchronization channel (SCH)
frame synchronization (TDMA frame number) and identification of base station
reception of one SCH burst provides a MS with all the information needed to synchronize
with a given BTS
Maguire Broadcast channels (BCH)GSM, GPRS, SMS, International Roaming, OAM 173 of
Common control channels (CCCH)
Uplink and downlink channels between the MS card and the BTS.
Convey information from the network to MSs and provide access to the network.
Paging channel (PCH)
Downlink only
MS is informed (by the BTS) of incoming calls via the PCH.
Access grant channel (AGCH)
Downlink only
BTS allocates a TCH or SDCCH to the MS, thus allowing the MS access to the network.
Random access channel (RACH)
Uplink only
allows MS to request an Stand-alone dedicated control channel (SDCCH) in response to a
page or due to a call
MS chooses a random time to send on this channel (note: potential collisions with RACH
transmissions from other MSs)
PCH and AGCH are transmitted in one channel called the paging and access grant
channel (PAGCH) - they are separated in time.
Maguire Common control channels (CCCH) GSM, GPRS, SMS, International Roaming, OAM
Dedicated control channels (DCCH)
Responsible for roaming, handovers, encryption, etc.
Stand-alone dedicated control channel (SDCCH)
communications channel between MS and the BTS
signaling during call setup -- before a traffic channel (TCH) is allocated
It takes ~480ms to transmit a message via SDDCH
Slow associated control channel (SACCH)
always allocated to a TCH or SDCCH
used for non-urgent procedures: radio measurement data (e.g. field strengths) {information
is used for handover decisions}, power control (downlink only), timing advance1,
260bps channel - enough for reporting on the current cell and upto 6 neighbors about twice
per second (if there is no other traffic for this channel)
note that the MS is told what frequencies to monitor (BTSs have a color code assigned to
them so the that the MS can report on multiple BTSs which are using the same frequency)
Fast associated control channel (FACCH)
similar to the SDCCH, but used in parallel to operation of the TCH
if the data rate of the FACCH is insufficient, borrowing mode is used (i.e., additional
bandwidth borrowed from the TCH), this happens for messages associated with call
establishment authentication of the subscriber, handover decisions,
It takes ~40ms to transmit a message via FACCH
1. Transmission and reception of bursts at the base station must be synchronized, thus the MS must compensate for the propagation delays by advancing its
transmission 0 .. 233 ms which is enough to handle cells of radius up to 35 km.
Maguire Dedicated control channels (DCCH) GSM, GPRS, SMS, International Roaming, OAM
GSM Timing
A very elaborate timing structure ranging from 1/4 of a bit (900ns) to an
encryption hyperframe (3 hours 28 minutes and 53.76s)!
Unit Time
bit 3.69us
slot 156.25 bits (577 us)
frame 8 slots (4.615 ms)
traffic multiframe 26 frames (120 ms) or control multiframe 51 frames (235.4 ms)
superframe 51 traffic multiframes or 26 control multiframes (6.12 s)
hyperframe 2048 superframes (3 hours 28 minutes and 53.76s)
Maguire GSM Timing GSM, GPRS, SMS, International Roaming, OAM 176 of 219
Incoming Call
1. incoming call is passed from the fixed network
to the gateway MSC (GMSC)
2. based on the IMSI numbers of the called party,
HLR is determined
Radio Link 3. HLR checks for the existence of the called
8 number, then the relevant VLR is requested to
9 provide a mobile station roaming number
8
12 BTS 11
(MSRN)
10
ME 7 4. reply transmitted back to the GMSC
VLR
SIM 8 Database 5. connection is switched through to the
8 8 6 4 responsible MSC
MS BSC MSC
BTS 6. VLR is queried for the location range and reach
9
12 8 ability status of the mobile subscriber
8
7. if the MS is marked reachable, then a radio call
8 5 is enabled
BTS GMSC
8. radio call is executed in all radio zones assigned
8 2 3 to the VLR
8 BSC PSTN 9. reply from the MS in its current radio cell
BTS HLR
Database
8 10.when mobile subscriber telephone responds to
8 1 the page, then complete all necessary security
BTS
procedures
11.if this is successful, the VLR indicates to the
MSC that call can be completed
12.call can be completed
Figure 25: Call from fixed network to MS - we dont know which cell the mobile is in, only its rough location
Maguire Incoming Call GSM, GPRS, SMS, International Roaming, OAM 177 of 219
Mobility Management (MM)
GSM network keeps track of which mobile telephones are powered on and active
in the network.
The network keeps track of the last known location of the MS in the VLR and
HLR.
Radio sites connected to the MSC are divided into location areas (LAs), thus
when a call comes for an MS, the network looks for the MS in the last known
location area.
Each BTS is assigned (by the operator) a 40 bit ID - called a location area identity
(LAI), with three parts:
mobile country code (MCC) - 3 (hex) digits [67]
http://en.wikipedia.org/wiki/Mobile_country_codes
mobile network code (MNC) - originally 2, later 3 (hex) digits
location area code (LAC) - originally 5, later 4 hex digits (= 2 bytes = 65K values)
Within each location area - each cell has a Cell ID (CID)
Cell Global Identity (CGI) = CID, MCC, MNC, and LAC
Maguire Mobility Management (MM)GSM, GPRS, SMS, International Roaming, OAM 178 of
Security
Use of TMSI rather than IMSI - reduces the need to send IMSI over the air (thus
simply listening to the radio link it is harder to identify a given user); there is a
pool of TMSIs for each LAC.
Two major aspects of security: Authentication and Encryption
A3 Authentication algorithm
A5 Ciphering algorithm
A8 Ciphering key computation
Ki secret encryption key - operator determines length, but it can be upto 128 bits
Kc cypher key, computed based on Ki
Cipher mode management
Connection always starts in non-ciphered mode, because ciphering requires a user

specific key and the network has to know the identity of the subscriber before it
can be used!
Maguire Security GSM, GPRS, SMS, International Roaming, OAM 179 of 219
Authentication
User authentication normally takes place when the MS is turned on (user must key
in a PIN code on the handset in order to activate the hardware before this automatic
procedure can start).
Authentication occurs with each incoming call and outgoing call. This is based on
checking that Ki (secret encryption key) stored in the AuC matches the Ki
stored in SIM card of the MS.
Maguire Authentication GSM, GPRS, SMS, International Roaming, OAM 180 of 219
Authentication and Encryption
MS Home System
RAND
Ki Ki
reject
A8 A3 No
A3 A8
Authentication Authentication
=
SRES Yes
SRES Kc
accept
Encryption Encryption
visited system
Kc frame number Kc
data A5 ciphering deciphering data

ciphered info
data deciphering ciphering A5 data
Maguire Authentication and Encryption GSM, GPRS, SMS, International Roaming, OAM 181
GSM data rates
The following table of data rates is from page 39 of [41]
Connection Typea Two-way delay
TCH/F9.6 T 330 ms
TCH/F9.6 NT > 330 ms
TCH/F4.8 T 330 ms
TCH/F2.4 T 200 ms
TCH/H4.8 T 600 ms
TCH/H4.8 NT > 600 ms
TCH/H2.4 T 600 ms
a. T = Transparent, NT = Non-transparent
Maguire GSM data rates GSM, GPRS, SMS, International Roaming, OAM 182 of 219
System engineering
The operator must choose how many of each element (MSC, BSC, BTS, ) to
order, what capacity each must have, where to install them, . However, since
traffic does not remain constant installing enough capacity for long term traffic is
not cost effective system engineering is an on-going activity
Note: goal of cellular planning is to choose the cell sites and cell parameters
(frequency allocation, capacity, power, etc.) to provide economically continuous
coverage and support the required traffic density (not an easy task)
Table of parameters, from page 101 of [41]
Area Parameters
Cell planning frequencies handover parameters
beacon frequencies cell selection parameters
hopping sequences Base Station Identity Code (BSIC)
power control parameters
Dimensioning # of common channels location areas
# of traffic channels periodic location updating
Load control overload control parameters
Maguire System engineering GSM, GPRS, SMS, International Roaming, OAM 183 of
GSM Network Optimization
Based on network performance & utilization, subscriber behavior, and (QoS)
Test methods:
Traffic analysis: the signaling channels in the PCM frame are
monitored and analyzed on the Abis and A interfaces
Bit error ratio test (BERT): bit error measurement at the PCM level
and the GSM-specific level (TRAU frame)
PCM bit error ratio (BER) is used to verify the quality of lines leased from fixed network
operators
By evaluating the control bits in the TRAU, a bit error probability can be determined (uplink)
during actual communications (in-service) {No easy measurement of the downlink BER}
More accurate radio link BER measurement (out-of-service) measurement in which the 260
data bits in the TRAU frame are checked using a pseudo-random bit sequence (PRBS)
Alarm monitoring - checking PCM links for layer 1 alarms
Network quality test: lots of measurements - including:
island problems, detection of coverage holes, interference, network load regarding signaling
and traffic, handover failures, Receive level (RXLEV) surveillance, bit error ratio of a BTS
(RXQUAL), multipath interference and propagation delays, frequency interference (due to
nearby frequency reuse), call completion/disconnect rate, indications of system overload.
Maguire GSM Network OptimizationGSM, GPRS, SMS, International Roaming, OAM 184 of
Optimal Cell Planning
Some of the parameters which have to be decided [44]:
Selecting Site location
Antenna parameters
Tilt, Azimuth, Height, Antenna type
Site parameters
Transmitter power/Dedicated channel power level/Common channel power level
Service parameters
Power per service
Enable/disable handover per service
Network parameters
Handover
Neighbor lists/Hysteresis/Timers
Power control policy
Resource management
Note: first two are sets of parameters are fixed ( a physical change in the site),
while the others can be changed under software control.
Maguire Optimal Cell Planning GSM, GPRS, SMS, International Roaming, OAM 185 of
Features
Call Waiting (CW) {network-based feature} users with a call in progress receive an audible beep to alert them
that there is an incoming call for their MS
The incoming call can be:
accepted {the original call is put on hold},
sent to voice mail, or
rejected {in this case the caller will receive a busy signal}
Call Hold (CH) allows the MS to park an in progress call, to make additional calls or to receive
incoming calls
Call Forwarding {network-based feature} allows calls to be sent to other numbers under conditions defined
(CF) by the user
Conditions can be either unconditional or dependent on certain criteria (no answer, busy, not
reachable)
Calling Line ID callers network to delivers the calling line ID (telephone no.) to the GSM network; GSM
telephone displays the originating telephone number
Maguire Features GSM, GPRS, SMS, International Roaming, OAM 186 of 219
GSM Phase 2+
General Packet Radio Service (GPRS)
Maguire GSM Phase 2+ GSM, GPRS, SMS, International Roaming, OAM 187 of 219
Idea is simple use several time slots out of each TDMA frame for one data connection
Reality this is taxing for the RF power systems
In the basic GSM model transmit/receive (TX/RX) activities, the terminal can be
implemented using one frequency synthesizer (even though it takes some time for
the synthesizer to change from one frequency to another) - because of the offset of
3 slots between transmit and receiver.
If you only use 2 slots, you just need a synthesizer that changes faster, but at 3 slots
you potentially need to transmit and receive at the same time.
At eight time slots (i.e., continuous transmission):
monitoring neighboring base stations would require an independent receiver
the terminal will be more expensive than one slot terminals
power consumption will be much higher
Multi-slot systems have required changes in: ciphering, frequency hopping, and
generally radio resource management functions.
Maguire High Speed Circuit Switched Data (HSCSD) GSM, GPRS, SMS, International Roaming,
HSCSD depends on:
Terminal Adaptation Function (TAF)
Interworking Functions (IWF)
enhanced RLP to handle multilink (aka multiple time slot) operation
Radio Link Protocol (RLP)
BSS
Abis
X.25 PSDN PSTN
Um OMC
BTS SS7/ISUP
X.25
ME
SIM MS Gateway MSC
A IWF
(GMSC)
EIR
NSS
TAF BSC MSC MSC MSC
E E F Database
B B C
TE
VLR VLR HLR AuC
Database
H Database
Figure 26: GSM/HSCSD Architecture
Nokias Card Phone 2.0: HSCSD at upto 43.2 kbps (without data compression)
Maguire High Speed Circuit Switched Data (HSCSD) GSM, GPRS, SMS, International Roaming,
General Packet Radio Service (GPRS)
GPRS features:
True packet radio system - sharing network and air interface resources
Volume based charging
TCP/IP (Internet & Intranet) interworking, SMS over GPRS, (and X.25
interworking)
Peak data rate from 9.05 kbps .. 171.2 kbps
bandwidth may be asymmetric, for example: 2 up/4 downlink channels
Protocols designed for evolution of radio
Enhanced Data rates for Global Evolution (EDGE) - a new 3G GSM modulation scheme
Migration into 3rd Generation
Maguire General Packet Radio Service (GPRS) GSM, GPRS, SMS, International Roaming, OAM
GPRS nodes
GPRS introduces new network elements
Serving GPRS Support Node (SGSN)
authentication & authorization, GTP tunneling to GGSN, ciphering & compression, mobility
management, session management, interaction with HLR,MSC/VLR, charging & statistics,
as well as NMS interfaces.
Gateway GPRS Support Node (GGSN)
interfacing to external data networks (basically it is a network router)
encapsulating data packets in GTP and forwarding them to right SGSN,
routing mobile originated packets to right destination, filtering end user
traffic, as well as collecting charging and statistical information of data
network usage
GPRS is the result of committees trying to adapt Mobile IP to GSM systems.
Maguire GPRS nodes GSM, GPRS, SMS, International Roaming, OAM 191 of 219
GSM/GPRS Architecture and Interfaces
Radio Link (with radio media access protocol) VLR AuC
Database Database
BSS
BTS
BTS
BSC MSC HLR
Database
ME
Internet
SIM Gc
TAF
MS Gs EIR
Database
BTS
BTS
BSC Gf Gr
TE Gb
BTS Gi
GPRS
BSC SGSN GGSN
PLMN BTS Gn Backbone Gn
Gp Ga Ga
GGSN CGF Billing system
Ga Charging data collection interface between a CDR Gi reference point between GPRS and an external packet
transmitting unit (e.g. a SGSN or a GGSN) data network (Gi = internet)
Gb between a SGSN and a BSS (Gb = base interface) Gn between two GSNs within the same PLMN (Gn = node)
Gc between a GGSN and a HLR (Gc = context) Gp between two GSNs in different PLMNs (Gp interface
allows support of GPRS network services across areas
served by the co-operating GPRS PLMNs.) (Gp = PLMN)
Gd between a SMS-GMSC and a SGSN, and between Gr between an SGSN and a HLR (Gr = roaming)
a SMS-IWMSC and a SGSN (not shown)
Gf between an SGSN and a EIR (Gf = fraud) Gs between a SGSN and a MSC/VLR
Maguire GSM/GPRS Architecture and InterfacesGSM, GPRS, SMS, International Roaming, OAM
GPRS Coding Schemes
Four coding schemes (but only CS1 and CS2 are in early systems)
Coding Scheme CS1 CS2 CS3 CS4
User Data Rate 9.05 kbps 13.4 kbps 15.6 kbps 21.4 kbps
Correction Capability Highest None
Worst-link Budgeta 135 dB 133dB 131 dB 128.5 dB
Maximum Cell Range 450 m 390 m 350 m 290 m
40 bytes (320 bits) of payload 1956 bits 1132 bits 1018 bits 625 bits
see [48], pg. 33
1500 bytes (12000 bits) 55787 bits 32490 bits 27218 bits 19345 bits
a. For comparison with GSM the worst-case link budget is 142.5 dB.
The real problem is that GPRS uses interleaving to spread the effect of burst errors
- but this means that the delay is always high!
Maguire GPRS Coding Schemes GSM, GPRS, SMS, International Roaming, OAM 193 of
Unstructured Supplementary Service Data
(USSD)
When MS can not recognize text - it simply passes it to the network as USSD.
USSD supports all digits, asterisk (*), and punt/pound (#) keys. In the form:
(* | #) command_code (2-3 digits) {*parameter}* #
total length up to 200 ASCII characters
A USSD server (or gateway) is connected to the users HLR via MAP and to
servers (which actually provide a specific service) via TCP/IP. USSD is thought
to be ~7x faster than SMS for two-way transactions (this is because USSD is
session oriented as opposed to SMSs store-and-forward behavior).
BSS
SS7/MAP USSD Internet
ME BTS
BSC MSC HLR
Gateway
SIM
MS BTS Database
TCP/IP
TE
VLR
Database
Application Application
Server Server
Maguire Unstructured Supplementary Service Data (USSD) GSM, GPRS, SMS, International Roaming,
USSD continued
Examples:
set-up or cancel of services like call forwarding
Swisscoms SIm Card Application Platform (SICAP) prepaid roaming
platform1: users dial in a USSD string that includes the telephone
number they want to call (e.g., *101*NUMBER#) this is sent to the
SICAP platform at their (home) operator, who then connects them to
the desired number by dialling them back!
In addition to passing the USSD message to the external application, the USSD
Gateway passes:
originating subscribers MSISDN
number of the HLR which handled the USSD
originating subscribers IMSI (optional)
VLR Number (optional)
Disadvantage: USSD and SMS both use the same control channel
1. Sold as GSM Card easyRoam
Maguire USSD continued GSM, GPRS, SMS, International Roaming, OAM 195 of 219
Short Message Service (SMS)
Short Message Service (SMS) offers connectionless (message) delivery (similar
to two-way-paging)
If the GSM telephone is not turned on, the message is held for later delivery. To
Ensure that each time a message is delivered to an MS, the network expects to
receive an acknowledgement from the MS that the message was correctly
received.
SMS supports messages up to 140 octets (160 characters of GSM
default Alphabet - see GSM 03.38) in length.
SMS concatenation - combines several messages
SMS compression - defined standard for compression of content
With international roaming these messages can be delivered by any GSM network
around the world to where the MS currently is.
Two types of messages: cell broadcast and point-to-point service
Maguire Short Message Service (SMS) GSM, GPRS, SMS, International Roaming, OAM 196
SMS message types
User-specific message is to be display to the user
ME-specific message is targeted at the mobile terminal itself
playing a ring tone
displaying a business card
changing the default icon

SIM-specific message is targeted at the SIM card
change the balance in a pre-paid card
Maguire SMS message types GSM, GPRS, SMS, International Roaming, OAM 197 of
Short Message Service Architecture
SMSC Short Message Service Centre
SMS GMSC SMS Gateway MSC
IWMSC Interworking MSC
ESME External Short Message Entities
BSS
SMSC
SMS EAI
ME
BTS
SGSN Database PSDN
SIM
MS Gd
BTS BSC ESME
TE
SMS GMSC
IWMSC
Gateway MSC
(GMSC) E
IWF
MSC EIR
E MSC E MSC F Database C
B B C
VLR VLR HLR AuC
Database
H Database
Figure 27: SMS Architecture
Maguire Short Message Service Architecture GSM, GPRS, SMS, International Roaming, OAM
SMSCs
High reliability
High availability
Logicas Picasso SMS Centre allows new hardware can be added within 60 seconds, with
no service outage
High performance
HPs (formerly Compaqs) AlphaServer ES45,over 8,000 SMS deliveries per second with
CMG Wireless Data Solutions (formerly CMG Telecommunications) SMSC software [54];
note that they have merged with Logica plc forming: LogicaCMG
Logicas Picasso SMS Centre supports 1 to 128 nodes with automatic load sharing
existing SMSCs talk TCP/IP as well as other protocols
SMS brokers: buy SMS capacity in bulk, they receive your messages
and then transfer them to operators that they have agreements with.
As each SMS is charged for the resulting CDR volumes can be very
high, e.g., Mannesmann has peak CDR rates as high as 2,500-3,000
CDRs per second ([57], pg. 13).
For a performace study of SMS and MMS centers see [64].
William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta, "Exploiting Open
Functionality in SMS Capable Cellular Networks" [65], describes a distributed denial of
service via SMS
Maguire SMSCs GSM, GPRS, SMS, International Roaming, OAM 199 of 219
Three kinds of SMSs
User-specific display to a user
ME-specific ME processes the message when it is received
Nokia has special function to play ring tone, display a business card, modify the default icon,
SIM-specific SIM processes the message when it is received

(for use via SIM toolkit applications)
Maguire Three kinds of SMSs GSM, GPRS, SMS, International Roaming, OAM 200 of
Entering Short Messages
To improve the speed of entering SMSs (and other text)
Full keyboards (such as Ericssons Chat Board)
Onscreen keyboard (such as Palms on-screen keyboard)
Fitaly keyboard - arranges letters based on their frequency and
probability transitions in English (see page 43 of [53])
Predictive text input algorithms
Tegic T9 - utilizes numeric keypad and probability to work out probably string
(see page 45 of [53])
e-acutes Octave keyboard (see pages 46-47 of [36])
Handwriting recognition
Word recognition, such as Psions CalliGrapher (see pages 47-48 of [36])
Character recognition, such as Palms Graffiti (see pages 48-49 of [36]) and
CJKOS - an OS extension for Palm for Chinese, Japanese, and Korean (see page 49 of [36])
Speech recognition
Maguire Entering Short Messages GSM, GPRS, SMS, International Roaming, OAM 201 of
SMS shorthand
From Get 2 grips with SMS-speak b4 its 2 L8 ! some examples:
afasik as far as I know <g> grin sc stay cool
asap as soon as possible gr8 great sol sooner or later
atw at the weekend gsoh good sense of humour t+ think positive
awhfy are we having fun yet? h2cus hope to see you soon t2ul talk to you later
b4 before hak hug and kisses tuvm thank you very much
bbfn bye bye for now ic I see w4u waiting for you!
bcnu be see in you idk I dont know wuwh wish you were here
brb be right back idts I dont think so! X! Typical woman!
btw by the way iow in other words Y! Typical man!
cm call me j4f just for fun
cu see you kc keep cool
cul8ter see you later khuf know how you feel
dk dont know l8r later
dur? do you remember m8 mate
e2eg ear to ear grin mtfbwu may the force be with you
eod end of discussion nc no comment
F? Friends? nwo no way out
F2F Face to Face o4u only for you
fya for your amusement O!ic Oh, I see!
fyi for your information ruok are you okay?
Maguire SMS shorthand GSM, GPRS, SMS, International Roaming, OAM 202 of 219
External Application Interface (EAI)
In order to enable non-mobile External Short Message Entities (ESME) to
interface with an SMSC one of the following protocols (which all run over
TCP/IP) is generally used:
Short Message Peer to Peer (SMPP) open message-transfer protocol to enable

SMPP V5.0 specification released 20 February 2003 [56]
Initially defined by Logica - now SMSForum
CIMD2 Nokias Computer Interface to Message Distribution 2 [58]
EMI/UCP Vodafones description of CMGs Universal Computer Protocol[59]
Note:
this avoids the earlier problem of the interface to the SMSC being closed;
more and more operators seem to be converging on using SMPP.
Maguire External Application Interface (EAI) GSM, GPRS, SMS, International Roaming, OAM
Voice Messaging System (VMS)
A value-added service which redirects incoming calls (i.e., forwards them) to a
voice mailbox when MS is turned off, low on battery, left unattended (after ringing
for xx seconds) or temporarily out of coverage.
A Voice Message Alert (VMA) can be send (via SMS) to the MS to let the user
know there is a waiting voice message.
Note that you can use SMSs replace message facility - to over-write last VMA
- thus there will only be one message with the latest status voice messages (for
example saying: You have N voice messages waiting).
Maguire Voice Messaging System (VMS)GSM, GPRS, SMS, International Roaming, OAM 204
Voice Profile for Internet Mail (VPIM)
Voice Profile for Internet Mail (VPIM) Version 2 is currently a Proposed Standard
(RFC 2421) Applicability Statement, it is an application of Internet Mail originally
intended for sending voice messages between voice messaging systems
http://www.ema.org/vpim
http://www.ietf.org/html.charters/vpim-charter.html
VPIM v3 Specification add extensions: IMAP voice extensions, voice directory

profiles, content negotiation details for voice, and partial non-delivery
notifications.
Maguire Voice Profile for Internet Mail (VPIM) GSM, GPRS, SMS, International Roaming, OAM
Enhanced Message Service (EMS)
Allows basic graphics, icons, and sounds to be incorporated in SMS messages.
Based on concatenating (i.e., linking together a chain of) several SMS messages
Maguire Enhanced Message Service (EMS) GSM, GPRS, SMS, International Roaming, OAM
Multimedia Messaging Service (MMS)
MMS Centre (MMSC) - a logical extension of an SMS Centre, but must cope with
a larger variety of message types; in addition, it can convert message formats to
suit the capabilities of the receiving terminal
Four key functional elements:
MMS Relay - engine which transcodes and delivers messages to
mobile subscribers
MMS Server - provides the store in the store-and-forward architecture
MMS User Databases - user profiles, subscription data,
MMS User Agent - an application server which enables users to view,
create, send, edit, delete, and manage their multimedia messages
An MMS presentation can utilize a synchronization language (e.g. Synchronized
Multimedia Integration Language (SMIL)[107]) for synchronized presentation.
In addition to store and forward, MMS also supports store and retrieve (via e-mail
and web), but it was primarily designed as a person-to-person service.
Maguire Multimedia Messaging Service (MMS) GSM, GPRS, SMS, International Roaming, OAM
SMS over GPRS
Can send SMS over GPRS - thus avoiding the problem of SMS utilizing the GSM
control channel
However, if users send their messages directly via an messaging application or via
e-mail -- this could take a lot of revenue away from the operators (as SMS and
MMS have a high premium over the cost of simply transferring the bits).
Maguire SMS over GPRS GSM, GPRS, SMS, International Roaming, OAM 208 of 219
International Roaming
GSMs roaming feature allows a user to make and receive calls in any GSM
network and to use the same user-specific services worldwide, but this requires a
roaming agreement between the individual operators.
Good news With worldwide roaming the MS is accessible via the same phone number everywhere!
Bad news It could be very expensive - much more expensive than you think!
The basic problem is that when you roam to another network (for example, in
another country) - your Mobile Station ISDN number (MSISDN) still looks like it
is in your home network.
Worse: If you are in the same (non-home) network as the person you are calling,
this results in two international calls! This is due to tromboning. For four solutions
see section 13.2 of [66], pages 242-249.
Maguire International Roaming GSM, GPRS, SMS, International Roaming, OAM 209 of
Enhanced Data Rates for GSM Evolution
(EDGE)
enhanced modulation technique designed to increase network capacity
and data rates in GSM networks
provide data rates up to 384 Kbps.
EDGE lets operators without a 3G license compete with 3G networks
(since the data rates are comparable in the wide area)
GSM/EDGE Radio Access network (GERAN)
The radio interface used in Enhanced Data Rates for GSM Evolution (EDGE)
Maguire Enhanced Data Rates for GSM Evolution (EDGE) GSM, GPRS, SMS, International Roaming,
EGRPS
EGPRS = EDGE -- an extension/enhancement of GPRS including 4 new Data
Packet Traffic Channels using 8-PSK modulation and a incremental redundancy
mechanism extended to the GMSK based data packet traffic channels.
Support for simultaneous, multiple radio access bearers with different QoS profiles.
New bearer classes:
Conversational Class Voice & video conferencing where small delay is required
Streaming Class Capable of processing as transfer is taking place, needs somewhat

constant delay and throughput
Interactive Class on-line applications
Background Class Delay insensitive but requires few errors (may require multiple
re-transmissions to hide errors)
Maguire EGRPS GSM, GPRS, SMS, International Roaming, OAM 211 of 219
Operation/Administration/Maintenance (OA&M) follows ITU-Ts
Telecommunications Management Network (TMN) model, which has several
components:
Operations system (OS) OS uses Operating System Function (OSF) to provide overall
management, billing, account, management of mobile equipment, HLR
measurement,
Network Element Functions provides monitoring and control of Network Elements (NEs): HLR,
(NEFs) VLR, AuC, EIR, MSC, BSC, and BTS
Data Communication OS, NEs, and other TMN elements via Data Communication Function
Network (DCF)
Mediation device (MD) adapts the OS to a specific NE
Q-Adapter (QA) uses Q-adapter function to adapt non-TMN equipment
Workstation (WS) OA&M personnel interact with OS via Workstation functions (WSFs)
I personally find this ITU-T speak! But you have to talk the talk to walk the walk!
Maguire Operation/Administration/Maintenance GSM, GPRS, SMS, International Roaming, OAM

Further reading
GSM
[37] M. Mouly and MB Paulet, The GSM System for Mobile Communications,
Mouly and Paulet, 1992
[38] M. Mouly and MB Paulet, Current evolution of the GSM systems, IEEE
Personal Communications, vol. 2, no. 5, pp. 9-19, 1995.
[39] David J. Goodman, Wireless Personal Communications Systems, Chapter 7,
GSM: Pan-European Digital Cellular System, Addison-Wesley, 1997,
ISBN 0-201-63470-8
[40] Marc Kahabka, GSM Pocket Guide revised version Vol. 2, Acterna Eningen
GmbH, 72795 Eningen u. A., Germany
[41] Petri Jarske, The GSM System, Principles of Digital Mobile Communication
Systems, 2001 edition, Technical University Tampere, Finland
http://www.cs.tut.fi/kurssit/83150/DigiCom2001.PDF
Maguire Further reading GSM, GPRS, SMS, International Roaming, OAM 213 of 219
[42] Sudeep Kumar Palat, Replication of User Mobility Profiles for Location
Management in Mobile Networks, Dr. Ing. dissertation, Norwegian
University of Science and Technology, Dept. of Telematics, 12 Jan. 1998.
[43] GSM security
http://www.isaac.cs.berkeley.edu/isaac/gsm.html
[44] Ron Abiri, Migrating to an Advantage: Planning & Optimizing to

Maximize Networkf efficiency & ROI, Schema Ltd., 2002.
http://www.iec.org/events/2002/natlwireless_nov/featured/f1_abiri.pdf
[45] Mobile Application Part (MAP) ETSI R10 ETSI 08/96, CAA 201 45 - was
at http://www.ericsson.com/signaling/cards/map_etsi.shtml
[46] 3GPP GSM-AMR standards:
3GPP TS 26.071 V4.0.0 AMR Speech Codec; General Description
3GPP TS 26.090 V4.0.0 AMR Speech Codec; Transcoding functions
3GPP TS 26.091 V4.0.0 AMR Speech Codec; Error concealment of lost frames
3GPP TS 26.092 V4.0.0 AMR Speech Codec; Comfort noise aspects
3GPP TS 26.093 V4.0.0 AMR Speech Codec; Source controlled rate operation
3GPP TS 26.094 V4.0.0 AMR Speech Codec; Voice activity detector
3GPP TS 26.071 V4.0.0 ANSI-C code for AMR speech codec (Code Version 7.5.0)
3GPP TS 26.074 V4.0.0 AMR Speech Codec; Test sequences
GPRS
[47] Jari Hmlinen, Design of GSM High Speed Data Services, Dr. Tech.
dissertation ,Tampere University of Technology, Department of Information
Technology, 4 October 1996.
[48] Jouni Mikkonen, Quality of Services in Radio Access Networks, Dr. Tech.
dissertation,Tampere University of Technology, Department of Information
Technology, 19 May 1999.
[49] Don Zelmer, GPRS, EDGE, & GERAN: Improving the performance of
GSM & TDMA Wireless by Packet Capabilities, Cingular Wireless LLC,
SUPERCOMM 2001, Atlanta, Georgia, Wednesday, June 6, 2001
http://www.atis.org/atis/Pictures/Supercomm01/Presentationfolder/T1P1zelmer3Gtemplate2.PDF
[50] Digital cellular telecommunications system (Phase 2+); Specification of the

SIM Application Toolkit for the Subscriber Identity Module - Mobile
Equipment (SIM - ME) interface, GSM 11.14, Version 5.2.0, December
1996 http://www.ttfn.net/techno/smartcards/GSM11-14V5-2-0.pdf
USSD
[51] GSM 02.90: USSD Stage 1 -- only one way communication

[52] GSM 03.90: USSD Stage 2 -- allows two way communication
SMS and Multimedia Messaging Service (MMS)
[53] Jochen Burkhardt, Dr. Horst Henn, Stefan Hepper, Klaus Rintdoff, and
Thomas Schck, Pervasive Computing: Technology and Architecture of
Mobile Internet Applications, Addison-Wesley, 2002, ISBN 0-201-72215-1
[54] CMG ANNOUNCES THIRD-GENERATION HIGH-PERFORMANCE
SMS CENTRE: AlphaServer-based SMSC clocks unrivalled 8,000
sustained deliveries per second, Nieuwegein, the Netherlands, Feb. 19th 200,
http://h18000.www1.hp.com/products/software/in7/art4.html
[55] Logicas Picasso SMS Centre

[56] SMS Forum - http://smsforum.net/
[57] Glyn Lloyd , Phill Davies, and Andrew Beswick, Short Messaging Service
Centres (SMSCs) Uncovered: More Than Just Text!, Lehman Brothers,
November 2000, Pub Codes: 01/07/43/2035,
http://www.airslide.com/pdf/lehman.pdf
[58] Nokias Computer Interface to Message Distribution

http://www.forum.nokia.com/main/1,6566,1_2_5_30,00.html
[59] Short Message Service Centre (SMSC) External Machine Interface (EMI)
Description, Version 4.1, September 2003
http://www.vodafone.de/downloadarea/UCP-Protokoll_Emi4_1.pdf
[60] Palowirelesss SMS, EMS and MMS tutorials, (accessed 2003.03.12)

http://www.palowireless.com/sms/tutorials.asp
[61] Gustav Sderstrm, Virtual networks in the cellular domain, M. Sc.

Thesis, KTH/IMIT, January 2003 -
ftp://ftp.it.kth.se/Reports/DEGREE-PROJECT-REPORTS/030211-Gustav_So
derstrom.pdf
[62] Logica, The essential guide to Multimedia Messaging, (accessed

2003.03.12) http://www.logica.com/pdf/telecom/Mmsguide.pdf
[63] http://www.3gpp.org/ftp/specs/2002-03/Rel-4/23_series/23140-460.zip
[64] Adrian Mahdavi, Value Added Services and Content Platforms, M. Sc.
Thesis, KTH/IMIT, 25 June 2003.
ftp://ftp.it.kth.se/Reports/DEGREE-PROJECT-REPORTS/030627-Adrian_Mahdavi.pdf
[65] William Enck, Patrick Traynor, Patrick McDaniel, and Thomas La Porta,
Exploiting Open Functionality in SMS Capable Cellular Networks, 12th
ACM Conference on Computer and Communications Security
(CCS05),November 7-11, 2005, Alexandria, VA, USA
http://smsanalysis.org/
http://www.smsanalysis.org/smsanalysis.pdf preprint: September 2, 2005
International Roaming
Architectures, Chapter 13, psages 239-250 in [1].
[67] The international identification plan for mobile terminals and mobile
users, ITU E.212, revised May 2004
http://www.itu.int/rec/recommendation.asp?type=items&lang=e&parent=
T-REC-E.212-200405-I {note that ITU charges for access to the document}
[68] David Crowe, IMSI Problems in North America, IFAST, IFAST#19,

2002.06.06
http://www.ifast.org/files/IFAST19_015_IMSI.pdf
[69] ECTRA Decision on Mobile Network Codes 2013 Change from 2-digits to
3-digits, GSM Europe, Paris, France, 1st September 2000
http://www.gsmworld.com/gsmeurope/documents/positions/2000/ectra_we
b.pdf
Architectures, Chapter 14, pp. 252-263 in [1].
Architectures
4. Number portability, VoIP,

Prepaid, Location Based Services
KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20

Lecture 4
Number portability (Ch. 15), VoIP (Ch. 16), Prepaid (Ch. 17), Location Based Services (not
covered in the text)
Maguire Lecture 4 Number portability, VoIP, Prepaid, Location Based Services 221
Database lookups
Local Number Portability (LNP)
Local Number Portability required by the Telecommunications Act of 1996 and a

July 1996 order of the Federal Communications Commission (FCC) - similar
requirements in Sweden and elsewhere.
LNP (as defined by the FCC): the ability of users of telecommunications services
to retain, at the same location, existing telecommunications numbers without
impairment of quality, reliability, or convenience when switching from one
telecommunications carrier to another.
LNP implies efficient call-routing must not be based on a physical location, but
rather a logical routing scheme for how and where to route a call.
Verizons cost recovery for providing LNP amounts to US$13.80/line over a
5 year period! In Denmark, donor operator charges the recipient operator a fee of
DKK 72 (~9.6 EURO) excl. VAT (~9.6 EURO) for the coverage of one-time
administrative costs related to the porting of a single subscriber number.
Maguire Database lookups Number portability, VoIP, Prepaid, Location Based Services
Three kinds of Local Number Portability
Service Provider Portability: subscriber can move to an new provider
without a change in number (current requirement)
Location (or Geographic) Portability (GNP): subscriber can move to
a new location/geographic area (future requirement)
Service Portability: if the service (mix) which the subscriber has is not
available in their new local exchange, then connect them to where the
services are available (future requirement)
Maguire Three kinds of Local Number PortabilityNumber portability, VoIP, Prepaid, Location Based
Mobile Number Portability (MNP)
requirement that any mobile (e.g., GSM) subscriber be able to move to a new
operator or service provider and keep the same number (MSISDN)
Maguire Mobile Number Portability (MNP) Number portability, VoIP, Prepaid, Location Based
Non-geographic number portability (NGNP)
numbers (typically) associated with a service rather than a geographic destination,
e.g., freephone, low rate calling numbers, premium rate numbers; requires that the
service provider can be changed without a change of number; these all require DB
lookup
Maguire Non-geographic number portability (NGNP) Number portability, VoIP, Prepaid, Location
Call forwarding at donor end
Donor = service provider whom the number is initially associate with
Database
Originating network
Donor network
Transit network
Recipient network
inefficient in terms of call setup delays and usage of transmission

capacity
can not easily cope with numbers ported more than once, and
the donor network continues to control first and subsequent portings.
Maguire Call forwarding at donor endNumber portability, VoIP, Prepaid, Location Based Ser-
Drop back forwarding
Database
Originating network
Donor network
redirect
Transit network
Recipient network
transit network gets a redirect from the donor network, it may be able
to pass this all the way back to the originating network (i.e., dropping
back through each of the networks to the originating network)
makes better use of transmission capacity and can handle multiple
portings
the donor network continues to control first and subsequent portings.
Maguire Drop back forwarding Number portability, VoIP, Prepaid, Location Based Servic-
Query on release (QoR) solutions
Database
Originating network
Donor network
release
Transit network
Recipient network
Database
Donor network realizes the number has been ported out and sends an
ISUP release or it might not know anything about this number (i.e., not
it its DB any longer) releases the call
Release causes an intermediate point to query a portability database
and to redirect the call.
If the forward signalling indicates that preceding networks have QoR
capability, then the release goes all the way to the originating network,
which does the DB lookup and reroutes the call to recipient network.
Maguire Query on release (QoR) solutions Number portability, VoIP, Prepaid, Location Based
Look up type solutions
Originating network
Donor network
Transit network
Recipient network
Database
portability database is checked for all calls, if the number has been
ported, the new number is obtained and the call rerouted (done at first
first exchange in a network that can access a portability database)
solution is often implemented in North America via modified Signalling
Transfer Points (STPs) which can check and translate ported numbers
by modifying call setup information
the donor network now has no role, multiple portings easy; but requires
lookup of all numbers
Maguire Look up type solutionsNumber portability, VoIP, Prepaid, Location Based Servic-
Two stage solutions
Originating network
Database
returns
full number
returns recipient
network number
Transit network
Database Recipient network
Originating network simply learns the recipient networks number

(called a Logical Routing Number (LRN), in North America this is a
unique 10 digit number for the exchange)
Recipient network does a second lookup to determine where to deliver
the call within their network
increases the privacy (since the originating network does not learn
about the recipient network numbering)
Maguire Two stage solutionsNumber portability, VoIP, Prepaid, Location Based Services
All call/all network solutions
Originating network Database

Database Database
returns recipient returns recipient

network number network number
returns
full number
Transit network Transit network
Recipient network
each network does a lookup, but simply learns the next networks
number
final recipient network does a second lookup to determine where to
deliver the call within their network
increases the privacy -- since all networks along the path only learn
about the next network
Who knows the mappings?
Maguire All call/all network solutions Number portability, VoIP, Prepaid, Location Based Ser-
Who knows the mappings?
For North America the Number Portability Administration Center (NPAC) has
all the mappings and passes then to the operators Local Service Management
System (LSMS).
See also Neustar Number Pool Administration http://www.nationalpooling.com/
Swedish Number Portability Administrative Centre AB (SNPAC) officially
appointed as the single operator of the Swedish Central Reference Database
[75]; interaction follows ITS standard SS 63 63 91 [76].
see also regional numbering plan administrators:
North American Numbering Plan (NANP) http://www.nanpa.com/ (also
performed by NeuStar Inc.)

Maguire Who knows the mappings? Number portability, VoIP, Prepaid, Location Based Ser-
Nummerportabilitet i Sverige
Europaparlamentets och rdets direktiv 98/61/EG om
nummerportabilitet
Sverige ndringar i telelagen (1993:597) 1 juli 1999
Post- och telestyrelsen (PTS) om nummerportabilitet (PTSFS 1999:3
och PTSFS 2000:6).
PTS beslut 15 augusti 2001 (rende nr. 01-19102):
Swedish Number Portability Administrative Centre AB (SNPAC)
Peter Myndes Backe 12
118 46 Stockholm
(organisationsnr. 556595-2925)
http://www.pts.se/Archive/Documents/SE/Beslut for SNPAC.pdf
PTS recommended All Call Query (ACQ) as the preferred routing method for
Swedish telecommunications networks [74]
Maguire Nummerportabilitet i SverigeNumber portability, VoIP, Prepaid, Location Based Ser-

EU Document 398L0061
[ 13.20.60 - Information technology, telecommunications and data-processing ]
[ 13.10.30.20 - Research sectors ]
Instruments amended:
397L0033 (Modification)
398L0061: Directive 98/61/EC of the European Parliament and of the Council of
24 September 1998 amending Directive 97/33/EC with regard to operator number
portability and carrier pre-selection
Official Journal L 268 , 03/10/1998 p. 0037 - 0038
http://www.icp.pt/streaming/98.61.EC.pdf?categoryId=59431&contentId=94157&field=ATTACHED_FILE
Maguire EU Document 398L0061 Number portability, VoIP, Prepaid, Location Based Ser-
Nortel Networks Universal NP Master (UNMP)
A complete end-to-end number portability (NP) solution provides:
Number Portability Database (NPDB) and Number Portability
Global Title Translation (NPGTT) functionality as a single network
element
Local Service Management System (LSMS) for the management of
the ported subscriber records
support: AIN/IN and IS41 protocols for wireline and wireless porting
services
up to 11-digit GTTs for wireless number porting
up to five million ported number records.
Ported number service support includes Calling Name, CLASS,
Inter-switch Voice Messaging, Line Information Database, Short
Message Service, and PCS Call Delivery services.
5,000 queries per second, with planned expansion to 20,000 queries
per second.
Maguire Nortel Networks Universal NP Master (UNMP) Number portability, VoIP, Prepaid, Location
Lookup engines
Aeroflex UTMC LNP-Engine (cPCI or PCI board) [no longer UTMC]:
Stores up to 160 million 16-digit phone number pairs
Supports 100k lookups/sec. and 10K updates/second
Based upon two Content Addressable Memory Engines:
custom 100 MHz chip
lookup in as little as 100 nanoseconds
partitions memory into upto 8,192 tables, from 256 to 30 million records
programmable key widths (per table): from 1 to 32 bytes
programmable association widths (per table) up to 8 megabytes
performs exact matches, as well hierarchal, longest-prefix, and
proximity matches
pipelined operation with separate I/O FIFOs
bulk table load, unload, and count functions
handles table overflows
Maguire Lookup engines Number portability, VoIP, Prepaid, Location Based Services
Voice over IP (VoIP)
Integrating VoIP with mobile telephony - see also the course 2G1325/2G5564:
Practical Voice Over IP (VoIP): SIP and related protocols
http://www.imit.kth.se/courses/2G1325/
Maguire Voice over IP (VoIP)Number portability, VoIP, Prepaid, Location Based Services
TIPHON
ETSIs Telecom. and Internet Protocol Harmonization over Network (TIPHON)
(VLR)
Mediation
Radio Link BSS Gatekeeper BSC/BTS
IP
BTS Gateway Signalling Gateway

ME IP network
SIM
MS
BTS BSC GMSC VLR
TE Database
HLR AuC EIR

BTS
NSS
Figure 28: TIPHON Architecture

As of 24 September 2003 ETSI combined SPAN on fixed network standardization and TIPHON on Voice over IP (VoIP)
based networks into one committee, named TISPAN http://portal.etsi.org/tispan .
Maguire TIPHON Number portability, VoIP, Prepaid, Location Based Services 238
Ericssons GSM on the Net
Olle Granberg, GSM on the Net, Ericsson Review No. 04, 19981
Access
Radio Link BSS Node BSC/BTS
IP
Intranet
BTS Gateway Service
ME Node
SIM
MS
BTS BSC GMSC VLR
TE Database
HLR AuC EIR

BTS
NSS
Figure 29: Ericssons GSM on the Net Architecture
1. http://www.ericsson.com/about/publications/review/1998_04/files/1998046.pdf
Maguire Ericssons GSM on the Net Number portability, VoIP, Prepaid, Location Based Ser-
iGSM
Proposed by Yi-Bing Lin and Imrich Chlamtac in section 16.2([1], pp. 290-293).
This architecture is really a joining of H.323 with a gateway to GSM.
Maguire iGSMNumber portability, VoIP, Prepaid, Location Based Services 240 of

Prepaid
Customer pays before using service.
Advantages:
operator has the money - all up front (no risk and they can even earn
interest on it)
operator saves: no need for: credit checking, invoices, collections,
customer: no need for credit worthiness, no need for a contract,
immediate service, anonymous service is possible
since for many cultures and countries there is no tradition or
infrastructure for post-paid service - business is strictly cash up front --
prepaid fits well with the expectation of these customers
prepaid value can be installed in devices (such as toys, jewelry, )
many customers will never use up all their balance - it will simply be
abandon -- much to the delight of the operator {It is like printing
money!}
Maguire PrepaidNumber portability, VoIP, Prepaid, Location Based Services 241 of

GSM Prepaid
Prepaid credit is either kept in the SIM card or in the network.
When the balance is zero, customer can only receive calls. {this may be limited by
the operator}
To refill:
customer buys a refill/top-up card with a secret code
dials a freephone number to an Interactive Voice Response server
enters MSISDN number of their phone + secret code
system verifies secret code (so code can only be used once), then
refills the account
Prepaid comprises 81% of the Latin Americas mobile subscriptions - so it is very
important in practice.[80]
Maguire GSM Prepaid Number portability, VoIP, Prepaid, Location Based Services
Difference between Mobile and Fixed Prepaid
Mobile servers needs:
more complex billing system due to more complex tariffs (which can
be location dependant!)
more complex billing system due to more complex taxation (which can
be location dependant!)
real-time usage metering - which has to cut off service when balance is
zero (there is a trade off between accuracy and cost of implementation
- if the operator is willing to take some loss, the implementation can
relax the real-time constraints)
increased complexity of customer care: warning customer to refill in a
timely fashion (maintaining a credit balance - maintains cash at the
operator!)
Maguire Difference between Mobile and Fixed Prepaid Number portability, VoIP, Prepaid, Location
Four alternatives for Mobile Prepaid
Wireless Intelligent Network (WIN)
Service Node
Hot Billing
Handset-Based
Maguire Four alternatives for Mobile Prepaid Number portability, VoIP, Prepaid, Location Based
Wireless Intelligent Network (WIN)
signaling 4
Intelligent P-SCP
voice trunk Peripheral
3 8
6
1 3 2
7 5
BSC MSC 5 SSP
BTS 1 1
ME +xx xxx xxxxxx
SIM
MS
Figure 30: WIN Prepaid call origination
1. Prepaid mobile customer calls +xx xxx xxxxxx
2. MSC gets WIN call setup trigger, call setup suspended, message sent to Prepaid Service Control Point (P-SCP)
3. P-SCP instructs MSC to set up ISDN (voice) link to intelligent peripheral
4. P-SCP instructs intelligent peripheral to provide account status notification (balance, charging rate, ) for this call
5. P-SCP starts countdown timer & instructs MSC to resume call processing -- which connects the call
6. Call terminates: either (a) countdown timer expires (P-SCP instructs MSC to terminate call) or (b) call completes
7. MSC gets WIN call release trigger, sends disconnect message to P-SCP indicating duration of call
8. P-SCP rates the call (computes charges) and debits the prepaid balance, sends current balance and cost of call to MSC
Maguire Wireless Intelligent Network (WIN) Number portability, VoIP, Prepaid, Location Based
Calling party pays vs. Called party pays
Calling party pays style billing - Europe, Taiwan
Called party pays style billing - US (where mobile subscriber pays for both
incoming and outgoing calls)
Maguire Calling party pays vs. Called party pays Number portability, VoIP, Prepaid, Location
WIN Call termination when called party pays
signaling
P-SCP
voice trunk
4
6
5 3
2 1
BSC SSP
BTS 5 5 MSC 5 GMSC
ME +xx xxx xxxxxx
SIM
MS +xx yyy yyyyyy
Figure 31: WIN Prepaid call termination
1. Caller dials prepaid mobile customer +xx yyy yyyyyy
2. Call forwarded to gateway GMSC
3. GMSC get a WIN call setup trigger, suspends call processing, sends message to P-SCP
4. P-SCP determines if mobile is allowed to receive this call, if so instructs GMSC to resume call setup procedure
5. GMSC connects the call
6. P-SCP monitors called partys balance and can terminate the call if there is no credit (just as per call origination case)
Maguire WIN Call termination when called party pays Number portability, VoIP, Prepaid, Location
Service Node
signaling 3
Service PBP
voice trunk Node
4
1 2
4 SSP
4
BSC MSC
BTS 1 1
ME +xx xxx xxxxxx
SIM
MS
Figure 32: Service Node Prepaid call origination
1. Prepaid mobile dials called party (+xx xxx xxxxxx)
2. MSC detects this is a prepaid customer and sets up trunk to service node
3. Service node consults Prepared Billing Platform (PBP) to determine if the call should be allowed
4. If so, then a 2nd trunk is setup from the service node via the MSC to the called party
Note: at the cost of the 2nd trunk (and two ports of MSC), this is a very easy
service to build - since the MSC does not actually know about the prepaid service
- only that it is to connect calls from these customers to the service node.
Maguire Service Node Number portability, VoIP, Prepaid, Location Based Services
Hot Billing
signaling 5
HLR/AuC PSC
voice trunk Database
1 2 4
3 SSP
3
BSC MSC
BTS 1 1
ME +xx xxx xxxxxx
SIM
MS
Figure 33: Hotbilling Prepaid call origination
1. Prepaid mobile dials called party (+xx xxx xxxxxx) and sends their own IMSI
2. Based on IMSI, MSC asks HLR/AuC if this is a valid service request
3. If verified, HLR/AuC sends customer data and a prepaid tag to MSC, MSC connects call
4. When call terminates, a Call Detail Record (CDR) is sent to the Prepaid Service Center (PSC)
5. PSC debits the account, if the account is out of funds it notified the HLR/AuC to suspend service!
With hot billing the operator is taking a risk (of the cost of the call exceeding the
balance), but it is a one-call exposure and reduces the complexity of the system.
Maguire Hot BillingNumber portability, VoIP, Prepaid, Location Based Services 249
one-call exposure in depth
Since the operator may have no idea of who this customer is, they have no way of
collecting on the bad debt, thus they try to avoid it:
Use large values for the initial payment and refill/top-up - thus the
account has quite a ways to go before it is depleted (i.e., no low value
prepayments)
prohibit call forwarding to prepaid accounts (since otherwise you could
simultaneously forward lots of calls through a given prepaid account at
one time and one-call suddenly becomes N-calls!)
increase the interval at which CDRs are sent for processing {but this
costs in increased load on the PSC} -- in fact the trend is towards the
opposite, send bunches of CDRs are one time rather than in real-time
as calls end {this decreases load on PSC, but increases bad debt
exposure} -- in the end it is a business decision of risk/reward
Maguire one-call exposure in depthNumber portability, VoIP, Prepaid, Location Based Ser-
Handset-Based
Uses GSM Phase 2, Advice of Charge (AoC):
Advice of Charge Charging (AoCC) this is how you debit the balance in the SIM card
Advice of Charge Information (AoCI)
Builds upon sever SIM data fields:
accumulated call meter (ACM)
accumulated call meter maximum (ACM*)
price per unit and currency table (PUCT)
Prepaid service center (PSC) uses SMS messages to execute program in the
handset, these applications are controlled by the SIM Toolkit.
Different sized SIM cards may be needed if large tariff rate tables or
complex rating schemes are to be used.
ACM and ACM* are generally user accessible (via PIN2), but for
prepaid cards this access is disabled (either at time of manufacture or
via an SMS message when users subscribes to prepaid service).
Maguire Handset-Based Number portability, VoIP, Prepaid, Location Based Services

signaling
voice trunk
1
2 1 1 3 3
3 BTS 2 BSC 2 MSC SSP
ME 3 3 +xx xxx xxxxxx
SIM 4
MS
Figure 34: Handset-Based Prepaid call origination
1. Prepaid mobile dials called party (+xx xxx xxxxxx)
2. Based on rate plan (+ destination, time/date), MSC sends AoC e-parameters (including ACM and ACM*) to mobile
3. If mobile support AoCC, it acks receipt of e-parameters; if MSC gets this ack, call is connected, otherwise call is denied
4. During call MS uses AoC e-parameters for tariff info; locally decrements credit by incrementing ACM. When ACM
reaches ACM*, MS terminates call and informs MSC of call release
Maguire Handset-Based Number portability, VoIP, Prepaid, Location Based Services

Combined Handset-based + Hot Billing
For fraud reduction, Handset-based approach can be combined with the Hot
billing approach - thus if PSC thinks there is no credit but SIM claims credit, the
PSC can inform operator to: terminate service and/or trigger fraud investigation.
Unfortunately, the disagreement might be legitimate due to poor synchronization
(of charging information) between PSC and MS.
Maguire Combined Handset-based + Hot BillingNumber portability, VoIP, Prepaid, Location Based
Roaming and Prepaid
Lots of problems:
cant easily use special MSISDN numbers as this would:
prevent operator number portability
service portability is not allowed, since you could not change to post paid without changing
MSISDN
could use IMSI, but this might require software change at visited system
prepaid charging might not be performed at visited system (because it
uses a different prepaid scheme than home system)
therefore route the call via the home system - letting it implement the prepaid debiting
but this requires a trunk to the home system ( higher charge for a specific prepaid call than
a postpaid call) -- this may be too expensive for international roaming
scalability problems with service node approach (since you use up two
MSC ports per call)
AoC traffic is not encrypted - so the handset can just tamper with or
ignore debit commands! manufactures working on SIM encryption
handset-based approach may lock operator to a SIM supplier
some of the schemes have a high setup cost
Maguire Roaming and Prepaid Number portability, VoIP, Prepaid, Location Based Servic-
Revenue and new services
Carriers generally think in terms of Average Revenues Per User (ARPU).
ARPU is defined (by Telia) as total sales during the period, divided by the average
number of subscribers, divided by the number of months in that period.
For example, TeliaSonera Q4 2003 ARPU and MoU figures from [81]:
Customers ARPU Minutes of Use (MoU)
Prepaid Post-paid Avg. Prepaid Post-paid Avg.
Sweden 3,838,000 94 SEK 452 SEK 268 SEKa 56 209 129
Finland 2,428,000 41eb 164

Norway 1,195,000 129 NOK 560 NOK 351 NOKc 60 267 167
a. 227 SEK in 2004 (from TeliaSoneras Annual report for 2004)
b. 38e in 2004
c. 339 NOK in 2004
With time and competition ARPU generally decreases, hence the pressure to
introduce new services which have a higher margin.
Maguire Revenue and new services Number portability, VoIP, Prepaid, Location Based Ser-
Location Based Services (LBS)
As we have seen it is possible to locate where a user is to within a cell, but it is
also possible to refine this positioning via the infrastructure or via other means
such as GPS. Popular uses of LBS include:
Navigation applications
Location based information
Enabling services such as - Where is the nearest X? where X can be gas station, hospital,
restaurant, different responses depending on where you are when you ask for the
information
Location sensitive billing
see for example Virtual enterprise networks on page 326
Emergency services
US FCCs Wireless E911 Phase II Automatic Location Identification - requires wireless
carriers, to provide more precise location information to PSAPs, specifically, the latitude and
longitude of the caller to an accuracy of 50-300 meters (depending on the type of
technology used).
Tracking
fleet vehicles (such as taxis, service trucks, )
For an introduction to LBS see [89].
Maguire Location Based Services (LBS) Number portability, VoIP, Prepaid, Location Based
Means of determining location
Passive
Cell identity
especially useful if you have a table of where the cells are
completely passive - you just listen to the broadcast of the Cell ID, etc.
Based on satellite navigation systems: Global Positioning System (GPS), GLOSNASS,
Galileo,
must listen for sufficient data from multiple satellites
Active
Based on timing
Timing Advance (distance from basestation estimated by the timing advance value)
Based on timing and triangulation
Time of Arrival (TOA)
Time Difference of Arrival (TDOA)
Enhanced Observed Time Difference (EOTD)
Angle of Arrival (AOA)
Mixed
Assisted GPS (A-GPS), assisted-x
Maguire Means of determining location Number portability, VoIP, Prepaid, Location Based
Geographic Location/Privacy (geopriv)
IETF RFC 3693: Geopriv requirements, sets out a number of requirements
necessary preserve geopgraphic location privacy[83].
The RFC details authorization, security and privacy1 requirements for the Geopriv
Location Object (LO) and for the protocols that use this Location Object. The LO
is used to securely transfer location data.
Additional working drafts:
Dynamic Host Configuration Protocol Option for Coordinate-based
Location Configuration Information [84]
DHCP Option for Civil Addresses [85]
Geopriv Policy [86]
A Presence-based GEOPRIV Location Object Format
A Presence Architecture for the Distribution of Geopriv Location
Common Policy [88]
1. The protection of privacy is based on Privacy Rules set by the "user/owner of the Target".
Maguire Geographic Location/Privacy (geopriv)Number portability, VoIP, Prepaid, Location Based

Further reading
Number portability
[71] Tango Telecom,Number Portability: a white paper, Tango Telecom,

wpnp01-18/02/00
[72] Barry Bishop, LNP, Pooling and IVR: What are the impacts to Public
Safety Organizations and Law Enforcement?, Lockheed Martin,
http://www.numberpool.org/law_911_registration/apco.ppt
[73] North American Number Portability Administration Center (NPAC)

(http://www.npac.com)
[74] Olle Rding, NUMBER PORTABILITY IN SWEDEN: A project
summary, YABSA Informatik AB, Saltsjbaden, Sweden -
http://www.hif.hu/menu6/m6_3/pdf_p/13w5%20yabsa.pdf , the author was
responsible for
Principal design and specification of the Central Reference Database for number portability
in Sweden
Development & definition of business model and operational model for SNPAC AB,
Maguire Further reading Number portability, VoIP, Prepaid, Location Based Services
[75] Swedish Number Portability Administrative Centre AB
http://www.snpac.se/
[76] Number portability in Sweden: Administrative process for number

portability, including the administrative interface and the central reference
database (Nummerportabilitet i Sverige Administrativa rutiner fr
nummerportabilitet inkluderande administrativa grnssnitt och central
referensdatabas), Swedish Standard SS 63 63 91, 2000-03-14,
http://www.its.se/ITS/ss6363x/SS636391-ed2.pdf
[77] Number Portability in Sweden - Network solutions for Service Provider

Portability for public digital mobile telephony services, Swedish Standard
SS 63 63 92, 2000-03-14,
http://www.its.se/ITS/ss6363x/SS636392-ed1.pdf
VoIP
[78] G. Q. Maguire Jr., Practical Voice Over IP (VoIP): SIP and related
protocols, Lecture notes, Period 4, 2005
http://www.it.kth.se/courses/2G1325/VoIP-Coursepage-Spring-2005.html
Prepaid
[79] Gemplus, Smart Card in Wireless Services, {perhaps a bit biased since
they are one of the leading vendors of smart cards}
[80] Chris Pearson and Erasmo Rojas, Wireless Trends in the Americas: The
Proliferation of GSM 850 MHz and EDGE, A press release from
3G Americas, November 2003
http://www.3gamericas.org/PDFs/EDGE-GSM850_Nov03_English.pdf
[81] TeliaSonera, Year-End Report 2003: Appendic for the telephone conference,
February 11, 2004.
http://www.telia.net/Koncernwebb/Attachment/20040211/Q42003BackupSlidesExternal.ppt
Location Based Services
[82] IETF Geographic Location/Privacy (geopriv) working group charter -

http://www.ietf.org/html.charters/geopriv-charter.html
[83] J. Cuellar, J. Morris, D. Mulligan, J. Peterson, and J. Polk, Geopriv

requirements, IETF RFC 3693, February 2004
[84] .J. Polk, J. Schnizlein, and M. Linsner, Dynamic Host Configuration
Protocol Option for Coordinate-based Location Configuration Information,
RFC 3825, July 2004. http://www.ietf.org/rfc/rfc3825.txt
[85] H. Schulzrinne, DHCP Option for Civil Addresses, Internet draft,
February 19, 2004, Expires: August 19, 2004
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-dhcp-civil-05.txt
[86] H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, and J. Polk, Geopriv

Policy, Internet draft, November 28, 2004, Expires: May 29, 2005
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-pidf-lo-03.txt
[87] J. Peterson, A Presence Architecture for the Distribution of Geopriv

Location Objects, Internet draft, September 8, 2004, Expires: March 9,
2005
http://www.ietf.org/internet-drafts/draft-ietf-geopriv-pres-02.txt
[88] H. Schulzrinne, J. Morris, H. Tschofenig, J. Cuellar, J. Polk, and

J. Rosenberg, Common Policy, Internet draft, November 28, 2004,
Expires: May 29, 2005 http://www.ietf.org/internet-drafts/draft-ietf-geopriv-policy-05.txt
[89] Johan Hjelm, Creating Location Services for the Wireless Web, John Wiley
& Sons, 2002, ISBN: 0471402613
Architectures
5. WAP, Heterogeneous PCS, 3G

KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20

Lecture 5
WAP (Ch. 19), Heterogeneous PCS (Ch. 20), 3G (Ch. 21)
Maguire Lecture 5 WAP, Heterogeneous PCS, 3G 265 of 318

Wireless Application Protocol (WAP)
Goal: a set of communication protocol standards to make accessing online
services from a mobile phone simple
The motivation for developing WAP was to extend Internet
technologies to wireless networks, bearers and devices.[90], page 4.
Initially conceived by four companies: Ericsson, Motorola, Nokia, and Openwave
Systems Inc. (formerly Unwired Planet)
WAP Forum is an industry association to promote WAP, they are now called
The Open Mobile Alliance Ltd. http://www.openmobilealliance.org/
Maguire Wireless Application Protocol (WAP) WAP, Heterogeneous PCS, 3G 266 of 318
WAP Model
Now called the WAP Proxy Model - since WAP gateway acts as a proxy:
GSM Network
Request
Encoded Request
WAP WML
Encoded WML gateway
WML origin
WML HTML server
microbrowser filter
The basic (erroneous) thoughts behind WAP were:

that terminals were limited in processing/memory/display,
that the communication channel was expensive,
that the operator was the natural intermediary in every mobile users
interaction with any services, and
that a special protocol stack was necessary to optimize for the above.
An emphasis was on push services: In push services content is sent to the user
without the user requesting it.
Maguire WAP Model WAP, Heterogeneous PCS, 3G 267 of 318
WAP (first round) Summary
Massive failure, because:
tried to introduce a WAP protocol stack
did not really provide an end-to-end service {because they wanted to
keep the operator in the middle of all transactions} - the result is that
content was in clear text in the WAP gateway
the result was significant security problems - especially because the changes that were
introduced into the WAPified SSL introduced problems
most operators used SMS to carry the WAP traffic and this was too
expensive and had very significant delay problems
many terminals had problems with their software and each type had its
own resolution, size, - so content had to be prepared for a specific
terminal {which increased content development costs - since automatic
conversion was not really successful}
WAP 2.0 moves toward being an IP based stack (with HTTP, TLS, and TCP) -
although of course they still support their earlier optimized/wapified stack. The
new model is a direct connection between mobile and HTTP server.
Maguire WAP (first round) Summary WAP, Heterogeneous PCS, 3G 268 of 318
WAP 2.0
Wireless Profiled HTTP (WP-HTTP) a profile of HTTP for the wireless environment and is fully interoperable
with HTTP/1.1. Built on HTTP request/response transaction. Supports
message body compression of responses and the establishment of secure
tunnels.
Transport Layer Security (TLS) a wireless profile of the TLS protocol, includes cipher suites, certificate
formats, signing algorithms and the use of session resume. Support
end-to-end security at the transport level.
Wireless Profiled TCP (WP-TCP) provides connection-oriented services, optimized for wireless
environments and fully interoperable with standard TCP
implementations. Builds upon IETF Performance Implications of Link
Characteristics (PILC) working group recommendations
Wireless Session Protocol (WSP) Wireless Transaction Protocol (WTP), Wireless Transport Layer
Security (WTLS), Wireless Datagram Protocol (WDP) - as now Legacy
Protocol Layers[90]
Maguire WAP 2.0 WAP, Heterogeneous PCS, 3G 269 of 318

WAP 2.0 new & enhanced services
WAP Push allows content to be sent or "pushed" to devices by server-based applications via a Push
Proxy; real-time applications; provides control over the lifetime of pushed messages,
store&forward capabilities at the Push Proxy, control over bearer choice for delivery.
User Agent Profile provides a mechanism for describing the capabilities of clients and the preferences of
(UAProf) users to an application server, based on the Composite Capabilities / Preference Profiles
(CC/PP) work of the W3C Wireless Telephony Application (WTA)
External Functionality specifies the interface between WAE and components or entities with embedded
Interface (EFI) applications that execute outside of the defined WAE capabilities (i.e., basically allowing
plug-in modules) - thus allowing access to external devices (e.g. smart cards, GPS,
digital cameras, sensors, )
Persistent Storage a standard set of storage services and interface for organizing, accessing, storing and
Interface retrieving data on the wireless device or other connected memory device.
Data Synchronization adopts SyncML language for the data synchronization (see www.syncml.org)
Multimedia Messaging permits delivery of varied types of content

Service (MMS)
Provisioning provides clients with information needed to operate on wireless networks; permits
network operator to manage the devices on its network using a common set of tools
Pictogram tiny images, that can be used to quickly convey concepts in a small amount of space
Maguire WAP 2.0 new & enhanced services WAP, Heterogeneous PCS, 3G 270 of 318
Heterogeneous PCS
Utilize multiple types of radios to get the advantages of each to:
increase capacity and/or
increase coverage area and/or
decrease power consumption and/or
increase bandwidth and/or
decrease delay,
Maguire Heterogeneous PCS WAP, Heterogeneous PCS, 3G 271 of 318

Similar Radio technologies +
Same Network technology (SRSN)
with different power different size cells; for example macrocells with
levels microcells for hotspot coverage; microcells borrow
Macrocell
radio channels from the macrocellular system - so
that they use a different channel than the overlapping
macrocell
Microcell
with different multiband system such as:

frequency bands GSM900+GSM1800macrocell since the cells can band1
overlaps arbitrarily they can of course be of different
sizes
band2
Maguire Similar Radio technologies + Same Network technology (SRSN) WAP, Heterogeneous PCS, 3G 272
Different Radio technologies +
Same Network technology
Both using IS-41 as network protocol:
IS-136 + AMPS
IS-95 +AMPS
Maguire Different Radio technologies + Same Network technology WAP, Heterogeneous PCS, 3G 273 of
Different Radio technologies +
Different Network technology
Generally high-tier PCS with low-tier PCS
Examples:
AMPS +PACS or GSM +PACS
GSM + DECT
Maguire Different Radio technologies + Different Network technology WAP, Heterogeneous PCS, 3G 274 of
Tier Handoff
Tier Handoff performs handoffs from one system to another.
For the case of SRSN - different power levels, the macro and microcells use the
same air interface and the handoffs is as usual.
For the case of SRSN - different bands, just a little harder than usual (because the
handset might not be able to listen to more than one frequency at a time).
For the case of DRSN it is harder yet generally requires modification in the
handoff of each system, in some cases the handoff might only work in one
direction
For the case of DRDN the easiest is to simply set up a new call (perhaps via
automatic redial) in the new network.
Maguire Tier Handoff WAP, Heterogeneous PCS, 3G 275 of 318

Registration for SRSN & DRSN
Fairly straight forward since the systems use the same network technology.
Key problem is: Who does the tier selection?
Maguire Registration for SRSN & DRSN WAP, Heterogeneous PCS, 3G 276 of 318
Registration for DRDN
Since the different systems use different registration & authentication and
different data may be store in their different HLRs (and VLRs) define a new
multitier HLR to integrate the two.
Implemented via tier manager
Single (SR) vs. Multiple registrations (MR) - the former is simpler, the later
reduces the registration traffic and decreases the time required for tier handoffs.
Maguire Registration for DRDN WAP, Heterogeneous PCS, 3G 277 of 318

Call delivery
SR case simply query the MHLR to find where to deliver the call
MR case either select the tier to try based on some heuristic (for example, always try low-tier first or
try the system where the MS register most recently) or page first, then try the one where
you get a response
Maguire Call delivery WAP, Heterogeneous PCS, 3G 278 of 318

User identity (identities) and MSs
Their can be
a single identity or several identities
user can be associated with a single logical number or multiple
identities can have a primary association with a MS or no
single or multiple MSs
user can use one (multimode MS) or several MSs
Does the user choose which device to use or does the multitier manager?
A hard problem is what to do when the service (for example, streaming video)
only makes sense on a subset of the MSs or PCS systems.
Maguire User identity (identities) and MSs WAP, Heterogeneous PCS, 3G 279 of 318
Major forces driving heterogeneous PCS
consolidation/mergers&acquisitions/bankruptcy/ new owner may end up
owning several different types of systems, examples:
AT&T acquisition of McCaws cellular system
Bell Atlantic merger with NYNEX
Merger of Vodaphone with AirTouch
DeutscheTelekoms (T-Mobile) Voicestream Wireless Corp. acquistion
of WLAN operations of MobileStar
Maguire Major forces driving heterogeneous PCS WAP, Heterogeneous PCS, 3G 280 of 318
Internetworking scenarios
There are several alternatives for how tightly the different systems might be
coupled[92]:
Open coupling
No real integration between the systems, except perhaps for sharing a billing system
Separate authentication for each system
Loose coupling
sharing a single subscriber database
allows centralized billing
allows interworking, but has two separate IP address spaces and does not support vertical
handoffs (so connections are dropped when the use moves from one network to another)
Tight coupling
an Interworking Unit (IWU)/Radio Network Controller (RNC) interconnects the radio access
neworks to the SGSNs
might require a new set of interfaces Iu (RNC-SGSN) and Iub (RAN-RNC) {RAN = Radio
Access Network}
Very tight coupling
an Interworking Unit (IWU) connects the Radio Access Network to the RNC
for example, using an interface Iu(RNC-WLAN) to connect WLAN as a cell of the RNC
Maguire Internetworking scenarios WAP, Heterogeneous PCS, 3G 281 of 318

Paradigm shifts
voice-centric data centric
shift to packet switching
problems: QoS, streaming media
continually evolving terminals and data applications - end users expect
the same services (and more) from wireless systems as they expect
from wireline systems
Maguire Paradigm shifts WAP, Heterogeneous PCS, 3G 282 of 318

Third Generation Mobile (3G)
Offering data rates greater than ISDN (144kbps), typically thought to be 384kbps
and perhaps upto 2 Mbps when stationary near a base station.
Six types of services:
Interactive multimedia (video conferencing)
High speed multimedia (broadcast TV)
Medium speed multimedia (web browsing)
Circuit switched data (FAX)
Speech (telephony)
Messaging (e-mail, SMS, )
All based on CDMA; Europes Universal Mobile Telecommunications System
(UMTS) will be Wideband CDMA (W-CDMA, 25 MHz channel bandwidth):
ETSI agreed to use a combination of wideband code division multiple access (W-CDMA)
and time division multiple access (TD/CDMA) on the air interface
W-CDMA will be used to cover larger areas
TD/CDMA for local (indoor) applications
Maguire Third Generation Mobile (3G) WAP, Heterogeneous PCS, 3G 283 of 318
3rd Generation Partnership Project (3GPP)
Original scope was to produce globally applicable Technical Specifications and
Technical Reports for a 3rd Generation Mobile System based on evolved GSM
core networks and the radio access technologies that they support Universal
Terrestrial Radio Access (UTRA)1, W-CDMA, UMTS (in Europe) and FOMA (in
Japan)
Amended to include the maintenance and development of the Global System for
Mobile communication (GSM) Technical Specifications and Technical Reports
including evolved radio access technologies (e.g. General Packet Radio Service
(GPRS) and Enhanced Data rates for GSM Evolution (EDGE)).
See: http://www.3gpp.org/
ETSI is the 3GPP Secretariat
1. Both Frequency Division Duplex (FDD) and Time Division Duplex (TDD) modes.
Maguire 3rd Generation Partnership Project (3GPP) WAP, Heterogeneous PCS, 3G 284 of 318
3G(PP) Architecture
Radio Link
UTRAN CS-
MGW
Nb CS-
MGW
CN
Iub External networks
Mc Mc
Uu Node B Iu-CS
MSC Nc GMSC
MS server
UE RNC server EIR PSTN
UIM B SS7 C
Iur HLR AuC
VLR Database Database
Database
RNC D HSS IMS

TE Gs
Iub Gc Gi
Node B Iu-PS Intranet
Gn Gn Gi
GPRS network
SGSN Internet
GGSN
Figure 35: 3G(PP) Architecture; CN = Core network; RNC = Radio Network Controller;
IMS=IP Multimedia Subsystem; HSS=Home Subscriber Server; CS-MWG=Circuit Switch Media Gateaway
The division into a circuit switched domain and a packet switched domain - will
disappear as the architecture evolves to an All-IP network
Maguire 3G(PP) Architecture WAP, Heterogeneous PCS, 3G 285 of 318

3.5G or super 3G
HSDPA + HSUPA sometimes called 3.5G or super 3G
High Speed Downlink Packet Access (HSDPA)
An enhancement to WCDMA providing fast retransmissions over wireless link

and fast scheduling to share a high speed downlink.
For further details see [114] and [115]
High Speed Uplink Packet Access (HSUPA)
An enhancement to WCDMA providing sharing of a high speed uplink, called the

enhanced dedicated channel (E-DCH); this channel is assigned to one mobile
device at a time
Goal: upload (burst) speeds up to 5.8 Mbit/s
For further details see [116] and [117]
Maguire 3.5G or super 3G WAP, Heterogeneous PCS, 3G 286 of 318

Third Generation Partnership Project 2
(3GPP2)
A collaborative third generation (3G) telecommunications standards-setting
project comprising North American and Asian interests developing global
specifications for ANSI/TIA/EIA-41 Cellular Radiotelecommunication
Intersystem Operations network evolution to 3G, and global specifications for
the radio transmission technologies (RTTs) supported by ANSI/TIA/EIA-41.
Focus is cdma2000
See: http://www.3gpp2.org/
TIA is the 3GPP2 Secretariat
Maguire Third Generation Partnership Project 2 (3GPP2) WAP, Heterogeneous PCS, 3G 287 of 318
3GPP2 reference model
Radio Link
Um
MS
ME
MT0 MT1 MT2
Sm
TE1 TAm
Ui or Ur Rm Rm
TE2 TE2 Uv
UIM Vehicle
Figure 36: 3GPP2 Architecture (the mobile)
Maguire 3GPP2 reference model WAP, Heterogeneous PCS, 3G 288 of 318

Packet Data
Radio Pi
Link BTS HA PDN
Di
ISDN
AAA
Pi
AAA T6
E? PDE MPC Y
Pi Pi E12 E WNE
BTS Pi T8 5 IWF Di
LPDE E9 Di
SN Di
Abis PSDN SCP
PCF
Aquinter T3 T7
Aquinter T1 T2
T5 IP Ai E2
NPDB T9 Ai
PSTN ESME
Z
A EIR Location
MSC E11
BSC E MSC E MSC F
B B C T4 CRDB
Ater Q1
VLR VLR HLR Law Enforcement
BTS D IAP
G DF CF
N1 D1 d e
Z1 N
VMS OTAF
V OTAF X
CSC
Q Z3 CDIS
H i CDGP Customer support
MC MC k
M2 AC j CDRP
Messaging M1 SME SME CDCP
M3
Figure 37: 3GPP2 Architecture (infrastructure and external entities)

Interface Description
A between BSC and MSC, PCM 2 Mbps, G. 703
Ai Analog Interface to PSTN
Abis between BTS and BSC, PCM 2 Mbps, G. 703
Aquinter between BSC and PCF (Packet Control Function)
B between MSC and VLR (use MAP/TCAP protocols)
C between MSC and HLR (MAP/TCAP)
D between HLR and VLR (MAP/TCAP)
Di Digital interface to ISDN
D1 between VLR and OTAF (Over-The-Air Service Provisioing Function)
E between two MSCs (MAP/TCAP + ISUP/TUP)
E2 between MPC and ESME (Emergency Service Message Entity
E5 between MPC and PDE (Position Determining Entity)
E9 between MPC and SCP
E11 between MPC and CRDB
E12 between MPC and ESME
F between MSC and EIR (MAP/TCAP)
G between VLRs (MAP/TCAP)
H between HLR and AuC
M1 between MC (Message Center) and SME (Short Message Entity)
M2 between MCs (Message Centers)
M3 between SMEs (Short Message Entities)

N between MC (Message Center) and HLR
N1 between HLR and OTAF
Pi Packet interface
Q between MSC and MC (Message center)
Q1 between MSC and OTAF
T1 between MSC and SCP
T2 between SCP and HLR
T3 between SCP and IP
T4 between SN and HLR
T5 between MPC and IP (Intelligent Peripheral)
T6 between MPC and SN (Service Node)
T7 between SN and SCP
T8 between SCPs
T9 between IP and HLR
Ui between UIM and ME
Um Radio link between MS and BTS
Ur between UIM and ME
Uv between MS and vehicle
V between OTAFs
X between OTAF and CSC
Y between WNE and IWF (Inter-working Function)
Z between MSC and NPDB

Z1 between MSC and VMS
Z3 between VMS and MC
d IAP (Intercept Access Point) interface to DF (Delivery function)
e between DF and CF (Collection function)
i CDIS (Call Data Information Service) interface to CDGP (Call Data Generation Point)
j between CDGP and CDCP (Call Data Collection Point)
k between CDGP and CDRP (Call Data Rating Point)

3GPP2 abbreviations
Abbrev Explaination
AAA Authentication, Authorization, and Accounting
AC Authentication Center (called AuC in GSM)
BTS Base Transceiver Station
CDCP Call Data Collection Point
CDGP Call Data Generation Point
CDIS Call Data Information Service
CDRP Call Data Rating Point
CF Collection Function (for collecting intercept information)
CRDB Coordinate Routing Database
CSC Customer Service Centre
DF Delivery function (for delivering intercepted communications)
ESME Emergency Service Message Entity
EIR Equipment Identity Register
HA Home Agent
HLR Home Location Register
IP Intelligent Peripheral
IAP Intercept Access Point
IWF Inter-working Function
LPDE Local Position Determing Entity
MC Message Centre
Maguire 3GPP2 abbreviations WAP, Heterogeneous PCS, 3G 293 of 318

Abbrev Explaination
ME Mobile Equipment
MPC Mobile Positioning Center
MS Mobile Station
MSC Mobile Switching Centre
NPDB Number Portability Database
OTAF Over-The-Air Provisioning Function
PCF Packet Control Function
PDN Packet Data network
PDSN Packet Data Serving Node (aka a router!)
SCP Service Control Point
SME Short Message Entity
SN Service Node
TA/Tm Terminal Adapter
UIM User Identity Module
VLR Visitor Location Register
VMS Voice Message System
WNE Wireless Network Entity
Maguire 3GPP2 abbreviations WAP, Heterogeneous PCS, 3G 294 of 318

Mobile Station Application Execution
Environment (MExE)
Building on ideas from WAP, UMTS introduces a Mobile Station Application
Execution Environment (MExE) to provide a standard environment for the MS to
access the internet and intranet services.
MExE Classmark
classifies the MS based on its capabilities (processing, memory, display, )

MExE classmark 1 based on WAP
MExE classmark 2 based on PersonalJava (supports JavaPhone Power Monitor package)
MExE classmark 3 based on Java 2ME Connected Limited Device Configuration (CLDC) and Mobile Information
Device Profile (MIDP) environment - supports Java applications running on resource
constrained devices.
MExE classmark 4 based on ECMAs Common Language Infrastructure Compact Profile - supports CLI based
applications running on resource constrained devices (CLI designed to be programming
language and OS neutral)
Maguire Mobile Station Application Execution Environment (MExE) WAP, Heterogeneous PCS, 3G 295 of
Common Language Infrastructure for MExE
devices: Classmark 4
Service discovery and management
Browser installed on a MExE device should support MIME type

text/vnd.sun.j2me.app-descriptor. Allows user to browse and discover a Java
application which can then be downloaded. Capability negotiation information in
the request header can determine which application to present.
MID applications (MIDlets) and MIDlet suites are indicated to the user, if the
terminal has a display, may be presented as an icon and a tag or as a textual tag
Java Application Description (JAD) file can be downloaded and to determine if
the MIDlet is suitable for download and installation
If it is, then JAR file can be downloaded and installed
If not, the MExE UE should be able to prompt the user so that the user (they can delete
some existing applications if there is not enough space to install the new application)
If the application chosen already exists on the device, the user should be notified so they
can choose to either to download the chosen version or to retain the existing one
user should be able either to launch the MIDlet immediately or later
Maguire Common Language Infrastructure for MExE devices: Classmark 4 WAP, Heterogeneous PCS, 3G 296
CLI MExE Devices
SMExE Classmark 4 devices based on CLI Compact Profile spec.: defines runtime
environment and APIs available to a CLI based MExE device such that services
(specified in the form of language independent classes and interfaces) can control
such a device in a standardized way.
CLI Compact Profile Namespaces Application management features for a Classmark 4 application
System Discovery
System.Collections Download
System.Globalization Verification
System.IO Installation
System.Text Execution Start
System.Threading Execution Pause
System.Runtime.CompilerServices Execution Resume
System.Reflection Execution Stop
System.Net Execution Terminate
System.Xml Uninstall
Support for network protocols

Protocol Optionally
HTTP/1.1 Mandatory Gopher Optional
HTTPS Mandatory ftp Optional
SOAP Mandatory mailto Optional
File Optional
Maguire Common Language Infrastructure for MExE devices: Classmark 4 WAP, Heterogeneous PCS, 3G 297
3G Physical Layer
There has been great fighting over what is the best physical and link layer for
3G, due to political, economic, reasons.
Indications are that there will be several 3G CDMA modes (at least 5 different
choices), but there might be some hope for harmonization at the network level
(with at least 3 choices: ANSI-41, GSM MAP, and IP)!
Maguire 3G Physical Layer WAP, Heterogeneous PCS, 3G 298 of 318

Gateway Location Register (GLR)
3GPP introduces a Gateway Location Register (GLR) to reduce traffic between
VLR and HLR {especially for the case of international roaming}. The GLR is
located in the visited network, but is treated by the visited network as the users
HLR (while the user is in the visited network).
The home network treats the GLR as if it were the VLR in the visited network.
While it can clearly reduce signaling costs when the user is not in their home
country - the book does not address the question of Does this really matter?
Since there is an enormous amount of bandwidth available via fibers - does the
signaling traffic really matter? Does the GLR reduce the delays for providing
service to the user?
Maguire Gateway Location Register (GLR) WAP, Heterogeneous PCS, 3G 299 of 318
3G QoS
Four QoS classes:
conversational for delay sensitive traffic, with limited transfer delay
streaming for one-way real-time traffic
interactive for delay-insensitive traffic such as e-mail, telnet,
background for delay-insensitive traffic such as FTP, background bulk transfer of e-mail,
7 QoS parameters: max/min/guaranteed bit rates, max. packet size, reliability,

Major problems with how to map between the QoS of different systems.
Maguire 3G QoS WAP, Heterogeneous PCS, 3G 300 of 318

UMTS Subscriber Identity Module (USIM)
3GPP specifications:
TS21.111 USIM and IC card requirements
TS22.112 USIM toolkit interpreter; Stage 1
TS31.111 USIM Application Toolkit (USAT)
TS31.112 USAT Interpreter Architecture Description; Stage 2
TS31.113 USAT interpreter byte codes
TS31.114 USAT interpreter protocol and administration
TS31.115 Secured packet structure for (U)SIM Toolkit applications
TS31.116 Remote APDU Structure for (U)SIM Toolkit applications
TS31.120 UICC-terminal interface; Physical, electrical and logical test specification
TS31.121 UICC-terminal interface; USIM application test specification
TS31.122 USIM conformance test specification
TS31.131 C-language binding for (U)SIM API
TR31.900 SIM/USIM internal and external interworking aspects
TS42.017 Subscriber Identity Module (SIM); Functional characteristics
TS42.019 Subscriber Identity Module Application Programming Interface (SIM API); Stage 1
TS43.019 Subscriber Identity Module Application Programming Interface (SIM API) for Java Card; Stage 2
TS51.011 Specification of the Subscriber Identity Module - Mobile Equipment (SIM-ME) interface
TS51.013 Test specification for SIM API for Java card
Maguire UMTS Subscriber Identity Module (USIM) WAP, Heterogeneous PCS, 3G 301 of 318
Wireless Operating System for Handsets
There has been a battle brewing for who will define and dominate the OS market
for 3G handsets - which given the expected handset volume could be a very large
market.
Candidates:
Microsoft - WinCE (and its successors)
Symbians EPOC OS - built upon Psions OS - Symbian formed by
Nokia, Ericsson, Motorola)
3Coms PalmOS
linux
Maguire Wireless Operating System for Handsets WAP, Heterogeneous PCS, 3G 302 of 318
Mobile Virtual Network Operator (MVNO)
A virtual operator who uses the physical infrastructure of other operators.
Pyramid Research projects a greater than 3x Return on Investment (ROI) for MVNOs vs. facilities-based
UMTS network operator1.
was http://www.pyramidresearch.com/info/rpts/mvno.asp
Richard Bransons Virgin Mobile signed up 700k customers in their first year!2
Freed from a large subscriber base that is necessary to cover network deployment
costs, an MVNO can target a more finely segmented market.3
Mobile Virtual Network Operators: Oftel inquiry into what MVNOs could offer
consumers - was
http://www.oftel.gov.uk/publications/1999/competition/mvno0699.htm
note Oftel was replace by Ofcom http://www.ofcom.org.uk/

1. was http://www.pyramidresearch.com/static_content/feature_articles/010402_feature.asp
2. was http://www.adventis.com/mvno/main.htm
3. was http://www.gii.co.jp/english/pr8818_mvno.html
Maguire Mobile Virtual Network Operator (MVNO) WAP, Heterogeneous PCS, 3G 303 of 318
IP Multimedia Subsystem (IMS)
One of the major driving forces for 3G telephony (as envisoned by many vendors
and operators) is Multimedia. 3GPP has defined an IP Multimedia Subsystem
(IMS) and 3GPP2 intorduced the MultiMedia Domain (MMD) for third
generation Code Division Multiple Access 2000 (CDMA2000) networks - the two
were subsequently harmonized.
The first new services include:
Instant Messaging
Presence
Push to Talk over Cellular (PoC) (walkie-talkie like services)
one of the major features of such services is group communication - i.e., the audio segment
can easily be delivered to many users
All of these services are easily added as they are not too demanding of the
underlying radio access network[106], hence they can be offered via existing 2G
and 2.5G networks, as well as via WLANs and even to an ISPs xDSL and cable
customers.
Maguire IP Multimedia Subsystem (IMS) WAP, Heterogeneous PCS, 3G 304 of 318
Future IMS services
person-to-person real-time IP-based multimedia communications (e.g.
voice, videotelephony, )
person-to-machine communications (e.g. gaming).
integrated real-time with non-real-time multimedia communications
(e.g. live streaming with a chat group)
services combining use of presence and instant messaging; other
combinations of services, e.g., surveillance - where a remote camera
begins streaming video because of a presence detection event)
multiple services in a single session or multiple simultaneous
synchronized sessions (think of Synchronized Multimedia Integration
Language (SMIL)[107])
should include transitioning from a two party voice call to a multi-party audio and video
conference no need for special predefined conference services
Maguire Future IMS services WAP, Heterogeneous PCS, 3G 305 of 318

IMS architecture
S-CSCF Serving Call Session
Control Function
Application Server(s)
I-CSCF Interrogating Call
Session Control
Function
P-CSCF Proxy Call Session
Service control Interface (ISC) Control Function
HSS Home Subscriber
IMS Core Network (CN) Remote IMS Server
S-CSCF
HSS I-CSCF
P-CSCF
GGSN
GERAN/UTRAN
Maguire IMS architecture WAP, Heterogeneous PCS, 3G 306 of 318

G
See: Theo Kanter, Adaptive Personal Mobile Communication -- Service
Architecture and Protocols, Tekn. Dr. Dissertation, KTH, December 14, 2001
http://ps.verkstad.net/Thesis/Final/theoDissertation.pdf (6271k)
Maguire G WAP, Heterogeneous PCS, 3G 307 of 318

4th generation?
User deployed access points (base stations)[121]
As of 16 November 2004, NTT DoCoMo have started shipping their
Wi-Fi/Cellular Phone - N900iL (supports a 3G FOMA cellular network and
Wi-Fi) [108].
The same day at the 3G World Congress Convention and Exhibition in Hong
Kong, Nokia showed real-time streaming video with seamless handoff between
two CDMA access networks using Mobile IPv6, the first Mobile IPv6
call.[109]
Maguire 4th generation? WAP, Heterogeneous PCS, 3G 308 of 318

IEEE 802.21
Developing standards to enable handover and interoperability between
heterogeneous network types including both 802 and non 802 networks.[110]
Maguire IEEE 802.21 WAP, Heterogeneous PCS, 3G 309 of 318

4G in Asia
CJK
Collaboration between China, Japan, and Korea for beyond 3G international standards
FuTURE - A chinese national project with 4 phases:
startup
2003-2005 specfication
2007-2007 implementation
2008- standardization
mITF
A japanese forum for 4G and Mobile Commerce
Targeting a commercial introduction in 2010
DoCoMo has shown 100 Mbps (outdoors) and 1 Gbps (indoors) using MIMO technology
Wireless Broadband Portable Internet (WiBro)
Korean effect for 2.3 GHz with 10MHz bandwidth to support 0.5 to 50 Mbops at speeds up to
50 km/h.
Information on these 4 efforts from slide 5 of 12 in a Siemens presentation at the
Public Launch of the eMobility Platform [111]
Maguire 4G in Asia WAP, Heterogeneous PCS, 3G 310 of 318

eMobility Platform
Member organisations of the eMobility Platform leads the way
Steering Board:
Alcatel In order to serve Europes need and to maintain its
Deutsche Telekom AG position in the global market for mobile and wireless
Ericsson systems in the 2010-2020 time horizon, it will be
France Telecom necessary to develop large-scale European
Hutchison 3G Europe approaches to system research and development,
Lucent Technologies and to mobile services and applications in the
Motorola context of digital convergence.
Nokia To this end, the eMobility Platform will define and
Philips implement a comprehensive research agenda in the
Siemens AG mobile and wireless sector. [112]
STMicroelectronics
Telecom Italia Mobile
Driven by a new paradigm: Individuals quality of life
Telefnica Mviles Espaa
improvement by making available an environment
Thales
for instant provision and access to meaningful
Vodafone
multi-sensory information and content. pg. 3 of [113]
Maguire eMobility Platform WAP, Heterogeneous PCS, 3G 311 of 318

Further reading
WAP
[90] WAP Forum, Wireless Application Protocol (WAP) 2.0 Technical White
Paper, www.wapforum.org, January 2002.
Heterogeneous PCS
[91] Ian F. Akyildiz and Wenye Wang, A Dynamic Location Management

Scheme for Next-Generation Multitier PCS Systems, IEEE Transactions on
Wireless Communications, Vol. 1, No. 1, January 2002, pp. 178-189.
[92] Nikolas Olaziregi, Stefano Micocci, Kambiz Madani, Tereska Karran,
George R. Ribeiro-Justo, Mahboubeh Lohi, David Lund, Iam Martin,
Bahram Honary, Sndor Imre, Gyula Rbai, Jsef Kovcs, Pter Kacsuk,
rpad Lnyi, Thomas Gritzner, and Mattias Forster, Chapter 5: Network
Architectures and Functions, in Software Defined Radio: Architectures,
Systems and Functions, Markus Dillinger, Kambiz Madani, and Nancy
Alonistioti (Eds.), Wiley 2003, ISBN 0-470-85164-3, pp. 95-142.
Maguire Further reading WAP, Heterogeneous PCS, 3G 312 of 318

3G
[93] Janos A. Csirik, A guide to 3GPP security documents, AT&T Research,

http://www.research.att.com/~janos/3gpp.html
[94] Gavin Stone, MExE: Mobile Execution Environment, White Paper, Ronin
Wireless, MExE Forum, Dec. 2000
[95] 3rd Generation Partnership Project (3GPP) - www.3GPP.org
[96] www.3GPP2.org
[97] 3GPP TS 23.057 V4.4.0 (2001-12) 3rd Generation Partnership Project

Technical Specification Group Terminals Mobile Station Application
Execution Environment (MExE), Functional description, Stage 2 (Release 4)
http://www.3gpp.org/ftp/Specs/2001-12/Rel-4/23_series/23057-440.zip
[98] PersonalJava Application Environment

http://java.sun.com/products/personaljava
[99] JavaPhone API

http://java.sun.com/products/javaphone

[100]Java 2 Micro Edition
http://java.sun.com/j2me
[101]Connected Limited Device Profile (CLDC)

http://java.sun.com/products/cldc/
[102]Mobile Information Device Profile (MIDP)

http://java.sun.com/products/midp/
[103]ECMAs Common Language Infrastructure (ECMA-335)

http://cedar.intel.com/media/zip/ECMA-335.zip
[104]ECMAs Common Language Infrastructure Technical Report

(ECMA-TR-084)
http://cedar.intel.com/media/zip/ECMA-TR-084.zip
[105]Erik Meijer and John Gough, Technical Overview of the Common

Language Runtime,
http://research.microsoft.com/~emeijer/Papers/CLR.pdf
[106]M. Tadault, S. Soormally, and L. Thibaut, Network Evolution towards IP

Multimedia Subsystem, Strategy White Paper, Alcatel
Telecommunications Review, 4th Quarter 2003/1st Quarter 2004
[107]Jeff Ayars, Dick Bulterman, Aaron Cohen, Ken Day, Erik Hodge, Philipp
Hoschka, Eric Hyche, Muriel Jourdan, Michelle Kim , Kenichi Kubota, Rob
Lanphier, Nabil Layada, Thierry Michel, Debbie Newman, Jacco van
Ossenbruggen, Lloyd Rutledge, Bridie Saccocio, Patrick Schmitz, Warner
ten Kate (editors), Synchronized Multimedia Integration Language (SMIL
2.0), W3C Recommendation, 07 August 2001 -
http://www.w3.org/TR/smil20/
[108] NTT DoCoMo Ships Wi-Fi/Cellular Phone, TechWeb News, November

16, 2004
http://www.internetweek.com/allStories/showArticle.jhtml?articleID=
53200333
[109]Nokia Demonstrates IPv6 Phone, TechWeb News, November 16, 2004

http://www.internetweek.com/allStories/showArticle.jhtml?articleID=
53200335
[110]IEEE 802.21 http://www.ieee802.org/21/

[111]Thorsten Heins, European and global initiatives in perspective, Siemens
presentation at Public Launch of the eMobility Platform on 18th March,
2005
http://www.emobility.eu.org/documents/launch/Siemens%20Presentation
.pdf
[112]eMobility Flyer, from Public Launch of the eMobility Platform on 18th

March, 2005
http://www.emobility.eu.org/documents/launch/Flyer_eMobility_R3.pdf
[113]Mobile Communications & Technology Platform Strategic Research

Agenda: eMobility Staying ahead!, edited by Rahim Tafazolli, Luis M.
Correia, and Juha Saarnio, from Public Launch of the eMobility Platform on
18th March, 2005
http://www.emobility.eu.org/documents/SRA_2005_03_18.pdf
[114]Xiaoxin Wang, 3G HSDPA Performance In Mobile Internet Connections,

M. Sc. Thesis, KTH/IMIT, March 2004.

[115] Pablo Ameigeiras Gutirrez, Packet Scheduling and Quality of Service in
HSDPA, Ph.D. Thesis, AAlborg University, Aalborg st, Denmark,
October 2003.
http://kom.aau.dk/ADM/research/reports/PhDThesis_Pablo_Ameigeiras.p
df
[116]Jos Outes Carnero, Uplink Capacity Enhancement in WCDMA:

Multi Cell Admission Control, Synchronised Schemes and Fast Packet
Scheduling, Ph.D. Thesis, AAlborg University, ISBN 87-90834-54-2,
ISSN 0908-1224, R04-1011, Aalborg st, Denmark, March 2004.
http://kom.aau.dk/ADM/research/reports/Review%20of%20Ph.D.%20Thesis
%20Jose%20Outes%20Carnero.pdf
[117]Claudio Rosa, Enhanced Uplink Packet Access in WCDMA, Ph.D.

Thesis, AAlborg University, Aalborg st, Denmark, February 2005.
http://kom.aau.dk/ADM/research/reports/PHD_Thesis_Claudio_Rosa.pdf
[118]Technical Specification Group Services and System Aspects (TSG SA),

TSGS#19(03)0299, WG2 Meeting #20, Hmeenlinna, Finland, 09-12 June

2003 (for some more details on IMS)
http://www.3gpp.org/ftp/tsg_sa/TSG_SA/TSGS_20/Docs/PDF/SP-030299.pd
f
[119]Eoin ORegan and Dirk Pesch, Performance Estimation of a SIP based

Push-to-Talk Service for 3G Networks, The Fifth European Wireless
Conference: Mobile and Wireless Systems beyond 3G, February 24-27,
2004, Barcelona,Spain, the paper was submitted 17 December 2003
http://research.ac.upc.edu/EW2004/papers/144.pdf
[120]Brough Turner & Marc Orange, 3G Tutorial, Originally presented at Fall

VON 2002, NMS Communications, 21 December 2004
http://www.nmscommunications.com/file/3G_Tutorial.pdf
[121]Matthias Unbehaun, Self-deployed Wireless Access Networks, Doctoral

dissertation, Radio Communication, KTH, 2002.

Architectures
6. Wireless Local Loop (WLL) and

Enterprise Networks
KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:21

Lecture 6
Wireless Local Loop (WLL) (Ch. 23), Enterprise Networks (Ch. 24)
Maguire Lecture 6Wireless Local Loop (WLL) and Enterprise Networks 320 of 332
Wireless Local Loop (WLL)
Providing wireless connections to stationary or near stationary stations within a
small service area
Generally targeted at the last mile or from a point in the neighborhood to the user
Advantages of Wireless local loop:
ease of installation
reducing digging, reduce poles, ducts/conduits,
quick installation of new links (i.e., rapid provisioning)
largely distance insensitive pricing - at least up to some limit
concentration of resources (especially at the multiplexer to the high
bandwidth backbone)
IS-54 architectural reference model for WLL:
WANU = Wireless
Access Network Unit
UWLL
WASU = Wireless WASU WANU AWLL Switch Trunk
PSTN
Access Subscriber Unit
transceiver Function
AM WLL
HLR controller
Maguire Wireless Local Loop (WLL) Wireless Local Loop (WLL) and Enterprise Networks
Deployment issues
Spectrum
licensed - limited interference, but requires licensing
unlicensed - more interference, but no licensing - generally limited in (maximum and
average) power
Service Quality
Users expect it is going to be the same as wireline service
high reliability
low risk of fraud (due to others hijacking the link)
Network planning
should support very high penetration levels (for example >90%)
exploits the fact that users are not moving (or rarely move)
antenna height, etc. is generally derived from user density
Very popular in the former East block of Europe - since there was no need to
install a local loop cable to bring users to the local exchange of the PSTN; enabled
very rapid provisioning to very large numbers of subscribers.
Maguire Deployment issuesWireless Local Loop (WLL) and Enterprise Networks 322 of
WLL Technologies
Satellite
a great chance for the satellite operators (Hughes Network Systems, Inmarsat International
Circular Orbit (ICO), Iridium, Globestar, Odyssey, American Mobile Satellite Corporation
(AMSC), Asia Cellular Satellite (ACeS), Thuraya, )
note that some of these operators (such as Hughes) used terrestrial versions of their system
Cellular-based
used in rural and sparse urban settings
Low Tier PCS or Microcellular based systems
PACS, PHS, DECT,
Fixed Wireless Access (FWA)
some times proprietary point-to-point links
increasingly LMDS
Maguire WLL TechnologiesWireless Local Loop (WLL) and Enterprise Networks 323 of
Enterprise Networks
Networking within an organization - often campus networking. Traditional voice
enterprise networks were based on a PBX, today this often extended by cordless
telephony, wired LANs, and WLAN systems.
Enterprise based location systems (such as Ericsson DECT mobility server, which
enabled redirecting a DECT call to any Ericsson site from the users home site).
Olivetti& Oracle Research Labs (now AT&T Research Labs) in Cambridge
developed an active badge system which used IR emitting badges (called active
badges) to locate users with in the building. This enabled delivering a phone call
to the nearest fixed line phone, logging who visited who, finding people and
equipment, . Their recent project uses ultrasound for location: active bats.
Theo Kanter and colleagues at Ellemtel showed a system in the mid-1990s which
utilized SmartBadges (developed at KTH, HP, and Univ. of Wollongong) to locate
users and by providing voice gateways the could direct a users calls to computers,
cordless, or mobile phones as appropriate.
Maguire Enterprise NetworksWireless Local Loop (WLL) and Enterprise Networks 324 of
Cordless PBXs
For example, Ericssons MD110 Communication System (aka Consono) --
which is a DECT based system - simply attaches DECT base stations to their PBX.
See http://www.ericsson.com/enterprise/products/md110.shtml/index.shtml
Telia provides packages where the user can pay:
per line/month - fixed
per line/month - DECT (with local mobility support)
per line/month - DECT (with mobility support over several exchanges)
per line - DECT (with local or multiple site mobility) - but only
outgoing/incoming trunk costs/month

Maguire Cordless PBXs Wireless Local Loop (WLL) and Enterprise Networks 325 of
Virtual enterprise networks
By utilizing location based billing, it is possible to offer an enterprise a virtual
cellular PBX (ala the Centrex systems for fixed telephony). In such a system the
operators negotiates a price for providing coverage to a campus or set of coverage
areas - typically for a fixed price for a year (or more).
The operator likes this as they know they have a given amount of income and they
know what their fixed costs for installing a base station to cover the relevant areas
is. As a side effect they may also be able to handle calls for other users -- and not
have to pay for renting antenna and other space!
Maguire Virtual enterprise networks Wireless Local Loop (WLL) and Enterprise Networks
Remoting the office to where the user is
A rapidly growing area of business utilizes Virtual Private Network technology to
extend the corporate network (voice, fax, data, file system, etc.) to where the user
is and via what ever communications interconnect that is available.
(See for example: Ericssons Virtual Office (EVO))
Maguire Remoting the office to where the user is Wireless Local Loop (WLL) and Enterprise Net-
corDECT
A version of DECT developed by Midas Communication Technologies
(http://www.midascomm.com/) and the Indian Institute of Technology, Madras
((http://www.tenet.res.in), in association with Analog Devices Inc., USA.
Provides toll-quality voice together with 35 or 70 kbps Internet service.
Utilizes the DECT air interface, but at the DECT Interface Unit (DIU) it separates
the voice (which it forwards to a telephone exchange over an E1 line) and data
which it passes on to an ISP. The data is sent using PPP.
For details see: Midas Communication Technologies, "corDECT Wireless Access
System", December 2000 http://www.tenet.res.in/Papers/cordect.pdf
Maguire corDECTWireless Local Loop (WLL) and Enterprise Networks 328 of 332
Personal Handyphone (PHS)
Personal Handyphone System (PHS) standard [122] is a TDD-TDMA based
microcellular wireless communications technology operating in the 1880 to 1930
MHz band.
It is used in public PHS networks, Wireless Local Loop (WLL) and Fixed
Wireless Access (FWA) networks, corporate (cordless PBX), and in homes. Like
DECT it uses dynamic channel allocation and provides 32kbps bearer capability
on each of the 24 TDMA frame slots. Multiple time slots can be utilized by one
user, thus providing up to 128kbps.
Maguire Personal Handyphone (PHS) Wireless Local Loop (WLL) and Enterprise Networks
PAS in China
PAS is a personal network access system that delivers wireless voice and data,
based on the Personal Handyphone System (PHS) protocol. It provides both fixed
and low mobility services.
PHS was enhanced by UTStar.com :
features: Caller ID, call forwarding, voice mail
city-wide and intercity handover and roaming services
32 Kbps mobile internet access
small handsets with >800 hours of standby and ~6.5 h of talk time
Following the breakup of China Telecom, used by the wireline operators to get
around the duopoly (only China Mobile and China Unicom can offer cellular
services). Ministry of Information Industry (MII) in an internal notice (June 2000)
will continue to allowed PAS in county-level cities and counties. In large and
medium-sized cities, it may only be used where there is a high concentration of
population, such as campuses, commercial buildings and special development
zones. While new city-wide PAS deployments will only be allowed in cities of
fewer than two million people. [123]
Maguire PAS in China Wireless Local Loop (WLL) and Enterprise Networks 330 of
Unified Communications
Integrated messaging
Cellular, cordless, fixed lines - are share the same voice mailbox, potentially with interface to
e-mail,
Synchronizing calendars, phone books,
Synchronizing services across many devices (which may be using
different networks)
Ericssons Always Best Connected (ABC) - to use the best
technology for the current setting
Maguire Unified CommunicationsWireless Local Loop (WLL) and Enterprise Networks 331
References
[122]Personal Handiphone MoU http://www.phsmou.or.jp/
[123]Joseph Tang and Florence Cheung, The Threat of PAS in China:Impact on
China Mobile and China Unicom, SUN HUNG KAI Research Ltd., 3 April
2001
http://www.shkresearch.com/English/ResearchProducts/DailyProducts/s
ector/prc/english/20010403sector.pdf
Maguire ReferencesWireless Local Loop (WLL) and Enterprise Networks 332 of 332
Architectures
7. Wireless LAN (WLAN)

KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:21
Maguire MWA-WLAN.fm Total pages: 371

IEEE 802.11 Medium Access Control (MAC) protocol uses Carrier sense multiple
access (CSMA) with collision avoidance (CA) medium access scheme.
Several variants:
IEEE 802.11b 1, 2, 5.5 and 11 Mbps - DS-SS

Wireless Ethernet Compatibility Alliance certifies its members equipment as conforming to the
802.11b standard. Compliant hardware is stamped Wi-Fi (Wireless Fidelity) compatible; oper-
ates in 2.4GHz band
IEEE 802.11g enable data transmission speeds of up to 54 Mbps, with backwards compatibility to 802.11b
infrastructure; operates in 2.4GHz band
IEEE 802.11a using OFDM (Orthogonal Frequency Division Multiplexing) achieves upto 54 Mbps - currently
not approved for use in Sweden; operates in 5 GHz band
IEEE 802.11h designed to adapt 802.11a to the european HiperLAN/2 requirements; operates in 5 GHz band
Maguire Wireless Local Area Networks (WLANs) Wireless LAN (WLAN) 334 of 371
Two possible network configurations
Independent Mobile stations communicate directly to each other with no access point (base station)
configuration support, i.e., peer-to-peer (ad hoc) networking
Infrastructure Mobile stations communicate only via access points (APs)

configuration
Maguire Two possible network configurations Wireless LAN (WLAN) 335 of 371
Terms
Basic Service Set (BSS) - a group of stations that are under the direct control of a
single coordination function (PCF or DCF)
Independent BSS (IBSS) - also known as an ad hoc network, defined as a BSS
which exist without an access point (AP)
Infrastructure network - a network of wireless stations along with APs, which
enables stations in one BSS to communicate with stations in another BSS
Distribution System (DS) - a backbone network between the two or more access
points
Extended Service Set (ESS) a series of overlapping BSSs (each with its own AP)
connected together by means of a Distribution System (DS)
Hidden node - a node is said to be hidden when its transmissions cannot be heard
by some other node in the network (although it can be heard be one or more other
nodes)
Maguire Terms Wireless LAN (WLAN) 336 of 371

IEEE 802.11 Basic Access Method
DIFS DIFS
Contention Window
SIFS
Busy
Medium Next Packet
Slot time
Defer Access
IFS Inter Frame spacing - during this time the medium is idle
SIFS Short IFS - transmission after SIFS is reserved for ACKs, Clear To Send frame, or to send a
fragmented MAC protocol data unit (MPDU)
DIFS if after DCF-IFS (DIFS) a station finds the media free it can transmit a pending packet;
otherwise it sets a backoff timer after selecting a random backoff value (BV) {selected from a
uniform distribution over [0 .. CW-1], where CW is the width of the contention window in slots}
if medium become busy before time goes off, then the value is frozen until the next DIFS interval,
where upon it continues the count down
CW is doubled after collisions and reset to CWmin after a successful transmission
EIFS Extended IFS - used when the receiver cant correct the received packet
Maguire IEEE 802.11 Basic Access Method Wireless LAN (WLAN) 337 of 371
Distribution Coordinating Function (DCF)
Distribution Coordinating Function (DCF) is based on carrier sense multiple
access with collision avoidance (CSMA/CA)
Receivers send an ACK if they successfully receive a packet, otherwise the
transmitter re-sends.
Maguire Distribution Coordinating Function (DCF) Wireless LAN (WLAN) 338 of 371
CSMA/CA with ACK in infrastructure network
DIFS
Data
SIFS
ACK
Mobile AP
IEEE 802.11 RTS/CTS mechanism
DIFS
RTS
SIFS
CTS
SIFS
Data
SIFS
ACK
Source Destination
IEEE 802.11 Frame Format
Frame Control 2 bytes
Duration/ID 2 bytes
Address 1 6 bytes
Address 2 6 bytes
Address 3 6 bytes
Sequence Control 2 bytes
Address 4 6 bytes
Frame Body 0 .. 2312 bytes
CRC 4 bytes
Maguire IEEE 802.11 Frame Format Wireless LAN (WLAN) 341 of 371
IEEE 802.11 Frame Control
B0 B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 B11 B12 B13 B14 B15
Protocol Type Subtype To DS From
DS
More
Frag
Retry PwrMgt More
data
WEP RSVD
Version
2 2 4 1 1 1 1 1 1 1 1
Protocol Version currently 00, other values reserved
To DS/From DS 1 for communication between two APs
More Fragments 1 if another fragment follows
Retry 1 if packet is a retransmission
Power Management 1 if station is in sleep mode
More date 1 if there are more packets to the terminal in power-save mode
WEP 1 if data bits are encrypted
Maguire IEEE 802.11 Frame Control Wireless LAN (WLAN) 342 of 371
Startup, then Join a network
Turn on & discovery phase
determine AP or other stations exist
get SSID and other parameters
Negotiate for connection
Authentication & Association
Maguire Startup, then Join a network Wireless LAN (WLAN) 343 of 371
Discovery Phase
Enter scanning mode: Passive / Active scanning mode
Passive
Listen for a Beacon for ChannelTime period
From Beacon get the SSID & parameters
Active
Transmit a probe frame (including the SSID that you wish to join)
Wait for a period for responds by AP or other stations
Maguire Discovery Phase Wireless LAN (WLAN) 344 of 371

Authentication
Open system authentication
Default mode
Flow:
send: Authentication Frame: Algorithm=Open, Sequence Number =1
response: Authentication Frame: Algorithm=Open, Sequence Number =2,
result=accept/reject
Shared key authentication
Somewhat higher degree of security
Need to implement WEP
Flow:
Authentication Frame: Algorithm=Shared Key, Sequence Number =1
Authenticator
Authentication Frame: Algorithm=Shared Key, Sequence Number =2,
Challenge Text
Initiator

encrypted Challenge Text

Authentication result
Maguire Authentication Wireless LAN (WLAN) 345 of 371

Wire Equivalent Privacy (WEP)
IEEE 802.11 featured Wire Equivalent Privacy (WEP) - this proved to be rather
insecure; there are efforts to fix it - but meanwhile or in any case one can use
VPNs.
WEP use for data encryption & shared key authentication
Encryption of data through RSA RC4 algorithm
40-bit secret key + 24-bits Initialization Vector (IV)
IV in frame in clear text
Integrity Check Value (ICV) included in frame
When WEP is enabled, Shared Key Authentication is enabled
Adam Stubblefield, John Ioannidis, and Aviel D. Rubin, Using the Fluhrer,
Mantin, and Shamir Attack to Break WEP, AT&T Labs Technical Report
TD-4ZCPZZ, Revision 2, August 21, 2001 - now available at
http://web.archive.org/web/20030916024638/http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
see also http://www.cs.umd.edu/~waa/wireless.html

Maguire Wire Equivalent Privacy (WEP) Wireless LAN (WLAN) 346 of 371
Handoff
AP2
7
3 Path of mobile
1 4 6
AP1 2
5
AP3
1. Mobile starts with a strong signal from AP1

2. The signal from AP1 is now weaker, so mobile starts to look around for a better AP
3. Mobile sends a Probe Request
4. AP3 send probe response
5. Mobile chooses AP3 as the best AP
6. Mobile sends Reassociation request
7. AP3 sends a Reassociation Response
Maguire Handoff Wireless LAN (WLAN) 347 of 371

Inter-Access Point Protocol (IAPP)
Project 802.11f: IAPP Inter Access Point Protocol
IEEE 802.11 IAPP
Reassociation Procedure Handover Procedure

Reass
ociatio
n requ
est
e
nr esponc Hando
iatio ver req
Reassoc u est
r resp once
n d ove
Ha
Mobile APnew APold
Maguire Inter-Access Point Protocol (IAPP) Wireless LAN (WLAN) 348 of 371
Fast Handoff
802.11 being used in PDAs, WLAN phones, lots of new devices
(especially for multimedia)
Multimedia applications sensitive to connectivity loss (when the loss of data exceeds that
which the playout buffers can cover up)
TCP sensitive to multiple losses
Loss of an entire window causes connection to go into slow-start
basic handoff is fast and simple, but insecure
Authentication occurs prior to reassociation so pre-authentication is possible
Management frames are not authenticated, thus no cryptographic operations in critical path
If APs involved in the handover use the same WEP key, no inter-AP communication is
required
Unfortunately 802.1x complicates 802.11 handoff
now STAs have dynamic per-session keys
authentication occurs after reassociation, not before
If re-authentication is required, then STAs need to complete authentication before
recovering connectivity
Authentication and key management methods requiring public key operations (e.g.
EAP-TLS) -- this can take several seconds to complete
Using a TLS continuation can decrease the number of round-trips (from 3.5 to 2.5)
if authentication server is far away, then disconnection time can be large
for further information see [133]
Maguire Fast Handoff Wireless LAN (WLAN) 349 of 371

Point Coordination Function (PCF)
Point Coordination Function (PCF) an optional extension to DCF that provides a
time division duplexing capability to accommodate time bounded,
connection-oriented services.
AP polls each station:
enabling the polled station to transmit without contending for the
medium
Contention free period repetition interval (consisting of contention free
period (CFP) and contention period (CP) is initiated by the AP through
a Beacon frame.
If AP finds the medium idle, it waits for a PCF inter frame spacing (PIFS) period of time and
then transmits a beacon frame with a polling frame following SIFS seconds after it
when a station receives the poll from the AP, the medium is reserved for the duration of its
transfer (upto the length of CFP), when the data transfer complete (or the reserved time is
up), the AP waits for PIFS seconds and polls another station - it continues until the CP
interval is up - then the system operates in DCF mode.
note: AP can transmit data along with the polling frame
Maguire Point Coordination Function (PCF) Wireless LAN (WLAN) 350 of 371
Spacing
DIFS
PIFS
SIFS
Data
time
Maguire Spacing Wireless LAN (WLAN) 351 of 371

Timing and Power Management
Synchronization (to within 4 s plus propagation delay) of all clocks within a BSS
maintained by periodic transmission of beacons containing time stamp info. AP
(in infrastructure mode) is the timing master and generates all timing beacons.
Power saving modes:
awake STAs (aka mobiles) are fully powered and can receive packets at any time.
doze unable to transmit or receive data, but uses little power

STA must inform the AP it is entering the doze mode, then AP does not sent
packets simply buffers them
Unicast:
When AP has packets queued for STAs in doze state, a traffic indication map
(TIM) is broadcast as part of the timing beacon
STAs in the doze mode power up receivers to listen for beacons, if identified by
the TIM, they return to awake mode and transmit a PS-Poll message so the AP
knows that they are ready to receive data
Broadcast/multicast:
buffered broadcast/multicast packets queued in the AP are indicated in a deliv-
ery traffic indication message (DTIM) that is broadcast periodically to awaken
all STAs and alert them to a forthcoming broadcast/multicast message; the
message is then sent without the AP waiting for PS-Poll messages.
Maguire Timing and Power Management Wireless LAN (WLAN) 352 of 371
WLAN AP performance
A lot of work has been done to try to understand the details of APs, both their
throughput and how they behave during a handoff. For details see:
Enrico Pellettas M.Sc. thesis for AP throughput measurements and
J-O Vatns technical report [130] for handoff/handover details
His detailed measurements present some new aspects which others had not seen
Maguire WLAN AP performance Wireless LAN (WLAN) 353 of 371

AAA
IEEE 802.1x -port-based network access control for authentication, authorization,
and security[132]
See also Juan Caballero Bayerri and Daniel Malmkvist, Experimental Study of a
Network Access Server for a public WLAN access network, M.S. Thesis,
KTH/IMIT, Jan. 2002 [131].
IEEE Extensible Authentication Protocol
An authentication protocol which supports multiple authentication mechanisms,

runs directly over the link layer without requiring IP and therefore includes its own
support for in-order delivery and re-transmission. Originally developed for use
with PPP: Larry J. Blunk and John R. Vollbrecht, PPP Extensible Authentication
Protocol (EAP) standard, RFC 2284
Maguire AAA Wireless LAN (WLAN) 354 of 371

Roaming
Roaming is dependent on the underlying networks providing you service and if
they are to charge -- knowing who to charge and how much to charge.
Unlike macrocellular systems where you generally only face roaming when
making large scale movements (between countries or major regions of a country),
in WLAN systems the intersystem movement may occur with little of no
movement!
Clearinghouse
Clearinghouse to perform settlements between the various operators, see for

example Excilan (http://www.excilan.com).
Interconnect Provider
Sren Nyckelgrd, Telias Golden Gate and its Interconnect Provider Role, Telia
Golden Gate - Technical Overview, was available January 23, 2002 at
http://www.telia.se/filer/cmc_upload/0/000/030/185/ResearchGoldenGateTec1Overv2.doc
and
Maguire Roaming Wireless LAN (WLAN) 355 of 371

Martin Altinkaya and Saman Ahmedi, SIP in an Interconnector and Service
Provider Role, M.S. Thesis, KTH/IMIT, Dec. 2001.
Since IEEE 802.11 specifies only upto the interface to the 802.2 link layer all
mobility management is outside the scope of the standard.
The IEEE 802.11r task group is examining fast roaming, by utilizing faster
algorithms and preauthentication to avoid some of the performance problems
which now occur.
Maguire Roaming Wireless LAN (WLAN) 356 of 371

Proxies
Numerous proxy based proposals exist to improve performance across wireless
links - especially targeted to TCP (most have problems keeping TCP/IPs
end-to-end semantics)
See:
Luis Muoz, Marta Garcia, Johnny Choque, Ramn Agero, and Petri Mhnen, Optimizing Internet
Flows over IEEE 802.11b Wireless Local Area Networks: A Performance-Enhancing Proxy Based on
Forward Error Control, IEEE Communications Magazine, December 2001, pp. 60-67.
Maguire Proxies Wireless LAN (WLAN) 357 of 371

Lightweight Access Point Protocol (LWAPP)
A "thin" access point technology where control functions are centralized in
switches, instead of at each access point node.
Cisco introduced its WLAN management technology called Structured
Wireless-Aware Network solution.
Maguire Lightweight Access Point Protocol (LWAPP) Wireless LAN (WLAN) 358 of 371
HiperLAN2
Developed by the European Telecommunications Standard Institute (ETSI)
Broadband Radio Access Networks (BRAN)
Dedicated spectrum (in Europe) at 5 GHz
uses Orthogonal Frequency Division Multiplexing (OFDM) with 52
subchannels, 48 subchannels for data, and 4 subchannels for pilot
symbols
TDMA/TDD frames with fixed duration of 2ms
Maximum gross data rate of 54 Mb/s
MAC protocol was designed to support multimedia services
For more information see HiperLAN2 Global Forum and ETSI standards
documents.
Maguire HiperLAN2 Wireless LAN (WLAN) 359 of 371

802.11a and 802.11h
IEEE 802.11a and ETSIs HiperLAN2 standards have nearly identical physical
layers, but are very different at the MAC level
IEEE 802.11h adds Transmit Power Control (TPC) to limit a device from
emitting more radio signal than needed, and Dynamic Frequency Selection
(DFS), which lets the device listen to what is happening in the airspace before
picking a channel
TPC and DFS were introduced to satisfy European requirements
802.11h is to be sold under the name Wi-Fi5 (to build on the Wi-Fi
branding)
IEEE 802.11 working group j is working to add channel selection for 4.9 GHz and
5 GHz in Japan (and to conform to the Japanese rules for radio operation)
Maguire 802.11a and 802.11h Wireless LAN (WLAN) 360 of 371

IEEE 802.11k
This IEEE 802 task group is defining Radio Resource Measurement
enhancements to provide mechanisms to higher layers for radio and network
measurements.[135]
These enhancements will supplement the 802.11 standard(s) by:
defining and exposing radio and network information to facilitate the
management & maintenance of 802.11 networks, while
maintaining compatiblity with the IEEE 802.11 MAC
One of the measurements which they include is location. Interestingly only the
STA divulges its location (thus it can choose to divulge this information or not).
They want to enable new applications based on this radio and network
information, e.g., location-enabled services.
Maguire IEEE 802.11k Wireless LAN (WLAN) 361 of 371

IEEE 802.11p
The IEEE 802.11p task group was established to address Wireless Access in
Vehicular Environments (WAVE)
In particular, Dedicated Short Range Communications (DSRC) [136]as a general
purpose communications link between the vehicle and the roadside (or even
between vehicles).
Maguire IEEE 802.11p Wireless LAN (WLAN) 362 of 371

Multihop
Motorola (formerly MeshNetworks Inc.)
http://www.motorola.com/governmentandenterprise/northamerica/en-us/public/functions/browsesolution/browsesol
MeshLAN Multi-Hopping software:

ution.aspx?navigationpath=id_804i/id_2523i
designed for use with Wi-Fi hardware

extending useful range by adding multi-hopping peer-to-peer
capabilities to off-the-shelf 802.11 cards
IEEE 802.11s (ESS Mesh Networking) standard is emerging to manage wireless
back-haul links and to support mesh networks.
Maguire Multihop Wireless LAN (WLAN) 363 of 371

QDMA (quad-division multiple access)
MeshNetworks proprietary radio technology developed (by ITT Industries
(www.itt.com)) for and currently used by the military.
IP from end to end
supports high-speed mobile broadband access
infrastructure-free, i.e., ad hoc peer-to-peer networking
Claims they can deliver up to 6 Mbps to each user in a QDMA wireless network.
Products have built-in GPS (Global Positioning System) capabilities and QoS for
IP voice and video.
First implemented in 2.4GHz as prototype routers, relays, and PDA-size client
devices; now developing equipment for MMDS (2.5GHz) licensed operators.
They have FCC experimental license to build a (US) nationwide 4,000-node test
network.
Maguire QDMA (quad-division multiple access) Wireless LAN (WLAN) 364 of 371
Wireless Internet Service Providers (WISPs)
Location specific WISP - exploiting high value sites (airports, hotels,
coffee shops, )
example: Surf n Sip, MobileStar, and Wirelessbolaget
Advantages: often have exclusive offering
Disadvantages: users may also want access in other locations -- hence roaming
agreements will be important
Single site or campus WISP - a subset of the location specific WISP
category (e.g., university or corporate campus, a single conference
center/exhibition hall)
example: KTH and SUs IT-University campus, CMUs campus,
Advantages: they know the site very well, generally they have exclusive offering, users are
trapped - so they will have to pay and pay and pay or it is part of the tele/datacom offering
Disadvantages: for some sites the users are only there for a short period (hours to days),
very high turn over in users (so low administrative costs are very important); in university
and corporate campus settings very high demands/expectations
Maguire Wireless Internet Service Providers (WISPs) Wireless LAN (WLAN) 365 of 371
Mobile carrier WISP - mobile (WWAN) operator also offering WLAN
examples: Telia HomeRun (Sweden), Sonera wGate (Finland), and VoiceStream (Germany
/ US) {due to their acquisition of MobileStar in the US - what happens if they bring this
technology back to Europe?}
Advantages: they know where their users spend time (from their existing traffic and location
data) so they can easily build out hotspots; retain customers with whom they already have a
billing relationship
Disadvantages: offering WLAN might reduce their income (as they might have been able to
charge (a lot) for the traffic via the WWAN in these same spots)
ISP WISP - existing ISP that extends their network via WLAN access
points
example: Swedens PowerNet
Advantages: pretty straight forward extension of their existing network, by shipping dual
xDSL/cable/ + AP devices1; retain customers with whom they already have a billing
relationship
Disadvantages: offering WLAN might reduce their income since neighbors can share rather
than installing their own service
WISP - a pure wireless internet service provider
example: Sweden: Wirelessbolaget, DefaultCity, U.S.: Wayport
Advantages: this is their business
Disadvantages: this is their business but they depend on an ISP for back haul
1. Actiontec Electronics
Operator Neutral WISP - an Internet eXchange (IX) to which several
independent ISPs (or WISPs) are connected
example: StockholmOpen.net
Advantages: enable multiple operators
Disadvantages:
Franchising WISP -
example:
Advantages: they simply sell the idea, starter kit, supply backup support,
Disadvantages: dependant on getting a cut from the franchise
Virtual WISP - no actual network, - but rather they simply rent/buy
capacity for their users; thus their major role is to support and bill users
example: Boingo
Advantages: very low to near zero costs for infrastructure
Disadvantages: they must provide either high service level and/or low prices to retain their
customers
Community/Grassroots WISP - altruistic providers
example: NYC Wireless
Advantages: people making their WLAN available to others because it is the right thing to
do
Disadvantages: Support way or many not exist
Herslow, Navarro, and Scholander classify the WISPs based on whether they are for fee or for free and coverage area:
hotspot vs. wide area.
Further reading
WISPs
[124]Louise Herslow, Carl-Johan Navarro, and Joakim Scholander, Exploring

the WISP Industry - Analysing Strategies for Wireless Internet Service
Providers, Masters thesis, Institute of Economic Research, Lund
University, Sweden, January 2002. was accessible from
http://www.scholander.com
[125]David Alvn and Reza Farhang, Does it take a WISP to manage a wisp of
hotspots? - Analysis of the WLAN market from a WISP perspective,
Masters Thesis, Department of Microelectronics and Information
Technology, Royal Institute of Technology, Sweden, February 2002. was
accessible from http://www.e.kth.se/~e96_rfh/wisp_analysis.pdf
IEEE 802.11
[126]http://standards.ieee.org/getieee802/
[127]http://www.80211-planet.com/
Maguire Further reading Wireless LAN (WLAN) 368 of 371

[128]Rusty O. Baldwin, Nathaniel J. Davis IV, Scott F. Midkiff, and Richard A.
Raines, Packetized Voice Transmission using RT-MAC, a Wireless
Real-time Medium Access Control Protocol, Mobile Computing and
Communications Review, V. 5, N. 3, July 2001, pp. 11-25.
[129]Enrico Pelletta, Maximum Throughput of IEEE 802.11 Access Points: Test
Procedure and Measurements, Masters Thesis, Department of
Microelectronics and Information Technology, Royal Institute of
Technology (KTH), 10th August 2004.
ftp://ftp.it.kth.se/Reports/DEGREE-PROJECT-REPORTS/040622-Enrico-Pelletta.pdf
[130]Jon-Olov Vatn, An experimental study of IEEE 802.11b handover

performance nd its effect on voice traffic, Technical Report
TRITA-IMITTSLAB R 03:01, Telecommunication Systems Laboratory,
Department of Microelectronics and Information Technology (IMIT), Royal
Institute of Technology (KTH) Stockholm, Sweden, July 2003. Available at
http://www.imit.kth.se/~vatn/research/handover-perf.pdf

AAA
[131]Juan Caballero Bayerri and Daniel Malmkvist, Experimental Study of a

Network Access Server for a public WLAN access network, M.S. Thesis,
KTH/IMIT, Jan. 2002. was accessible from
http://www.e.kth.se/~e97_dma/FinalReport.pdf
[132]IEEE 802.1x Port Based Network Access Control
http://www.ieee802.org/1/pages/802.1x.html
[133]Tim Moore and Bernard Aboba Authenticated Fast Handoff, IEEE 802.11
Task group i, November 2001, doc. IEEE 802.11 submission
http://www.drizzle.com/~aboba/IEEE/11-01-TBD-I-Authenticated-FastHandoff.ppt
[134].P802.11i, (D8) Draft Supplement to Standard for Telecommunications and

Information Exchange Between Systems-LAN/MAN Specific
Requirements-Part 11: Wireless Medium Access Control (MAC) and
physical layer (PHY) specifications: Specification for Enhanced Security,
IEEE, 2004, 177 pages.
[135]IEEE Task Group 802.11k
http://grouper.ieee.org/groups/802/11/Reports/tgk_update.htm
[136]Dedicated Short Range Communications, IEEE web page, accessed

2005.03.24 http://grouper.ieee.org/groups/scc32/dsrc/index.html

Architectures
8. Bluetooth: Piconets, Scatternets

KTH Information and


Last modified: 2006.01.13:10:21
Maguire MWA-Bluetooth.fm Total pages: 408

Bluetooth
Bluetooth name comes from Danish king Harald Bltand (Bluetooth), credited
with uniting the Scandinavian people during the 10th century.
The idea was that Bluetooth wireless technology would unite personal computing
devices.
Maguire Bluetooth Bluetooth: Piconets, Scatternets 373 of 408

Bluetooth
Bluetooth is a trademark owned by the Bluetooth SIG, Inc., USA.
The Bluetooth Special Industry Group (SIG) formed in winter of 1998 by
Ericsson, IBM, Intel, Nokia, and Toshiba.
Goals
low cost
low power
primarily a cable replacement (to connect mobile phones to headsets)
There are those who believe it can be used as a Wireless Personal Area Network (WPAN),
hence it was the basis for IEEE 802.15.
Using:
short-range radio technology
ad hoc networking
dynamic discovery of other Bluetooth devices & the services they offer
Maguire Bluetooth Bluetooth: Piconets, Scatternets 374 of 408

Bluetooth protocol stack
Applications/Profiles
AT Commands
Middleware
TCS SDP
protocols
OBEX WAP
Control path
Audio path
RFCOMM
Logical Link Control and Adaptation (L2CAP)

Transport protocols
Host Controller Interface (HCI)

Link Manager
Baseband/Link Controller
Radio
Maguire Bluetooth protocol stack Bluetooth: Piconets, Scatternets 375 of 408
Physical Layer
Uses 2.4 GHz unlicensed Industrial, Scientific, and Medical (ISM) band
(globally portions of this band are available)
many other systems using the same spectrum
interference to other systems
interference from other systems
2.400-2.4835 GHz, i.e., 83.5 MHz divided into 79 channels with carrier frequencies
f = 2402 +k MHz, k = 0, , 78; Channel spacing is 1 MHz
Gaussian Frequency Shift Keying (GFSK) modulation with one bit per symbol

uses fast (1600 hops/s) frequency hopping spread spectrum (FHSS)
625 microsecond long time slots
one hop per packet, but a packet can be 1 slot, 3 slots, or 5 slots long
Maguire Physical Layer Bluetooth: Piconets, Scatternets 376 of 408

Transmit Power
Low transmit power
original goal was a 10m radius of operation, but some thought about
using Bluetooth for longer ranges Transmit Power Classes
Class Max. output power Range Power control
1 100mW (20 dBm) 100m+ mandatory
2 2.5mW (4 dBm) 10m optional
3 1mW (0 dBm) 1m optional
most manufacturers producing Class 3 radios

power control is to reduce both interference and power consumption
Maguire Transmit Power Bluetooth: Piconets, Scatternets 377 of 408

Masters vs. Slaves
Each Bluetooth device is a Master or Slave:
master initiates exchange of data and the slave responds to the master
in order to communicate devices must use same sequence of
frequency hops, hence slaves synchronize to hop sequence of master
master assigns an Active Member address (AM_ADDR) to the slaves
participating in active communications within the piconet
Additional devices may be registered with the master and be invited to become
active as necessary -- their state is called parked
Devices not currently associated with any piconet are in stand-by mode.
Maguire Masters vs. Slaves Bluetooth: Piconets, Scatternets 378 of 408

Frequency Hop Sequence
Each device has a 48 bit IEEE MAC address (called a Bluetooth device address
(BD_ADDR)) and a local free-running 28-bit clock that ticks once every 312.5 s
(which corresponds to half the residence time in a frequency when the radio hops
at the nominal rate of 1,600 hops/sec.)
Each slave receives masters address and clock, then uses this to calculate
frequency hop sequence
Maguire Frequency Hop Sequence Bluetooth: Piconets, Scatternets 379 of 408

Time Division Multiplexing (TDM)
Divide the total bandwidth between Bluetooth devices using a given hop sequence
Master assigns time slots to slaves
packets are joined together in transmit and receive pairs; master and
slaves alternate in time-division duplex (TDD)
Maguire Time Division Multiplexing (TDM) Bluetooth: Piconets, Scatternets 380 of 408
Network Topology
Piconet subnet of Bluetooth devices, synchronized to the timing and hopping sequence of a master
slaves only communicate with the master
maximum of 7 slaves in a piconet (as there are only 3 address bits!)
Scatternet multiple Bluetooth piconets joined together by devices that are in more than one piconet
Routing of packets between piconets is not defined)
Scatternet
class 2
slave class 3
master
class 3
slave
piconet1 piconet2
Maguire Network Topology Bluetooth: Piconets, Scatternets 381 of 408

Scatternets
If a device is present in more than one piconet, it must time-share, spending a few
slots in one piconet and a few slots in the other
A device may not be master of two different piconets since all slaves in a piconet
are synchronized to the masters hop sequence, thus if the slaves were all
synchronized with a single master -- they would be part of the same piconet!
This means that piconets making up a scatternet do not coordinate their frequency
hopping unsynchronized piconets in an area will randomly collide on the same
frequency.
Maguire Scatternets Bluetooth: Piconets, Scatternets 382 of 408

Voice + Data support
As an important application of Bluetooth was a cable replacement between
handset and headset and this was developed in a telecom companys development
lab synchronous voice support was the focus of the link protocol design
Synchronous Connection Oriented (SCO) links for voice
circuit-switched connections - 64 kbps in each direction per voice channel (using their own
voice coding or) using reserved slots
up to three voice channels active at one time (may be to 1, 2, or 3 slaves)
~78% overhead for data! (this is without FEC)
Asynchronous Connectionless (ACL) links for data
ACL Data Packets: 72-bit access code, 54-bit header, 16-bit Cyclic Redundancy Checksum
(CRC), and varying amount of data
with largest packet (Data High rate, DH5, packet stretching over five slots) maximum data
rate of ~650 kbps
a best effort delivery service - maintains integrity by using retransmissions and sequence
members, as well as forward error correction (FEC) if necessary
a master can have an ACL link to each of several slaves, but only one per slave
Broadcast packets: packets that are not addressed to a specific Slave
Maguire Voice + Data support Bluetooth: Piconets, Scatternets 383 of 408

Baseband
Baseband controls the radio and is responsible for low level timing, error control,
and management of link during a single data packet transfer
Packet types:
SCO, ACL - carrying payload
ID packet consists of access code, used during re-connection
NULL packet consists of access code and header, used for flow control
or to pass ARQ
POLL packet same structure as NULL packet, must be acknowledged
FHS (Frequency Hop Synchronization)
Maguire Baseband Bluetooth: Piconets, Scatternets 384 of 408

Baseband Packet formats
LSB MSB
ID AC
(bit count) 68 or 72
POLL/NULL AC BB_Header
68 or 72 54 (1/3 FEC)a
FHS AC BB_Header FHS payload
68 or 72 54 (1/3 FEC) 240 (2/3 FEC)
ACL/SCO AC BB_Header ACL or SCO payload
68 or 72 54 (1/3 FEC) 0-2744 ({1,2,3b}/3 FEC)

DV AC BB_Header SCO payload ACL payload
68 or 72 54 (1/3 FEC) 80 32-150 (2/3 FEC)

a. 54 bits includes the FEC bits (there are 18 bits of information with each bit repeated 3 times)
b. 3/3 FEC implies no FEC
Maguire Baseband Packet formats Bluetooth: Piconets, Scatternets 385 of 408

Baseband Packet formats
AC preamble sync word trailer
Access code 4 64 4
BB_Header AM_ADDRa PDU_TYPE Flagsb HECc
BaseBand header 3 4 3 8
SCO payload SCO Datad
ACL payload ACL_pld_hdre ACL_pld_body CRC
a. Broadcast packet has address zero

b. Flow (=1 means receive buffer is full), ARQN (ACK represented by ARQN=1 and NAK by ARQN=0), SEQN (alternating bit)
c. Header error check (HEC)
d. 30 bytes (240 bits), error control code with rate 1/3, 2/3, or 1 (no FEC) used for source data size of 10, 20, or 30 bytes; note BB_Header flags for ARQN and
SEQN are not used - since there is no flow control or retransmission, similarly the HEC is not used
e. L_CH (Logical CHannel) Field (3 bits) indicates whether payload is start or continuation of message, Flow field (1 bit) controls for data transfer at L2CAP
level, Length field (8 bits) indicates the number of data bytes in the payload header ends with 4 undefined bits
Maguire Baseband Packet formats Bluetooth: Piconets, Scatternets 386 of 408

Synchronization Word Algorithm
1. Get 24-bit Lower Address Part (LAP) of Bluetooth device address (48 bit IEEE MAC address)
2. Append 6-bit Barker sequence to improve auto-correlation properties
3. XOR with bits 34 to 63 of full length, 64-bit Pseudorandom Noise (PN) sequence
4. Encode resulting 30-bit sequence with (64,30) BCH (Bose-Chaudhuri-Hocquenghem) block code to obtain 34 parity
bits
5. 34-bit parity word XORd with the remaining bits, 0 to 33 of PN sequence to remove cyclic properties of block code
Note: 34 bits BCH parity word exhibits very high auto-correlation and very low
co-correlation properties, therefore a correlator can be used to obtain a match
between the received and expected (reference) synch word
Maguire Synchronization Word Algorithm Bluetooth: Piconets, Scatternets 387 of 408

Security
Some think that the high speed, pseudo-random frequency hopping algorithm
makes it difficult to listen in on a connection - but of course this is false, because
once you know the masters MAC address and clock you can calculate the next
hop too!
Authentication and negotiation for link encrypting are both part of the Link
Manager Protocol (LMP) specification.
authentication is based on a challenge/response mechanism based on
a common shared secret, a link key is generated through a
user-provided PIN
link level encryption using a public domain cipher algorithm SAFER+1
generates 128-bit cipher keys from 128-bit plain text
1. J. L. Massey, On the Optimally of SAFER+ Diffusion, available at

http://csrc.nist.gov/encryption/aes/round1/conf2/papers/massey.pdf
Maguire Security Bluetooth: Piconets, Scatternets 388 of 408

Link Control Protocol (LCP)
configures and controls baseband
packet level access control - determines what packet is going to be
sent next
high level operations: inquiry and paging
configures and controls multiple links between devices and piconets
does not require its own packets, but uses the (ARQN and SEQN) bits
in baseband packets for SCO and ACL links to signal between link
controllers - thus forming a logical LC (Link Control) channel
Maguire Link Control Protocol (LCP) Bluetooth: Piconets, Scatternets 389 of 408
Link Control states
State Description
Standby inactive, radio not switched on
Inquiry device tries to discover all Bluetooth enabled devices in the close vicinity; uses a special fast
hopping sequence; FHS packets with device information, such as clock, frequency hop
sequence, and BD ADDR, received from available devices; a list of all available devices
Inquiry Scan devices periodically enter the inquiry scan state to make themselves available to inquiring
devices; a special slow hopping sequence used
Page master enters page state and transmits paging messages to slave using access code and timing
information which it learned earlier
Page Scan device periodically enters page state to allow paging devices to establish connections
Connection-Active Slave synchronizes to masters frequency hop and timing sequence. Master transmits a POLL
packet to verify link, Slave sends NULL packet in reply
Connection-Hold device ceases to support ACL traffic for a period of time, keeps Active Member address
(AM_ADDR)
Connection-Sniff device listens in pre-defined time slots only
Connection-Park device listens for traffic only occasionally, gives up its AM address
Maguire Link Control states Bluetooth: Piconets, Scatternets 390 of 408

Link Manager
Translates commands from Host Controller Interface (HCI) into operations at
baseband level to implement the following operations:
attaching Slaves to a piconet, and allocating active member addresses
(AM addr)
tearing down connections when slaves leave piconet
configuring links, e.g., controlling Master/Slave switches
establishing ACL and SCO links
putting connections one of the low-power modes
communicates with other LMs using the Link Management Protocol
(LMP) which is a set of messages, or Protocol Data Units (PDUs),
whose payloads contain the following fields:
single bit Transaction Identifier equal to 0 (1) for PDU sent from Master (Slave)
Operation Code (OpCode) defining type of message being sent
message parameters
PDUs sent as single slot packets on link management logical channel (L_CH =3)
Maguire Link Manager Bluetooth: Piconets, Scatternets 391 of 408

Host Controller Interface (HCI)
interface between a host and a Bluetooth module
having a standard interface enables Baseband and Link Manager to
run on a processor in the Bluetooth module while higher layers and
applications running on host
Bluetooth module can wake the host via a message across this
interface
Maguire Host Controller Interface (HCI) Bluetooth: Piconets, Scatternets 392 of 408
HCI Transport Layer
Three different transport interfaces are defined to transfer HCI packets from the
host to the Bluetooth module:
USB Universal Serial Bus
RS-232 serial interface with error correction
UART Universal Asynchronous Receiver Transmitter, a serial interface without error correction
Maguire HCI Transport Layer Bluetooth: Piconets, Scatternets 393 of 408

Logical Link Control and Adaptation Protocol
(L2CAP)
L2CAP only transfers data and all applications must use L2CAP to send data.
provides:
multiplexing to allow several higher layer links to pass across a single
ACL connection
segmentation and reassembly to allow transfer of packets larger than
lower layers support
Quality of Service (QoS) management for higher layer protocols
Maguire Logical Link Control and Adaptation Protocol (L2CAP) Bluetooth: Piconets, Scatternets 394 of
L2CAP Signalling
labels packets with channel numbers
L2CAP entities communicate with each other using control channels with a
special channel number (used for connecting, configuring, and disconnecting
L2CAP connections)
packet contains a length field (2 bytes), a channel identifier (2 bytes), and a data
field (0 .. 65535 bytes)
Maguire L2CAP Signalling Bluetooth: Piconets, Scatternets 395 of 408

L2CAP Command
OpCode identifying contents of command
Identifier used to pair up requests and responses
Length of data field
More than one command can be sent within a L2CAP packet
Maguire L2CAP Command Bluetooth: Piconets, Scatternets 396 of 408

Configuring a Connection
Parameters which can be configured are:
Maximum Transmission Unit (MTU) < 65,535 bytes
Flush timeout -- time (in milliseconds) a device will spend trying to
transmit an L2CAP packet before it gives up
QoS option can select best effort, or a guaranteed QoS
Maguire Configuring a Connection Bluetooth: Piconets, Scatternets 397 of 408

Disconnecting and Timeouts
Two ways for an L2CAP channel to be closed down:
disconnection request from higher layer protocol or service
time out: every time L2CAP sends a packet, a Response Timeout
Expired (RTX) time is started; if the RTX timer expires before a
response is received, the channel may be disconnected
Maguire Disconnecting and Timeouts Bluetooth: Piconets, Scatternets 398 of 408

For A to talk to B
Step 1: Discovering a Bluetooth device:
device A transmits one or more inquiry packets1
device B replies with Frequency Hop Synchronization (FHS) packet which contains device
class information (including its BD_ADDR)
Step 2: Connecting to service discovery database:
ACL baseband connection is established
Logical Link Control and Adaption Protocol (L2CAP) connection is set up over ACL channel
L2CAP adds Protocol and Service Multiplexor (PSM) to L2CAP packets to distinguish
between different higher layer protocols and services (PSM=0x0001 for service discovery)
Service Discovery Protocol (SDP) connection over L2CAP channel
device A receives Dial-Up Networking (DUN) info from Bs service discovery database
device A disconnects
Step 3: Connecting to Bluetooth service:
ACL link is set up
device A utilizes Link Management Protocol (LMP) to configure link
L2CAP connection using the RFCOMM protocol (RS-232 serial cable emulation) is set up
(PSM=0x003)
DUN connection is set up using RFCOMM connection
1. A piconet master may explicitly page devices to join its piconet; if it knows their BD_ADDR it can skip the inquiry process and directly paging the device
Maguire For A to talk to B Bluetooth: Piconets, Scatternets 399 of 408

Service Discovery Protocol (SDP)
only provides information about services, does not provide access to
these services
optimized for usage by devices with limited capabilities over wireless
links
uses binary encoding of information
unique identifiers (UUIDs) describe services and attributes of these services such that you
dont need a central registration authority for registering services
generally UUIDs are 128 bits long; however, for known services 16-bit and 32-bit UUIDs may
also be used.
Maguire Service Discovery Protocol (SDP) Bluetooth: Piconets, Scatternets 400 of 408
RFCOMM Protocol
provides a serial interface over the packet-based transport layers
emulates the signals on the nine wires of an RS-232 cable
based on the ETSI 07.10 standard (also used by GSM terminals),
allows multiplexing (via L2CAP) several serial ports over a single
transport
supports flow control on individual channels
has a reserved Protocol and Service Multiplexer (PSM) value used by L2CAP to identify
RFCOMM traffic
no error control
enables legacy applications -- written to operate over serial cables -- to
run without modification
Maguire RFCOMM Protocol Bluetooth: Piconets, Scatternets 401 of 408

RFCOMM Frame Types
Five frame types (the first 4 are control frames):
SABM Start Asynchronous Balanced Mode (startup command)
UA Unnumbered Acknowledgement (response when connected)
DISC Disconnect (disconnect command)
DM Disconnected Mode (response to a command when disconnected)
UIH Unnumbered Information with Header check

each RFCOMM channel has a Data Link Connection Identifier
(DLCI)
UIH frames with DLCI = 0 are used for control messages,
while DLCI 0 are used data
Maguire RFCOMM Frame Types Bluetooth: Piconets, Scatternets 402 of 408

Telephony Control Signaling (TCS) Protocol
TCS-AT Telephony control can be performed using the AT command set
use the RFCOMM to send and receive control signaling based on the AT command set (for
example to implement a dialer application)
TCS-BIN (BIN stands for the binary encoding of information), that runs directly on top of L2CAP;
supports normal telephony control functions such as placing and terminating a call, sensing
ringing tones, accepting incoming calls, etc.
TCS-BIN supports point-to-multipoint communications as well, for example, a cordless

base station can pass the ringing signal of an incoming call to several cordless headsets
associated with the base station.
Maguire Telephony Control Signaling (TCS) Protocol Bluetooth: Piconets, Scatternets 403 of 408
Bluetooth Profiles
specifications for building interoperable applications
All profiles depend on the Generic Access Profile (GAP) -- defines the
basic rules and conditions for connecting devices with each other and
establishing Bluetooth links and L2CAP channels.
Profile Description
serial port profile defines how RFCOMM runs on top of the Bluetooth transport protocols
generic object defines how objects can be exchanged using the OBEX protocol running on top of
exchange profile RFCOMM
add more profiles - such as LAN access
Maguire Bluetooth Profiles Bluetooth: Piconets, Scatternets 404 of 408

Management
needed to manage links, but not defined by Bluetooth spec!
could provide fault, accounting, configuration, performance, and
security management
link level encryption using a public domain cipher algorithm SAFER+
generates 128-bit cipher keys from 128-bit plain text
Maguire Management Bluetooth: Piconets, Scatternets 405 of 408

Low Power Modes
sniff mode a slave agrees with its master to periodically listen for the masters transmissions; the period
is configured through LMP transactions
hold mode a device (in a piconet) agrees to remain silent (in that particular piconet) for a given amount
of time; note: keeps its temporary address, AM_ADDR
park mode a slave device agrees with its master to park until further notice; relinquishes its active
member address, AM_ADDR, periodically listens to beacon transmissions from the master
device can either be invited back (by the master) to active
communications using a broadcast transmission during a beacon or
if the slave wants to be unparked, it sends a message to the master
in the slots following the beacon
Although the radio is often the biggest power drain on a Bluetooth device, the
voltage controlled oscillator (for the Bluetooth clock) also consumer power and
can be shut off -- instead you can use a less accurate lower power oscillator when
the accuracy of the normal oscillator is not needed (for example when sleeping)
Maguire Low Power Modes Bluetooth: Piconets, Scatternets 406 of 408

Bluetooth performance when faced with
interference
Magnus Karlsson started with ns-2 and the Bluetooth extensions and further
extended it to support modeling of a data logger talking to a server in the presence
of interference.[141]
He also implemented a tool to assist in taking experimental data concerning
interference as a function of frequence and distance and generating the tables
necessary for simulating a Bluetooth link in this environment.
Maguire Bluetooth performance when faced with interference Bluetooth: Piconets, Scatternets 407 of
Further reading
The lecture notes are based on material from:
[137]Bluetooth: Part 1: Overview, Kjell Jrgen Hole <Kjell.Hole@ii.uib.no>,
NTNU, UiB, http://www.kjhole.com/Standards/BT/BTdownloads.html
which is in turn based on Ch. 1, 2, and 3 of:
[138]Bluetooth 1.1: Connect Without Cables by Jennifer Bray and Charles F.
Sturman
[139]C. Bisdikian, An overview of the Bluetooth Wireless Technology, IEEE
Communications Magazine, pp. 86-94, Dec. 2001.
[140]Bluetooth specification, http://www.bluetooth.com
[141]Magnus Karlsson, Modelling and Evaluation of a Bluetooth Data Logger in
the Presence of Interference Sources, M. Sc. Thesis, IMIT, KTH, April
2005.
Maguire Further reading Bluetooth: Piconets, Scatternets 408 of 408

Architectures
9. Ultrawideband (UWB)
KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:21
Maguire MWA-UWB.fm Total pages: 413

Ultrawideband
"[a]n intentional radiator that, at any point in time, has a fractional
equal to or greater than 0.20 or has a UWB bandwidth equal to or
greater than 500MHz, regardless of the fractional bandwidth."
- US FCC
Often implemented as ~picosecond impulses1 Very low power

(radiate power of 0.1mW to < 1W (-30dBm) ) - as the radio is only
emitting for a very short time
very robust to channel impairments such as multipath fading
Digital technology easy for makers of digital chips to design/make/
Intel demod a 100Mbps transmitter and receiver and expects to be able to get 500Mbps at a
few meters dropping to 10Mbps at 10m
http://www.freescale.com/webapp/sps/site/overview.jsp?nodeId=02XPgQh
HPR0220 - Trinity chipset 100Mbps at less than 200mW
1. For the underlying theory for why short pulses should be used see [143] and [144]. For and introduction to impulse radio see [142].
Maguire Ultrawideband Ultrawideband (UWB) 410 of 413

IEEE 802.15: Working Group for Wireless
Personal Area Networks (WPAN)
IEEE 802 family -- standards for low-complexity and low-power consumption
wireless connectivity. http://standards.ieee.org/wireless/overview.html#802.15
IEEE 802.15 (http://ieee802.org/15/) standards development projects:
IEEE 802.15.1 Mb/s WPAN/Bluetooth v1.x derivative work (cooperative effort with Bluetooth SIG, Inc.
http://www.bluetooth.com/)
IEEE 802.15.2 Recommended Practice for Coexistence in Unlicensed Bands
IEEE 802.15.3 20+ Mb/s High Rate WPAN for Multimedia and Digital Imaging
IEEE 802.15.3a 110+ Mb/s Higher Rate Alternative PHY for 802.15.3
Uses pulse position modulation (PPM)
IEEE 802.14 200 kb/s max for interactive toys, sensor and automation needs
Maguire IEEE 802.15: Working Group for Wireless Personal Area Networks (WPAN) Ultrawideband (UWB) 411 of
Further reading
UWB
[142]Moe Z. Win and Robert A. Scholtz, Impulse radio: how it works, IEEE
Communications Letters, vol. 2, no. 2, pp. 36-38, Feb. 1998
http://citeseer.ist.psu.edu/win98impulse.html
[143]Sergio Verd, Spectral efficiency in the wideband regime, IEEE

Transactions on Information Theory, 48(6):1319-1343, 2002.
http://citeseer.ist.psu.edu/535198.html
[144]Emre Telatar and David Tse, Capacity and mutual information of wideband
multipath fading channels, IEEE Transactions on Information Theory,
46(4):1384-1400, 2000. (preprint -
http://citeseer.ist.psu.edu/telatar99capacity.html )
[145]D. Hlal and P. Rouzet. ST Microelectronics Proposal for IEEE 801.15.3a

Alternate PHY. IEEE 802.15.3a/document 139r5, July 2003.
Maguire Further reading Ultrawideband (UWB) 412 of 413

[146]IEEE Standards for Information Technology-Part 15.3: Wireless Medium
Access Control (MAC) and Physical Layer (PHY) Specifications for High
Rate Wireless Personal Area Networks (WPAN), IEEE, 2003,
ISBN 0-7381-3705-7
[147]James P. K. Gilb, Wireless Multimedia: A Guide to the IEEE 802.15.3
Standard, IEEE Press, 2003, 250 pages, ISBN 0-7381-3668-9
Maguire Further reading Ultrawideband (UWB) 413 of 413

Architectures
10. Broadband Wireless Access

(BWA)
KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:21
Maguire MWA-BWA.fm Total pages: 421

Broadband Wireless Access
Features:
Data only
downlink speeds in excess of 500Kbps at a distance of several km
goal: wireless metropolitan area networking (WMAN), i.e., last mile
connections
Several contenders:
IEEE 802.16 aka Worldwide Microwave Interoperability Forums WiMAX (supported by Intel
and Nokia)
European Telecommunication Standards Institutes (ETSI)s BRAN HA (Broadband Radio
Access Networks HiperAccess) or HiperMAN
ArrayComm
Beamreach
Flarion flash-OFDM - IP oriented
IPWireless UMTS-TDD (closely related to 3Gs UMTS-FDD)
Navinis synchronous CDMA (SCDMA) - IP oriented
Maguire Broadband Wireless Access Broadband Wireless Access (BWA) 415 of 421
IEEE 802.16
Initial IEEE 802.16 [152] specification was only for Line-of-Sign environments in
the 10 to 66 GHz range
Several variants:
IEEE 802.16a Slotted TDMA (scheduled by base station) in a point-to-multipoint topology (mesh topologies are an option)
low latency
connection oriented
Features: ARQ, 3DES encryption, automatic power control
amendment to 802.16 - for 2GHz to 11GHz
Several physical (PHY) layers:
Single Carrier PHY
256 point FFT OFDM PHY (common to WiMAX and ETSI HyperMAN)
2048 point FFT OFDMA PHY
802.16b Concerns Quality of Service (QoS)
802.16c/d Introduces system profiles and specifies combinations of options - goal: increased interoperability
802.16e add mobility, packet oriented
Note: Attempts to harmonize ETSI HyperMAN and 802.16.

Maguire IEEE 802.16 Broadband Wireless Access (BWA) 416 of 421
Data only?
Could use Voice over IP techniques:
Flextronics has developed a prototype flash-OFDM (Flarion) VoIP
handset
Nokia working on a WiMAX handset

Maguire Data only? Broadband Wireless Access (BWA) 417 of 421

IEEE 802.20 aka Mobile-Fi
Developed by IEEE Mobile Broadband Wireless Access (MBWA) WG [153]
designed to carry IP packets with low latency
designed for mobile broadband access
symmetrical wireless rates from 1 .. 4Mbps
uses licensed spectrum below 3.5GHz
range upto 15km
to exploit smart antennas
Technology base: Flarion
Major backers: Motorola and Cisco
Maguire IEEE 802.20 aka Mobile-Fi Broadband Wireless Access (BWA) 418 of 421
All IP networks
Numerous efforts have shifted from simply using IP (rather than ATM) in the
backbone and have been moving to an all IP network (i.e., IP directly to/from MS
and in the infrastructure).
Airvana Inc. (www.airvananet.com): all-IP architecture for radio access
network equipment for 3G using CDMA2000 1x Evolution-Data Only
(1xEV-DO) wireless technology, data rates up to 2.4 Megabits per
second (Mbps) under ideal circumstances, with average sustained
rates expected to be 300 to 600 kbps
Some view "4G" as the Fourth Generation IP-based wireless network.
Eliminates SS7 (Signaling System 7) telecommunications protocol
Flarion http://www.flarion.com/ RadioRouter base stations used to build
all-IP network

Maguire All IP networks Broadband Wireless Access (BWA) 419 of 421

Further reading
BWA
[148]ARCchart ltd., The next bout: 3G versus BWA, London, UK,

September 30, 2003 - http://www.3gnewsroom.com/3g_news/sep_03/news_3793.shtml
[149]ARCchart ltd., WiMAX: The Critical Wireless Standard: 802.16 and
other broadband wireless options, October 2003,
http://www.arcchart.com/pr/blueprint/pdf/BluePrint_WiFi_REPORT_I.pdf
[150]Worldwide Microwave Interoperability Forum

http://www.wimaxforum.org
[151]Worldwide Interoperability for Microwave Access Forum, IEEE 802.16a

Standard and WiMAX Igniting Broadband Wireless Access, White Paper,
http://www.wimaxforum.org/news/downloads/WiMAXWhitepaper.pdf
[152]IEEE802.16WorkingGrouponBroadbandWirelessAccess
Standards - http://grouper.ieee.org/groups/802/16/
Maguire Further reading Broadband Wireless Access (BWA) 420 of 421

[153]IEEE Mobile Broadband Wireless Access (MBWA) Working Group -
http://grouper.ieee.org/groups/802/20/
Maguire Further reading Broadband Wireless Access (BWA) 421 of 421

Architectures
11. Sensor Networks

KTH Information and


Last modified: 2006.01.13:10:21
Maguire MWA-Sensor-networks.fm Total pages: 483

Significance
(Wireless) Sensor networks is an emerging area of computer science, driven by
advances in MEMS micro-sensors, wireless networking, and embedded
processing [154].
Ad hoc networks of sensors target both commercial & military applications:
environmental monitoring (e.g. traffic, habitat (HVAC), security, )
industrial sensing and diagnostics (devices which reports their usage,
wear, problems occuring, )
infrastructures (e.g. power, water, waste disposal/stewardship, )
battlefield awareness (multi-target tracking, )
logistics (for example using smart packages, smart packaging
{for example monitoring tampering, temperture, shock, humidity, age,
}, )
personnel monitoring (health, safety, location, )

Maguire Significance Sensor Networks 423 of 483

Spectrum of Concerns
Hardware
Architecture
Physical Layer
MAC Layer
Applications
Energy

First we will examine some fundamental concepts in communication and

networking, then we will proceed to talk about wireless sensor networks.
Maguire Spectrum of Concerns Sensor Networks 424 of 483

Patterns of Communication
Simplex (Full) Duplex
A B A B
One-to-One One-to-One
A B A B
C C
D D
One-to-Many Many-to-One
Figure 38: Basic Patterns of (Direct) Communication
Asymmetry: communications between nodes may be asymmetric, i.e., because

node can hear node , does not imply that can transmit directly to node .
Maguire Patterns of Communication Sensor Networks 425 of 483

Mediated Communication
A B C A B C
Forwarding or Routing Forwarding or Routing
A B C A B C
D D
E E
Multicast Routing (Unicast) Routing
Figure 39: Basic Patterns of (Indirect) Communication
B acts as an intermediary between A and C/D/E.

Forwarding is based on layer 2 (i.e., link layer) address
Routing is based on layer 3 (i.e., network layer) address.
Maguire Mediated Communication Sensor Networks 426 of 483

Transformations
d F(d) d F(d)
A B C A B C
G(e) e
A B C A B C
D D
Distribution E Aggregation E
Figure 40: Transformation

B acts as an intermediary
B operates on the data as it passes through
examples: transcoding, translation, replication, averaging,
Maguire Transformations Sensor Networks 427 of 483

Routing
m m E D
A B C A B C
m D
D D
m E
Multicast Routing E Routing E
C C C
A B C A B C C
D D
D D
D D
F F
E E
Routing E E
Ad Hoc Routing
Figure 41: Routing
B/F/ acts as an intermediary between A and x
B (or F) routes based on the address - this routing choice can be
time varying (especially if the nodes are moving)
Maguire Routing Sensor Networks 428 of 483
Ad hoc routing
Ad hoc routing supports self-configuration in the presence of wireless links and
node mobility. Lots of alternatives:
direct transmission,
minimum transmission energy,
geographic routing,
multi-hop routing, and
clustering
Proactive and Reactive routing schemes:
Proactive routing attempts to maintain routes to all destinations at all
times, regardless of whether they are needed or not
Reactive routing computes routes only when they are needed
Tradeoffs between routing traffic (and energy consumption) vs. delay.
Prof. D. Estrin and her WINS group offer a hypothesis that Internet technologies
+ ad hoc routing is sufficient to design sensor network applications [154].
Maguire Ad hoc routing Sensor Networks 429 of 483
Patterns of Communication in time
A emits data B collects data
A B
A B
Request
data
time
time Response
A emits data B collects data

A B
A B
Request
data
Response
time data
data Request
Response
Stream of data
Request
time Response
Stream of transactions
Maguire Patterns of Communication in time Sensor Networks 430 of 483

Internetworking
WLAN
MH FDDI
AP
R Token Ring
H
R switch
switch
H R
R WAN

switch IWU
PSTN
Ethernet LANs switch
R
R
IWU Ad hoc
MH
MH
BTS BSC MSC
HLR/VLR

PAN
MH
MH
Cellular networks
Routers (R) interconnect (concatenate) multiple networks

This accommodates multiple underlying hardware technologies by providing a way to
interconnect heterogeneous networks and makes them inter-operate
Facilitates disaggregation - since functionality can be located anywhere on the internet
Maguire Internetworking Sensor Networks 431 of 483

Ad hoc mode vs. Infrastructure mode
Mobile stations communicate directly to each other with no Mobile stations communicate only via access points (APs)
access point (base station) support, i.e., peer-to-peer (ad hoc)
networking Infrastructure
Adding Access Points (APs) - (provides connections to the infrastructure, but at

the cost of requiring/creating an infrastructure):
reduces delay
increases complexity of some nodes (the access points)
requires connectivity between APs and the infrastructure
may increase power consumption
Possible to combine both modes {but not in 802.11 WLANs}.
Maguire Internetworking Sensor Networks 432 of 483

DARPA/IPTO: BAA #99-16: Sensor
Information Technology1
... innovative and effective software for producing and
communicating sensor information and also for effective and low-cost
prototyping kits based on commercial off-the-shelf (COTS)
components and/or government furnished equipment (GFE). The
technology development is for a new DARPA program, SenseIT
(Sensor Information Technology).
Whereas past sensor networks have been single purpose and
dependent on a central apparatus for tasking/polling the sensors,
the SenseIT program will pioneer a network-based approach in which
the sensors can be dynamically multi-tasked from multiple
points, i.e. each node will be capable of running multiple
simultaneous applications on behalf of different exterior users. In an
1. http://www.darpa.mil/ipto/Solicitations/CBD_9916.html
Maguire DARPA/IPTO: BAA #99-16: Sensor Information Technology Sensor Networks 433 of 483
ideal scenario, queries emanating from one point are automatically
routed to the most appropriate sensor nodes, and the replies are
collected and fused en route to the designated reporting point(s).
Distributed sensor networks easily installed with little or no
pre-planning, of being self-organizing, and of being capable of
supporting sophisticated processing in the field. Sensors will be
tightly integrated with a general purpose CPU, wireless
communications, and memory; multiple sensors can be associated
with one node. Short-range communication among 10 to 10,000
sensor/computer nodes deployed in an irregular pattern will be
supported.
{Emphasis and bold added by Maguire}
Maguire DARPA/IPTO: BAA #99-16: Sensor Information Technology Sensor Networks 434 of 483
Self-organizing sensor networks
Built from sensor nodes that:
spontaneously create an ad hoc network vs. a traditionally engineered
system structure
nodes may simply be scattered (throw at random, shell dispursed, cloud, )
assemble the network themselves
large to very large numbers (103 .. 1023) of sensors
dynamically adapt to device failure and degradation
individual failure is going to occur - with large numbers of nodes you can be certain that
there will be failed nodes
manage movement of sensor nodes, and
react to changes in task and network requirements
due to their physical size and large number it is simply not possible to
visit/configure/fix/... individual nodes
frequent changes in: position, reachability, power availability, tasking,
Maguire Self-organizing sensor networks Sensor Networks 435 of 483

Sensor nodes must be reconfigurable
Reconfigurable smart sensor nodes enable sensor devices:
to be self-aware,
self-reconfigurable, and
autonomous
Benefits are:
incremental deployment
no central administration needed
dynamically adapt to device failure and degradation as well as changes
in task and network requirements (high flexibility), and
support application-specific network and system services by mixing
types of sensor nodes and applications
Maguire Sensor nodes must be reconfigurable Sensor Networks 436 of 483

Low Energy Adaptive Clustering Hierarchy
(LEACH)
Wendi (Rabiner) Heinzelman, LEACH: Low Energy Adaptive Clustering
Hierarchy, http://www-mtl.mit.edu/~wendi/leach/leach.html [173] and [174]
designed for sensor networks where an end-user wants to remotely
monitor the environment.
The data from the individual nodes must be sent to a central base
station, often located far from the sensor network
Desirable properties for protocols on these networks:
Use 100s - 1000s of nodes
Maximize system lifetime
Maximize network coverage
Use uniform, battery-operated nodes
using distributed cluster formation and local processing to reduce
global communication along with randomized rotation of the
cluster-heads allows LEACH to achieve the desired properties while
being energy-efficient, hence extending system lifetime
Maguire Low Energy Adaptive Clustering Hierarchy (LEACH) Sensor Networks 437 of 483
Protocols to disseminate information
Sensor Protocols for Information via Negotiation (SPIN) [175]
a family of protocols used to efficiently disseminate information in a
wireless sensor network
flooding and gossiping waste valuable communication and energy
resources sending redundant information throughout the network --
while not being resource-aware or resource-adaptive
use data negotiation and resource-adaptive algorithms
nodes assign a high-level name to their data, called meta-data, and
perform meta-data negotiations before any data is transmitted
avoids redundant data being sent throughout the network
utilize current energy level of the node to adapt the protocol based on
how much energy remains
Simulation shows that SPIN is both more energy-efficient than flooding
or gossiping while distributing data at the same rate or faster than
either of these protocols.
Maguire Protocols to disseminate information Sensor Networks 438 of 483

Coordination vs. Centralization
Centralization single point of failure, bottleneck, and perhaps energy inefficient
Coordination exploiting the large numbers of nodes, highly redundant (hence
fault tolerant),
another WINS hypothesis: sensor network coordination applications
are better realized with localized algorithms [154]
with local (neighboorhood) based communication - communication overhead scales well
with increasing network size
algorithms are more robust to network partitioning and node failures
(since they dont depend on global behaviours)
Clustering
localized coordination via a cluster head
cluster head can do data aggregation (for example,
summarizing local state)
can be a two layer model or a multi-layer model
communication at low layers, e.g. with-in a cluster, are short distance, short
delay, hopefully low power
communication at higher layers, e.g. between clusters, are long distance,
long delay, often require more power Clusterheads
not all choices of clusterheads are optimal
Maguire Coordination vs. Centralization Sensor Networks 439 of 483

Sensor fusion en route
(a form of in-net processing)
Heidemann, et al. use Low-Level Naming software architecture with named
data and enroute processing for multi-application sensor-network[156]
Maguire Sensor fusion en route (a form of in-net processing) Sensor Networks 440 of 483
Data Aggregation
At each node receive data, use it in conjunction with local data, transmit new
aggregated data
Typical operations
scalar operations (such as sum, average, median, )
vector operations (such as logical operations)
Data aggregation reduces the volume of data that must be transmitted - this is very
important to avoid hotspots in the network (i.e., lots of traffic all headed for the
same places and competing to get there) and reduce the energy required to send
meaningful data
Hotspot
Figure 42: Hotspot
Maguire Data Aggregation Sensor Networks 441 of 483

Directed diffusion
Promotes in-network processing by building on a data-centric vs. address-centric
architecture for the distributed system/network
Using data naming as the lowest level of system organization vs. using an explicit
sensor/node address, i.e., sensor #46879.
Sensors publish data (as sources) and clients subscribe to data (as sinks), both
identify data by attributes (meta-data) vs. addresses (i.e., data is not tied to host
identity) [190]
Clients subscriptions (i.e., interest in data) form gradients (with a magnitude and
direction) along which direct the data flows (data may also be aggregated along
the way)
Wide variety of data dissemination patterns possible: shortest path multicast tree,
energy-efficient spanning tree,
See also: [190], [191], [192], [191], [192], [193], [194],[195]
Maguire Directed diffusion Sensor Networks 442 of 483

Tasks and Events
Task (what to look for):
type = four-legged animal // detect animal location
interval = 20 ms // send back events every 20 ms
duration = 10 seconds // ... for the next 10 seconds
rect = [-100, 100, 200, 400] // from sensors within rectangular region
Attribute-value pairs; values could be instances, ranges, hierarchies,

Event (when there is an observation that matches the task specifications):
type = four-legged animal // type of animal detected
instance = elephant // instance of this type
location = [125, 220] // node location
confidence = 0.85 // confidence in the match
timestamp = 01:20:40 // event generation time
example values from [195]
Maguire Tasks and Events Sensor Networks 443 of 483

How did the sensor know it was an elephant?
Signal: extracted from acoustic, seismic, or other data
Matching: waveform matching,
Confidence: it might not be an elephant, but there is some degree of confidence it
is versus other possibilities
Maguire How did the sensor know it was an elephant? Sensor Networks 444 of 483
Caching of data
Intermediate nodes may keep local caches and satisfy requests from these caches
reduces energy over having to propagate the requests all the way to the source and propagating the answer back
increases scalability
increases robustness
may result in stale data
Caching prevents loops, since if the received data message matches a data cache
entry, then there is no need to pass the message farther.
If the cache also retains information about the sink it can do downconverting of
sample rates - so if one source only wants the data at half the rate of another source
and these sources lie on different gradients the node can send data messages at the
appropriate rate for the particular gradient[195].
Maguire Caching of data Sensor Networks 445 of 483

Design space for Diffusion
table from Figure 3 of [195]
Diffusion Element Design Choices

Interest Propagation Flooding
Constrained or directional flooding based on location
Directional propagation based on previously cached data
Data Propagation Reinforcement of single path

Multipath delivery with selective quality along different paths
Multipath delivery with probabilistic forwarding
Data caching and For robust data delivery in the face of node failure
aggregation
For coordinated sensing and data reduction
Reinforcement Rules for deciding when to reinforce

Rules for how many neighbors to reinforce
Negative reinforcement mechanisms and rules
Maguire Design space for Diffusion Sensor Networks 446 of 483

Metrics for evaluating directed diffusion
Average dissipated energy ratio of total dissipated energy per node in the network to the number of distinct
events seen by sinks, e.g., average work per node in delivering useful information
Average delay measures one-way latency between observation and it being received by each sink
(for example, this defines temporal accuracy of location estimates)
Event delivery ratio ratio of the number of distinct events received to the number originally sent
Generally results are compared to:

flooding
omniscient multicast (each source transmits its events along the
shortest path multicast tree to the sink(s)
Maguire Metrics for evaluating directed diffusion Sensor Networks 447 of 483
Congestion
Either operate network far from congestion or
reduce congestion: downconversion, aggregation with data quality
reduction,
Maguire Congestion Sensor Networks 448 of 483

Tiered architectures
Combing a small number of more capable nodes as complements to very large
numbers of very limited capability nodes
Smallest system elements provide: spatial diversity and short range
sensing
More powerful elements provide more sophisticated and performance
intensive processing functions (as they have greater resources)
Could even exploit robotic elements (i.e., physically mobile nodes) that wonder
over the sensor field delivering energy to depleted batteries/capacitors/fuel cells
or that deliver (localization), i.e., coordinates to other nodes, or that deliver new
fluids/gas/... (or expendibles) for sensors {or even excreters -- i.e., nodes that
release and perhaps even locally manufacturer materials}
Maguire Tiered architectures Sensor Networks 449 of 483

Localization
Some methods of localization:
x,y
map based location
surveyed location
using external markers
N
deriving relative location
in-network, autonomous
localization

x,y
See [213], [214], [215], [216], [217],
[218]
N
Maguire Localization Sensor Networks 450 of 483

Mapping where sensors are
A frequent problem is to build a map of where the nodes are. Requires:
a set of local measurements (at each node or some subset of nodes)
for example, measuring signal strength during preambles (as the pattern is well known)
knowledge of the location of some (marker) nodes
it is desirable that they should be far apart to provide a long base line
target tolerance (i.e., how close solution do you need)
Compute the location of all the nodes, building upon the position of maker nodes
- generally by doing distributed constraint solving.
Considerations:
location estimation error and speed of convergence
where should the markers be (number and distribution)
complexity (O(time), O(space), O(communications), O(energy), )
robustness to errors (such as marker positioning errors, lost packets,
errors in measurements, )
Maguire Mapping where sensors are Sensor Networks 451 of 483

Synchronization
to coordinate sensor sampling
to organize multiple hop transfers by defining a schedule (to avoid or
reduce collisions)
Some approaches:
high precision clocks at the end - then propagate them inward
UC Berekely group (David Culler, Eric Brewer, Dave Wagner, Shankar Sastry, and Kris
Pister) have experimented with timestamping a particuar bit in a message - since the during
the process of communication the transmitter and receiver are synchronized to a fraction of
a bit)
broadcast clocks (ala GPS)
chip scale atomic clocks (CSAC - a DARPA program) [225], [226]
Coordinating and adapting node sleep schedules enable tradeoffs between fidelity,
latency, and efficiency are emerging [185], [186], [187], [188], [196].
Maguire Synchronization Sensor Networks 452 of 483

Building upon localization and
synchronization
Forming sensor arrays which exploit their distribution:
two visual viewpoints stereo imaging
with N acoustic viewpoints phased array microphone arrays
with N acceleration sensor viewpoints phased array seismic,
geologic, footfall, vehicle movement,
with N visual viewpoints can use algorithms such as shape from
shading, avoid occlusion by (moving or stationary) objects,

Maguire Building upon localization and synchronization Sensor Networks 453 of 483
Securing what you send
Asymmetric digital signatures for the authentication are impractical:
long signatures high communication overhead (50-1000 bytes per
packet)
very high computational (and energy) overhead to create and verify the
signature
Gennaro and Rohatgi
>1 Kbyte of authentication information per packet, and
Rohatgis improved k-time signature scheme: > 300 bytes per packet
Authenticated streaming broadcast protocol (TESLA) [158]
uses too much communication and memory TESLA[157]
If the sensor is sending a stream of data, then Secure RTP (SRTP) can
be used [227]
Maguire Securing what you send Sensor Networks 454 of 483

Sensors
DARPA projects:
Ultra Low Power Wireless Sensor Project, Professor Charles G. Sodini,
MIT http://www-mtl.mit.edu/~jimg/project_top.html
PASTA project
Network of Embedded Software Technology (NEST) Program
Wireless Integrated Network Sensors (WINS) Project at UCLA [165]
WEBDUST at Rutgers University
NSF also has an initative: Sensors and Sensor Networks
Commercial R&D
Compaq (nee HP) (WRL) Factoid Project
a portable device small enough to be attached to a key chain, which collects
announcements broadcast from devices in the environment, later these can be uploaded via
a users home basestation
Maguire Sensors Sensor Networks 455 of 483

Smart dust: 1 cubic mm system
Driven by: advances in hardware and design reductions in size, power
consumption, and cost for digital circuitry, wireless communications, and
micro electromechanical systems (MEMS)
Professors Pister and Kahn leading the smart dust program[159].
Given limited volume battery supplies: ~1 J; potential power scavaging techniques
would enable solar power (1J/day) or indoor lighting (1mJ/day).
However, processing requires about 1nJ per 32 instruction and 100nJ per bit
transmitted (Bluetooth) and ~1nJ per bit as a target for picoradios (see also [162]).
Thus Pister and Kahn targetted using free-space optical transmission using
external lasers reflected from MEMS corner-cube retroreflector (CCR)
line-of-sight requirement + advantage of parallel read out using 2D sensors {i.e.,
a base station can listed to multiple transmitters as long as they appear in different
pixels of the receiving sensor)
Maguire Smart dust: 1 cubic mm system Sensor Networks 456 of 483

Berkeley Motes
Prof. Culler, and students at University of California, Berkeley have built motes
as a sensor platform
CPU 8-bit, 4 MHz
Storage 8 Kbytes instruction Flash

512 bytes RAM
512 bytes EEPROM
Communication 916 MHz radio
Bandwidth 10 Kbps
Operating system TinyOS
OS code space 3500 bytes
event-driven OS
Available code space 4500 bytes
Maguire Berkeley Motes Sensor Networks 457 of 483

University of California, Berkeley - Motes
Prototype device[167]:
measures 1 inch by 1.5 inch
a programmable processor AVR RISC processor (Atmel AT90LS8635)
8-Kbyte In-System programmable Flash Program Memory - 1,000 Write/Erase Cycles
544 bytes SRAM
512 Byte EEPROM - 100,000 Write/Erase Cycles
32 general-purpose registers
clock and timers:
Real-time Clock (RTC)
three flexible timer/counters with compare modes
programmable Watchdog Timer with internal oscillator
internal and external interrupts
a programmable serial UART
an SPI serial port
8-channel 10-bit ADC
Up to 4 MIPS throughput at 4 Mhz (1MIPS / MHz)
3-volt operation
Three Sleep Modes:
Maguire University of California, Berkeley - Motes Sensor Networks 458 of 483

Idle 6.4 mA 19.2mW1 - stops the CPU while allowing: SRAM, timer/counters, SPI port
and interrupt system to continue functioning
Power Save 1.9 mA 5.7mW - timer oscillator continues to run, allowing the user to
maintain a timer base -- while the rest of the device is sleeping
Power-down <1 A 3 W- saves the register contents but freezes the oscillator, dis-
abling all other chip functions until the next interrupt (or hardware reset)
they have used the 44-lead, Thin (1.0 mm) Plastic Gull Wing Quad Flat Package (TQFP)
RF Monolothics TR1000 radio transceiver
916.5 Mhz fixed carrier frequency
provisions for both on-off keyed (OOK) {upto 19.2 kbps} and amplitude-shift keyed (ASK)
modulation operates upto 115.2 kbps
an extension bus for adding a wide variety of analog and digital sensors
and actuators
Active Message model of communication
each Active Message contains the name of a user-level handler to be invoked on a target
node upon arrival and a data payload to pass in as arguments
handler function extracts the message from the network and either processes the data or
sends a response message
The network is modeled as a pipeline with minimal buffering for messages.
Message handlers must execute quickly and asynchronously
TinyOS [168]
1. Power Consumption at 4 MHz, 3V, 20C

tiny event-driven operating system - occupies 178 bytes of memory
propagates events in the time it takes to copy 1.25 bytes of memory
context switches in the time it takes to copy 6 bytes of memory
supports two level scheduling
Variants of the system exist with Atmega128 processor and a Chipcon CC1000
radio. Other researchers have used simply the physical layer part of Bluetooth (i.e.,
not including any of the link and higher layers at all).
Message format:
training sequence of alternating high and low bits (used to equalize the
DC balance of the receiver)
a flag byte was used to signal the beginning of the packet protocol:
01110110 (to differentiate itself more from the training sequence)
a byte which specifies the total data bytes in the packet
1 .. 255 data byes
a 16 bit CRC (cyclic-redundancy check)

Motes Routing
Ad hoc routing layer
determines the routing topology
enables forwarding of real sensor data up the routing topology to a
base-station
At the base-station, the data is now being forwarded into a vSpace base for storage
and display.
Maguire Motes Routing Sensor Networks 461 of 483

Millennial Net/
http://www.millennial.net/
reliable, low-power wireless sensor networks

See for example their i-Bean wireless sensor networking device:
2 cm x 2 cm size
10 year lifetime on a coin cell - with one report sent per second
analog and digital interfaces,
radio transceiver, and
microcontroller.
Maguire Millennial Net/ Sensor Networks 462 of 483

vSpace
Data is persistently stored using Distributed Data Structures (DDS)
build on a distributed hash table
allows multiple clients to simultaneously updating and querying the
sensor data
Queries comes through an HTTP interface
Users can view an image of the current network routing topology
users can zoom in to see detailed information about any of the sensor nodes in the network
green lines show routing topology and red lines show connectivity
They hope to display dynamically generated graphs of sensor data in
multiple forms, including:
single node time plot
aggregate time plots
and multiple plots in a single plot
http://www.cs.berkeley.edu/~mikechen/vspace/
Maguire vSpace Sensor Networks 463 of 483

Commercial sensor nodes
Crossbow MICA Motes & Sensors
http://www.xbow.com/Products/Wireless_Sensor_Networks.htm , based on UC
Berkeleys mote with 2 AA batteries
Processor Atmel Atmega 128L
Speed 4MHz
Flash 128K bytes
SRAM 4K bytes
EEPROM 4K bytes
Serial Flash 4Mbit
Serial Comms UART
permanent ID 64 bits
A/D 10 bit ADC 8 channel
Processor Current 5.5 mA active current, typical
<20uA sleep mode, typ
Maguire Commercial sensor nodes Sensor Networks 464 of 483

Radio Frequency 916 MHz ISM band (or 433 MHz)
Data Rate 40 Kbits/sec max
Power 0.75 mW
Radio Current Draw 12mA transmit current, typ
1.8 mA receive current, typ
<1uA sleep current, typ
Radio Range 100 feet programmable
Expansion 51 pin connector for plug-in sensor boards
Maguire Commercial sensor nodes Sensor Networks 465 of 483

Sensor nodes - low power VLSI design
-Adaptive Multi-domain Power aware Sensors (AMPS) project at MIT
http://www-mtl.mit.edu/research/icsystems/uamps/
AMPS-I: voltage scalable processor, adaptive transmit power, flexible error

coding and aggressive subsystem shutdown
AMPS-II: integrated sensor node: a digital and an analog/RF ASIC (intermediate
FPGA implementation of the digital part interfaced with the version-1 radio
system.
See the Mobicom 2002 poster Top Five Myths about the Energy Consumption of
Wireless Communication by Rex Min and Anantha Chandrakasan
http://www.mit.edu/~rmin/energymyths/
see also [161]
Maguire Sensor nodes - low power VLSI design Sensor Networks 466 of 483
Rex Mins Myths
MYTH#5. Abstraction gets in the way of energy savings
Instead: Create a power aware API - explictly define and expose tradeoffs:
set_max_energy(Joules), set_max_latency(ms), set_min_reliability(float probability),
set_range(int nearest nodes, Note[] who, float meters)
MYTH #4. Energy-quality scalability doesnt work for wireless
Create an API which gives you explicit control over energy vs. quality.
MYTH #3. Derivatives of 802.11 will drive emerging low-power nets
Microsensors arrays with large numbers of sensors each with 2J to 2KJ of energy and
1 to 54kbps data rate vs. 20KJ to 20MJ for 802.11b at 1 to 54Mbps!
MYTH#2. Communication energy scales
d = distance between the nodes, = static power, digital signal processing,
= power amplifier, receiver sensitivity
Radio Maximum dn
2.4 KHz OOK (RFM TR1000 @ 916 MHz) 14 J 3.1 J
n 115.2 KHz ASK (RFM TR1000 @ 916 MHz) 372 nJ 65 nJ
E bit = + d 11 Mbps Custom (MIT AMPS-1 @ 2.4 GHz) 570 nJ 740 nJ
11 Mbps 802.11b (Cisco Aironet 350 @ 2.4GHz) 236 nJ 91 nJ
54 Mbps 802.11a (Atheros, ISSCC2002) 14.8 nJ 11 nJ
MYTH#1. Multihop saves energy

Two hops are better than one -- NEVER! Since multihop energy > single hop energy.
Maguire Rex Mins Myths Sensor Networks 467 of 483

SmartBadge
G. Q. Maguire Jr. (KTH) in conjunction with Mark T. Smith (then of HP Labs,
now KTH) and H. W. Peter Beadle (then of the Univ. of Wollongong (Australia)):
ID card sized, communicates via wireless link to badge server
temperature, humidity, light, audio in/out, and tilt or 3-axis acceleration
used in courses at both KTH and Univ. of Wollongong; and numerous
MS thesis projects
Version 1- Spring 1997 Version 3 - April 1998 Version 4 - February 2001

Figure 43: SmartBadge series
Maguire SmartBadge Sensor Networks 468 of 483

Power
Batteries
Super capacitors
Fuel cells
Energy-harvesting utilizing
solar cells, movement to electricity conversion (mechanical, piezo-electrics, )
DC boosters
Maguire Power Sensor Networks 469 of 483

Dilemma
Since communication is expensive in energy, the cost of the power
management algorithm would swamp the savings from power
management! This illustrates the dilemma that so often arises in
problems in sensor nets: the seemingly optimal way of solving
a problem often results in algorithms whose communication
energy costs exceed their benefits. Therefore, a better strategy is
to use algorithms that only shoot for good though sub optimal results
but require only locally distributed processing with minimal
communication costs.[160]1
-- D. Estrin, L. Girod, G. Pottie, and M. Srivastava
adaptive duty cycle (based on needs of the neighborhood and applications, and
the rate with which events are likely to happen) -- applies at multiple levels in the
system
1. The emphasis is as in the original.
Maguire Dilemma Sensor Networks 470 of 483

Sensor Modeling Language (SensorML)
SensorML provides an XML schema for defining the geometric,
dynamic, and observational characteristics of a sensor. Sensors are
devices for the measurement of physical quantities.
-- Sensor Model Language (SensorML) for In-situ and Remote Sensors, Editor: Mike Botts,
University of Alabama in Huntsville, Open GIS Consortium Inc., OpenGIS Project
Document: OGC 02-026r4, Version: 0.7, 2002-12-20
contact: mike.botts@nsstc.uah.edu.
See http://www.opengis.org/
Maguire Sensor Modeling Language (SensorML) Sensor Networks 471 of 483

IEEE 802.15: Working Group for Wireless
Personal Area Networks (WPAN)
IEEE 802 family -- standards for low-complexity and low-power consumption
wireless connectivity. http://standards.ieee.org/wireless/overview.html#802.15
IEEE 802.15 (http://ieee802.org/15/) standards development projects:
IEEE 802.15.1 Mb/s WPAN/Bluetooth v1.x derivative work (cooperative effort with Bluetooth SIG, Inc.
http://www.bluetooth.com/)
IEEE 802.15.2 Recommended Practice for Coexistence in Unlicensed Bands
IEEE 802.15.3 20+ Mb/s High Rate WPAN for Multimedia and Digital Imaging [223], [224]
IEEE 802.15.3a 110+ Mb/s Higher Rate Alternative PHY for 802.15.3
Uses pulse position modulation (PPM) [222]
IEEE 802.14 200 kb/s max for interactive toys, sensor and automation needs
Maguire IEEE 802.15: Working Group for Wireless Personal Area Networks (WPAN) Sensor Networks 472 of 483
Ultrawideband
"[a]n intentional radiator that, at any point in time, has a fractional
equal to or greater than 0.20 or has a UWB bandwidth equal to or
greater than 500MHz, regardless of the fractional bandwidth."
- US FCC
Often implemented as ~picosecond impulses1 Very low power

(radiate power of 0.1mW to < 1W (-30dBm) ) - as the radio is only
emitting for a very short time
very robust to channel impairments such as multipath fading
Digital technology easy for makers of digital chips to design/make/
Intel demod a 100Mbps transmitter and receiver and expects to be able to get 500Mbps at a
few meters dropping to 10Mbps at 10m
XtremeSpectrum (XSI) - http://www.xtremespectrum.com/ - Trinity chipset 100Mbps at less
than 200mW
1. For the underlying theory for why short pulses should be used see [220] and [221]. For and introduction to impulse radio see [219].
Maguire Ultrawideband Sensor Networks 473 of 483

Active networks
C C C C
F,d F(d) F,d f(d)
A B C A B C
G(e) G,e
A A
m m C
F,d F(d) G,F,d
A B C A B C
F(d m
)
D D
Routing: G(F,d) E
F(
F(
m
d) Data: F(d) or F(G,d) E
d)
E E
Multicast F(d)
B acts as an intermediary between A and x:

(1) operates on the data as it passes through using the program F and/or
(2) routes based on the computed address using a program G
Packets carry the program that each node on the path is to execute.
{Even the program(s) can be transformed as the packet propagates.}
Maguire Active networks Sensor Networks 474 of 483

Methods used in this area
Analytic - frequently graph theoretical
Simulation - frequently using ns-2
Experiments
small scale
large scale
Maguire Methods used in this area Sensor Networks 475 of 483

Conferences and workshops
1st European Workshop on Wireless Sensor Networks (EWSN) -
19.-21 January 2004 in Berlin.
Infocom
Mobicom
Mobihoc
Fusion
ICASSP
Maguire Conferences and workshops Sensor Networks 476 of 483

References and Further Reading
[154] Deborah Estrin, Ramesh Govindan, John Heidemann and Satish Kumar, Next century challenges: scalable coordination in sensor networks,
Proceedings of the fifth annual ACM/IEEE international conference on Mobile computing and networking. August 15 - 19, 1999, Seattle, WA USA, pp
263-270
http://www.acm.org/pubs/citations/proceedings/comm/313451/p263-estr
in/
[155] R. R. Brooks and S. S. Iyengar, Multi-Sensor Fusion: Fundamentals and Applications with Software, Prentice Hall PTR, Upper Saddle River, NJ, 1998.
[156] John Heidemann, Fabio Silva, Chalermek Intanagonwiwat, Ramesh Govindan, Deborah Estrin, and Deepak Ganesan, Building Efficient Wireless Sensor
Networks with Low-Level Naming, In Proceedings of the Symposium on Operating Systems Principles, pp. 146-159. Chateau Lake Louise, Banff,
Alberta, Canada, ACM. October, 2001. http://www.isi.edu/~johnh/PAPERS/Heidemann01c.html
[157] A. Perrig, R. Szewczyk, V. Wen, D. Cullar, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of MOBICOM, 2001.
http://citeseer.nj.nec.com/perrig02spins.html
[158] A. Perrig, R. Canetti, J. Tygar and D. Song, Efficient authentication and signing of multicast streams over lossy channels, In IEEE Symposium on
Security and Privacy (2000).
[159] Kahn, R.H. Katz, K. Pister, Emerging Challenges: Mobile Networking for Smart Dust, J. Comm. Networks, Sept. 2000, pp. 188-196.
http://citeseer.nj.nec.com/kahn00emerging.html
[160] D. Estrin, L. Girod, G. Pottie, and M. Srivastava, Instrumenting the World with Wireless Sensor Networks, International Conference on Acoustics,
Speech, and Signal Processing (ICASSP 2001), Salt Lake City, Utah, May 2001
http://www.isi.edu/scadds/papers/ICASSP-2001.ps
[161] Rex Min, Manish Bhardwaj, Seong-Hwan Cho, Amit Sinha, Eugene Shih, Alice Wang, and Anantha Chandrakasan, "Low-Power Wireless Sensor
Networks", VLSI Design http://citeseer.nj.nec.com/min01lowpower.html
[162] Jan M. Rabaey, M. Josie Ammer, Julio L. da Silva Jr., Danny Patel. and Shad Roundy, PicoRadio Supports Ad Hoc Ultra-Low Power Wireless
Networking, IEEE Computer, Vol. 33, No. 7, July 2000, pp 42-48.
http://www.computer.org/computer/co2000/r7042abs.htm
[163] http://www.cs.rutgers.edu/~mini/sensornetworks.html -- an excellent bibliography for this
area
Maguire References and Further Reading Sensor Networks 477 of 483

[164] Al Demers and Johannes Gehrke, organized a database seminar course: CS735: Sensor Networks and Data Management, Cornell University
http://www.cs.cornell.edu/courses/cs735/2001fa/
[165] G.J.Pottie and W.J.Kaiser, Wireless integrated network sensors, Communications of the ACM, Vol.43, No.5, May 2000, pp51-58
http://www.cs.brown.edu/courses/cs295-1/Papers/pottie_ACM_may00.pdf
[166] Ugur Cetintemel, CS 295-1. Pervasive Computing, Course at Brown University,
http://www.cs.brown.edu/courses/cs295-1/schedule.htm
[167] Jason Hill, Robert Szewczyk, and Alec Woo (together with Professors David E. Culler and Kristofer S. J. Pister), TinyOS: Operating System for Sensor
Networks, (DARPA) DABT 63-98-C-0038, (DARPA) DABT 63-98-1-0018, and (NSF) RI EIA-9802069,
http://www.eecs.berkeley.edu/IPRO/Summary/01abstracts/szewczyk.1.ht
ml
[168] TinyOS, http://webs.cs.berkeley.edu/tos/
[169] RF Monolothics TR1000 radio
[170] ZigBee Alliance http://www.zigbee.org/
[171] DARPA SENSIT project http://www.eng.auburn.edu/users/lim/sensit.html
[172] Pennsylvania State University, Reactive Sensor Networks (RSN) project: http://strange.arl.psu.edu/RSN/
[173] LEACH http://nms.lcs.mit.edu/projects/leach/

[174] Wendi Rabiner Heinzelman, Joanna Kulik, and Hari Balakrishnan, Adaptive protocols for information dissemination in wireless sensor networks,
Proceedings of the fifth annual ACM/IEEE international conference on Mobile computing and networking. August 15 - 19, 1999, Seattle, WA USA, pp
174-185.
[175] W. Heinzelman, J. Kulik, and H. Balakrishnan, Adaptive Protocols for Information Dissemination in Wireless Sensor Networks, Proc. 5th ACM/IEEE
Mobicom Conference (MobiCom 99), Seattle, WA, August, 1999.
http://www-mtl.mit.edu/~wendi/papers/mobicom99.ps
[176] Joanna Kulik, Wendi Rabiner Heinzelman, and Hari Balakrishnan, Negotiation-based Protocols for Disseminating Information in Wireless Sensor
Networks, ACM/IEEE Int. Conf. on Mobile Computing and Networking, Seattle, WA, Aug. 1999
http://citeseer.nj.nec.com/335631.html

[177] John Heidemann, Fabio Silva, Chalermek Intanagonwiwat, Ramesh Govindan, Deborah Estrin, and Deepak Ganesan, Building Efficient Wireless
Sensor Networks with Low-Level Naming, In Proceedings of the Symposium on Operating Systems Principles, pp. 146-159. Chateau Lake Louise,
Banff, Alberta, Canada, ACM. October, 2001. http://citeseer.nj.nec.com/456986.html
[178] First ACM International Workshop on Wireless Sensor Networks and Applications. In conjunction with ACM MobiCom 2002. Sept. 28, 2002
[179] Great reading list and list to Sensor Network papers
http://www.cs.rutgers.edu/~mini/sensornetworks.html
Sensor Networks with Low-Level Naming, USC/Information Sciences Institute,
http://www.isi.edu/~johnh/PAPERS/Heidemann01c.html
[181] WINS project. http://www.janet.ucla.edu/WINS/
[182] Ultra Low Power Wireless Sensors Project. http://www-mtl.mit.edu/~jimg/project_top.html
[183] Wearble Computing. http://www.wearablegroup.org

[184] Deborah Estrin, David Culler, Kris Pister, and Gaurav Sukhatme, Instrumenting the physical world with pervasive networks, IEEE Pervasive
Computing, 2002.
[185] Benjie Chen, Kyle Jamieson, Hari Balakrishnan, and Robert Morris, Span: an Energy-Efficient Coordination Algorithm for Topology Maintenance in
Ad Hoc Wireless Networks, Proc. 7th ACM MOBICOM Rome, Italy. July, 2001.
[186] Alberto Cerpa and Deborah Estrin, ASCENT: Adaptive Self-Configuring sensor Network Topologies, IEEE Infocom 2002, NYC and Alberto Cerpa
and Deborah Estrin, Ascent: Adaptive Self-Configuring sEnsor Network Topologies, UCLA Computer Science Department Technical Report
UCLA/CSD-TR 01-0009, May 2001
http://lecs.cs.ucla.edu/~estrin/papers/Ascent-UCLA-tech-report.ps
[187] C. Schurgers, V. Tsiatsis, and M. Srivastava, STEM topology management for efficient sensor networks, IEEE Aerospace Conference, Big Sky MT,
March 2002.
[188] Y. Xu, J. Heidemann, and D. Estrin, Geography-informed Energy Conservation for Ad Hoc Routing, In Proceedings of the Seventh Annual ACM/IEEE
International Conference on Mobile Computing and Networking(ACM MobiCom), Rome, Italy, July 16-21, 2001.
[189] D. Johnson and D. Maltz, Protocols for Adaptive Wireless and Mobile Networking, IEEE Personal Communications Magazine, February 1996.
Sensor Networks with Low-Level Naming, SOSP 2001

[191] Jeremy Elson and Deborah Estrin, An Address-Free Architecture for Dynamic Sensor Networks,
http://citeseer.nj.nec.com/elson00addressfree.html
[192] Jeremy Elson and Deborah Estrin, Random, Ephemeral Transaction Identifiers in Dynamic Sensor Networks, In Proceedings of the 21st International
Conference on Distributed Computing Systems (ICDCS-21) April 16-19, 2001, Phoenix, Arizona, USA. Also published as UCLA CS Technical Report
200027 http://www.circlemud.org/~jelson/writings/retri/
[193] Sylvia Ratnasamy, Deborah Estrin, Ramesh Govindan, Brad Karp, Scott Shenker, Li Yin, Fang Yu, Data-centric storage in Sensornets, February 1st,
2002, http://lecs.cs.ucla.edu/~estrin/papers/dht.pdf
[194] Stephanie Lindsey, Cauligi Raghavendra, and Krishna Sivalingam, Data Gathering in Sensor Networks using the Energy Delay Metric, In International
Workshop on Parallel and Distributed Computing Issues in Wireless Networks and Mobile Computing, (San Francisco, CA), Apr. 2001
http://www.eecs.wsu.edu/~dawn/Papers/2001/e_d_final.pdf
[195] Chalermek Intanagonwiwat, Ramesh Govindan, and Deborah Estrin, Directed diffusion: A Scalable and Robust Communication Paradigm for Sensor
Networks, Proceedings of the sixth annual international conference on Mobile computing and networking, August 6 - 11, 2000, Boston, MA USA, pp
56-67
http://www.acm.org/pubs/citations/proceedings/comm/345910/p56-intan
agonwiwat/
[196] Jeremy Elson and Deborah Estrin, Time Synchronization for Wireless Sensor Networks, In Proceedings of the 2001 International Parallel and
Distributed Processing Symposium (IPDPS),Workshop on Parallel and Distributed Computing Issues in Wireless Networks and Mobile Computing.
http://www.circlemud.org/~jelson/writings/timesync/
[197] Ya Xu, John Heidemann, and Deborah Estrin, Adaptive Energy-Conserving Routing for Multihop Ad Hoc Networks, Research Report527,
USC/Information Sciences Institute, October, 2000. http://www.isi.edu/~johnh/PAPERS/Xu00a.html
[198] Sharad Agarwal, Randy H. Katz and Anthony D. Joseph, Reducing the Energy Consumption of Group Driven Ad-hoc Wireless Communication, Report
No. UCB/CSD-1-1127 January 2001
http://ncstrl.cs.cornell.edu:80/Dienst/UI/1.0/Display/ncstrl.ucb/CS
D-01-1127)
[199] A. Iwata, C.-C. Chiang, G. Pei, M. Gerla, and T.-W. Chen, Scalable Routing Strategies for Ad-hoc Wireless Networks, IEEE JSAC, August 1999
http://citeseer.nj.nec.com/iwata99scalable.html
[200] Paul J.M. Havinga, Gerard J.M. Smit, Martinus Bos, Energy efficient adaptive wireless network design, The Fifth Symposium on Computers and

Communications (ISCC00), Antibes, France, July 3-7, 2000 http://citeseer.nj.nec.com/255365.html
[201] S. Singh and C. S. Raghavendra, PAMAS - Power Aware Multi-Access protocol with Signalling for Ad Hoc Networks, ACM
ComputerCommunications Review, 1999 http://citeseer.nj.nec.com/157040.html
[202] I. Stojmenovic and Xu Lin, Power-aware localized routing in wireless networks, IEEE Int. Parallel and Distributed Processing Symp., Cancun, Mexico,
May 1-5, 2000 http://citeseer.nj.nec.com/385034.html
[203] Seapahn Meguerdichian, Sasa Slijepcevic, Vahag Karayan, Miodrag Potkonjak , Localized Algorithms In Wireless Ad-Hoc Networks: Location
Discovery and Sensor Exposure, MobiHoc 2001, Long Beach, CA USA
[204] Yonggang Jerry Zhao, Ramesh Govindan and Deborah Estrin, Residual Energy Scans for Monitoring Wireless Sensor Networks, IEEE Wilress
Communications and Networking Conference (WCNC02) , Orlando, FL, USA, March 17-21, 2002
[205] Loren Schwiebert, Sandeep K.S. Gupta and Jennifer Weinmann, Research Challenges in Wireless Networks of Biomedical Sensors, The seventh annual
international conference on Mobile computing and networking 2001, 2001, pp 151-165
http://www.acm.org/pubs/citations/proceedings/comm/381677/p151-schw
iebert/)
[206] Mani Srivastava, Richard Muntz and Miodrag Potkonjak, Smart Kindergarten: Sensor-based Wireless Networks for Smart Developmental
Problem-solving Environments, The seventh annual international conference on Mobile computing and networking 2001, July 16 - 21, 2001, Rome Italy,
pp132 - 138
http://www.acm.org/pubs/citations/proceedings/comm/381677/p132-sriv
astava/
[207] Sameer Tilak, Nael B. Abu-Ghazaleh and Wendi Heinzelman, A taxonomy of Wireless Micro-Sensor Network Models,
http://www.cs.binghamton.edu/~sameer/publications/main.pdf
[208] W. Heinzelman and A. Chandrakasan and H. Balakrishnan, Energy-Efficient Communication Protocol for Wireless Microsensor Networks, In
Proccedings of the Hawaii Conference on System Sciences, January 2000
http://dlib.computer.org/conferen/hicss/0493/pdf/04938020.pdf
[209] Yan Yu, Ramesh Govindan and Deborah Estrin, Geographical and Energy Aware Routing: A Recursive Data Dissemination Protocol for Wireless
Sensor Networks, UCLA Computer Science Department Technical Report UCLA/CSD-TR-01-0023, May 2001,

[210] Calermek Intanagonwiwat, Deborah Estrin, Ramesh Govindan, and John Heidemann, Impact of Network Density on Data Aggregation in Wireless
Sensor Networks Technical Report 01-750, University of Southern California Computer Science Department, November, 2001
[211] David Braginsky and Deborah Estrin, Rumor Routing Algorithm For Sensor Networks, Submitted to International Conference on Distributed
Computing Systems (ICDCS-22), November 2001. http://citeseer.nj.nec.com/462331.html
[212] Sudeept Bhatnagar, Budhaditya Deb and Badri Nath, Service Differentiation in Sensor Networks, Fourth International Symposium on Wireless
Personal Multimedia Communications, September 2001
http://paul.rutgers.edu/~sbhatnag/publications.html
[213] Dragos Niculescu and Badrinath, Ad hoc Positioning System (APS), Submitted to GLOBECOM 2001
http://www.cs.rutgers.edu/~dnicules/research/aps/aps_globecom.pdf
[214] Nirupama Bulusu, John Heidemann, and Deborah Estrin, Adaptive Beacon Placement In Proceedings of the 21st International Conference on
Distributed Computing Systems (ICDCS-21), Phoenix, Arizona, USA, April 2001, pp 489-498
http://citeseer.nj.nec.com/bulusu01adaptive.html
[215] Lance Doherty, Kristofer SJ Pister, Laurent El Ghaoui, Convex Position Estimation in Wireless Sensor Networks, Proc. of IEEE Infocom 2001
http://www.eecs.berkeley.edu/~elghaoui/pdffiles/Infocom.pdf
[216] Andreas Savvides, Chih-Chieh Han, and Mani B. Strivastava, Dynamic fine-grained localization in Ad-Hoc networks of sensors, Seventh annual
international conference on Mobile computing and networking 2001. July 16 - 21, 2001, Rome Italy, pp 166-179
http://www.acm.org/pubs/citations/proceedings/comm/381677/p166-savv
ides/
[217] Nirupama Bulusu, John Heidemann, and Deborah Estrin, GPS-less Low Cost Outdoor Localization For Very Small Devices IEEE Personal
Communications Magazine, 7 (5 ), pp. 28-34, October, 2000
http://www.isi.edu/~johnh/PAPERS/Bulusu00a.html
[218] Nirupama Bulusu, Deborah Estrin, Lewis Girod and John Heidemann, Scalable Coordination for wireless sensor networks: Self-Configuring
Localization Systems, International Symposium on Communication Theory and Applications (ISCTA 2001), Ambleside, Lake District, UK, July 2001.
http://www.isi.edu/scadds/papers/iscta-2001.ps
[219] Moe Z. Win and Robert A. Scholtz, Impulse radio: how it works, IEEE Communications Letters, vol. 2, no. 2, pp. 36-38, Feb. 1998

http://citeseer.ist.psu.edu/win98impulse.html
[220] Sergio Verd, Spectral efficiency in the wideband regime, IEEE Transactions on Information Theory, 48(6):1319-1343, 2002.
http://citeseer.ist.psu.edu/535198.html
[221] Emre Telatar and David Tse, Capacity and mutual information of wideband multipath fading channels, IEEE Transactions on Information Theory,
46(4):1384-1400, 2000. (preprint - http://citeseer.ist.psu.edu/telatar99capacity.html )
[222] D. Hlal and P. Rouzet. ST Microelectronics Proposal for IEEE 801.15.3a Alternate PHY. IEEE 802.15.3a/document 139r5, July 2003.
[223] IEEE Standards for Information Technology-Part 15.3: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for High Rate
Wireless Personal Area Networks (WPAN), IEEE, 2003, ISBN 0-7381-3705-7
[224] James P. K. Gilb, Wireless Multimedia: A Guide to the IEEE 802.15.3 Standard, IEEE Press, 2003, 250 pages, ISBN 0-7381-3668-9
[225] William C. Tang, "Chip-Scale Atomic Clock", SECTION II: Reprint of Broad Agency Announcement 01-32, the Commerce Business Daily ,Publication
Date: July 6, 2001; Issue No. PSA-2887
http://www.darpa.mil/mto/solicitations/BAA01-32/S/Section2.html
[226] John Kitching , Local Oscillator Requirements for Chip-Scale Atomic Clocks, Time and Frequency Division, The National Institute of Standards and
Technology, 325 Broadway, Boulder, CO 80305, April 5, 2003
http://www.boulder.nist.gov/timefreq/ofm/smallclock/LO%20Requiremen
ts.pdf
[227] M. Baugher, D. McGrew, M. Naslund, E. Carrara, K. Norrman, "The Secure Real-time Transport Protocol", IETF RFC 3711, March 2004.

Architectures
12. Misc. topics

KTH Information and
Wiley & Sons, 2001, ISBN 0-471-39492-0

Last modified: 2006.01.13:10:20
Maguire MWA-Misc.fm Total pages: 495

Space Data Corporation
Space Data Corporation http://www.spacedata.net/ to provide low data rate
wireless (messaging and later voice) service to rural and suburban US (about 90%
of the land mass, but only 20% of the population); Piggyback their repeaters on
US National Weather Service biodegradable latex weather balloons SkySites.
Each balloon goes up to about 100,000 feet ~ 30km and stays there for ~1.5 days;
balloons are launched from 70 sites twice each day; the repeater has power for 16
hours (12 for operation and the rest as a reserve). They expect to use 50,000
balloons per year, each repeater costs US$300
Their business model does not depend on any recovery of balloons (although they
are adding GPS to theirs)
US National Weather Service gets 18% of their back - they put a mailing address and
promise to pay the postage on their payloads
lots of knowledge of winds from 60 years of weather balloons
Space Data has a license for 1.4 MHz of bandwidth nationwide (license US$4.2M)
Maguire Space Data Corporation Misc. topics 485 of 495

MITs AI Lab: Project Oxygen
Enabling people "to do more by doing less," that is, to accomplish
more with less work.
Bringing abundant computation and communication, as pervasive
and free as air, naturally into peoples lives.
-- http://oxygen.lcs.mit.edu/
Utilizing self-configuring network with devices embedded in desks, walls, homes,
to create intelligent spaces
Handheld devices to support speech interfaces and reconfiguration for various
protocols.
This is one of several projects trying to exploit ubiquitous/pervasive computing

and communication.
Maguire MITs AI Lab: Project Oxygen Misc. topics 486 of 495

Intelligent/Smart Spaces
Knowing what is around you is very useful for configuring devices and offering
services, there are several proposals for how to do this:
SUNs Jini
Microsofts Universal Plug-and-Play
For further information see Theo Kanters dissertation Adaptive Personal Mobile
Communication -- Service Architecture and Protocols:
http://ps.verkstad.net/Thesis/Final/theoDissertation.pdf
and also his defense slides:

http://ps.verkstad.net/Thesis/Defense/theoDefense.pdf
Maguire Intelligent/Smart Spaces Misc. topics 487 of 495

If WLANs are widely available
How many different places to do you frequently spend time?
What would happen if you had WLAN access in X% of these places?
(perhaps with X > 90%)
What if you also had VoIP service in all the places you have WLAN
access?
For example, via a Cisco Wireless IP Phone 7920
Is there a business case for 3G in urban areas?

Is there a business case for 3G anywhere?
Handoffs for real-time media: J-O Vatns upcoming dissertation
Broadcom Wi-Fi reference design using their new BCM1160 Mobile VoIP
processor and BCM94318SD WLAN, in addition to their BCM4318 AirForce
OneChip which integrates 802.11b/g Baseband, MAC, and radio.
Maguire If WLANs are widely available Misc. topics 488 of 495

Unlicensed Mobile Access (UMA)
To provide access to GSM and GPRS mobile services over unlicensed spectrum
technologies, e.g., Bluetooth and 802.11:
Unlicensed Mobile Access Network
MS (UMAN)
AP Unlicensed Mobile Network Controller (UNC)
IP Access nework
UNC
Core Mobile Network
Handoff
MS
BTS Private Network BSC

Cellular Radio Access Network (RAN)
Unlicensed Mobile Network Controller (UNC) plays a role similar to the BSC in
3GPP, but also must deal with Authentication and Autorization. MS must be at
least dual mode. See: http://www.umatechnology.org/
Maguire Unlicensed Mobile Access (UMA) Misc. topics 489 of 495

Note that the emphasis in UMA is for operators to be able to offer to their
subscribers the ability to roam to and handoff to/from various unlicensed wireless
access networks.
A VPLM/HPLMN
Up
MS Unlicensed Mobile MSC
Network Controller (UNC)
Gb
SGSN
This link connects via the AP and Wm D/Gr
some network carrying IP UNC AAA Proxy
packets. Its specification is SGW Server HLR
outside of the UMA functional
architecture.
Wd
HPLMN (roaming case) D/Gr

AAA
Server HLR
Figure 44: UMA Functional Architecture
Maguire Unlicensed Mobile Access (UMA) Misc. topics 490 of 495

Near Field Communications
Goal is wireless communications by touch or proximity.
I know whom Im talking with because Im beside them.
Im indicating that object - by touching it.
Focus is point-to-point over very short distances, base on RFID technology at
13.56MHz, data rates upto 424 kilobits/s
Some of the relevant standards:
ISO 14443 - Proximity Card
ISO 15693 - Vicinity Card
See also www.14443.org
Maguire Near Field Communications Misc. topics 491 of 495

Future work
To combine:
Mobility: WLAN + GPRS (via a private complete GSM/GPRS system http://csd.ssvl.kth.se/monaco/main.htm)
Security: IPsec, TLS, SRTP+MIKEY, + SIP secure VoIP
Context and location awareness: minimizing manual (re-)configuration as users move about
and facilitating their interaction with each other & the things around them - Adaptive and
Context-Aware Services (ACAS)1
New services: such as audio services - managing a 3D (or 4D) audio
environment, automatic call diversion,
In a challenging environment of socially correlated user movements (i.e., classes,
meetings, etc.)
Questions: What services do students want? Which services do they need? How
will this change interactions with other students, teachers, staff, .
1. http://psi.verkstad.net/acas/ (part of AWSI http://www.wireless.kth.se/AWSI/ )
Maguire Future work Misc. topics 492 of 495

Why audio? Because users can utilize audio interaction while on the
move
Why PDAs? Because they support both computing and
communication in a small form-factor, it is possible to have multiple
wireless interfaces, audio is good enough quality to use for
entertainment (MP3files, streaming audio, voice interaction, and
interactive voice), and we can have enough devices which people will
use on the move to start to understand the effects of correlation and
the demands on the underlying infrastructure1.
1. HP grant Applied Mobile Tech. Solutions in Learning Environments
Maguire Future work Misc. topics 493 of 495

Further reading
Near Field Communications
[228]Near Field Communication, ECMA, Ecma/TC32-TG19/2005/013, Feb.

2005
http://www.ecma-international.org/activities/Communications/tc32-tg
19-2005-013.pdf
[229]Near Field Communication - Interface and Protocol (NFCIP-1),

ECMA-340 , Second edition, December 2004
http://www.ecma-international.org/publications/standards/Ecma-340.h
tm
[230]Near Field Communication Interface and Protocol - 2 (NFCIP-2),

ECMA-352, December 2003
tm
[231]NFCIP-1 - RF Interface Test Methods. ECMA-356, June 2004

Maguire Further reading Misc. topics 494 of 495

tm
[232]NFCIP-1 - Protocol Test Methods, ECMA-362, Second edition, December

2005
tm
Maguire Further reading Misc. topics 495 of 495


Mwa 20060113

Uploaded by

Copyright:

Available Formats

Mwa 20060113

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mwa 20060113

Uploaded by

Copyright:

Available Formats

2G1330 Mobile and Wireless Network

KTH Information and

1998-2006 G.Q.Maguire Jr. .

Last modified: 2006.01.13:10:07

Maguire Cover.fm Total pages: 1

2. Network Signaling and CDPD........................................ 93

3. GSM, GPRS, SMS, International Roaming, OAM .... 132

User ID Device ID ...........................................................................

5. WAP, Heterogeneous PCS, 3G..................................... 264

6. Wireless Local Loop (WLL) and

8. Bluetooth: Piconets, Scatternets................................... 372

11. Sensor Networks .......................................................... 422

1998-2006 G.Q.Maguire Jr. .

Last modified: 2006.01.13:10:20

Maguire MWA-Lecture1.fm Total pages: 92

Maguire Welcome to the course! Introduction 2 of 92

prof. Gerald Q. Maguire Jr. <maguire at kth.se>

Irina Radulescu <irina.radulescu at wireless.kth.se>

Maguire Staff Associated with the Course Introduction 3 of 92

Maguire Goals, Scope and Method Introduction 4 of 92

Maguire Prerequisites Introduction 5 of 92

Maguire Contents Introduction 6 of 92

Maguire Topics Introduction 7 of 92

Maguire Examination requirements Introduction 8 of 92

Maguire Project Introduction 9 of 92

Maguire Literature Introduction 11 of 92

Maguire Lecture Plan Introduction 12 of 92

1. Because 3 < < 4 and is an irrational number.

Maguire Context of the course Introduction 13 of 92

Maguire Chapters 1-4, and 22 Introduction 14 of 92

Ethernet LANs switch switch

Figure 1: Multiple network technologies - internetworked together

Maguire Internet Architecture Introduction 15 of 92

Figure 2: Internet and PSTN

Maguire Internetworking Introduction 17 of 92

System High Tier Cellular Low Tier Cellular Cordless

User speed high ( 260 km/h) medium (100km/h) low (50km/h)

Handset complexity high low low

Handset power high (100-800mW) low (5-20mW) low (5-10mW)

Delay or latency high (600ms) low (10 ms) low (10ms)

Costs high medium low (often flat rate)

Examples GSM, D-AMPS, PDC, CT2, DECT, PHS, PACS

Maguire Cellular Telephony Introduction 20 of 92

Maguire Low Tier Cellular and Cordless Telephony Introduction 21 of 92

Maguire Mobile Data Introduction 22 of 92

Maguire Paging Introduction 23 of 92

Maguire Specialized Mobile Radio (SMR) Introduction 24 of 92

Maguire Satellite Introduction 25 of 92

Maguire Wideband systems Introduction 26 of 92

Maguire Point-to-Point Optical links Introduction 28 of 92

See Wireless LAN (WLAN) on page 333.

Maguire Wireless Local Area Networks (WLANs) Introduction 29 of 92

Near Field Communication (NFC) - typical range of centimeters (when operating

Maguire Short range radio Introduction 30 of 92

Base Station Controller

Radio Network Mobile Switching Center

Wireline Transport Network

Maguire Basic Personal Communication System (PCS) network architecture Introduction 32 of 92

Cellular network Mobile Station